Script Info: New TaskRegistration

Mike Kanakos edited this page Apr 19, 2019 · 1 revision

SYNOPSIS

Tool Server Configuration automation. 

DESCRIPTION

This script configures the scheduled tasks on the tool server to run the other scripts on the schedule you define.

Script Type:

This script must be run as administrator on your tool server to create the Scheduled Tasks to automate the running of the other test scripts in the module.

Note - The scheduled tasks this script creates have been updated to account for the changes to scripts required to make this module. Full testing of the change has not been completed.

Connection type:

Local PowerShell configurations using Register-ScheduledJob

Automatic repair option:

N/A

EventID Definitions:

N/A

Alert Cleared Notice

N/A

Currently Configured Output Options:

N/A

NOTES

Authors: Greg Onstot

Additional Background, and other options

The expectation is that you run these scripts on a separate Tier0 tool server to monitor your AD. It must be a Tier0 system, as the service account monitoring AD should be a Domain Admin to perform a number of these tasks. This tool server must have the RSAT tools installed. Run the following command to install the tools if you have not done so previously:

Add-WindowsFeature RSAT-AD-PowerShell,RSAT-AD-AdminCenter

Here are some references in case you are unfamiliar with the Tier Model:

https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material

https://blogs.technet.microsoft.com/askpfeplat/2017/09/11/securing-privileged-access-for-the-ad-admin-part-1/

https://www.microsoft.com/en-us/download/details.aspx?id=36036

https://www.irongeek.com/i.php?page=videos/derbycon8/track-2-01-from-workstation-to-domain-admin-why-secure-administration-isnt-secure-and-how-to-fix-it-sean-metcalf

The service account must also be granted the "Log on as a batch job" right. If you don't want to configure that manually, you can use a module like Carbon to grant the service account the right to log on as a batch job:

http://get-carbon.org/about_Carbon_Installation.html

Import-Module .\Carbon\Carbon

Grant-Privilege -Identity Domain\ServiceAccount -Privilege SeBatchLogonRight

Grant-Privilege -Identity Domain\ServiceAccount -Privilege SeServiceLogonRight

Alternatively you could use the following, or one of many other options:

https://gallery.technet.microsoft.com/scriptcenter/Grant-Revoke-Query-user-26e259b0

This is not an endorsement of those modules; they are included only for awareness.
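The prerequisites above (elevated session, RSAT installed, batch logon right on the service account) can be checked before any task is registered. The following is an added example, not the module's own script: the account name, script path, job name and schedule are placeholders, and the helper functions Test-IsAdministrator and Test-BatchLogonRight are hypothetical names introduced here.

```powershell
# Added example for Windows PowerShell 5.1 (PSScheduledJob module); not part of the module.
param(
    [string]$ServiceAccount = 'DOMAIN\ServiceAccount',        # placeholder account
    [string]$ScriptPath     = 'C:\Scripts\Test-Example.ps1',  # hypothetical script path
    [string]$JobName        = 'Example-ADHealthTest'          # hypothetical job name
)

function Test-IsAdministrator {
    # True only when the current session holds an elevated administrator token
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-BatchLogonRight {
    param([string]$Account)
    # Resolve the account to a SID; secedit lists grantees as "*S-1-5-..."
    $sid = ([Security.Principal.NTAccount]$Account).Translate([Security.Principal.SecurityIdentifier]).Value
    $cfg = Join-Path $env:TEMP ("userrights-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Select-String -Path $cfg -Pattern '^SeBatchLogonRight\s*=' | Select-Object -First 1
        if (-not $line) { return $false }
        $entries = ($line.Line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
        # Direct grants only: rights held through group membership are not expanded here
        return ($entries -contains $sid) -or ($entries -contains $Account)
    }
    finally { Remove-Item -Path $cfg -ErrorAction SilentlyContinue }
}

if (-not (Test-IsAdministrator)) { throw 'Run this from an elevated PowerShell session.' }
if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
    throw 'RSAT AD module missing. Install: Add-WindowsFeature RSAT-AD-PowerShell,RSAT-AD-AdminCenter'
}
if (-not (Test-BatchLogonRight -Account $ServiceAccount)) {
    throw "$ServiceAccount is not directly granted SeBatchLogonRight."
}

# Prompt for the password so it never appears in the script or in shell history
$cred    = Get-Credential -UserName $ServiceAccount -Message 'Service account for the scheduled job'
$trigger = New-JobTrigger -Daily -At '06:00'   # constructed schedule
$options = New-ScheduledJobOption -RunElevated

Register-ScheduledJob -Name $JobName -FilePath $ScriptPath -Trigger $trigger `
    -ScheduledJobOption $options -Credential $cred
```

Because the job runs under a Domain Admin-level account, keep the folder holding the scheduled script writable only by Tier0 administrators.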