36
votes

I have a small script on my Domain Controller that is setup to email me via SMTP about the latest Security Event 4740.

The script, when executed manually, will run as intended; however, when setup to run via Scheduled Tasks, and although it shows to have been executed, nothing happens (no email).

The script is as follows:

If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))

{   
$arguments = "& '" + $myinvocation.mycommand.definition + "'"
Start-Process powershell -Verb runAs -ArgumentList $arguments
Break
}

$Event = Get-EventLog -LogName Security -InstanceId 4740 -Newest 5
$MailBody= $Event.Message + "`r`n`t" + $Event.TimeGenerated

$MailSubject= "Security Event 4740 - Detected"
$SmtpClient = New-Object system.net.mail.smtpClient
$SmtpClient.host = "smtp.domain.com"
$MailMessage = New-Object system.net.mail.mailmessage
$MailMessage.from = "[email protected]"
$MailMessage.To.add("toemail.domain.com")
$MailMessage.IsBodyHtml = 1
$MailMessage.Subject = $MailSubject
$MailMessage.Body = $MailBody
$SmtpClient.Send($MailMessage)

Scheduled Task is setup as follows:

RunsAs:LOCAL SYSTEM

Trigger: On event - Log: Security, Event ID: 4740

Action:  Start Program - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

  Argument:  -executionpolicy bypass c:\path\event4740.ps1

I have also tried the following:

Trigger: On event - Log: Security, Event ID: 4740

Action:  Start Program - C:\path\event4740.ps1

According to the Tasks History: Task Started, Action Started, Created Task Process, Action Completed, Task Completed. I have looked through some various links on the site with the same 'issue' but they all seem to have some sort of variable that I do not have. I have also tried some of the mentioned solutions thinking they may be somewhat related, but alas nothing is working. I have even tried removing my Scheduled Task and resetting it as mentioned here: http://blogs.technet.com/b/heyscriptingguy/archive/2012/08/11/weekend-scripter-use-the-windows-task-scheduler-to-run-a-windows-powershell-script.aspx

Has anyone run into this type of error before or know how to bypass this issue?

Troubleshooting:

I decided to try an call a .bat file via a scheduled task. I created a simple file that would echo the current date/time to a monitored folder. Running the file manually and via a task triggered by the 4740 Event achieved desired results. Changing the .bat file to instead call the .ps1 file worked manually. When triggered by the 4740 Event, now the .bat will no longer run.

20
Thanks for the heads up @Amit, even though the question was solved without criticism or relevance of a typographical error.ThinkSpace
I understand. I mention that here only because I intend to use this question as an illustration/reference in the future when I will be inevitably explaining to someone that 1 Picture > 1 Kiloword. There are many other options in the Task Scheduler other than the runas account that can cause such problems, that you didn't list. The typo is absolutely relevant, because localsystem and localservice are polar opposites in terms of rights. Also, your workaround, a permanent locked session on a domain server, certainly sounds like the wrong and unsafe way to solve this problem.Amit Naidu
I was able to get the script to run in task manager with the same issues by fully qualifying the powershell.exe. "C:\...\...\powershell.exe" as the program/script.Andrew Grinder

20 Answers

43
votes

Change your Action to:

powershell -noprofile -executionpolicy bypass -file C:\path\event4740.ps1

On a Windows 2008 server R2: In Task Scheduler under the General Tab - Make sure the 'Run As' user is set to an account with the right permissions it takes to execute the script.

Also, I believe you have the "Run only when user is logged on" Option checked off. Change that to "Run whether user is logged on or not". Leave the Do Not Store password option unchecked, and you'll probably need the "Run with Highest Privileges" option marked.

7
votes

Although you may have already found a resolution to your issue, I'm still going to post this note to benefit someone else. I ran into a similar issue. I basically used a different domain account to test and compare. The task ran just fine with "Run whether user is logged on or not" checked.

A couple of things to keep in mind and make sure of:

  1. The account being use to execute task must have "Logon as batch job" rights under the local security policy of the server (or be member of local Admin group). You must specified the account you need to run scripts/bat files.
  2. Make sure you are entering the correct password characters
  3. Tasks in 2008 R2 don't run interactively specially if you run them as "Run whether user is logged on or not". This will likely fail specially if on the script you are looking for any objects\resource specific to a user-profile when the task was created as the powershell session will need that info to start, otherwise it will start and immediately end. As an example for defining $Path when running script as "Run whether user is logged on or not" and I specify a mapped drive. It would look for that drive when the task kicks off, but since the user account validated to run task is not logged in and on the script you are referring back to a source\object that it needs to work against it is not present task will just terminate. mapped drive (\server\share) x:\ vs. Actual UNC path \server\share
  4. Review your steps, script, arguments. Sometimes the smallest piece can make a big difference even if you have done this process many times. I have missed several times a character when entering the password or a semi-colon sometimes when building script or task.

Check this link and hopefully you or someone else can benefit from this info: https://technet.microsoft.com/en-us/library/cc722152.aspx

7
votes

NOTE: Please ensure that you select Create a Basic task Action and NOT the Create Task Action.

I found the following solution:

1) Make powershell.exe run as administrator for this

  1. right-click on the powershell.exe icon
  2. click on properties under the shortcut key menu
  3. click on the advance button; check that "run as administrator" is checked.

2) in the task scheduler window under the action pane add the following script as a new command

%SystemRoot%\syswow64\WindowsPowerShell\v1.0\powershell.exe -NoLogo -NonInteractive -ExecutionPolicy Bypass -noexit -File "C:\ps1\BackUp.ps1"

enter image description here

3
votes

To achieve "Run as Administrator" functionality I implemented the flag:

-ExecutionPolicy Bypass

Which only seems to take effect when executing Powershell files. So I dropped my command into .ps1 file, run it with -ExecutionPolicy Bypass, and now my scheduled task is behaving as expected.

Program: Powershell.exe
Add Arguments: -ExecutionPolicy Bypass -File C:\pscommandFile.ps1
3
votes

Good morning,

I know this is an old thread but I just ran across it while looking for a similar problem - script was running successfully but not doing its work. I can't find the post that helped me but my issue was that I was running the script as the domain admin. When I followed the suggestion of the post and added the domain admin to the local administrator's group it worked. I hope this helps others with the same issue I had.

Joe

2
votes

If you don't have any error messages and don't know what the problem is - why PowerShell scripts don't want to start from a Scheduled Task do the following steps to get the answer:

  1. Run CMD as a user who has been set for Scheduled Task to execute the PowerShell script
  2. Browse to the folder where the PowerShell script is located
  3. Execute the PowerShell script (remove all statements that block the error notifications if any exists inside of the script like $ErrorActionPreference= 'silentlycontinue')

You should be able to see all error notifications.

In case of one of my script it was:

"Unable to find type [System.ServiceProcess.ServiceController]. Make sure that the assembly that contains this type is loaded."

And in this case I have to add additional line at the begining of the script to load the missing assembly:

Add-Type -AssemblyName "System.ServiceProcess"

And next errors:

Exception calling "GetServices" with "1" argument(s): "Cannot open Service Control Manager on computer ''. This operation might require other privileges."

select : The property cannot be processed because the property "Database Name" already exists

1
votes

Found successful workaround that is applicable for my scenario:

Don't log off, just lock the session!

Since this script is running on a Domain Controller, I am logging in to the server via the Remote Desktop console and then log off of the server to terminate my session. When setting up the Task in the Task Scheduler, I was using user accounts and local services that did not have access to run in an offline mode, or logon strictly to run a script.

Thanks to some troubleshooting assistance from Cole, I got to thinking about the RunAs function and decided to try and work around the non-functioning logons.

Starting in the Task Scheduler, I deleted my manually created Tasks. Using the new function in Server 2008 R2, I navigated to a 4740 Security Event in the Event Viewer, and used the right-click > Attach Task to this Event... and followed the prompts, pointing to my script on the Action page. After the Task was created, I locked my session and terminated my Remote Desktop Console connection. WIth the profile 'Locked' and not logged off, everything works like it should.

1
votes

In addition to advices from above I was getting error and found solution on following link http://blog.vanmeeuwen-online.nl/2012/12/error-value-2147942523-on-scheduled.html.

Also this can help:

In task scheduler, click on the scheduled job properties, then settings.

In the last listed option: "if the task is already running, the following rule applies:" Select "stop the existing instance" from the drop down list.

1
votes

I think the answer to this is relevant too:

Why is my Scheduled Task updating its 'Last Run Time' correctly, and giving a 'Last Run Result' of '(0x0)', but still not actually working?

Summary: Windows 2012 Scheduled Tasks do not see the correct environment variables, including PATH, for the account which the task is set to run as. But you can test for this, and if it is happening, and once you understand what is happening, you can work around it.

1
votes

One more idea that worked. It's really silly, but, apparently, the default target OS setting (bottom right corner of the screen) is Vista / Windows Server 2008. As we're past the 10 year mark, it is likely that your Powershell script will not be compatible to these.

Changing the target to Windows Server 2016, as shown on the screenshot below, did the trick for me.

Change the setting on the screenshot

0
votes

I was having almost the same problem as this but slightly different on Server 2012 R2. I have a powershell script in Task Scheduler that copies 3 files from one location to another. If I run the script manually from powershell, it works like a charm. But when run from Task Scheduler, it only copies the first 2 small files, then hang on the 3rd (large file). And I was also getting a result of "The operator or administrator has refused the request". And I have done almost everything in this forum.

Here is the scenario and how I fixed it for me. May not work for others, but just in case it will:

Scenario: 1. Powershell script in Task Scheduler 2. Ran using a domain account which is a local admin on the server 3. Selected 'Run whether user is logged on or not" 4. Run with highest priviledges

Fix: 1. I had to login to the server using the domain account so that it created a local profile in C:\Users. 2. Checked and made user that the user has access to all the drives I referred to on my script

I believe #1 is the main fix for me. I hope this works for others out there.

0
votes

In my case (the same problem) helped to add -NoProfile in task action command arguments and check checkbox "Run with highest privileges", because on my server UAC is on (active).

More info about it enter link description here

0
votes

I have another solution for this problem that might apply to some of you.

After I created my power shell (xyz.ps1) script, I opened it in notepad for subsequent editing. Hence Windows made an association between my xyz.ps1 file with notepad.exe and Scheduler was trying to run my power shell script (xyz.ps1) with notepad.exe in the background instead of executing it in Powershell. I found this problem by paying close attention to "Display all running tasks" section in the scheduler, which showed that notepad.exe was being used to run the xyz.ps1 script. To verify this, I right clicked on my xyz.ps1 file in windows explorer, went to "Properties", and it showed Notepad against the "Opens With" section. Then I changed the "Opens With" to %SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe. This did the trick. Now the scheduler would execute my xyz.ps1 using powershell.exe and gave me the desired results.

To locate your powershell.exe, refer to this article: https://www.powershelladmin.com/wiki/PowerShell_Executables_File_System_Locations

0
votes

I had very similar issue, i was keeping the VSC window with powershell script all the time when running the schedule task manually. Just closed it and it started working as expected.

0
votes

I had the same issue, while running the couple of scripts. When i execute it manually from task scheduler, The script was executing flawlessly. But it was not executing at the scheduled time automatically.

The following resolution worked for me

Find the location of the powershell exe , Right click and go to security options,Add the "Authenticated users" to the group or user names and give full control.

Once this is done wait for the script to executed.

0
votes

If youu are having this problem under WIN 10 this might solve your problem as it did for me. An update messed up the task scheduler.

http://answers.microsoft.com/en-us/windows/forum/windows_10-performance/anniversary-update-version-1607-build14393-breaks/d034ab52-5d49-4b92-976a-a1355b5a6e6d?page=2

This comment solved my problem.

Your tip about "one-time" tasks works great - it will definitely be sufficient as a workaround until MS fixes the issue. The only advantage to "daily" as far as I can see is that lack of the arbitrary date associated with the run time. It might be confusing to others as to why the job is set to start on X date.

Trigger settings "Einmal" means "one-time", "Sofort" means "At once"

0
votes

In my case it was related to a .ps1 referral inside the ps1 script which was not signed (you need to unblock it at the file properties) , also I added as first line:

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force

Then it worked

0
votes

My fix to this problem was to ensure I used the full path for all files names in the ps1 file.

0
votes

I had a similar problem where only half the script would run using task scheduler, but would run fine under the same account running the script manually. The problem was I was referencing my own module. When I added the functions directly to my script file, the task scheduler worked, but when I used the module task scheduler failed. The same coded (module) running under the same account worked fine without task scheduler.

I think this was some type of issue with how windows handles environment variables doing a run as. When I referenced the module via the full path (instead of module name) it worked from task scheduler.

-2
votes

after trying a lot of time...

task scheduler : powershell.exe -noexit & .\your_script.ps1

be sure to put your script in this folder : windows\system32

good luck !