How to Unregister a Scheduled Task from User to User



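I'm prototyping a PowerShell script that, when finished, will run as SYSTEM on the computer, but for now I'm testing it as an administrator. One of the things the script will do is potentially create scheduled tasks for other users, such as an "on first log on" scheduled task for when one of those users logs in. So far, I can create the scheduled task, and it runs when I log in as the user, but when it gets to the last line to unregister itself, I get a permissions error and it fails. Here's how I'm creating the scheduled task: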

Clear-Host;
$currentIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent();
$currentPrincipal = New-Object System.Security.Principal.WindowsPrincipal($currentIdentity);
$userName = 'JDOE';
# Write the first-logon script; backtick-escaped `$ stays literal in the generated file.
Set-Content `
    -Path "C:\$userName-FirstLogOn.ps1" `
    -Value "
New-Item -Path 'C:\Users\$userName\Downloads\FirstLoggedOn.txt' -Force -Confirm:`$false > `$null;
'TEST' | Out-File -FilePath 'C:\Users\$userName\Downloads\FirstLoggedOn.txt';
Unregister-ScheduledTask -TaskName '$userName - First Log On' -Confirm:`$false > `$null;
Read-Host;
".Trim();
$action = New-ScheduledTaskAction `
    -Execute 'PowerShell.exe' `
    -Argument "-File C:\$userName-FirstLogOn.ps1";
# The task principal is the account running this script, at the highest run level.
$principal = New-ScheduledTaskPrincipal `
    -UserId $currentPrincipal.Identity.Name `
    -RunLevel Highest;
$settings = New-ScheduledTaskSettingsSet;
# Fire when the target user logs on.
$trigger = New-ScheduledTaskTrigger `
    -AtLogOn `
    -User $userName;
$task = New-ScheduledTask `
    -Action $action `
    -Principal $principal `
    -Trigger $trigger `
    -Settings $settings;
$task.Author = $userName;
Register-ScheduledTask `
    -TaskName "$userName - First Log On" `
    -InputObject $task `
    -User $userName > $null;

The exception I get is:

Unregister-ScheduledTask : Access is denied.
At C:\JDOE-FirstLogOn.ps1:5 char:1
+ Unregister-ScheduledTask -TaskName 'JDOE - First Log On' -Confirm: ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : PermissionDenied: (MSFT_ScheduledT...TaskPath = ""):Root/Microsoft/...T_ScheduledTask)
[Unregister-ScheduledTask], CimException
+ FullyQualifiedErrorId : HRESULT 0x80070005,Unregister-ScheduledTask

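I've made sure the task's user is correct, and I've even tampered with the permissions of the task file, granting the user full access and/or ownership, but I still get the access denied error. What can I do to make this work?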

I removed $currentIdentity and $currentPrincipal because I didn't find any issues using $env:USERNAME, but if it fails for some reason, I'll add them back.

$downloadsFolder = (New-Object -ComObject Shell.Application).NameSpace('shell:Downloads').Self.Path
$scriptDestination = Join-Path $downloadsFolder -ChildPath "$env:USERNAME - FirstLogOn.ps1"
$taskName = "$env:USERNAME - First Log On"
# Adding a Try {...} Catch {...} so if the Task runs but fails to delete itself,
# the error will be stored in a file.
# -ErrorAction Stop turns the cmdlet's non-terminating error into one that Catch sees.
# Paths are quoted so a Downloads folder containing spaces still works.
@"
Try
{
    'TEST' | Out-File '$downloadsFolder\FirstLoggedOn.txt' -Force
    Unregister-ScheduledTask -TaskName '$taskName' -Confirm:`$false -ErrorAction Stop
}
Catch
{
    `$_ | Select-Object * | Out-File '$downloadsFolder\TaskFailLog.txt'
}
"@ | Out-File $scriptDestination
$action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument "-File `"$scriptDestination`""
# NOTE: The Access Denied Error was coming from here, -RunLevel Highest requires that the
#       current PS session is running with the Highest privileges.
$principal = New-ScheduledTaskPrincipal -UserId $env:USERNAME
$settings = New-ScheduledTaskSettingsSet
$trigger = New-ScheduledTaskTrigger -AtLogOn -User $env:USERNAME
# Build the task definition from its parts.
$params = @{
    Action = $action
    Trigger = $trigger
    Settings = $settings
    Principal = $principal
}
$task = New-ScheduledTask @params
# Register the task under the current user's name.
$params = @{
    TaskName = $taskName
    InputObject = $task
    User = $env:USERNAME
}
Register-ScheduledTask @params
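
An added example, not part of the original question or answer: when diagnosing the "Access is denied" above, one way to see who may delete a registered task is to read its security descriptor through the Schedule.Service COM interface and check each ACE for the DELETE right. The function names and the sample SDDL string (including its user SID) are constructed for illustration.

```powershell
# Added example. Function names and the sample SDDL are constructed, not from the page.

# Read a registered task's security descriptor as an SDDL string.
function Get-TaskSddl {
    param([Parameter(Mandatory)][string]$TaskName, [string]$TaskPath = '\')
    $svc = New-Object -ComObject Schedule.Service
    $svc.Connect()
    # 0x7 = OWNER | GROUP | DACL security information
    $svc.GetFolder($TaskPath).GetTask($TaskName).GetSecurityDescriptor(0x7)
}

# List every ACE in the DACL and flag the ones that allow deletion.
# This is a per-ACE view; it does not compute effective access (deny ACEs, group membership).
function Get-SddlDeleteAccess {
    param([Parameter(Mandatory)][string]$Sddl)
    $DELETE      = 0x00010000   # standard right needed to remove the object
    $GENERIC_ALL = 0x10000000   # generic right that also implies DELETE
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # unresolvable SID: show it raw
        [pscustomobject]@{
            Trustee      = $name
            AceType      = $ace.AceType
            AccessMask   = '0x{0:X8}' -f $ace.AccessMask
            GrantsDelete = ($ace.AceType -eq 'AccessAllowed') -and
                           (($ace.AccessMask -band ($DELETE -bor $GENERIC_ALL)) -ne 0)
        }
    }
}

# Constructed sample: Administrators and SYSTEM get full access (FA),
# a made-up user SID gets read-only access (FR).
$sample = 'O:BAG:SYD:(A;;FA;;;BA)(A;;FA;;;SY)' +
          '(A;;FR;;;S-1-5-21-1111111111-2222222222-3333333333-1001)'
Get-SddlDeleteAccess -Sddl $sample | Format-Table -AutoSize

# On a machine where the task exists:
# Get-SddlDeleteAccess -Sddl (Get-TaskSddl -TaskName 'JDOE - First Log On')
# (Get-ScheduledTask -TaskName 'JDOE - First Log On').Principal | Select-Object UserId, RunLevel
```

Run the two commented lines both from the elevated session that registered the task and from the target user's session to compare what each can see.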
