I have a small script on my Domain Controller that is setup to email me via SMTP about the latest Security Event 4740.
The script, when executed manually, will run as intended; however, when setup to run via Scheduled Tasks, and although it shows to have been executed, nothing happens (no email).
The script is as follows:
If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
{
$arguments = "& '" + $myinvocation.mycommand.definition + "'"
Start-Process powershell -Verb runAs -ArgumentList $arguments
Break
}
$Event = Get-EventLog -LogName Security -InstanceId 4740 -Newest 5
$MailBody= $Event.Message + "`r`n`t" + $Event.TimeGenerated
$MailSubject= "Security Event 4740 - Detected"
$SmtpClient = New-Object system.net.mail.smtpClient
$SmtpClient.host = "smtp.domain.com"
$MailMessage = New-Object system.net.mail.mailmessage
$MailMessage.from = "[email protected]"
$MailMessage.To.add("toemail.domain.com")
$MailMessage.IsBodyHtml = 1
$MailMessage.Subject = $MailSubject
$MailMessage.Body = $MailBody
$SmtpClient.Send($MailMessage)
Scheduled Task is setup as follows:
RunsAs:LOCAL SYSTEM
Trigger: On event - Log: Security, Event ID: 4740
Action: Start Program - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Argument: -executionpolicy bypass c:\path\event4740.ps1
I have also tried the following:
Trigger: On event - Log: Security, Event ID: 4740
Action: Start Program - C:\path\event4740.ps1
According to the Tasks History: Task Started, Action Started, Created Task Process, Action Completed, Task Completed. I have looked through some various links on the site with the same 'issue' but they all seem to have some sort of variable that I do not have. I have also tried some of the mentioned solutions thinking they may be somewhat related, but alas nothing is working. I have even tried removing my Scheduled Task and resetting it as mentioned here: http://blogs.technet.com/b/heyscriptingguy/archive/2012/08/11/weekend-scripter-use-the-windows-task-scheduler-to-run-a-windows-powershell-script.aspx
Has anyone run into this type of error before or know how to bypass this issue?
Troubleshooting:
I decided to try an call a .bat file via a scheduled task. I created a simple file that would echo the current date/time to a monitored folder. Running the file manually and via a task triggered by the 4740 Event achieved desired results. Changing the .bat file to instead call the .ps1 file worked manually. When triggered by the 4740 Event, now the .bat will no longer run.
1 Picture > 1 Kiloword
. There are many other options in the Task Scheduler other than the runas account that can cause such problems, that you didn't list. The typo is absolutely relevant, because localsystem and localservice are polar opposites in terms of rights. Also, your workaround, a permanent locked session on a domain server, certainly sounds like the wrong and unsafe way to solve this problem. – Amit Naidu