Background
Walked in today to some questions about why an important
scheduled tasks <cringe face here> had been disabled. Turned out that it
was intentional so no big deal. However, the question I was asked before we
knew it was intentional was this… “how do we see an audit trail for task
scheduler changes?” The short answer is that it’s not enabled by default and it’s
not super intuitive.
This has to be auditpol.exe
More Here
Auditing consists of categories and subcategories. To do
this you need to enable a subcategory. Technically, this is the recommended way
to enable non-standard auditing. You don’t want to audit too much or you’ll make
your log difficult to read, fill up space, consume processing time, etc. Per
Micrsoft…
If you are going to use auditing subcategories, you should not use
Group Policy to define and distribute your auditing policies. The Group Policy
Management Console configures only the top-level auditing categories and
enables all of the subcategories within the category and thus cannot be used to
set more targeted audit policy. Instead, auditing policy that uses auditing
subcategories must be defined by using the command-line tool auditpol.exe and
distributed by means of a script.
Execution
So how do I do that? Pretty simple:
From a command prompt:
auditpol.exe /get /category:"Object Access"
I can see that I'm currently set to all "Failure" only which inherited from the Local Policy parent "Object Access". I want to change "Other Object Access Events" which is sort of a misc set of audit events for Task Scheduler and COM+.
All of that to say, here is the command to enable Task Scheduler auditing to the Event Viewer Security logs.
auditpol.exe /set /subcategory:"Other Object Access Events" /Success:Enabled /Failure:Enabled
You can verify your change in the Security log. Event ID 4719.
So I went and disabled/enabled a scheduled task. Now I can see these logs.
We use System Center Operations Manager. So at this point I could capture on the various event IDs (also in the link above) that this new audit log will generate.
Hopefully this will shortcut the process for you. As you can see, I had to pull together a few resources to understand what I really needed.