The Active Directory account lockout policy is designed to safeguard user accounts from unauthorized access by disabling them if an incorrect password is entered repeatedly within a specific period. However, scheduled tasks and services that use domain user credentials to perform actions are one of the main causes of Active Directory account lockouts.
Trying to track the causes of these issues using Task Manager can be a very difficult process as services and scheduled tasks are stored and displayed separately.
A solution to this is to use command line tools with PowerShell to list scheduled tasks. The Get-ScheduledTask cmdlet from the scheduledtasks module will list all task names and other general information depending on the parameters used. Combining this with the Get-ScheduledTaskInfo cmdlet will provide information, such as last and next run times. However, neither of these cmdlets shows you the username; to get that information, you need to use schtasks.exe in your script.
By using a PowerShell script, you can also query remote computers by using the invoke-command cmdlet which is required for your script to work on a remote Windows Server or workstation. You also must have PSRemoting enabled across your Active Directory (AD). However, it is important to note that this will add to your attack surface, reducing your overall security.
How to Use PowerShell
Please follow below steps:
- Open the PowerShell ISE and create a new file with the following PowerShell script, being sure to input your own computer name and output path:
$cred = Get-Credential
$comp = "PDC"
$session = New-PSSession -ComputerName $comp -Credential $cred
$script = {
"Services:"
Get-WmiObject win32_service -ErrorAction Stop| where {$_.StartMode -like 'Auto' -and $_.Startname -notlike '*local*' -and $_.Startname -notlike '*NT AU*'}| Select-Object Name, DisplayName, State, StartMode, StartName | Format-Table -Property * -AutoSize| Out-String -Width 4096
# To output to CSV, add this string to the previous command: | Export-Csv c:\Out\filename.csv - NoTypeInformation"ScheduledTasks"
schtasks.exe /query /V /FO CSV | ConvertFrom-Csv | Where { $_.TaskName -ne "TaskName" -and $_.TaskName -like "*powershell*"}|Select-Object @{ label='Name'; expression={split-path $_.taskname -Leaf} }, Author ,'run as user','task to run'| Format-Table -Property * -AutoSize| Out-String -Width 4096
# To export to CSV, add this string to the previous command: | Export-Csv c:\Out\filename.csv - NoTypeInformation
}
Invoke-Command -Session $session -ScriptBlock $script
- Run the script using the credentials for an account that has administrator rights on the local computer in question.
How Lepide Helps
An alternative, more straightforward solution, which requires no knowledge of PowerShell, is to use the All Schedule Task Modification on Domain Controller Report included as part of the Lepide Data Security Platform. This report lists all tasks which have been modified and shows what the modification was. This report can be exported to CSV, PDF or MHT format.
The steps below explain how to run this report:
- Select Lepide Auditor, Reports
- From here, expand Active Directory Reports
- Select the All Schedule Task Modification on Domain Controller Report
- Select Generate Report
The report is generated and can be filtered, sorted and exported to CSV and PDF format
