Script Info: New TaskRegistration
Tool Server Configuration automation.
This script configures the scheduled tasks on the tool server to run the other scripts on the schedule you define.
This script must be run as administrator on your tool server to create the Scheduled Tasks to automate the running of the other test scripts in the module.
Note - The scheduled tasks this script creates have been updated to account for the changes to scripts required to make this module. Full testing of the change has not been completed.
Local PowerShell configurations using Register-ScheduledJob
N/A
N/A
N/A
N/A
Authors: Greg Onstot
The expectation is that you run these scripts on a separate Tier0 Tool server, to monitor your AD.
It must be a Tier0 system, as the service account monitoring AD should be in Domain Admin to perform a number of these tasks.
This tool server must have the RSAT tools installed. Run the following command to install the tools if you have not done so previously.
Add-WindowsFeature RSAT-AD-PowerShell,RSAT-AD-AdminCenter
Here are some references in case you are unfamiliar with the Tier Model:
- https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material
- https://blogs.technet.microsoft.com/askpfeplat/2017/09/11/securing-privileged-access-for-the-ad-admin-part-1/
- https://www.microsoft.com/en-us/download/details.aspx?id=36036
- https://www.irongeek.com/i.php?page=videos/derbycon8/track-2-01-from-workstation-to-domain-admin-why-secure-administration-isnt-secure-and-how-to-fix-it-sean-metcalf
The service account must also be granted the Logon as Batch right. If you don't want to configure that manually, you can use a module like Carbon to grant the service account the right to log on as a batch job:
http://get-carbon.org/about_Carbon_Installation.html
Import-Module .\Carbon\Carbon
Grant-Privilege -Identity Domain\ServiceAccount -Privilege SeBatchLogonRight
Grant-Privilege -Identity Domain\ServiceAccount -Privilege SeServiceLogonRight
Alternatively you could use the following, or one of many other options:
https://gallery.technet.microsoft.com/scriptcenter/Grant-Revoke-Query-user-26e259b0
This is not an endorsement of those modules; they are included only for awareness.
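One way to confirm the prerequisites above before registering the tasks, as an added example that is not part of the module: it checks for an elevated session, the RSAT ActiveDirectory module, and whether the service account is directly assigned the two rights granted above. The function name Test-ToolServerPrereq is hypothetical, and the check reads the local security policy through secedit.exe.

```powershell
# Added example, not part of the module. Test-ToolServerPrereq is a hypothetical name.
function Test-ToolServerPrereq {
    param(
        [Parameter(Mandatory)]
        [string]$ServiceAccount,   # for example 'Domain\ServiceAccount'
        [string[]]$Rights = @('SeBatchLogonRight', 'SeServiceLogonRight')
    )
    $sidType = [Security.Principal.SecurityIdentifier]

    # Registering scheduled tasks and exporting policy both need elevation.
    $current  = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    $elevated = $current.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # RSAT check: the ActiveDirectory module must be installed.
    $rsat = [bool](Get-Module -ListAvailable -Name ActiveDirectory)

    # Resolve the account to a SID; secedit lists holders as *SID or as names.
    $sid = ([Security.Principal.NTAccount]$ServiceAccount).Translate($sidType).Value

    # Export only the user-rights area of the local security policy.
    $cfg = Join-Path $env:TEMP ('userrights-{0}.inf' -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $policy = @(Get-Content -Path $cfg -ErrorAction SilentlyContinue)
    }
    finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }

    $direct = [ordered]@{}
    foreach ($right in $Rights) {
        $line = $policy | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        $holders = @()
        if ($line) {
            $holders = ($line -split '=', 2)[1].Split(',') | ForEach-Object {
                $entry = $_.Trim()
                if ($entry.StartsWith('*')) { $entry.TrimStart('*') } else {
                    # Entry is an account name: normalise it to a SID if it resolves.
                    try { ([Security.Principal.NTAccount]$entry).Translate($sidType).Value }
                    catch { $entry }
                }
            }
        }
        # Direct assignment only: a right held through a group (for example
        # local Administrators) is listed under the group's SID, not the account's.
        $direct[$right] = $holders -contains $sid
    }
    [pscustomobject]@{ Elevated = $elevated; RsatAdModule = $rsat
                       AccountSid = $sid; DirectlyHolds = $direct }
}
# Usage: Test-ToolServerPrereq -ServiceAccount 'Domain\ServiceAccount'
```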
- Copy-Scripts
- Get-ADConfig
- Get-ADLastBackupDate
- Get-DCDiskSpace
- Restore-PSADHealthConfig
- Set-PSADHealthConfig
- Test-ADConfigMailer
- Test-ADObjectReplication
- Test-ADReplication
- Test-ADServices
- Test-DCsOnline
- Test-ExternalDNSServers
- Test-ExternalTimeSync
- Test-InternalTimeSync
- Test-SRVRecords
- Test-SYSVOLReplication