A user can schedule a task to run in the security context of a user account that has more user rights

When you use the Scheduled Task Wizard to create a scheduled task on a Microsoft Windows Server 2003-based computer, you must be a member of the Administrators group, the Backup Operators group, or the Server Operators group on the local computer. Additionally, you must type the user name and the password of a user account to schedule the task. When the scheduled task starts, it runs as if it were started by this user. Therefore, the scheduled task runs in the security context of this user account. If you type the user name and the password of a user account that belongs to a group that has more user rights than the group where you are a member, the task will not run as you expect, because the user name and the password are not configured for the task. However, a user may be able to use the schtasks command to schedule a task to run in the security context of a user account that has more user rights, including administrative rights.

A member of the Administrators group can use the Cacls.exe utility to modify the discretionary access control List (DACL) of the Tasks folder and grant a member of any group permission to create or to modify scheduled tasks. If a member of the Administrators group uses the Cacls.exe utility to modify the DACL of the Tasks folder, a user may be able to use the schtasks command to create a scheduled task to run in the security context of a user account that has more user rights, including administrative rights. However, if the user creates a second scheduled task to run under the same user account that has more rights, the user receives a message that is similar to the following, where taskname is the name of the task:The scheduled task is created, but the user name and password account information are not configured for the task.

For more information about how to use the Cacls.exe utility to modify a DACL, visit the following Microsoft Web site: