Greetings,
I have a bit of code that collects event logs from domain controllers:
Invoke-Command -ComputerName (Get-ADDomainController -filter * | select -ExpandProperty name) -ScriptBlock {
    # Copy the archived logs from this DC to its folder on the share, then delete the local copies
    xcopy 'E:\Maintenance\*.evt' "\\XXXXXXXXX\SecurityLogs$\$env:computername" /y /z
    del 'E:\Maintenance\*.evt'
}
When I RDP to the server that has this script and run it manually as a domain administrator then it works fine. On that same server I have created a scheduled task to run this script as a domain administrator account and it fails, presumably with access denied. The scheduled task has the “run with highest privileges” checkbox ticked. Why would running it manually work but not via a scheduled task please?
Thanks
David Z
What does your scheduled task look like? Are you trying to call powershell.exe then run the .ps1 file?
I have seen it work setting execution policy to bypass when running the script
Thanks for that. Yes I am using powershell.exe. I added ‘bypass’ as you suggested and it worked - sort of. The script ran three times overnight and twice the ‘copys’ worked and once it didn’t. Very strange - but as long as it works sometimes that will do.
Cheers
David Z
Now it's not working at all. This is really weird. I’m trying to run this:
Invoke-Command -ComputerName (Get-ADDomainController -filter * | select -ExpandProperty name) -ScriptBlock {
    $logfile = Get-WmiObject -Class win32_NTEventlogFile -Filter "logFileName='Security'"
    $dt = get-date -format "yyyyMMdd-HHmmss"
    $savelog = "E:\Maintenance\$env:computername-Security-$dt.evt"
    # Back up the Security log to $savelog and clear it
    $logfile.ClearEventlog($savelog)
    # Move the archived logs from this DC to its folder on the share
    move-item 'E:\Maintenance\*.evt' "\\xxxxx\SecurityLogs$\$env:computername" -force
}
and it's failing on the move-item with:
“The system detected a possible attempt to compromise security.”
I thought this might be a CredSSP thing but it has worked outside of a scheduled task so that can't be it.