 

Powershell script does not run via Scheduled Tasks

I have a small script on my Domain Controller that is set up to email me via SMTP about the latest Security Event 4740.

The script, when executed manually, will run as intended; however, when set up to run via Scheduled Tasks, and although it shows to have been executed, nothing happens (no email).

The script is as follows:

    # Relaunch elevated if the current session is not running as Administrator
    If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
    {
        $arguments = "& '" + $myinvocation.mycommand.definition + "'"
        Start-Process powershell -Verb runAs -ArgumentList $arguments
        Break
    }

    # Read the five newest Security events with ID 4740 and build the mail body
    $Event = Get-EventLog -LogName Security -InstanceId 4740 -Newest 5
    $MailBody = $Event.Message + "`r`n`t" + $Event.TimeGenerated

    # Send the message through the SMTP relay
    $MailSubject = "Security Event 4740 - Detected"
    $SmtpClient = New-Object system.net.mail.smtpClient
    $SmtpClient.host = "smtp.domain.com"
    $MailMessage = New-Object system.net.mail.mailmessage
    $MailMessage.from = "[email protected]"
    $MailMessage.To.add("toemail.domain.com")
    $MailMessage.IsBodyHtml = 1
    $MailMessage.Subject = $MailSubject
    $MailMessage.Body = $MailBody
    $SmtpClient.Send($MailMessage)

Scheduled Task is set up as follows:

    Runs As:  LOCAL SYSTEM
    Trigger:  On event - Log: Security, Event ID: 4740
    Action:   Start Program - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Argument: -executionpolicy bypass c:\path\event4740.ps1

I have also tried the following:

    Trigger: On event - Log: Security, Event ID: 4740
    Action:  Start Program - C:\path\event4740.ps1

According to the Tasks History: Task Started, Action Started, Created Task Process, Action Completed, Task Completed. I have looked through some various links on the site with the same 'issue' but they all seem to have some sort of variable that I do not have. I have also tried some of the mentioned solutions thinking they may be somewhat related, but alas nothing is working. I have even tried removing my Scheduled Task and resetting it as mentioned here: http://blogs.technet.com/b/heyscriptingguy/archive/2012/08/11/weekend-scripter-use-the-windows-task-scheduler-to-run-a-windows-powershell-script.aspx

Has anyone run into this type of error before or know how to bypass this issue?

Troubleshooting:

I decided to try to call a .bat file via a scheduled task. I created a simple file that would echo the current date/time to a monitored folder. Running the file manually and via a task triggered by the 4740 Event achieved desired results. Changing the .bat file to instead call the .ps1 file worked manually. When triggered by the 4740 Event, now the .bat will no longer run.

asked Aug 15 '13 19:08

ThinkSpace




2 Answers

Change your Action to:

powershell -noprofile -executionpolicy bypass -file C:\path\event4740.ps1

On a Windows 2008 server R2: In Task Scheduler under the General Tab - Make sure the 'Run As' user is set to an account with the right permissions it takes to execute the script.

Also, I believe you have the "Run only when user is logged on" Option checked off. Change that to "Run whether user is logged on or not". Leave the Do Not Store password option unchecked, and you'll probably need the "Run with Highest Privileges" option marked.

answered Sep 19 '22 17:09

Cole9350
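
The action line and General-tab settings from the answer above, written as one task registration run from an elevated PowerShell prompt. This is an added example, not part of the original answer: the task name `Event4740-Mail` is an assumption, the script path is the placeholder from the question, and the final ACL check is an extra step for a task that runs as SYSTEM.

```powershell
# Added example: create the event-triggered task with schtasks.exe.
# Assumptions: the task name is hypothetical; the script path is the question's placeholder.
$taskName   = 'Event4740-Mail'
$scriptPath = 'C:\path\event4740.ps1'
$psExe      = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"

# -File tells powershell.exe the next argument is a script path; -NoProfile skips
# profile scripts that the task account may not have.
# If the script path contains spaces, it needs embedded double quotes here.
$action = "$psExe -NoProfile -ExecutionPolicy Bypass -File $scriptPath"

# Event trigger: fire on Event ID 4740 in the Security channel.
$query = '*[System[(EventID=4740)]]'

$schtasksArgs = @(
    '/Create', '/F',
    '/TN', $taskName,
    '/TR', $action,
    '/SC', 'ONEVENT',
    '/EC', 'Security',
    '/MO', $query,
    '/RU', 'SYSTEM',      # runs whether or not a user is logged on
    '/RL', 'HIGHEST'      # "Run with highest privileges"
)
& schtasks.exe @schtasksArgs
if ($LASTEXITCODE -ne 0) {
    throw "schtasks /Create failed with exit code $LASTEXITCODE"
}

# Show what was actually stored, including the account and the command line.
& schtasks.exe /Query /TN $taskName /V /FO LIST

# The task runs whatever is at $scriptPath as SYSTEM, so list every identity
# that is allowed to write to that file; only administrators should appear.
$writeData = [System.Security.AccessControl.FileSystemRights]::WriteData
(Get-Acl -LiteralPath $scriptPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $writeData) } |
    Select-Object IdentityReference, FileSystemRights
```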


Although you may have already found a resolution to your issue, I'm still going to post this note to benefit someone else. I ran into a similar issue. I basically used a different domain account to test and compare. The task ran just fine with "Run whether user is logged on or not" checked.

A couple of things to keep in mind and make sure of:

  1. The account being used to execute the task must have "Logon as batch job" rights under the local security policy of the server (or be a member of the local Admin group). You must specify the account you need to run scripts/bat files.
  2. Make sure you are entering the correct password characters.
  3. Tasks in 2008 R2 don't run interactively, especially if you run them as "Run whether user is logged on or not". This will likely fail, especially if the script looks for any objects\resources specific to a user profile when the task was created, as the PowerShell session will need that info to start; otherwise it will start and immediately end. As an example, take defining $Path when running the script as "Run whether user is logged on or not" with a mapped drive specified. It would look for that drive when the task kicks off, but since the user account validated to run the task is not logged in, the source\object the script refers back to and needs to work against is not present, and the task will just terminate. Mapped drive x:\ (\\server\share) vs. actual UNC path \\server\share
  4. Review your steps, script, arguments. Sometimes the smallest piece can make a big difference even if you have done this process many times. I have missed several times a character when entering the password or a semi-colon sometimes when building script or task.

Check this link and hopefully you or someone else can benefit from this info: https://technet.microsoft.com/en-us/library/cc722152.aspx

answered Sep 16 '22 17:09

Prognox
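
A way to make the "starts and immediately ends" case from point 3 visible: the script records which account it runs as, which drives that session can see, and why it stopped. This is an added example, not code from the original post; `$LogFile`, `$SourcePath` and the mail addresses are hypothetical placeholders, and the SMTP host is the one from the question.

```powershell
# Added example: log each non-interactive run so a silent failure leaves a trace.
# Assumptions: $LogFile, $SourcePath and the addresses below are placeholders.
$LogFile    = 'C:\path\event4740-task.log'
$SourcePath = '\\server\share'            # UNC path, not a mapped letter such as x:\
$MailFrom   = 'alerts@example.invalid'    # constructed placeholder
$MailTo     = 'admin@example.invalid'     # constructed placeholder

function Write-TaskLog {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -LiteralPath $LogFile -Value $line
}

try {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    Write-TaskLog "Start: user=$($id.Name) interactive=$([Environment]::UserInteractive)"

    # Drive letters mapped in a desktop session do not exist in the task's session.
    $drives = (Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Name }) -join ','
    Write-TaskLog "FileSystem drives visible: $drives"

    if (-not (Test-Path -LiteralPath $SourcePath)) {
        throw "Cannot reach $SourcePath as $($id.Name)"
    }

    # -ErrorAction Stop turns a non-terminating error into an exception that gets logged.
    $events = @(Get-EventLog -LogName Security -InstanceId 4740 -Newest 5 -ErrorAction Stop)
    Write-TaskLog "Read $($events.Count) event(s) with InstanceId 4740"

    $body = ($events | ForEach-Object { "$($_.TimeGenerated)`r`n$($_.Message)" }) -join "`r`n`r`n"
    $mail = New-Object System.Net.Mail.MailMessage($MailFrom, $MailTo, 'Security Event 4740 - Detected', $body)
    $smtp = New-Object System.Net.Mail.SmtpClient('smtp.domain.com')
    $smtp.Send($mail)

    Write-TaskLog 'Mail sent'
    exit 0
}
catch {
    Write-TaskLog "FAILED: $($_.Exception.Message)"
    exit 1    # a non-zero exit code appears as the task's Last Run Result
}
```

The log file location must be writable by the account the task runs as; if nothing is written at all, the task never reached the script and the action line is the place to look.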