NT Gatekeeper: Providing Access to the NT Schedule Service
Take sensible precautions when you provide NT Schedule service access to nonadministrators.
October 28, 2001
My user account is a member of the Server Operators group on my department's domain controllers (DCs). I'd like to use Windows NT's At command to schedule a housekeeping batch file. But when I run At with the appropriate switches to schedule the batch file, I receive an Access denied error. Why am I receiving this error, and what can I do about it?
By default, only members of the Administrators group can use the NT Schedule service (i.e., the At command or the GUI utility Winat, which ships with the Microsoft Windows NT Server 4.0 Resource Kit) to schedule jobs. (This limitation complies with NT C2 security guidelines.) If certain members of the Server Operators group require scheduling authority on a regular basis, I recommend that you add their accounts to the Administrators group.
You can apply a registry edit to let nonadministrators use the Schedule service, although you should do so with extreme caution: malicious members of the Server Operators group can take advantage of the registry change to escalate their authority. To use this method, open a registry editor on a DC, go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa subkey, and add a value named SubmitControl (of type REG_DWORD) with the hexadecimal value 00000001. This registry tweak will permit members of the Server Operators group to use the Schedule service on DCs only. (For more information about this method, see the Microsoft article "Allowing Non-Administrators to Use the AT Command" at http://support.microsoft.com/directory/article.asp?id=kb;en-us;q124859.)
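Because this value widens who can schedule jobs on a DC, it is worth auditing where it has been set. The following PowerShell function is an added example, not part of the original column or the Microsoft article: it reads SubmitControl from the Lsa subkey on each named computer through the remote registry. The function name Get-SubmitControlState and the computer names in the usage comment are hypothetical, and the Remote Registry service is assumed to be reachable with the caller's credentials.

```powershell
# Added example: report whether SubmitControl is set on each listed DC.
# Function name and sample computer names are hypothetical.
function Get-SubmitControlState {
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )
    foreach ($computer in $ComputerName) {
        $result = [pscustomobject]@{
            ComputerName  = $computer
            SubmitControl = $null
            Finding       = $null
        }
        $hive = $null
        $key  = $null
        try {
            # Open HKEY_LOCAL_MACHINE on the remote machine (read-only use).
            $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $key = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
            if ($null -eq $key) { throw 'Lsa subkey not found' }

            # GetValue returns the supplied default ($null) when the value is absent.
            $value = $key.GetValue('SubmitControl', $null)
            if ($null -eq $value) {
                $result.Finding = 'Not set: only Administrators can schedule jobs'
            } else {
                $result.SubmitControl = $value
                $result.Finding = if ($value -eq 1) {
                    'Set to 1: Server Operators can schedule jobs'
                } else {
                    'Present with a value other than 1: review manually'
                }
            }
        } catch {
            # Unreachable host, access denied, or missing key.
            $result.Finding = "Could not read registry: $($_.Exception.Message)"
        } finally {
            if ($key)  { $key.Close() }
            if ($hive) { $hive.Close() }
        }
        $result
    }
}

# Usage (hypothetical DC names):
# Get-SubmitControlState -ComputerName 'DC01', 'DC02' | Format-Table -AutoSize
```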