Administering User Configuration settings for Task Scheduler

As mentioned in previous blog posts you can manage the Computer Configuration and User Configuration security settings using the gpedit.msc management console. There are numerous configuration settings which can be managed with this utility. In this post I will just take a quick tour of the different settings for the Task Scheduler.

The Task Scheduler is a utility which allows you to kick off scripts and Windows utilities at predetermined times, to aid you in managing your Windows XP Professional system. The Task Scheduler has been around since Windows 95, but whereas it was implemented as a program or application in Windows 95, Windows 98 and Windows ME, it has run as a service since Windows NT right through to Windows Vista. Don’t go looking for Task Scheduler in Windows 95 though, because it was know as System Agent at that time.

Back to the Group Policy editing console. Within User Configuration > Administrative Templates > Windows Components Task Scheduler you can administer the following aspects of the Task Scheduler for the local Windows XP machine.

You can Hide Property Pages which prevents the logged on user from either viewing or changing the properties of an existing configured task. This will mean that the logged on user will not be able to check which program the task will kick off, he will also not be able to check when the task is run or under which user account the task is run.

You can Prevent Task Run or End which simply means that the user for which this security template is configured will not be able to either start or stop tasks.

You can Prevent Drag-and-Drop which simply prevents a user from creating a task by moving or copying a program into the scheduled tasks folder. As per the Microsoft documentation a user can still delete tasks and can still create tasks using the normal method of creating a task.

You can Prohibit New Task Creation which is fairly self-explanatory in that it prohibits users from creating new tasks. And it does this by removing the Add Scheduled Task icon from the Task Scheduler list. However, users with Administrator group membership can still create tasks from the command line by using the At.exe program.

You can Prohibit Task Deletion which is is also self-explanatory in that it prohibits users from deleting existing tasks. In the same manner a user with membership of the Administrators group can still delete tasks from the command line using the At.exe command line utility.

The Hide Advanced Properties Checkbox in Add Scheduled Task Wizard’s only benefit is that it simplifies the creation of new tasks.

The Prohibit Browse setting limits the user to create newly scheduled tasks only from the items appearing on his Start menu. What is does is to remove the Browse button in the Task creation wizard so that the user can only select from a limited set of programs that which he want the task scheduler to execute. However, note that this setting does not prevent a user from dragging a program into the Scheduled tasks folder.