Vista - Standard user needs to run ATI Tasks without admin password - how?

Discussion in 'Acronis True Image Product Line' started by tuttle, Jun 17, 2008.

Thread Status:
Not open for further replies.
  1. tuttle

    tuttle Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    376
    Maybe my default administrator account, the one that Vista makes you create when Vista is first started and setup, is not a member of the "Administrators" group, and maybe your administrator is a member of that group. When I right-click a shortcut | Properties | Security tab, under "Group or user names" are these:

    SYSTEM
    admin (Sonylaptop\admin)
    Fred (Sonylaptop\Fred)
    Administrators (Sonylaptop\Administrators)

    SYSTEM and Administrators each have icon of two heads, and both have Permissions set to Full control.
    admin (the default administrator account Vista made me create initially) and Fred each have icon of one head.
     
  2. K0LO

    K0LO Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    2,591
    Location:
    State College, Pennsylvania
    You should be able to change the group membership of an account by using Control Panel > Users, if that's the case.

    I had a thought -- in another post you had said that you changed some of the UAC properties on the machine. What happens if you change all of the UAC properties back to their default? My system is set up that way; UAC is on and none of the advanced properties have been modified from their default values. Just a thought...
     
  3. tuttle

    tuttle Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    376
    I'm not sure what to look for. When I check my user account, under Change Your Account Type it says that I am an Administrator.

    I had the same thought, so I restored UAC to default and had done all recent testing that way. It made no difference. I hadn't done a lot of messing around with it anyway: I simply used TweakUAC to put UAC into quiet mode, which means that UAC is fully enabled for Standard users and enabled for administrators, but elevation prompts are suppressed for administrators.

    I wish I knew why your Standard user can see SYSTEM tasks created by the administrator, but my Standard user can not.

    Can your administrator user launch shortcuts to those SYSTEM tasks (which in turn run ATI tasks) with a normal double-click, or do you have to right-click the shortcut to "Run as administrator" as I must do? (see my post #25 in case you missed it)
     
  4. K0LO

    K0LO Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    2,591
    Location:
    State College, Pennsylvania
    I get the same behavior. I think I understand this behavior. The shortcut works for a standard user because a standard user can start Task Manager without a UAC prompt since it starts in read-only mode, whether started from the command line (or a shortcut to the command in this case) or from the GUI. When an administrator starts Task Manager it starts in read/write mode, and wants to prompt for write permission. Thus, when an admin user double-clicks on the shortcut a non-elevated command prompt window opens and fails because the admin user needs elevated privileges to run Task Manager. You don't get to see the "permission denied" error message because it goes by so fast. If you set the shortcut properties to "run as administrator" then you will see a UAC prompt and it will work. But that's the wrong setting for a standard user.

    Have you noted that in many cases it is more convenient to run as a standard user; there are fewer UAC prompts. I hadn't run Vista like this before and I kind of like it. For example, you can start the Event Viewer as a standard user and just view the logs without a UAC prompt. If you start the Event Viewer as an administrative user then you will be prompted to elevate privileges because an admin can make changes (like clearing logs). Of course, if you do something that requires privilege elevation it is a lot more convenient to be running an admin account since you only have to click a button to elevate. If you run a standard account then it's a pain just like Linux - you have to type a password to elevate privileges.

    Another question - does your standard user account have a password? Mine does. If yours doesn't then that's another difference between our setups.
     
  5. tuttle

    tuttle Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    376
    Interesting. Good explanation.

    Yes, I agree that Standard user is the way to run day-to-day. I get similar behaviour even as administrator though, because I put UAC into quiet mode. Quiet mode leaves UAC fully enabled for all users, but elevation prompts are suppressed for administrators.

    Yes. AFAICT, the main difference difference between our setups is that I have Vista Home Premium, while you have Ultimate.

    If you login as administrator and create a new task with user "SYSTEM", then logout and login as Standard user, can the Standard user see that new task?

    I tried another test to gain further information:

    When logged in as Standard user, I created new task to launch Notetab (text editor). When I selected "Run whether user is logged on or not" and clicked OK to save, I got warning: "This task requires that the user account specified has Log on as batch job rights. For more information about setting this policy, see the Task Security Context topic in Help."
    But, task did save. When I tried to run it, it showed status as "Queued" rather than "Running".

    I then changed the task to default "Run only when user is logged on", clicked "Run" and it worked.

    But, when Standard user tried to run it from a shortcut, I get brief flash of command window and it does not run.
    When I right-click the shortcut to "Run as administrator", after entering my admin password I get same result: brief flash of command window and it does not run.
    So, Standard user can't use a shortcut even to run a task that he created. o_O
    Addendum: I rebooted the laptop, and now the Standard user can use the shortcut to run task that he created, to launch Notetab. Bizarre.

    I'm now thoroughly confused and frustrated, and not sure what to try next. I'll do more research on Task Scheduler, but so far I haven't found any documentation that helps.
     
    Last edited: Jun 22, 2008
  6. K0LO

    K0LO Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    2,591
    Location:
    State College, Pennsylvania
    Yes, the standard user can see the new task.
    Be careful! With that setting if you are using an account that is a member of the administrators group to install software and you click on a viral attachment or on a download that includes something you don't want installed (like Google Toolbar) then nothing will stop it from proceeding with no second chances. If a virus, it will have its way with your system. That's why I prefer seeing the UAC prompt tell me which executable is attempting to run and giving me a second chance to bail out. I have caught a couple of installers trying to put stuff that I didn't intend to authorize onto my system and UAC stopped them both cold.

    I set up a simple task to start Notepad and entered "Users" as the user context so that any user could use the task, and I kept the default "Run only if user is logged on". I created the task in the admin account. It runs when started from the Task Scheduler GUI "Run" button. When attempted from the command prompt it fails with "Permission denied", as expected. When an admin starts Task Scheduler it needs to be done from an elevated command prompt. That works.

    The standard user can see the task listed in the Task Scheduler library, can start it from the Run button in Task Scheduler, and can start it from a command prompt or shortcut.

    This makes sense to me but I still don't understand why your standard users can't see the tasks created by the admin user. I am starting to think that the problem may be that Vista Home Premium does not support this the same way that Business or Enterprise or Ultimate do. Some of the enterprise networking and security features are missing in the Home versions and perhaps this is one of them.

    If you navigate to your Acronis script file (the one that you are trying to run from a scheduled task) and check the Security tab, does it have "Backup Operators" listed as a group or user name? This may be one of the security contexts missing from the Vista Home editions.
    Security.PNG
     
  7. tuttle

    tuttle Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    376
    Hmm. I had not considered that I UAC would provide multiple warnings for individual parts of a package installation. I thought that when I'm installing something I would get an elevation prompt, and when I accept to approve the installation then the package would install. I didn't know that if there is, for example, a Google toolbar as part of it that I would get a separate warning for it and therefore an opportunity to stop just that toolbar from installing.



    That's exactly what I've been wondering. I've read several tech papers, articles, MS knowledge base entries, etc. about Task Scheduler and I can't find documentation of differences between Vista packages, other than that there is an annoying bug in Task Scheduler in Vista Home Premium.

    I don't see that.
     

    Attached Files:

  8. K0LO

    K0LO Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    2,591
    Location:
    State College, Pennsylvania
    OK; look up "User Groups in Windows" in the Vista help file. Finally, this is the first place I've seen this spelled out:
    So here is a feature that isn't part of the Home editions of Vista, so I suspect that there are other differences related to user rights. It's looking like our suspicions are correct.
     
  9. tuttle

    tuttle Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    376
    Acronis True Image has been coded to require administrator privileges to run on Vista.

    I think it would be better if Acronis development would code Acronis True Image to allow Standard user accounts to run backups, but not to do potentially damaging things like restore, delete, DriveCleanser, etc. That way we could create shortcuts for Standard users to do ATI backups whenever they need to without going through all this work.
     
  10. tuttle

    tuttle Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    376
    Re. our discussion about whether setting UAC to “quiet” mode is less secure, have a look at this: http://www.tweak-uac.com/uac-quiet-mode/
    That claims that as long as you leave UAC enabled that “quiet” mode is no less secure, just more convenient for administrators. See what you think.
     
  11. K0LO

    K0LO Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    2,591
    Location:
    State College, Pennsylvania
    tuttle:

    That's a very interesting article, especially in the email exchanges that occured after it was written. See the exchanges with Chris Hill starting on June 21, 2007. I would recommend that everyone read these if they intend to change the behavior of UAC.

    For clarification of my position you should know that I have been a Linux user for several years and have gotten used to the Unix/Linux security model which is similar to Vista's UAC. I am comfortable enough with it that I have never used antivirus software on Linux and have never had a problem. With Windows XP, antivirus software was a necessary evil and I always used it. When Vista was released I had enough experience with and confidence in the underlying security model that I have not used antivirus or antispyware software on Vista. I don't like the load it puts on the system. So this is the context that my decision to keep UAC fully enabled comes from.

    Having said that, I don't believe the article's claim that the UAC "quiet" mode is as secure as "regular" mode. My personal choice is to leave the regular mode enabled.
     
  12. tuttle

    tuttle Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    376
    Yeah, I used Solaris for a few years, so I know what you mean. I'm not sure what to think about the "quiet mode" option. It has been endorsed by PC Magazine and several other "experts", but of course that is not canon. I'm in favour of more protection rather than less, as long as it doesn't overly slow the system or annoy the user. I'll see if there are solid articles discussing "quiet mode".
     
    Last edited: Jun 23, 2008
  13. MudCrab

    MudCrab Imaging Specialist

    Joined:
    Nov 3, 2006
    Posts:
    6,485
    Location:
    California
    I've been following this thread on and off. I just setup a task in Vista Ultimate and looked at the Security tab and it set it up for both Power Users and Backup Operators. Backup Operators has Full permissions checked, otherwise they're the same.
    VistaUltimateTask.jpg

    Under Vista Home Premium, TI added two Account Unknown groups to the permissions. The first one has the same settings as Power Users and the second one has the same settings as Backup Operators.
    VistaPremiumTask.jpg

    Do either of you see anything like that? I didn't try running either of the tasks. I was just curious about the permissions. Both were created using my Administrator account with UAC turned on (default settings).
     
  14. tuttle

    tuttle Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    376
    No. In Vista Home Premium when I right-click an individual ATI tasks/scripts, I see only the users in the screenshot in my earlier post #32. In Ultimate, Mark had a user entry for Backup Operators as you can see in his screenshot.
     
  15. tuttle

    tuttle Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    376
    Hey, I found a solution. I was thinking about how the failures may greatly be attributed to the Standard user's inability to even see Task Scheduler tasks created by the administrator. Here's what I did that works:
    1. Login as Standard user, in Task Scheduler create task to run Acronis backup task. Exit Task Scheduler.
    2. Right-click Task Scheduler shortcut to "Run as administrator", edit that task: change user to SYSTEM which also automatically selects "Run whether user is logged on or not", and select "Run with highest privileges". Exit Task Scheduler.
    3. Open Task Scheduler normally, confirm that Task Scheduler can see the changes, verify that task can run.
    4. Still as Standard user, create shortcut to that scheduled task.
    Eureka!

    Thanks for all your help Mark. I could not have done this without your help. :thumb:

    This process could be avoided if Acronis development would code Acronis True Image to allow Standard user accounts to run backups. That way administrators could create shortcuts for Standard users to do ATI backups whenever they need to.
     
    Last edited: Jun 23, 2008
  16. K0LO

    K0LO Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    2,591
    Location:
    State College, Pennsylvania
    Paul:

    Since you have Vista Home Premium, if you start mmc and add the snap-in for Local Users and Groups, do you see "Backup Operators" listed as one of the groups? Or, can you even add the snap-in at all in Home Premium?

    The figure in your post makes sense; these security permissions are added by TI even in XP. The Power Users group was removed from Vista but is still available for backwards compatibility. The Backup operators group is still there in Vista.

    Here's a curiosity - on my work PC running Vista Business I have three TI scheduled tasks. The task that I created pre-SP1 has both "Backup Operators" and "Power Users" listed as groups in the security tab. The tasks that I created post-SP1 do not have an entry for "Power Users". My home PC has Ultimate SP1 installed from DVD (as SP1; not upgraded) and the TI tasks do not have "Power Users" entries at all.
     
  17. K0LO

    K0LO Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    2,591
    Location:
    State College, Pennsylvania
    tuttle:

    Success at last! That one sure wasn't easy. I am curious though why you couldn't have done the task editing from the standard user account by starting Task Scheduler "as administrator" but perhaps this is related to the missing security features in the Home versions of Vista.

    I learned a lot trying to help, so you're quite welcome!
     
  18. tuttle

    tuttle Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    376
    I tried it:
     
  19. tuttle

    tuttle Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    376
    Boy, you said it brother.
    Perhaps I could have. I may try that, just to avoid having to logoff and login each time. I suspect that running Scheduler "as administrator" from Standard user account is actually no different than running it normally from admin account. I think it's actually doing the same thing, editing the list of tasks that admin has access to.

    Added: I just tried it. It does work. Thanks, that saves me from the multiple logoff/login.
     
    Last edited: Jun 23, 2008
  20. K0LO

    K0LO Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    2,591
    Location:
    State College, Pennsylvania
    So is this a fair summary of the workaround for Vista Home versions?

    1. As standard user, start Task Scheduler normally and create a scheduled task. Some choices will be unavailable to standard users.
    2. Close Task Scheduler, right-click and run it as administrator, edit the task to add remaining choices that only an administrator can add.
    3. Close Task Scheduler, open normally, and test

    On the Enterprise versions of Vista, step 1 is unnecessary.
     
  21. tuttle

    tuttle Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    376
    Yes. I've edited the process in my earlier post to make it clearer.
     
  22. MudCrab

    MudCrab Imaging Specialist

    Joined:
    Nov 3, 2006
    Posts:
    6,485
    Location:
    California
    I got the same results as tuttle.

    Here is a list of the standard (and, I assume) additional "groups" in the list:
    Vista Groups Permissions List.jpg

    Both of these tasks were created post-SP1, though TI was installed pre-SP1. Both were upgraded to SP1.
     
  23. tuttle

    tuttle Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    376
    These privileges with Task Scheduler are tricky stuff. I tried to add more Actions to the scheduled task that runs the Full backup, so my friend would need to launch just a single shortcut to do everything.

    I added Action to defrag C-drive prior to doing the full backup: C:\Windows\System32\Defrag.exe C:
    That works.

    I added Action to run CCleaner silently to doing the defrage and full backup:
    "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
    That doesn't work.

    It seems that CCleaner will run from Task Scheduler if the task user is the logged-in user. It won't run if task user is set as SYSTEM or non-logged-in user such as admin.
     
  24. K0LO

    K0LO Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    2,591
    Location:
    State College, Pennsylvania
    I think that makes sense. I'm not very familiar with CCleaner but I assume that it would want to clean out a user's TEMP folder, which is located in their user profile. If you have multiple user profiles on the machine and don't run CCleaner as a particular user then how will it know which temp folder to clean out? If it also cleans up cookies and cached internet pages then the same reasoning applies as these are also stored in the individual user's profile.

    However, it's a bit strange that it didn't even try to clean up files in your admin user profile when you ran it that way. Does it have a command-line switch or a configuration file to specify which user profile to clean up?

    You know what's needed here -- if Vista Task Scheduler had a box to specify the User context for each action on the "Action" tab instead of a having only a global User specification on the "General" tab. I think that would allow you to do what you'd like.
     
  25. tuttle

    tuttle Registered Member

    Joined:
    Mar 5, 2005
    Posts:
    376
    That is logical. While user SYSTEM should have the rights to delete files, there's no setting to tell it where to find those files.

    CCleaner (great little maintenance app, by the way) doesn't have switches or config to specify which user profile to clean. I guess it assumes that the user running it wants to clean his/her own files. The only command line switch is AUTO, which enables it to run silently.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.