Specific Windows 10 permissions to run .py script when user not logged in

02-24-2017 10:47 AM
Lake_Worth_BeachAdmin
Regular Contributor

I have a script (.py) to perform SDE Maintenance that I want to run after work hours (say 2am). I can execute the script fine manually and it works. 

I set a task schedule job to run this script when my user account is not logged on (because it will be 2am, who the heck wants to be at work at 2am). It is important to run this script after hours because it will disconnect all users from the SDE. 

Windows Task Scheduler History says the task has run successfully but the script is not run and the SDE Maintenance is not performed. I had IT temporarily give me Admin rights and then everything worked as it should.

However our Network Admin will not grant me Admin rights permanently.... and he is having difficulty finding the exact permissions to grant me in order for this to run successfully. 

Does anyone know what group policy/user privileges will have this work without granting my user full Admin rights?

Or are there any workarounds for this? 

Thanks for any help,

Joe 

14 Replies
ScottFierro2
Regular Contributor

Sounds like you just need to configure a Service Account. With Windows Task Scheduler you can assign the task to run as a different user and so you would use the Service account which can be assigned limited and elevated permissions, may have a static password and that can be controlled by your Network Admin. The easy button on this assuming you are using AD or similar is the Network Admin creates the account, you assign the account permissions in Task Scheduler, assign any needed NTFS permissions on any files/folders needed, your DBA adds the service account and grants needed permissions and now all your admins can limit and maintain complete control of the account's access keeping things locked down for security reasons but still accomplishing the tasks you need.

The part I am questioning is the script's ability to execute because Windows Task Scheduler says it completed. This means whatever failed occurred inside your script and Task Scheduler can't see it and nothing in your script is e-mailing you or otherwise able to generate notifications on the issue. I wrap all my GP's inside an e-mail script and then call published GP REST services into batch files where I can also build in timeout rules, etc. This ensures I receive e-mails if anything in the python script or model fails/errors and also hard kills anything that hangs or runs longer than we want ensuring system resources don't peg and 1 task can't linger forward and impact another.

My first guess is that you don't have the DB credentials embedded in your .py and the connection to the DB is using Windows credentials that can't be pulled because you aren't logged in but if I'm wrong and it is truly limited to something else permissions then it depends on how you wrote the task but here are some basics:

1) Is the Windows Task Schedule not only authored by you but set to run using your account as well (Security Options on General Tab)

2) Execution permission on the .py you are using as well as python.exe (for whatever account is in Security Options)

3) You mention SDE, so does your .py have login credentials embedded in it that have access to execute objects in the DBO/SDE schema (SQL Server try starting here http://desktop.arcgis.com/en/arcmap/10.3/manage-data/gdbs-in-sql-server/comparison-geodatabase-owner... for Oracle you could try looking here http://desktop.arcgis.com/en/arcmap/10.3/manage-data/gdbs-in-oracle/privileges-oracle.htm) and any other read/write/execute permissions on any other schemas you might be doing work on, using a stored procedure from, etc. If that's not embedded into the script and it's pulling your IWA credentials then your script isn't running because without you logged in under your account at the time the script is running there are no credentials for it to pull from.

0 Kudos
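An added example, not part of any post in this thread: a minimal Python wrapper for the situation described above, where Task Scheduler reports completion but the failure happens inside the script. It writes the executing account, working directory and any traceback to a log file and returns a non-zero exit code on failure; `run_logged`, `sde_maintenance` and the log file name are hypothetical names, and the failing job is constructed for illustration.

```python
import getpass
import logging
import os
import sys
import traceback


def run_logged(job, log_path):
    """Run job(), log the run context and any traceback, return an exit code."""
    logger = logging.getLogger("scheduled_job")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = logging.FileHandler(log_path, encoding="utf-8")
    handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
    logger.addHandler(handler)
    try:
        try:
            account = getpass.getuser()
        except Exception:
            account = "unknown"
        # Context that can differ between an interactive run (IDLE) and a
        # scheduled run under another account with the user logged off.
        logger.info("account=%s cwd=%s python=%s",
                    account, os.getcwd(), sys.executable)
        job()
        logger.info("job finished")
        return 0
    except Exception:
        # Keep the full traceback; the scheduler's history will not show it.
        logger.error("job failed\n%s", traceback.format_exc())
        return 1
    finally:
        logger.removeHandler(handler)
        handler.close()


def sde_maintenance():
    # Placeholder (assumption): the real maintenance calls would go here.
    raise RuntimeError("constructed failure: database connection refused")


if __name__ == "__main__":
    # Assumption: the account running the task has NTFS write access to
    # the folder that holds the script.
    here = os.path.dirname(os.path.abspath(__file__))
    sys.exit(run_logged(sde_maintenance, os.path.join(here, "sde_maintenance.log")))
```

The `account=` line in the log shows which identity the task actually ran under, which is the value to compare against the Security Options setting of the task.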
Lake_Worth_BeachAdmin
Regular Contributor

Well my Db is authenticated by Windows user credentials so when I set it to the task scheduler it prompts me for my credentials. 

I am using this: Using Python scripting to batch reconcile and post versions—ArcGIS Help | ArcGIS for Desktop 

But when my Network Admin granted me admin rights it works fine so it's not the script I do not think. I run the script fine manually when I log in it works fine. I am just missing some sort of permission I think the service account may be a good idea to create and grant it full rights and just only have my network admin know its credentials. 

0 Kudos
ScottFierro2
Regular Contributor

When you say it works when you run it manually are you meaning it works when you run it manually from Windows Task Scheduler? Or it works when you run it manually as a standalone Python tool?

So you have the python script established to run in Windows Task Scheduler and the Security Options shows to run using your Windows login?

If that is the case then it would seem the issue is 1 of two things:

1) Check the account used to author the Task and confirm if it's in the Admin group https://technet.microsoft.com/en-us/library/cc722152(v=ws.11).aspx

2) Assuming all things are correct and meet the outlines of that Microsoft page then your individual account lacks sufficient execute permissions for something. Given that you are leveraging the SMTP call a first guess is checking with your AD/Outlook people and confirm your account has permissions to make the SMTP call. That might explain why when you are made Network Admin it works but once removed it doesn't.

0 Kudos
Lake_Worth_BeachAdmin
Regular Contributor

I am sorry for not clarifying this earlier.

1. What I meant when I said I run it 'manually' is I load the script into IDLE and execute it. It works fine and everything is executed as expected. 

My Windows account is not 'admin' because IT does not want me to have all those privileges. So instead they are looking for the specific privileges to grant me rather than just give me admin rights. 

Also, I removed the SMTP partition of the script. I did not want to include that I have another protocol standalone from this script for alerting users. 

0 Kudos
ScottFierro2
Regular Contributor

Got ya, ok so now that we are narrowing this down let's try to eliminate/confirm a few more things.

If you have removed the SMTP calls then this script is literally just connecting "A user" to the SDE "as admin" and performing some administrative functions.

So what database are you using for your SDE (Oracle, SQL, Postgre)?

Is your account (sounds like you use AD?) an admin within the database?

Hoping we can avoid the dive into ESRI database security model that is outdated but depending on how you have things configured we can still get this resolved just will come down to if it's done using your account or service account.

0 Kudos
Lake_Worth_BeachAdmin
Regular Contributor

We are using SQL, and yes I am Admin in the DB/SDE. (Windows user authentication protocol within the DB). And when I use the task scheduler for 'run this task' even if user is logged off it asks me for the username/pass to use which is an admin in the DB. 

I sent my IT network admin an email yesterday regarding creating a separate service account with admin rights which will only be used for this purpose (and perhaps more tasks in the future) and have not gotten a reply yet (yep.... IT ugh). 

It seems like this would be ideal rather than dive into all these security protocols. Just bugs me that when I run it in IDLE it works but not in task scheduler even though it says the task was completed. 

0 Kudos
ScottFierro2
Regular Contributor

OK, so then it sounds like it shouldn't be a permissions issue at the DB side and the account you are using is able to execute the admin commands that are necessary. So for permissions that's really all there is other than having the local permissions to be able to execute the .py from whatever system it is run off of (local or server).

Now I am wondering if you possibly missed 1 of the most common pieces of using a direct Python call into Windows Task Scheduler. Where you have added this into Windows Task Scheduler can you send me a screen shot of what the "Edit Action" Window has in it?

Launch Task -> Actions tab -> Edit button -> Edit Action Window

Should have a drop down that lists the Action to be performed, a box for the Program/Script that you can Browse to, a box to Add Arguments and a box to set the Start in.

0 Kudos
Lake_Worth_BeachAdmin
Regular Contributor

I have tried also just putting the python script path in the field program/script without starting the python terminal first and it was the same results. 

0 Kudos
ScottFierro2
Regular Contributor

OK, that looks like the correct configuration and appears as though you have the double quotes correct around the argument line. As I said we do this all via batch files now so been a little bit but try this. Ensure you have double quotes at both the begin and end of each line (program & argument). Give that a shot and see what happens but I think that will solve your run issues as I am almost certain that is the correct format. If it doesn't then there is something else still missing.