Running scheduled task as system doesn't output right information

  • #77826
    Jon

    The only thing I have changed in this script is where the output file goes to; everything else is the same. When I run the script in ISE I get a weird error about Get-WinEvent not working; however, when I run it from the shell or as a scheduled task that works fine.

    When I run the script from the shell the file outputs with the UPN, IP, Time. When I run it as a scheduled task, the file outputs with UPN, IP but no time. I have the scheduled task running as system, and running with highest privileges. If I run the scheduled task as my domain admin account (obviously a no-no, but this was for testing purposes) it outputs with time. Any ideas on how to get it to run as system and get time? Or do I need to create a service account to do this? (My least favorable option, as my security team is going to be a pain in the ass about it.)

    PARAM ($PastDays = 1, $PastHours)
    #************************************************
    # ADFSBadCredsSearch.ps1
    # Version 1.0
    # Date: 6-20-2016
    # Author: Tim Springston [MSFT]
    # Description: This script will parse the ADFS server's (not proxy) security ADFS
    #  for events which indicate an incorrectly entered username or password. The script can specify a
    #  past period to search the log for and it defaults to the past 24 hours. Results will be placed into a CSV for 
    #  review of UPN, IP address of submitter, and timestamp.
    #************************************************
    $dToday = Get-Date -format "MM-dd-yyyy"
    cls
    if ($PastHours -gt 0)
    	{$PastPeriod = (Get-Date).AddHours(-($PastHours))}
    	else
    		{$PastPeriod = (Get-Date).AddDays(-($PastDays))	}
    $Outputfile = $Pwd.path + "\BadCredAttempts.csv"
    $CS = get-wmiobject -class win32_computersystem
    $Hostname = $CS.Name + '.' + $CS.Domain
    $Instances = @{}
    $OSVersion = gwmi win32_operatingsystem
    [int]$BN = $OSVersion.Buildnumber 
    if ($BN -lt 9200){$ADFSLogName = "AD FS 2.0/Admin"}
    	else {$ADFSLogName = "AD FS/Admin"}
    
    $Users = @()
    $IPAddresses = @()
    $Times = @()
    $AllInstances = @()
    Write-Host "Searching event log for bad credential events..."
    if ($BN -ge 9200) {Get-Winevent  -FilterHashTable @{LogName= "Security"; StartTime=$PastPeriod; ID=411} -ErrorAction SilentlyContinue | Where-Object  {$_.Message -match "The user name or password is incorrect"} |  % {
    	$Instance = New-Object PSObject
    	$UPN = $_.Properties[2].Value
    	$UPN = $UPN.Split("-")[0]
    	$IPAddress = $_.Properties[4].Value
    	$Users += $UPN
    	$IPAddresses += $IPAddress
    	$Times += $_.TimeCreated
    	add-member -inputobject $Instance -membertype noteproperty -name "UserPrincipalName" -value $UPN
    	add-member -inputobject $Instance -membertype noteproperty -name "IP Address" -value $IPAddress
    	add-member -inputobject $Instance -membertype noteproperty -name "Time" -value ($_.TimeCreated).ToString()
    	$AllInstances += $Instance
    	$Instance = $null
    	}
    }
    
    
    $AllInstances | select * | Out-File $("\\fileserver\" + $dtoday + "_" + "adfslogs.csv")
    Write-Host "Data collection finished. The output file can be found at $outputfile`."
    $AllInstances = $null
    
  • #78178

    Keymaster

    I'm guessing the account can't read that field. Seems a bit odd, though. Do you have that problem – just for testing – with any of the other date time fields in the event record?
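
An added diagnostic for the check suggested in the reply above (example code, not from the thread and not part of the original ADFSBadCredsSearch.ps1): it records the account the script runs under, the `TimeCreated` property and the same timestamp read from the raw event XML, and writes them with `Export-Csv` so that every property is written as its own column. The `$OutDir` path and the column names are assumptions.

```powershell
# Added diagnostic, not part of the original script. Run it once interactively
# and once from the SYSTEM scheduled task, then compare the two CSV files.
param(
    [int]$PastDays = 1,
    # Assumption: a local folder that the SYSTEM account can write to.
    [string]$OutDir = "$env:ProgramData\AdfsBadCredDiag"
)

# Record which security context this run actually used.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent().Name
$start    = (Get-Date).AddDays(-$PastDays)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Same filter as the posted script: event 411 in the Security log.
$filter = @{ LogName = 'Security'; Id = 411; StartTime = $start }

$rows = @(
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'The user name or password is incorrect' } |
        ForEach-Object {
            # The timestamp as stored in the event XML, independent of the
            # TimeCreated property on the .NET event object.
            $xmlTime = ([xml]$_.ToXml()).Event.System.TimeCreated.SystemTime

            [pscustomobject]@{
                RunAs             = $identity
                RecordId          = $_.RecordId
                UserPrincipalName = ([string]$_.Properties[2].Value).Split('-')[0]
                IPAddress         = $_.Properties[4].Value
                TimeCreatedIsNull = ($null -eq $_.TimeCreated)
                TimeCreated       = if ($_.TimeCreated) { $_.TimeCreated.ToString('o') } else { '' }
                XmlSystemTime     = $xmlTime
            }
        }
)

# One file per account and run, so the interactive and SYSTEM results sit side by side.
$safeName = $identity -replace '[\\/:*?"<>| ]', '_'
$file     = Join-Path $OutDir ("diag_{0}_{1:yyyyMMdd_HHmmss}.csv" -f $safeName, (Get-Date))

# Export-Csv writes each property as a column; Out-File writes the formatted display text.
$rows | Export-Csv -Path $file -NoTypeInformation -Encoding UTF8
"{0} event(s) written to {1} as {2}" -f $rows.Count, $file, $identity
```

If `TimeCreated` and `XmlSystemTime` are both populated in the SYSTEM run, the account can read the field and the difference lies in how the original script writes its output file.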
