I use a PowerShell script (EXE/XML sensor) to monitor scheduled tasks on Windows servers. As long as I use local admins (on the remote systems) everything works fine. But I don't want to use local admins for obvious reasons, so I tried configuring a non-admin user to access scheduled tasks on a remote machine. The user X is a member of the remote local groups "Distributed COM Users", "Performance Monitor Users", "Performance Log Users", "Remote Desktop Users", and "Remote Management Users". Additionally X has "Execute Methods", "Remote Access", and "Enable Account" in WMI for the namespaces "\Root\CIMV2" and "\Root\Microsoft\Windows\TaskScheduler". Also X has the permission to log on as a batch job.

When I log on with X on the remote server and run Get-ScheduledTaskInfo I get:

Category : PermissionDenied
Activity : Get-ScheduledTaskInfo
Reason : CimException
TargetName : PS_ScheduledTask
TargetType : Root/Microsoft/Windows/TaskScheduler/PS_ScheduledTask

Which tells me that X does not have the appropriate WMI permissions...

I'm out of ideas. Does anyone know how to configure a user with least privileges to access remotely running scheduled tasks?


Article Comments

Bump.

Has anyone found a way to monitor tasks with an account that is NOT a member of Builtin\Administrators? I've followed similar steps as OP to no avail.


Jul, 2022 - Permalink

Meanwhile I implemented another way to monitor scheduled tasks. I installed SolarWinds Eventlog Forwarder on all servers that had scheduled tasks that we wanted to monitor. I configured these to send all events from the Task Scheduler Eventlog as syslog messages to a PRTG Probe server. On all PRTG Probes I installed FastVue Syslog Server to write the received syslog messages to disk. I then wrote a PowerShell script as a custom EXE/XML sensor that reads those files and analyses them to handle things like last runtime and return codes of the scheduled tasks. We are currently monitoring a lot of tasks this way and in most cases it works fine. It would be better to do it more directly tho..


Aug, 2022 - Permalink
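
A sketch of the file-reading sensor described in the last comment, added here as an example; it is not the commenter's script. The syslog line layout, host names and task names are constructed assumptions (the message text is modelled on Task Scheduler event 201), and the output is PRTG's EXE/XML result format.

```powershell
# Constructed sample; the real line layout depends on the forwarder and syslog
# server configuration (assumed here: timestamp, host, EventID=<id>, message).
# In production, replace $sample with Get-Content on the syslog server's output file.
$sample = @'
2022-08-01T02:14:37 SRV01 EventID=201 Task Scheduler successfully completed task "\Backup\Nightly" , instance "{1111}" , action "C:\Scripts\backup.cmd" with return code 0.
2022-08-01T03:00:09 SRV01 EventID=201 Task Scheduler successfully completed task "\Reports\Export" , instance "{2222}" , action "C:\Scripts\export.cmd" with return code 2.
2022-08-02T02:15:02 SRV01 EventID=201 Task Scheduler successfully completed task "\Backup\Nightly" , instance "{3333}" , action "C:\Scripts\backup.cmd" with return code 0.
'@ -split "`r?`n"

function Get-TaskResult {
    # Keeps only the newest "action completed" (201) event per host and task.
    param([string[]]$Lines)
    $pattern = '^(?<ts>\S+)\s+(?<host>\S+)\s+EventID=201\s.*completed task "(?<task>[^"]+)".*with return code (?<rc>\d+)'
    $latest = @{}
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $ts  = [datetime]::Parse($Matches.ts, [cultureinfo]::InvariantCulture)
            $key = "$($Matches.host)$($Matches.task)"      # e.g. SRV01\Backup\Nightly
            if (-not $latest.ContainsKey($key) -or $latest[$key].Time -lt $ts) {
                $latest[$key] = [pscustomobject]@{
                    Name = $key; Time = $ts; ReturnCode = [int64]$Matches.rc }
            }
        }
    }
    $latest.Values
}

function ConvertTo-PrtgXml {
    param($Results, [datetime]$Now = (Get-Date))
    # No parsed events means the forwarding chain is broken: report an error
    # instead of an empty (and therefore silently "green") sensor.
    if (@($Results).Count -eq 0) {
        return '<prtg><error>1</error><text>No task events found in syslog files</text></prtg>'
    }
    $xml = '<prtg>'
    foreach ($r in $Results) {
        # Task names arrive over syslog, so treat them as untrusted and XML-escape them.
        $name   = [System.Security.SecurityElement]::Escape($r.Name)
        $age    = [int]($Now - $r.Time).TotalMinutes
        $failed = [int]($r.ReturnCode -ne 0)
        $xml += "<result><channel>$name age (min)</channel><value>$age</value></result>"
        $xml += "<result><channel>$name failed</channel><value>$failed</value>" +
                "<LimitMode>1</LimitMode><LimitMaxError>0</LimitMaxError></result>"
    }
    $xml + '</prtg>'
}

ConvertTo-PrtgXml -Results (Get-TaskResult -Lines $sample)
```

Because the sensor only reads files on the probe, the monitoring account needs no rights on the monitored servers; the trade-off is that the result is only as trustworthy as the syslog transport feeding those files.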