Running scheduled task as system doesn't output right information

This topic contains 1 reply, has 2 voices, and was last updated by Don Jones 3 months, 3 weeks ago.

  • #77826

    Jon
    Participant

    The only thing I have changed in this script is where the output file goes to; everything else is the same. When I run the script in ISE I get a weird error about get-winevent not working; however, when I run it from the shell or as a scheduled task it works fine.

    When I run the script from the shell the file outputs with the UPN, IP, Time. When I run it as a scheduled task, the file outputs with UPN, IP but no time. I have the scheduled task running as system, and running with highest privileges. If I run the scheduled task as my domain admin account (obviously a no-no, but this was for testing purposes) it outputs with time. Any ideas on how to get it to run as system and get time? Or do I need to create a service account to do this? (My least favorable option, as my security team is going to be a pain in the ass about it.)

    PARAM ($PastDays = 1, $PastHours)
    #************************************************
    # ADFSBadCredsSearch.ps1
    # Version 1.0
    # Date: 6-20-2016
    # Author: Tim Springston [MSFT]
    # Description: This script will parse the ADFS server's (not proxy) Security log
    #  for events which indicate an incorrectly entered username or password. The script can specify a
    #  past period to search the log for and it defaults to the past 24 hours. Results will be placed into a CSV for
    #  review of UPN, IP address of submitter, and timestamp.
    #************************************************
    $dToday = Get-Date -Format "MM-dd-yyyy"
    Clear-Host
    # Search window: hours take precedence over days when given
    if ($PastHours -gt 0) {
        $PastPeriod = (Get-Date).AddHours(-$PastHours)
    }
    else {
        $PastPeriod = (Get-Date).AddDays(-$PastDays)
    }
    # Output goes to the file share (the only change made to the original script)
    $Outputfile = "\\fileserver\" + $dToday + "_adfslogs.csv"
    $CS = Get-WmiObject -Class Win32_ComputerSystem
    $Hostname = $CS.Name + '.' + $CS.Domain
    $Instances = @{}
    $OSVersion = Get-WmiObject Win32_OperatingSystem
    [int]$BN = $OSVersion.BuildNumber
    # Build 9200 (Server 2012) and later use the "AD FS/Admin" log name
    if ($BN -lt 9200) { $ADFSLogName = "AD FS 2.0/Admin" }
    else { $ADFSLogName = "AD FS/Admin" }

    $Users = @()
    $IPAddresses = @()
    $Times = @()
    $AllInstances = @()
    Write-Host "Searching event log for bad credential events..."
    if ($BN -ge 9200) {
        Get-WinEvent -FilterHashtable @{LogName = "Security"; StartTime = $PastPeriod; ID = 411} -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match "The user name or password is incorrect" } |
            ForEach-Object {
                $Instance = New-Object PSObject
                # Property 2 carries the UPN (with a trailing "-..." suffix), property 4 the client IP
                $UPN = $_.Properties[2].Value
                $UPN = $UPN.Split("-")[0]
                $IPAddress = $_.Properties[4].Value
                $Users += $UPN
                $IPAddresses += $IPAddress
                $Times += $_.TimeCreated
                Add-Member -InputObject $Instance -MemberType NoteProperty -Name "UserPrincipalName" -Value $UPN
                Add-Member -InputObject $Instance -MemberType NoteProperty -Name "IP Address" -Value $IPAddress
                Add-Member -InputObject $Instance -MemberType NoteProperty -Name "Time" -Value ($_.TimeCreated).ToString()
                $AllInstances += $Instance
                $Instance = $null
            }
    }

    $AllInstances | Select-Object * | Out-File $Outputfile
    Write-Host "Data collection finished. The output file can be found at $Outputfile`."
    $AllInstances = $null
    
  • #78178

    Don Jones
    Keymaster

    I'm guessing the account can't read that field. Seems a bit odd, though. Do you have that problem – just for testing – with any of the other date time fields in the event record?
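As an added example (not code from the thread or from the original ADFSBadCredsSearch.ps1), the collection loop rewritten so the timestamp is formatted in UTC with the invariant culture, a null TimeCreated is made visible rather than leaving the column blank, and the identity and culture the task actually ran under are recorded alongside the data, which gives the SYSTEM-versus-domain-account comparison Don asks about something concrete to look at. The property indices 2 and 4 and the share path follow the posted script; the parameter names and the diagnostic fields are assumptions.

```powershell
# Added example, not from the thread: ADFS event 411 bad-credential collection
# with a culture-independent timestamp and run-context diagnostics.
param(
    [int]$PastHours = 24,
    # Assumed share path, mirroring the posted script's "\\fileserver\<date>_adfslogs.csv"
    [string]$OutputFile = "\\fileserver\$(Get-Date -Format 'yyyy-MM-dd')_adfslogs.csv"
)

# Record which identity and culture the task ran under. Run once as SYSTEM and once
# as the domain account and compare these lines next to the CSV each run produced.
$context = [PSCustomObject]@{
    RunAs     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    Culture   = (Get-Culture).Name
    UICulture = (Get-UICulture).Name
}
Write-Host ("Running as {0} (culture {1}, UI culture {2})" -f $context.RunAs, $context.Culture, $context.UICulture)

$since = (Get-Date).AddHours(-$PastHours)
# Same log, ID and message filter as the posted script; Message is localized text,
# so it is rendered from the provider's resources in the running account's UI culture.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 411; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'The user name or password is incorrect' }

$rows = foreach ($evt in $events) {
    # Property 2 holds the UPN with a trailing "-..." suffix, property 4 the client IP (indices from the posted script)
    $upn = ([string]$evt.Properties[2].Value).Split('-')[0]
    $ip  = [string]$evt.Properties[4].Value

    # TimeCreated is a nullable DateTime. Format it in UTC with the invariant culture so the
    # value does not depend on the regional settings of whichever account runs the task,
    # and emit a marker when it is null instead of an empty cell.
    $time = if ($null -ne $evt.TimeCreated) {
        $evt.TimeCreated.ToUniversalTime().ToString('o', [Globalization.CultureInfo]::InvariantCulture)
    } else {
        'TIMECREATED-NULL'
    }

    [PSCustomObject]@{
        UserPrincipalName = $upn
        IPAddress         = $ip
        TimeUtc           = $time
        RecordId          = $evt.RecordId   # lets a row be traced back to the exact event record
    }
}

if ($rows) {
    # Export-Csv writes real CSV (header row, quoted fields); Out-File of a formatted table does not
    $rows | Export-Csv -Path $OutputFile -NoTypeInformation -Encoding UTF8
} else {
    Write-Warning "No matching event 411 entries found since $since"
}
```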
