Scheduled Task problem

[Guest]

Archived from groups: microsoft.public.windowsxp.general (More info?)

I have a PC running Windows XP Pro with 5 user accounts (2 x admin for me &
the missus + 3 x limited user accounts for the kids) + a guest account.

I want to be able to restrict the hours that the kids & guest can use the
PC. I have set log on times for them using net use so that problem is
sorted.

I want to run a batch file which will log them off at a specific time. I've
got the batch file sorted but I am having trouble with the task scheduler.

I thought I could hide the batch file in a hidden folder, log on as each of
the kids and schedule a task. The chances are they wouldn't be able to find
the file if it was hidden. Problem with this is that I need to know their
passwords - one of them I don't so can't schedule the task. Also, it is not
possible to schedule a task when you log on as a guest. Finally, they could
easily delete the task from task scheduler.

So the big question is: Is it possible to schedule a task from an
administrator account that will run on 3 limited user accounts + the guest
account but not on the administrator accounts?

 

[Guest]

Archived from groups: microsoft.public.windowsxp.general (More info?)

PC TimeWatch
http://www.mainsoft.fr/en/pctwoverview.htm

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
Microsoft Newsgroups

-------------------------------------------------------------------------------------------

"Goonerak" wrote:

| I have a PC running Windows XP Pro with 5 user accounts (2 x admin for me &
| the missus + 3 x limited user accounts for the kids) + a guest account.
|
| I want to be able to restrict the hours that the kids & guest can use the
| PC. I have set log on times for them using net use so that problem is
| sorted.
|
| I want to run a batch file which will log them off at a specific time. I've
| got the batch file sorted but I am having trouble with the task scheduler.
|
| I thought I could hide the batch file in a hidden folder, log on as each of
| the kids and schedule a task. The chances are they wouldn't be able to find
| the file if it was hidden. Problem with this is that I need to know their
| passwords - one of them I don't so can't schedule the task. Also, it is not
| possible to schedule a task when you log on as a guest. Finally, they could
| easily delete the task from task scheduler.
|
| So the big question is: Is it possible to schedule a task from an
| administrator account that will run on 3 limited user accounts + the guest
| account but not on the administrator accounts?

 

[Nightowl]

Archived from groups: microsoft.public.windowsxp.general (More info?)

Goonerak wrote on Mon, 29 Aug 2005:

>So the big question is: Is it possible to schedule a task from an
>administrator account that will run on 3 limited user accounts + the guest
>account but not on the administrator accounts?

Hi Goonerak

Yes, I think it should work.

First, your problem of not knowing one of the kids' passwords for
Scheduled Tasks -- you can get round that by allowing Scheduled Tasks to
run without a password. To do this:

In Start > Run type gpedit.msc <OK>.
In the Group Policy dialog navigate to: Local Computer Policy\Computer
Configuration\Windows Settings\Security Settings\Local Policies\Security
Options [phew!]

In the right-hand pane the 3rd option down says: "Accounts: Limit local
account use of blank passwords to console logon only" -- right-click on
this for Properties and set to Disabled. Close the program.

Now you can go to Scheduled Tasks (still from your admin account). For
this purpose it's easier to bypass the Add Task wizard (because we need
access to the settings tabs) and just go to File > New > Scheduled Task.
A new task will appear in the window with default settings; give it a
name, then right-click and choose Properties to get the New Task
settings box.

On the Task tab fill in the details for the program you want to run. In
Run As: replace your username with your chosen victim's, and make sure
to check the box Run Only if Logged On -- you'll see then that the Set
Password button will fade itself out.

Make any other settings you want on the Schedule and Settings tabs, then
OK your way out. You'd need to repeat this for each of the kids, plus
Guest; on my computer the Guest account is disabled, but I tried setting
a task as above in the Guest name, and the Scheduler seemed to accept
it.

Hope this helps -- good luck!

--
Nightowl

 

[Nightowl]

Archived from groups: microsoft.public.windowsxp.general (More info?)

David Candy wrote on Wed, 31 Aug 2005:

>So if they don;t have passwords anyone anywhere can log in by guessing
>their username, like Administrator.

Hi David

Not sure I follow you: changing the setting in Group Policy to allow
Scheduled Tasks to run without a password doesn't remove the requirement
for a login password, if one has been set.

--
Nightowl

 

[Guest]

Archived from groups: microsoft.public.windowsxp.general (More info?)

So if they don;t have passwords anyone anywhere can log in by guessing their username, like Administrator.

--
--------------------------------------------------------------------------------------------------
http://webdiary.smh.com.au/archives/_comment/001075.html
=================================================
"Nightowl" <owl@[127.0.0.1]> wrote in message news:vZEK7Gh8fGFDFwaQ@black.hole...
> Goonerak wrote on Mon, 29 Aug 2005:
>
>>So the big question is: Is it possible to schedule a task from an
>>administrator account that will run on 3 limited user accounts + the guest
>>account but not on the administrator accounts?
>
> Hi Goonerak
>
> Yes, I think it should work.
>
> First, your problem of not knowing one of the kids' passwords for
> Scheduled Tasks -- you can get round that by allowing Scheduled Tasks to
> run without a password. To do this:
>
> In Start > Run type gpedit.msc <OK>.
> In the Group Policy dialog navigate to: Local Computer Policy\Computer
> Configuration\Windows Settings\Security Settings\Local Policies\Security
> Options [phew!]
>
> In the right-hand pane the 3rd option down says: "Accounts: Limit local
> account use of blank passwords to console logon only" -- right-click on
> this for Properties and set to Disabled. Close the program.
>
> Now you can go to Scheduled Tasks (still from your admin account). For
> this purpose it's easier to bypass the Add Task wizard (because we need
> access to the settings tabs) and just go to File > New > Scheduled Task.
> A new task will appear in the window with default settings; give it a
> name, then right-click and choose Properties to get the New Task
> settings box.
>
> On the Task tab fill in the details for the program you want to run. In
> Run As: replace your username with your chosen victim's, and make sure
> to check the box Run Only if Logged On -- you'll see then that the Set
> Password button will fade itself out.
>
> Make any other settings you want on the Schedule and Settings tabs, then
> OK your way out. You'd need to repeat this for each of the kids, plus
> Guest; on my computer the Guest account is disabled, but I tried setting
> a task as above in the Guest name, and the Scheduler seemed to accept
> it.
>
> Hope this helps -- good luck!
>
> --
> Nightowl

 

[Nightowl]

Archived from groups: microsoft.public.windowsxp.general (More info?)

David Candy wrote on Wed, 31 Aug 2005:

>Admin accounts usually don't have passwords. Admin accounts names are
>easily guessable as most haven't been renamed (as they should be).

Mine all have passwords. I am sure the OP's do too, since he and his
wife have admin accounts, with limited user accounts for the kids..

>One needs to know two things to logon to a computer - name and
>password. It easy to guess name=administrator and password=blank.

Agreed, and that is a security risk.

>Windows won't allow the world to use blank passwords. Your suggestion
>would allow it.

David, you are famously laconic I *think* what you're saying is that
after making this policy change, a hacker could remotely log into an
account that is not password-protected; whereas, before making the
change, he would have to be physically at the machine?

I'm not so sure that Windows without the change would (or could) keep a
determined hacker out. The answer to your point, surely, is to make sure
all accounts are password-protected.

--
Nightowl

 

[Guest]

Archived from groups: microsoft.public.windowsxp.general (More info?)

Admin accounts usually don't have passwords. Admin accounts names are easily guessable as most haven't been renamed (as they should be).

One needs to know two things to logon to a computer - name and password. It easy to guess name=administrator and password=blank. Windows won't allow the world to use blank passwords. Your suggestion would allow it.

--
--------------------------------------------------------------------------------------------------
http://webdiary.smh.com.au/archives/_comment/001075.html
=================================================
"Nightowl" <owl@[127.0.0.1]> wrote in message news:fKI2$tAN1NFDFwt4@black.hole...
> David Candy wrote on Wed, 31 Aug 2005:
>
>>So if they don;t have passwords anyone anywhere can log in by guessing
>>their username, like Administrator.
>
> Hi David
>
> Not sure I follow you: changing the setting in Group Policy to allow
> Scheduled Tasks to run without a password doesn't remove the requirement
> for a login password, if one has been set.
>
> --
> Nightowl

 

[Nightowl]

Archived from groups: microsoft.public.windowsxp.general (More info?)

David Candy <?.?@?.?.invalid> wrote on Thu, 1 Sep 2005:

>My point is that this is dangerous advice and should be given carefully
>and WITH WARNINGS.
>

Hi David

I take your point. I learned the "run Task Scheduler without a password"
trick here in the ng, and up to now hadn't seen anyone objecting to it
for security reasons.

I can't help thinking that someone, shall we say "unaware" enough to run
administrator accounts without a password would not be looking to do
what the OP wanted to do.

But you saw a loophole, and thank you for giving that warning. If I give
this tip in future I will be sure to include it.

--
Nightowl

 

[Guest]

Archived from groups: microsoft.public.windowsxp.general (More info?)

My point is that this is dangerous advice and should be given carefully and WITH WARNINGS.

--
--------------------------------------------------------------------------------------------------
http://webdiary.smh.com.au/archives/_comment/001075.html
=================================================
"Nightowl" <owl@[127.0.0.1]> wrote in message news:fJCGfHGlfPFDFwNh@black.hole...
> David Candy wrote on Wed, 31 Aug 2005:
>
>>Admin accounts usually don't have passwords. Admin accounts names are
>>easily guessable as most haven't been renamed (as they should be).
>
> Mine all have passwords. I am sure the OP's do too, since he and his
> wife have admin accounts, with limited user accounts for the kids..
>
>>One needs to know two things to logon to a computer - name and
>>password. It easy to guess name=administrator and password=blank.
>
> Agreed, and that is a security risk.
>
>>Windows won't allow the world to use blank passwords. Your suggestion
>>would allow it.
>
> David, you are famously laconic I *think* what you're saying is that
> after making this policy change, a hacker could remotely log into an
> account that is not password-protected; whereas, before making the
> change, he would have to be physically at the machine?
>
> I'm not so sure that Windows without the change would (or could) keep a
> determined hacker out. The answer to your point, surely, is to make sure
> all accounts are password-protected.
>
> --
> Nightowl