Continuous Auditing of Active Directory with Scheduled Tasks

Introduction

In my last two installments of “continuous auditing of Windows Active Directory”, we have covered some powerful ways for you, the auditor or security professional, to audit Windows Active Directory. The first article, Using PowerShell to Continuously Audit Security of Active Directory, focused on how to leverage the Windows 7 built-in technology of PowerShell. By using PowerShell, you can query information from Active Directory due to the read access that is granted to all users that are part of the domain. In my second installment, Using ADUC Saved Queries to Continuously Audit Windows Active Directory, we covered how to leverage the Active Directory Users and Computers tool to create Saved Queries. By using saved queries, you can simply “refresh” the view within the tool to see updated objects that meet the criteria that you are looking to audit.

Accessing Scheduled Tasks in Windows 7

Scheduled Tasks are part of the operating system and are accessible by standard users. Again, as auditors, you are a standard user in nearly every instance, so tools like this can be invaluable for you to gather information out of Active Directory.

To access the Scheduled Tasks, you need to follow these steps:

  1. Click on the Start button
  2. Then click on All Programs – Accessories – System Tools – Task Scheduler

This will launch the Task Scheduler window so you can see existing tasks and create new tasks. You can see the standard Task Scheduler in Figure 1.


Figure 1: Windows 7 Task Scheduler.

Creating Tasks in Task Scheduler

Windows 7 Task Scheduler comes with two options for task creation. There is a “Basic Task” option and a “Task” option. The Basic Task is very basic, only requiring a few entries for you to create the task. To create a Task, you need to input all aspects of your task manually. When it comes to continuous auditing of Active Directory using PowerShell, you can choose either option. Below is a summary of each type of task, then we will cover the details for creating your tasks for continuous auditing.

Creating a Basic Task

The basic task is just that, basic. It provides an easy and simple way to associate a task to an event or schedule with little other definitions. For the Basic task, you will simply define the following:

  • Task Name
  • Task Description
  • Task frequency
  • Event trigger (if not on frequency)
  • Task action (email, program, message)

This is wizard driven and very easy to setup. You can see the Basic Wizard in Figure 2, where it is asking you to define the event ID.


Figure 2: The Basic Task Wizard allows you to trigger the task based on an event ID.

Creating a Task (Standard, which is more detailed!)

The steps to get to a standard task are the same as a basic task, but the options within are dramatically different. When you launch the Create Task dialog box, you have many options to configure.

First, you will need to fill out the General tab, which is shown in Figure 3.


Figure 3: Create Task General tab.

Then, you will need to make decisions for the triggers by filling out the Triggers tab. To do this, you must add in new triggers by selecting the New button. When you do this, you will have the New Trigger dialog box show up, which is shown in Figure 4.


Figure 4: New Trigger dialog box, accessed from Triggers tab.

Next, you will need to define actions for your task. On the Actions tab you will select the New button and the New Action dialog box will appear, as shown in Figure 5.


Figure 5: New Action dialog box for your task.

Almost done, you need to fill out the Conditions tab. Here you configure whether the task should run based on the other criteria you have configured. The Conditions tab is shown in Figure 6.


Figure 6: Conditions tab for your task.

Finally, you have the Settings tab. This tab allows you to configure more details behavior of your task and actions for your Event Viewer events. You can see these options in Figure 7.


Figure 7: Settings tab for your task.

Creating Scheduled Task for PowerShell Cmdlet

When you create a task for your continuous audit of Active Directory using PowerShell, you will be able to create a Basic Task or Task, it will be up to you. The goal of the task is to have the task run in the middle of the night, so you have a report waiting for you in the morning. You will be able to create a separate file per audit control point, which will help you organize your data once you receive it.

We are going to use the PowerShell cmdlet we used in the previous article, so please read through that in order to get everything working properly on your Windows 7 computer. Don’t forget you need to configure your PowerShell to execute cmdlets created by others by setting the executionpolicy to remotesigned.

We are going to create a file that contains the members of the Domain Admins group. This is a great example, since the group name has a space and this can cause some pain when generating the Scheduled Task due to the space.

First, we will create a Basic Task. Follow the steps above and input the following information for your Basic Task:

Name:

DomainAdminsGroup

When do you want the task to start?

One time

Start:

Select date and time

What action do you want the task to perform?

Start a program

Program/script:

powershell.exe

Add arguments:

c:\pscmdlets\getadinfo.ps1 -domain braincore.net -group “\”domain admins”\” -tocsv c:\pscmdlets\domainadmins.csv

This will generate a comma delimited file with the name domainadmins.csv and place it under the c:\pscmdlets folder. Of course, you can change these variables to place the file where you want and give it a name that suites you.

For the Task of the same content, you would input the following information:

On the General tab:

 

Name:

DomainAdminsGroup

On the Triggers tab:

Select the New button, then input:

Settings:

One time

Start:

Select date and time

On the Actions tab:

Select the New button, then input:

Action:           

Start a program

Program/script:

powershell.exe

Add arguments:

c:\pscmdlets\getadinfo.ps1 -domain braincore.net -group “\”domain admins”\” -tocsv c:\pscmdlets\domainadmins.csv

Summary

You can now create a task for nearly every part of Active Directory that you want to continuously audit. You can generate your files of the data on a daily, weekly, monthly basis. In essence, whenever you need to generate data, you can do so. If you go back to the past few articles on continuous auditing, you can extrapolate what we gathered from those articles and input them into your PowerShell Scheduled Task. Just be sure you clear out the old files before new ones are generated!

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top