January 18, 2016 at 1:32 pm

Greetings,
I have a bit of code that collects event logs from domain controllers:

Invoke-Command -ComputerName (Get-ADDomainController -filter * | select -ExpandProperty name) -ScriptBlock {

xcopy 'E:\Maintenance\*.evt' "\\XXXXXXXXX\SecurityLogs$\$env:computername" /y /z
del 'E:\Maintenance\*.evt'

}

When I RDP to the server that has this script and run it manually as a domain administrator, it works fine. On that same server I have created a scheduled task to run this script as a domain administrator account and it fails, presumably with access denied. The scheduled task has the "run with highest privileges" checkbox ticked. Why would running it manually work but not via a scheduled task, please?
Thanks
David Z

January 20, 2016 at 7:15 pm

What does your scheduled task look like? Are you trying to call powershell.exe and then run the .ps1 file?

I have seen it work setting execution policy to bypass when running the script

January 21, 2016 at 2:15 pm

Thanks for that. Yes, I am using powershell.exe. I added 'bypass' as you suggested and it worked – sort of. The script ran three times overnight and twice the 'copies' worked and once it didn't. Very strange – but as long as it works sometimes that will do.

Cheers
David Z

January 26, 2016 at 1:27 pm

Now it's not working at all. This is really weird. I'm trying to run this:

Invoke-Command -ComputerName (Get-ADDomainController -filter * | select -ExpandProperty name) -ScriptBlock {

$logfile = Get-WmiObject -Class win32_NTEventlogFile  -Filter "logFileName='Security'" 
$dt = get-date -format "yyyyMMdd-HHmmss"
$savelog = "E:\Maintenance\$env:computername-Security-$dt.evt"
$logfile.ClearEventlog($savelog)
move-item 'E:\Maintenance\*.evt' "\\xxxxx\SecurityLogs$\$env:computername" -force
}

and it's failing on the move-item with:
"The system detected a possible attempt to compromise security."

January 26, 2016 at 2:48 pm

I thought this might be a CredSSP thing but it has worked outside of a scheduled task so that can't be it.
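
The CredSSP question in the last post concerns the second hop, from the remote session on each domain controller to the file share. The following is an added example, not code from anyone in the thread, that takes that hop out of the design: each domain controller only archives its log locally, and the server running the task pulls the file and deletes the source only after the central copy hashes identically. It assumes the E$ administrative share is reachable from that server and PowerShell 4 or later (for Get-FileHash); `$CentralShare` and `$LogFile` are placeholders.

```powershell
# Added example. $CentralShare stands in for the redacted \\...\SecurityLogs$ path
# and $LogFile is a hypothetical name; neither comes from the thread.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'
$CentralShare = '\\CENTRAL-SERVER\SecurityLogs$'
$LogFile      = Join-Path $PSScriptRoot 'Collect-SecurityLogs.log'

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name

foreach ($dc in $dcs) {
    try {
        # Hop 1 only: archive and clear the Security log to a local folder on the DC.
        $archive = Invoke-Command -ComputerName $dc -ScriptBlock {
            $log  = Get-WmiObject -Class Win32_NTEventlogFile -Filter "LogFileName='Security'"
            $dt   = Get-Date -Format 'yyyyMMdd-HHmmss'
            $path = "E:\Maintenance\$env:COMPUTERNAME-Security-$dt.evt"
            $rc   = $log.ClearEventlog($path).ReturnValue
            if ($rc -ne 0) { throw "ClearEventlog returned $rc" }
            $path   # hand the archive path back to the caller
        }

        # The calling server fetches the file itself, so the DC session never
        # has to authenticate to a third machine.
        $leaf    = Split-Path $archive -Leaf
        $source  = Join-Path ('\\{0}\E$\Maintenance' -f $dc) $leaf
        $destDir = Join-Path $CentralShare $dc
        if (-not (Test-Path $destDir)) {
            New-Item -ItemType Directory -Path $destDir | Out-Null
        }
        Copy-Item -Path $source -Destination $destDir -Force
        $dest = Join-Path $destDir $leaf

        # Remove the DC copy only once the central copy is verified.
        if ((Get-FileHash $source).Hash -eq (Get-FileHash $dest).Hash) {
            Remove-Item -Path $source
            Add-Content -Path $LogFile -Value "$(Get-Date -Format s) $dc OK $leaf"
        } else {
            Add-Content -Path $LogFile -Value "$(Get-Date -Format s) $dc HASH MISMATCH, kept $source"
        }
    }
    catch {
        # A scheduled task has no console, so record the failure in a file.
        Add-Content -Path $LogFile -Value "$(Get-Date -Format s) $dc FAILED $($_.Exception.Message)"
    }
}
```

The log file gives the scheduled task a record of which domain controller failed and with what error, which the console output of an unattended run does not.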