Scheduled task - EXCEL Access is denied. (0x80070005 (E_ACCESSDENIED))

Hi,

Some time ago, I made a ps1 script that leverages Excel COM libraries and Excel process operations in 2 major ways (details below).

I configured a scheduled task to execute this script non-interactively as a standard user in a Windows Server 2022 environment.

Long story short, everything was working fine until the domain account this script was running under got deleted, and as you may imagine the provisioning process for a new account can take some time.

In order to circumvent this and also prevent this kind of issue from reappearing in the future, I would like to run it as a local standard account with no more privilege than required for security reasons.

It appears this is a tiny bit more complex than what I've imagined.

Below is the stack trace for each operation.

1/ Stopping all Excel processes

Stop-Process: C:\XXX\XXX\XXX.ps1:28
Line |
  28 |  get-process *excel* | stop-process -force
     |                        ~~~~~~~~~~~~~~~~~~~
     | Cannot stop process "EXCEL (2632)" because of the following error: Access is denied.

2/ Creating an instance of Excel.Application COM class object

PS>TerminatingError(New-Object): "Retrieving the COM class factory for component with CLSID {00024500-0000-0000-C000-000000000046} failed due to the following error: 80070005 Access is denied. (0x80070005 (E_ACCESSDENIED))."
New-Object: C:\XXX\XXX\XXX.ps1:29
Line |
  29 |  $excel_input = New-Object -ComObject Excel.Application

As you can see, both operations are blocked by permission issues, despite my having taken all the steps below to address it:

1/ Assigned all DCOM permissions to the local account for Excel Application

2/ Added local account to local Distributed COM Users group

3/ Set registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{00020812-0000-0000-C000-000000000046} to run as "Interactive User"

4/ Assigned full control over the root script folder to the local account

5/ Assigned full control over Excel.exe to the local account

When adding this local account to the local Administrators group, the errors disappear, but this is obviously not a solution, just a sanity check.

Which leads to my final question: What are the minimally required permissions to run Excel operations as a scheduled task?

Any suggestion would be greatly appreciated,

Thank you,

1 Reply
Try granting "Log on as a batch job" rights to your new account in Group Policy. You can find this setting under the path below.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

If your system is domain joined and domain policies do not allow making this change locally, as an alternate solution, try adding the new account to the "Backup Operators" group locally.
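
To confirm whether the task account holds the "Log on as a batch job" right (SeBatchLogonRight) suggested in the reply, and whether it comes from a direct assignment or from a group such as Backup Operators, the following added example (not code from the thread) exports the effective local user-rights policy with secedit and matches it against the account and its local groups. The account name svc_excel is a hypothetical placeholder, and well-known identities such as Everyone are not expanded.

```powershell
# Added example, not from the thread. Run elevated on the server hosting the task.
# 'svc_excel' is a hypothetical name for the local account the task runs as.
param([string]$AccountName = 'svc_excel')

function ConvertTo-SidString([string]$Entry) {
    # secedit writes "*S-1-5-..." for SIDs and a bare name when it stored a name.
    if ($Entry.StartsWith('*')) { return $Entry.Substring(1) }
    try {
        ([System.Security.Principal.NTAccount]$Entry).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $Entry }   # unresolvable name: keep it as written
}

function Get-UserRightHolder([string]$Right, [string]$InfPath) {
    $line = Select-String -Path $InfPath -Pattern "^$Right\s*=" | Select-Object -First 1
    if (-not $line) { return @() }   # right is assigned to nobody
    ($line.Line -split '=', 2)[1].Split(',') | ForEach-Object { ConvertTo-SidString $_.Trim() }
}

# SIDs that count for this account: its own plus every local group it is a member of.
$user = Get-LocalUser -Name $AccountName -ErrorAction Stop
$sids = @{}
$sids[$user.SID.Value] = $user.Name
foreach ($g in Get-LocalGroup) {
    if (Get-LocalGroupMember -Group $g -Member $AccountName -ErrorAction SilentlyContinue) {
        $sids[$g.SID.Value] = $g.Name
    }
}

$inf = Join-Path $env:TEMP ("user_rights_{0}.inf" -f [guid]::NewGuid())
try {
    secedit.exe /export /areas USER_RIGHTS /cfg $inf | Out-Null
    # A match on SeDenyBatchLogonRight overrides any grant of SeBatchLogonRight.
    foreach ($right in 'SeBatchLogonRight', 'SeDenyBatchLogonRight') {
        $via = Get-UserRightHolder $right $inf | Where-Object { $sids.ContainsKey($_) } |
            ForEach-Object { $sids[$_] }
        [pscustomobject]@{
            Right      = $right
            Held       = [bool]$via
            GrantedVia = ($via -join ', ')
        }
    }
} finally {
    Remove-Item $inf -ErrorAction SilentlyContinue
}
```

For the least-privilege goal in the question, the useful result is `SeBatchLogonRight` held with `GrantedVia` showing only the account itself, and `SeDenyBatchLogonRight` not held.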