Vista - Standard user needs to run ATI Tasks without admin password - how?

Discussion in 'Acronis True Image Product Line' started by tuttle, Jun 17, 2008.

Thread Status:
Not open for further replies.
  1. tuttle

    tuttle Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    376
    Acronis True Image Home 11, Vista Home Premium, User Account Control (UAC) is enabled

    I logged in as Administrator to setup the laptop for my friend. When I am done, he will login as a Standard user, so he has less power to damage or infect the laptop. ;)

    Whenever the Standard user tries to launch ATI, either via the executable or by batch file to the Tasks, User Account Control prompts for the Administrator password before launching. That's okay, because I don't need the Standard user to be able to access the full ATI application. However, the Standard user needs to be able to run the pre-created Tasks, and I can't figure out how to enable him to do this without the administrator password.

    In ATI I created a Task, set to run Manually, that creates a Full Backup. I also created a batch file to directly launch the Task (ATI script), The Standard user will run the batch file to launch the Task. The problem is that the Standard user is unable to launch the ATI Task, because User Account Control (UAC) prompts to require the administrator password.

    Just in case someone suggests disabling UAC, that would be a bad idea. UAC is valuable protection that should not be disabled. I used TweakUAC to enable the Administrator account to switch UAC to "quiet mode", which means that UAC remains enabled but the Administrator profile won’t see the elevation prompts. Standard user profiles will have full UAC protection enabled with elevation prompts. I explained further in https://www.wilderssecurity.com/showp...55&postcount=9

    My situation seems like a common situation that Acronis development would have considered: an Administrator configures the Vista system, and creates ATI Tasks, but the Standard user needs to be able to run the ATI Tasks.

    How can I set the ATI Tasks to run with administrator permissions, or run without requiring password?
    If that isn't possible to set that permission for Tasks alone, is it possible to configure ATI to run with administrator permissions, or run without requiring password when run by a Standard user?


    .
     
  2. tuttle

    tuttle Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    376
    further information:
    even I as Administrator user can't run the batch file to launch the ATI Task, unless I right-click to select "Run as administrator". Administrator can launch ATI application and use the Backup wizard, but cannot run the batch file to launch the ATI Task, unless "Run as administrator" is specifically selected. I don't know how to make that selection permanent even when Administrator, let alone do so for a Standard user.

    so, there are two issues interconnected issues:
    1. Standard user can't run Acronis True Image unless Administrator password is provided.
    2. Administrator user can't run a batch file to launch an ATI Task, unless he right-clicks the .bat file to select "Run as administrator".

    That means that even if I can solve #1, I still need to solve #2 so a Standard user can run the .bat file.
     
  3. K0LO

    K0LO Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    2,591
    Location:
    State College, Pennsylvania
    tuttle:

    Yes, ATI is one of those programs (like Regedit) that requires privilege escalation to run. You might want to look into using Vista's Task Scheduler - it has the ability to run tasks using stored user credentials. So you can schedule a task to run with highest privileges using the administrator's credentials. The Task Scheduler is very powerful and can start tasks based on time of day, or can be triggered by events. Also, tasks can be started manually but to run Task Scheduler itself requires admin credentials.

    If you look at this article there are some examples of setting up a task to wake the computer at a predetermined time to perform a backup. I know that you don't want to do this, but the section on Task Scheduler may give you some ideas on how to trigger the task manually. Ignore the parts about making the PC stay awake and take a look on page 4 to see examples from a scheduled task.

    I'm sorry that I can't be more specific but am away on travel right now and am unable to work on this at the moment, but I know there are probably several ways to do what you want.
     
  4. tuttle

    tuttle Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    376
    Thanks Mark, I'll read that document. It would be good if Acronis would provide a way for Vista Standard users to run Tasks manually without us having to do all this extra work with batch files and other gyrations.
     
  5. tuttle

    tuttle Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    376
    Hi Mark:

    Thanks for that document. It's a very good piece of work! I agree with you that the solution seems to lie with using Vista's Task Scheduler. As the desired method for this user is to run tasks manually, it may be a matter of using event triggers rather than schedule triggers. I looked at:

    Triggers | New | Begin the task: On an event | Basic. - but I'm not sure what event would work

    Maybe I need to use event filters:

    Triggers | New | Begin the task: On an event | Custom | New Event Filter... - but I haven't figured out what to do with that. Maybe someone knowledgeable with Vista Task Scheduler events can provide further info.
    .
     
  6. K0LO

    K0LO Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    2,591
    Location:
    State College, Pennsylvania
    tuttle:

    Good news - this is easier than I first thought.

    1. Create a batch file that runs your TI scheduled task. I think you have already done this step.
    2. Create a Vista scheduled task called "Backup"
    3. On the "General" tab, choose your administrator account as the account to use when running the task. Check "run with highest privileges" and choose "run whether user is logged on or not"
    4. On the "Triggers" tab, do not enter a trigger event (!). The idea here is that we will run the task manually from the command line.
    5. On the "Actions" tab, enter the path to your batch file. Alternatively, you can skip creating a batch file and put the command and its arguments into this tab.
    6. When you have completed the setup for the task, click on "Run" and verify that the task completes correctly and without a UAC prompt.

    Here is how to start the scheduled task from the command line. You can put this command into a desktop shortcut for your friend to click on.
    Code:
    schtasks.exe /run /tn Backup
    In this command, tn means "task name" and is followed by the name you gave the scheduled task in step 2. Try this from a command prompt window manually to verify that it runs correctly. This will run a scheduled task without needing administrative privileges to run the command itself. Privilege escalation takes place within the scheduled task because the administrator's credentials have been stored in the task.

    I tried this (via the wonders of Remote Desktop to my home PC) and it seems to work fine.

    **Edited to simplify the last step.
     
    Last edited: Jun 19, 2008
  7. Wandering2

    Wandering2 Registered Member

    Joined:
    Jun 12, 2008
    Posts:
    110
    There are a number of techniques that may help you at:

    http://lifehacker.com/5016951/how-to-make-windows-vista-less-annoying

    There is a way to set the task as a job in Vista's Task Manager, and then make a shortcut that will run it. The Task will have administrator status and not ask for any input from the user. Take a look.

    It's much like the post above, but there are other techinques there you may find useful.
     
  8. tuttle

    tuttle Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    376
    Mark, this is brilliant! Thank you, merci, grazie! This works perfectly, just what my friend needs.

    Wandering2, thanks for the link. That looks like a similar process in the task scheduler, but it doesn't go far enough. That author covers how an admin account can run a task without a prompt/password at run time, but doesn't discuss how to let a Standard user run the task.

    Mark, Remote Desktop sounds great. I'd like to use something like this to support my friends remotely. However, they're on Vista Home Premium and I'm using XP Home, so it seems that Remote Desktop is not included. Vista Home Premium has something called Remote Assistance: is that similar?
     
    Last edited: Jun 19, 2008
  9. tuttle

    tuttle Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    376
    Whoops, spoke too soon. I was logged in as administrator when I created the tasks and the shortcuts. Now that I'm logged in as the Standard user, the shortcuts don't work because the tasks don't exist for that user. When I open Task Scheduler, the tasks I created are not there. It seems that Vista maintains separate tasks for each user.

    I'll need to see if there's some way to copy or share scheduled tasks from one user to another, or even to create them for all users. If not, then I'll start from scratch when logged in as the Standard user.
     
  10. K0LO

    K0LO Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    2,591
    Location:
    State College, Pennsylvania
    It's somewhat similar but it requires user interaction. Remote Desktop is easier for you as the helper. However, while all versions of XP and Vista have the Remote Desktop client, only XP Pro and Vista Business, Enterprise, and Ultimate have the Remote Desktop server, so your friends with Vista Home Premium would be unable to host RD sessions from their machines.

    You should check into Remote Assistance; from what I've read Vista Home Premium can host RA sessions. Here are a couple of articles from Microsoft and from WindowsNetworking.com.

    I tried Remote Assistance to fix my Mom's PC a couple of times, but it required her to be there and to respond to my chat session. This became awkward for her so I bought her a copy of XP Pro and have been maintaining her machine from 500 miles away via Remote Desktop ever since. That's been great because she doesn't have to do anything to get help except ask me to take a look at her machine.
     
  11. K0LO

    K0LO Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    2,591
    Location:
    State College, Pennsylvania
    Try exporting the task as an xml file and then importing it when logged in as the Standard user. Otherwise, I think that recreating the task when logged in as the standard user should work. You will be prompted to enter your administator credentials when you create the task, but afterwards it should run like before.
     
  12. tuttle

    tuttle Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    376
    Thanks for the information, I'll certainly look into Remote Assistance more thoroughly. From your comments, Remote Desktop sounds more like what I would need. I'll Google to see if it's possible to obtain the server portion for Vista Home Premium and XP Home.
     
  13. tuttle

    tuttle Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    376
    Apparently it doesn't allow that, perhaps since it was created in a different user account. When I try to confirm the import (when logged in as Standard user), I see this error:
    On the General tab it shows my admin account as the user.

    When I create the task from scratch (when logged in as Standard user), I get the same error. The error appears no matter which user is specified on the General tab under "When running the task, use the following user account:": whether I leave the Standard user, or if I Change User to make it specify my admin account as the user.
     
  14. K0LO

    K0LO Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    2,591
    Location:
    State College, Pennsylvania
    tuttle:

    Have you tried using "SYSTEM" as the account?
     
  15. tuttle

    tuttle Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    376
    When logged in as admin, I tried using SYSTEM for one of the tasks. The task completed. So, I exported it, logged in as Standard user, imported the task, but when I click OK to complete the import, this error:

    The user account does not have permission to create this task.

    If I try to create the task from scratch (when logged in as Standard user), I don't even have the ability to choose SYSTEM as the user account.
     
    Last edited: Jun 19, 2008
  16. K0LO

    K0LO Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    2,591
    Location:
    State College, Pennsylvania
    So close ...

    I will have to think about this some more. There must be a way to do this.
     
  17. tuttle

    tuttle Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    376
    LOL. Yeah, that's what I was thinking. When I read your process for Task Scheduler I thought: yeah, that will do it! And it does work as long as I'm logged in as admin, just not when logged in as a Standard user (which is how my non-technical non-savvy friend will use it).
    Thanks, I appreciate all your help. I've been searching and trying things, but have not yet found a solution.

    One of the reasons so little is written about doing such things as a Standard user may be because most Vista users, like most XP users, are still operating all the time as admin. I spoke to a Sony support tech about another issue on this notebook, and he told me that from his support experience most users never bother to create a Standard user account. They just create the initial admin account, which Vista setup requires, and they always just use that, even though it's less secure than using a Standard user profile.

    MS recommends that even a single user use a Standard user account for everyday computing and use the admin account only when necessary for configuring, installing, etc. People criticize MS for past security holes, but when MS designs a sensible system people avoid it or disable it in favour of slightly more convenience.

    Thanks for your continued help Mark. Have a good night.
     
  18. K0LO

    K0LO Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    2,591
    Location:
    State College, Pennsylvania
    tuttle:

    Got it!

    I didn't have a standard user account on my machine so I had to create one remotely to test this. The missing step turned out to be the method used to create the scheduled task. When creating the task in the standard user account, right-click on Task Scheduler and choose "Run as administrator". While running this way you will be able to create the task to use the SYSTEM account and you will be able to enter your administrator's account credentials to be stored with the task.

    After doing this, exit Task Scheduler and start it as a standard user. You should see the newly-created task in the task list.
     
  19. tuttle

    tuttle Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    376
    Hi Mark:

    How did you do that? Do you mean this:

    1. Login as Standard user
    2. Right-click on Task Scheduler shortcut (such as in Start menu) and choose "Run as administrator"
    3. Create a new task, and change user to SYSTEM
    4. Exit Task Scheduler
    5. Launch Task Scheduler normally (left-click, so it's launched under Standard user profile)
    When I launch Task Scheduler "Run as administrator", I see all the tasks that I created when I was logged in as administrator, so I assumed that I'm seeing only the administrator's tasks.

    Nonetheless, I created a new task and changed user to SYSTEM. I exited from Task Scheduler. When I subsequently launch Task Scheduler normally (so it's launched under Standard user profile) I do not see the new task.

    How are you able to see an admin-created task when logged in under a Standard user profile?
     
    Last edited: Jun 20, 2008
  20. K0LO

    K0LO Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    2,591
    Location:
    State College, Pennsylvania
    tuttle:

    hmm... I don't know but I can see the task I just created when logged in as standard user.

    Thinking this might have been a fluke, I just tried logging in to the PC again to the Test (standard user) account. The task is visible in Task Scheduler's task list when started normally (by left-click). When I drop to a command prompt and run the task as standard user it runs and completes normally.

    Here is a snip showing the first setup tab in the task:

    Sch. Task.PNG

    And here's what happens if I attempt to modify the task as standard user:

    Task 2.PNG
     
  21. tuttle

    tuttle Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    376
    Boy, I sure wish I knew why it works for you but doesn't for me. I've created two tasks as admin, and can't see either of them as Standard user. o_O

    Are you using the sort of default admin account, the one that Vista forces you to create when you first setup Vista? That's what I'm using. There's also a hidden "true" administrator account that is more powerful, but you have to do some work to use it. I have not accessed that one.

    I wonder if there might also be some differences between Vista flavours. I'm on Vista Home Premium, which Vista do you use? I wonder if there might be other config differences that would explain the different results that you and I are seeing.

    Drat, this is getting me down, especially as you appear to have found a solution that I am so far unable to employ.
     
    Last edited: Jun 20, 2008
  22. K0LO

    K0LO Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    2,591
    Location:
    State College, Pennsylvania
    tuttle:

    The procedure that you describe in post 19 is exactly the same that I used to create the scheduled task, so I don't know why it works for me and does not work for you. And yes, I am using the default user account that is a member of the administrator group just like you.

    I wouldn't think that there would be any differences in this feature between the different editions of Vista, but perhaps there are. I run Vista Business at work and Ultimate at home. The test was performed on my home PC that runs Ultimate. I don't have access to a machine running Home Premium to try this on but maybe some kind person reading this would be willing to try an experiment?

    If you can't get this sorted then consider a compromise solution. Have a look in Task Scheduler at the Windows task settings for System Restore. This task is triggered at boot time and also once every day at midnight but does not run until the PC has been idle for 10 minutes. You could consider doing something similar for a backup task -- trigger it once weekly or monthly or whatever, but set it to not run until after X minutes of idle time. In TI, set the task up for normal priority. Instruct your users to leave the PC on until the backup task finishes. Even if they come back to the PC and start using it while the task is running they may not even notice the background activity. I know this isn't optimum but it may be an acceptable compromise.
     
  23. tuttle

    tuttle Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    376
    Mark:

    You logged in as Standard user, launched Task Scheduler "Run as administrator", created a new task and changed task user to SYSTEM, exited Task Scheduler, launched Task Scheduler normally and you could then see the new task under Standard user profile.

    If you login as Administrator user and launch Task Scheduler, can you see that new task?
     
  24. K0LO

    K0LO Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    2,591
    Location:
    State College, Pennsylvania
    Yes. Here's a little test I ran:

    1. Log into my user account that is a member of the administrator group
    2. Start Task Scheduler (requires confirmation of a UAC prompt)
    3. Confirm that I can see the backup task that was created by the standard user
    4. Edit the task to add a description
    5. Run the task to confirm that it runs for the administrator
    6. Logout
    7. Log into the standard user account
    8. Start Task Scheduler
    9. Confirm that I can see the description that was added by the administrator
    10. Click on "Run" to verify that the task runs for the standard user
    11. Run the task from a command prompt

    In all cases the backup task ran perfectly.

    I've attached the task's xml file. Perhaps you can compare it to one that you create to see if there are any differences.

    When you run Task Scheduler as a standard user can you see the Windows tasks in the Task Library? I can but I cannot edit them as a standard user.
     
  25. tuttle

    tuttle Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    376
    So you can edit when logged in as administrator, and then see those changes when logged in as Standard user. I suspect that when you're logged in as Standard user and launch Task Scheduler "Run as administrator", that that is the same as being logged in as administrator and launching Task Scheduler normally. I suspect that in both cases, you're really creating or editing the administrator's Task Scheduler.

    I suspect that you could login as administrator and create a new task with user "SYSTEM", and then login as Standard user and see that task.

    When you set a task's user to "SYSTEM" it is then also visible when you login as your Standard user. That's what my Standard user is unable to do. I guess if my Standard user can't see the tasks, he can't run them.

    The ones in various sub-folders under Task Scheduler Library\Microsoft\Windows\ ? Yes, my Standard user can see those tasks, but not edit. He just cannot see any that my admin user created.

    Another odd wrinkle: I, as admin user, cannot normally launch shortcuts to run the tasks that have user set to SYSTEM. When I launch shortcut, I see a brief flash of a command window, and that's all. I can run that shortcut, to the SYSTEM user task, only if I right-click the shortcut to "Run as administrator".

    I wonder if there are differences between a default admin user in Vista Home Premium from a default admin user in Vista Ultimate. Maybe your user has more rights than my user. o_O
     
    Last edited: Jun 21, 2008
Thread Status:
Not open for further replies.