Advice wanted - acct to run scheduled tasks


Mike Leone

Aug 6, 2025, 4:00:04 PM
to NTSysAdmin
So I'm looking for some guidance. When you have to run a scheduled task, say one that copies files from one server to another ... do you use a special AD account for that, just for the purposes of running scheduled tasks?

Further ... permissions. In order to run a scheduled task, the acct has to have the "log on as a batch job" right, doesn't it? (among other things) Now, if that acct is a local admin, it gets that. 

But what do you do? Do you make such an acct, include it as local admin on the 2 hosts in question? Or do you set up the special rights that acct would need, again *only* on those 2 hosts?

Or do you set those via GPO for that acct, so you can use the same acct to run scheduled tasks on any host?

Or do you use a MSA or gMSA? Again, specific to the job at hand  (i.e., different gMSAs for every scheduled task)

Just looking for a direction to go in, on this topic.

--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

Philip Elder

Aug 6, 2025, 4:15:57 PM
to ntsys...@googlegroups.com

My suggestion if you need a good sync tool: BeyondCompare by www.ScooterSoftware.Com.

 

It can be scripted and can be set up to preserve both NTFS permissions (ACLs) and file created time stamps.

 

Philip Elder MCTS

Senior Technical Architect

Microsoft High Availability MVP

MPECS Inc.

E-mail: Phili...@mpecsinc.ca

Phone: +1 (780) 458-2028

Web: www.mpecsinc.com

Blog: blog.mpecsinc.com

Twitter: Twitter.com/MPECSInc

Teams: Phili...@MPECSInc.Cloud

 

Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.


Mike Leone

Aug 6, 2025, 5:07:48 PM
to NTSysAdmin


     

On Wed, Aug 6, 2025, 4:15 PM Philip Elder <Phili...@mpecsinc.ca> wrote:

> My suggestion if you need a good sync tool: BeyondCompare by www.ScooterSoftware.Com.

We have it. I'm not looking for a sync tool, I'm looking for the best way to run scheduled tasks that don't rely on a regular user account. Even if I script BeyondCompare, I would need to run it as a scheduled task, over time.

Michael B. Smith

Aug 6, 2025, 5:39:33 PM
to ntsys...@googlegroups.com

Most of my larger clients have dedicated accounts for doing file moves that have permissions to the relevant shares. If there are additional restrictions on the files (e.g., Finance or HR) then there are dedicated file transfer accounts for those purposes.

 

gMSAs take care of password changes – which is good – but if file placement and removal needs an interactive logon then it may not be helpful for you. It all depends on your specific needs.

 

And no – I wouldn’t create a gMSA for “every” scheduled task.

 

From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of Mike Leone


Sent: Wednesday, August 6, 2025 4:00 PM
To: NTSysAdmin <ntsys...@googlegroups.com>

--

Shawn K. Hall

Aug 6, 2025, 8:05:48 PM
to ntsys...@googlegroups.com
I use BeyondCompare myself - great stuff (and integrates well into
dnGrep too, btw) - but how would it improve anything from just setting
up robocopy?


For OP, as for whether to create an admin account: no. If anything, a
limited user account with only FS permissions and the share mapped so it
can't be exploited by something else to elevate to some other permission
that you're not even thinking about right now.

-S

> -----Original Message-----
> From: ntsys...@googlegroups.com
> [mailto:ntsys...@googlegroups.com] On Behalf Of Philip Elder
> Sent: Wednesday, August 6, 2025 13:16
> To: ntsys...@googlegroups.com
> Subject: RE: [ntsysadmin] Advice wanted - acct to run scheduled tasks
>
> My suggestion if you need a good sync tool: BeyondCompare by
> www.ScooterSoftware.Com.
>
>
>
> It can be scripted and can be set up to preserve both NTFS
> permissions (ACLs) and file created time stamps.

Henry Awad

Aug 6, 2025, 8:38:27 PM
to ntsys...@googlegroups.com
Keep it simple by setting up a dedicated account and provide the necessary NTFS/file share permissions (least privilege). No need for local admin rights, MSA or gMSA in this case.



Aakash Shah

Aug 6, 2025, 9:44:34 PM
to ntsys...@googlegroups.com

gMSAs are great for this but I would suggest different ones for different sets of systems. Another approach to consider if you don’t want to create another account (local/domain/gMSA) is to use the System account to run the task, and then grant the source computer account the least privilege access on the target side to access the folder. This wouldn’t be least privilege from the source account permission perspective, but on the target side it can use least privilege and it keeps the access isolated to those 2 computers.

 

-Aakash Shah
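
The two options in Aakash's message side by side, as an added example that is not from the thread: a gMSA whose password only one set of hosts can retrieve, and a SYSTEM task authorised on the target through the source computer account. The EXAMPLE domain and every host, account, group, path and share name are hypothetical, as is the use of robocopy for the task action.

```powershell
# Added example. EXAMPLE domain, SERVERA/SERVERB, gmsa-filesync, the group name,
# the paths and the share name are hypothetical placeholders.

# Shared task definition, registered on ServerA under one of the two principals below.
$action  = New-ScheduledTaskAction -Execute 'robocopy.exe' `
    -Argument 'D:\FolderX \\ServerB\FolderY /E /R:2 /W:5 /NP'
$trigger = New-ScheduledTaskTrigger -Daily -At '2:00AM'

# --- Option 1: gMSA scoped to one set of systems ---
# On an admin workstation (ActiveDirectory module; the domain needs a KDS root key).
# Only members of the named group can retrieve the managed password.
New-ADGroup -Name 'RG-FileSync-Hosts' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=example,DC=test'
Add-ADGroupMember -Identity 'RG-FileSync-Hosts' -Members 'SERVERA$'
New-ADServiceAccount -Name 'gmsa-filesync' -DNSHostName 'gmsa-filesync.example.test' `
    -PrincipalsAllowedToRetrieveManagedPassword 'RG-FileSync-Hosts'

# On ServerA (after a reboot so the new group membership is in its ticket):
Test-ADServiceAccount -Identity 'gmsa-filesync'   # confirms this host can use the gMSA
$gmsa = New-ScheduledTaskPrincipal -UserId 'EXAMPLE\gmsa-filesync$' `
    -LogonType Password -RunLevel Limited
Register-ScheduledTask -TaskName 'File sync (gMSA)' -Action $action -Trigger $trigger `
    -Principal $gmsa
# The gMSA still needs the folder/share permissions and the batch logon right on ServerA.

# --- Option 2: run as SYSTEM, authorise ServerA's computer account on the target ---
# On ServerB: SYSTEM on ServerA authenticates over the network as EXAMPLE\SERVERA$,
# so anything else running as SYSTEM on ServerA gets the same access to this folder.
icacls 'D:\FolderY' /grant 'EXAMPLE\SERVERA$:(OI)(CI)M'
Grant-SmbShareAccess -Name 'FolderY' -AccountName 'EXAMPLE\SERVERA$' `
    -AccessRight Change -Force

# On ServerA:
$system = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount
Register-ScheduledTask -TaskName 'File sync (SYSTEM)' -Action $action -Trigger $trigger `
    -Principal $system
```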

Severino Juan Miguel

Aug 8, 2025, 4:09:18 AM
to ntsys...@googlegroups.com

Hi Mike

 

We don't use local admins.

 

I have always used granular permission groups like "sign in as a batch job on server XXX", permissions to specific file shares (Change/Read/etc. on Server YYY share ZZZ folder AAAA), etc. in Active Directory.

We have service accounts for specific usage scenarios and grant them the required permissions.

 

So in your case, we would have:

- An AD group to sign in as a batch job on the server where the task scheduler runs (sign in as a batch on server A)

- An AD group with permissions on the source folder on server A (Server A, Folder X, Read)

- An AD group with permissions on the target folder on server B (Server B, Folder Y, Change)

- An account for "File sync XX" (dedicated or not based on your business requirements) member of these three groups.

- The scheduled task running as that service account. Not gMSA or whatever.

 

The file permissions groups are standard and we use them for other tasks including users. So anybody can go to AD and see who can use what instead of messing with local policies.

 

Best regards

Seve

From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of Mike Leone
Sent: Wednesday, August 6, 2025 22:00
To: NTSysAdmin <ntsys...@googlegroups.com>
Subject: [ntsysadmin] Advice wanted - acct to run scheduled tasks

 

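
The group-per-permission layout from Severino's message, sketched in PowerShell as an added example that is not part of the thread or any poster's own script. The EXAMPLE domain, the OU, the RG-* group names, svc-filesync, the folder and share names, and robocopy as the task action are all assumptions.

```powershell
# Added example. Every name here (EXAMPLE domain, OU, groups, svc-filesync,
# ServerA/ServerB, D:\FolderX, D:\FolderY, share FolderY) is a hypothetical placeholder.

# --- On an admin workstation with RSAT (ActiveDirectory module) ---
Import-Module ActiveDirectory
$ou     = 'OU=Service Accounts,DC=example,DC=test'
$groups = 'RG-ServerA-LogonAsBatch', 'RG-ServerA-FolderX-Read', 'RG-ServerB-FolderY-Change'
foreach ($g in $groups) {
    New-ADGroup -Name $g -GroupScope DomainLocal -GroupCategory Security -Path $ou
}
New-ADUser -Name 'svc-filesync' -SamAccountName 'svc-filesync' -Path $ou `
    -AccountPassword (Read-Host -AsSecureString 'Password for svc-filesync') -Enabled $true
foreach ($g in $groups) { Add-ADGroupMember -Identity $g -Members 'svc-filesync' }

# "Log on as a batch job" (SeBatchLogonRight) has no built-in cmdlet: assign it to
# RG-ServerA-LogonAsBatch in a GPO that applies only to ServerA (User Rights Assignment).

# --- On ServerA: read-only on the source folder ---
icacls 'D:\FolderX' /grant 'EXAMPLE\RG-ServerA-FolderX-Read:(OI)(CI)RX'

# --- On ServerB: modify on the target folder, Change on the share ---
icacls 'D:\FolderY' /grant 'EXAMPLE\RG-ServerB-FolderY-Change:(OI)(CI)M'
Grant-SmbShareAccess -Name 'FolderY' -AccountName 'EXAMPLE\RG-ServerB-FolderY-Change' `
    -AccessRight Change -Force

# --- On ServerA: check that the right arrived, then register the task ---
secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS | Out-Null
# Check that the batch-logon group's SID is in the list on this line.
Select-String -Path "$env:TEMP\rights.inf" -Pattern '^SeBatchLogonRight'

$action  = New-ScheduledTaskAction -Execute 'robocopy.exe' `
    -Argument 'D:\FolderX \\ServerB\FolderY /E /R:2 /W:5 /NP'
$trigger = New-ScheduledTaskTrigger -Daily -At '2:00AM'
$cred    = Get-Credential -UserName 'EXAMPLE\svc-filesync' -Message 'Task account'
# -RunLevel Limited: the task runs without elevated (administrator) rights.
Register-ScheduledTask -TaskName 'File sync XX' -Action $action -Trigger $trigger `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password -RunLevel Limited
```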