Why does powershell -command "Restart-Service Tomcat6" fail when run from a Scheduled Task?
tl;dr
My SDDL was incomplete. I needed to add SW (EnumDeps) to the already added LCRPWP permissions in the SDDL.
Long Version
Here is the (sanitized) version of my (broken) SDDL:
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;LCRPWP;;;S-1-1-11-1111111111-1111111111-1111111111-1111)
The problem is in the last clause permissions:
(A;;LCRPWP;;;S-1-1-11-1111111111-1111111111-1111111111-1111)
The SID S-1-1-11-1111111111-1111111111-1111111111-1111 is correct for the group DOMAIN\Tomcat Restarters that DOMAIN\tomcat.restarter is a member of. That much is right. The permissions granted (LCRPWP) are insufficient for Restart-Service.
For the Restart-Service Cmdlet to work it needs the right to Enumerate Dependent Services. In SDDL this is SW (EnumDeps) in the SDDL string. I had LCRPWP which allows QueryStat, Start and Stop.
The correct SDDL for Tomcat 6 for me is:
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;LCSWRPWP;;;S-1-1-11-1111111111-1111111111-1111111111-1111)
The mystery is why Powershell could run Restart-Service from a runas Command Prompt, but not from the Task Scheduler.
I got the necessary revelation from reading @splattered bits answer to his own similar issue with Restart-Service at https://serverfault.com/a/357753/57073.
Alain O'Dea
Updated on September 18, 2022Comments
-
Alain O'Dea over 1 year
I get the following error in the Scheduled Task history when I try to run a task:
Task Scheduler successfully completed task "\Restart Tomcat" , instance "{264b4620-5f3b-6c5f-a6cb-1625a7fa57de}" , action "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" with return code 1.The scheduled task is configured as follows:
- Name: Restart Tomcat
- User: DOMAIN\tomcat.restarter
- Triggers: Daily 2AM Enabled
- Actions: Start a Program:
- Program/script:
powershell - Arguments:
-Command "Restart-Service Tomcat6"
- Program/script:
When I launch a Command Prompt as DOMAIN\tomcat.restarter with:
runas /user:DOMAIN\tomcat.restart cmdAnd run:
powershell -Command "Restart-Service Tomcat6"Then
echo %errorlevel%prints0and Tomcat gets restarted. This shows that the SDDL on the Tomcat6 service is sufficient for the purpose and that DOMAIN\tomcat.restarter can restart it.If I change the scheduled task arguments to
-Command "'hello world'" > '%TEMP%\Temp.log'I getreturn code 0in the Task History andhello worldshows up inC:\Users\tomcat.restarter\AppData\Local\Temp\Temp.log. This shows that the Log on as a batch job User Right is effective for DOMAIN\tomcat.restarter, that it can run Powershell and that it can write files.UPDATE: Further investigation
I created a restart.bat in D:\tomcat\bin and set the Program/script to
restart.bat, arguments to> "%TEMP%\Temp.log" 2>&1and Start in toD:\tomcat\bin.Listing of restart.bat:
powershell -Command "Restart-Service Tomcat6"I get the following in
C:\Users\tomcat.restarter\AppData\Local\Temp\Temp.logI get the following content:D:\tomcat\bin>powershell -Command "Restart-Service Tomcat6" Restart-Service : Cannot open Tomcat6 service on computer '.'. At line:1 char:16 + Restart-Service <<<< Tomcat6 + CategoryInfo : NotSpecified: (:) [Restart-Service], InvalidOper ationException + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.Power Shell.Commands.RestartServiceCommandWhy does
powershell -Command "Restart-Service Tomcat6"fail when run from a Scheduled Task?-
Sean C. over 11 yearsCan you try
powershell -Command "& { Restart-Service Tomcat6 }"? I had a similar issue scheduling my own items and had success with that. I do not know why for certain, but I had to use to theinvoke-expressionoperator for some reason. -
Sean C. over 11 yearsDid you ever get a chance to try
-Command "& { Restart-Service Tomcat6 }"as the arguments for the scheduled task?
-
Alain O'Dea over 11 yearsGood idea. However, with "Run with highest privileges" checked the result is the same: "return code 1".
-
Alain O'Dea over 11 yearsI have, it creates an empty file.
-
Alain O'Dea over 11 yearsI should have clarified. The command does not require elevation. I had granted privileges I thought were sufficient to the user in the Tomcat6 service's SDDL, but I missed "SW" (EnumDeps).
-
Alain O'Dea over 11 yearsThis is probably paranoia, but I'd be worried about dragging in unintended services with
*tomcat*. This is especially risky since the next line immediately invokes Restart-Service. It would probably be better to go step by step and log Get-Service*tomcat*. Where would log.log end up here? -
Patrick over 11 years@AlainO'Dea You are correct about the Restart-Service being too wide ranging. If I were to do this on my own systems I would run it once and confirm exactly what the service name is, and specifically perform the Get-Service | Restart-Service against that name. The >log.log will save to the working directory of the script. You could easily put >C:\Logs\log.log instead, to define a location.
