The Windows 2000 Task Scheduler enables you to configure Windows to automatically open a document, start a program, or run a script at a preconfigured time. This functionality is convenient for administrators, who can force these tasks to occur at specified times on users' computers. The Task Scheduler starts by default when you start Windows 2000 and runs in the background.
In a high-security environment, Task Scheduler can pose a security threat. Users can create new tasks or delete those that are set to run by the administrator. If you are an administrator, you can control this behavior to provide greater security and ensure that only the tasks that you configure run at the proper time. This article describes how you can prevent users from scheduling tasks.
Deny Users the Ability to Create or Delete Scheduled Tasks
You can also deny users the ability to create or delete tasks on a more global basis by using Windows 2000 Group Policy. Microsoft has provided a built-in administrative template to make it easy to accomplish this task. You can apply the policy to the users in a site, domain, or organizational unit. To do so:
Create or edit the applicable group policy.
For example, if you want this policy to be a domain-wide policy, use the following procedure:
Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
Right-click the domain name, click Properties, and then click the Group Policy tab.
Click the default domain policy, and then click Edit to open the Group Policy console.
In the left pane of the Group Policy console, click to expand the User Configuration node.
Click to expand Administrative Templates, and then click to expand Windows Components.
Click Task Scheduler.
In the right pane, double-click Disable New Task Creation.
NOTE: To prevent users from deleting scheduled tasks, double-click Disable Task Deletion.
By default, this policy is not configured. To configure it, click Enabled, and then click OK.
When this policy is enabled, users cannot create new scheduled tasks by using either the New Task Wizard or by pasting, moving, or dragging programs or documents into the Scheduled Tasks folder.
This policy is displayed in the Computer Configuration and User Configuration folders. If both policies are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
NOTE: This policy does not prevent administrators of a computer from using At.exe to create new tasks or from submitting tasks from remote computers.