Thursday, June 26, 2014

Task Scheduler Change Audit Trail



Background

Walked in today to some questions about why an important scheduled tasks <cringe face here> had been disabled. Turned out that it was intentional so no big deal. However, the question I was asked before we knew it was intentional was this… “how do we see an audit trail for task scheduler changes?” The short answer is that it’s not enabled by default and it’s not super intuitive.

This has to be auditpol.exe

More Here
http://technet.microsoft.com/en-us/library/cc731451.aspx

Auditing consists of categories and subcategories. To do this you need to enable a subcategory. Technically, this is the recommended way to enable non-standard auditing. You don’t want to audit too much or you’ll make your log difficult to read, fill up space, consume processing time, etc. Per Micrsoft…

            http://technet.microsoft.com/en-us/library/cc766468%28v=ws.10%29.aspx
If you are going to use auditing subcategories, you should not use Group Policy to define and distribute your auditing policies. The Group Policy Management Console configures only the top-level auditing categories and enables all of the subcategories within the category and thus cannot be used to set more targeted audit policy. Instead, auditing policy that uses auditing subcategories must be defined by using the command-line tool auditpol.exe and distributed by means of a script.

Execution

So how do I do that? Pretty simple:

From a command prompt:

auditpol.exe /get /category:"Object Access"

I can see that I'm currently set to all "Failure" only which inherited from the Local Policy parent "Object Access". I want to change "Other Object Access Events" which is sort of a misc set of audit events for Task Scheduler and COM+. 

http://technet.microsoft.com/en-us/library/dn319119.aspx

All of that to say, here is the command to enable Task Scheduler auditing to the Event Viewer Security logs.

auditpol.exe /set /subcategory:"Other Object Access Events" /Success:Enabled /Failure:Enabled

























You can verify your change in the Security log. Event ID 4719.


So I went and disabled/enabled a scheduled task. Now I can see these logs.











We use System Center Operations Manager. So at this point I could capture on the various event IDs (also in the link above) that this new audit log will generate.

Hopefully this will shortcut the process for you. As you can see, I had to pull together a few resources to understand what I really needed.

at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)