CJSmith dot me

I dump stuff I find useful here

Category: Windows Server 2008

Windows 2008 – Alert on Scheduled Job Failure

Published / by Chris Smith / Leave a Comment

First we need to enable logging for the Windows Task Scheduler: open Event Viewer (type “eventvwr.msc” in Run) and browse to the TaskScheduler log.


Right click the Operational log, click Properties and ensure “Enable Logging” is ticked.

Windows is now set up to log scheduled tasks to the Event Viewer; next we need to set up a scheduled task that reacts to those events.
Open Task Scheduler and create a “New Basic Task”.

Give the task a relevant name, ensure it runs as the “SYSTEM” user and tick “Run with highest privileges”.

Create two triggers as below, one for Event ID 329 and one for Event ID 111.

Create an action to send an email as below, using an SMTP server which whitelists this server and only allows internal emails.
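The same task built from a script rather than the GUI, as an added example that is not from the original post. It uses the Task Scheduler COM API (“Schedule.Service”), which is present on Windows Server 2008, and enables the Operational log with wevtutil. The task name, SMTP relay, sender and recipient addresses are placeholders; the ValueQueries line, which copies the failing task's name out of the event into the mail body, is an addition beyond what the post shows.

```powershell
# Added example, not from the original post: registers the alert task described
# above through the Task Scheduler COM API instead of the GUI.
# Placeholders: task name, SMTP relay, From and To addresses.

# 1. Enable the Task Scheduler Operational log (same as ticking "Enable Logging").
wevtutil sl Microsoft-Windows-TaskScheduler/Operational /e:true

$taskName   = 'Alert on scheduled task failure'        # assumed name
$channel    = 'Microsoft-Windows-TaskScheduler/Operational'
$eventIds   = 329, 111                                 # the two trigger IDs from the post
$smtpServer = 'smtp.internal.example'                  # placeholder: internal relay that whitelists this host
$mailFrom   = "$env:COMPUTERNAME@internal.example"     # placeholder
$mailTo     = 'ops@internal.example'                   # placeholder

$service = New-Object -ComObject 'Schedule.Service'
$service.Connect()                                     # no arguments = local machine
$task = $service.NewTask(0)
$task.RegistrationInfo.Description = 'Emails when a scheduled task logs event 329 or 111'
$task.Settings.Enabled            = $true
$task.Settings.ExecutionTimeLimit = 'PT5M'             # ISO 8601 duration: give up after 5 minutes

# 2. One "On an event" trigger per event ID. The subscription is the same XML
#    that Event Viewer's custom filter dialog produces for that event ID.
foreach ($id in $eventIds) {
    $trigger = $task.Triggers.Create(0)                # 0 = TASK_TRIGGER_EVENT
    $trigger.Enabled = $true
    $trigger.Subscription = "<QueryList><Query Id='0' Path='$channel'>" +
        "<Select Path='$channel'>*[System[(EventID=$id)]]</Select></Query></QueryList>"
    # Pull the failing task's name out of the event so the mail can say which task it was.
    $trigger.ValueQueries.Create('TaskName', "Event/EventData/Data[@Name='TaskName']") | Out-Null
}

# 3. Run as SYSTEM with highest privileges (the two options ticked in the GUI).
$task.Principal.UserId    = 'SYSTEM'
$task.Principal.LogonType = 5                          # 5 = TASK_LOGON_SERVICE_ACCOUNT
$task.Principal.RunLevel  = 1                          # 1 = TASK_RUNLEVEL_HIGHEST

# 4. The "Send an e-mail" action. $(TaskName) is filled in from the value query above.
$action = $task.Actions.Create(6)                      # 6 = TASK_ACTION_SEND_EMAIL
$action.Server  = $smtpServer
$action.From    = $mailFrom
$action.To      = $mailTo
$action.Subject = "Scheduled task failure on $env:COMPUTERNAME"
$action.Body    = "Task `$(TaskName) logged event 329 or 111 in $channel on $env:COMPUTERNAME."

# 5. Register the task (6 = TASK_CREATE_OR_UPDATE); a service account needs no password.
$folder = $service.GetFolder('\')
$folder.RegisterTaskDefinition($taskName, $task, 6, 'SYSTEM', $null, 5) | Out-Null
```

Run it in an elevated PowerShell on the server. One caveat for anyone reusing this later: from Windows Server 2012 R2 onward the built-in “Send an e-mail” action is deprecated, so step 4 there would become an Exec action that runs a script to send the mail.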

Windows 2008: Task Scheduler causes account lockout when policy locks account after one attempt

Published / by Chris Smith / Leave a Comment

I encountered a very odd issue where I was attempting to amend a scheduled task on a Windows 2008 R2 server. When attempting to amend it to use a “service” account, the account was locked out immediately. This account has a policy where it is locked out if the password is incorrect once. After several attempts and having to unlock the account every time, we spotted that every time a task was changed two event log entries were added instead of one.
It turns out the Task Scheduler in Windows 2008/2008 R2 was causing this: it first attempts to log in with a blank password and then makes a second attempt with the valid password.
This causes the error below (An error has occured for task . Error message: The following error was reported: 2147944309.), as the first attempt locks the account out.

The Event Log also has the following entries:

An error has occured for task <SCHEDULEDTASKNAME>.  Error message: The following error was reported: 2147944309.
Audit Failure      26/11/2018 13:48:39       Microsoft Windows security auditing.     4625       Logon
 
An account failed to log on.
 
Subject:
                Security ID:                         SYSTEM
                Account Name:                 <MACHINENAME$>
                Account Domain:                              <DOMAIN>
                Logon ID:                             0x3e7
 
Logon Type:                                       4
 
Account For Which Logon Failed:
                Security ID:                         NULL SID
                Account Name:                 <USERNAME>
                Account Domain:                              <DOMAIN>
 
Failure Information:
                Failure Reason:                 Unknown user name or bad password.
                Status:                                  0xc000006d
                Sub Status:                         0xc000006a
 
Process Information:
                Caller Process ID:              0x14c
                Caller Process Name:      C:\Windows\System32\svchost.exe
 
Network Information:
                Workstation Name:         <MACHINENAME>
                Source Network Address:             -
                Source Port:                       -
 
Detailed Authentication Information:
                Logon Process:                  Advapi  
                Authentication Package:               Negotiate
                Transited Services:          -
                Package Name (NTLM only):        -
                Key Length:                        0
 
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
 
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
 
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
 
The Process Information fields indicate which account and process on the system requested the logon.
 
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
 
The authentication information fields provide detailed information about this specific logon request.
                - Transited services indicate which intermediate services have participated in this logon request.
                - Package name indicates which sub-protocol was used among the NTLM protocols.
                - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
 
 
 
An account failed to log on.
 
Subject:
                Security ID:                         SYSTEM
                Account Name:                 <MACHINENAME$>
                Account Domain:                              <DOMAIN>
                Logon ID:                             0x3e7
 
Logon Type:                                       4
 
Account For Which Logon Failed:
                Security ID:                         NULL SID
                Account Name:                 <USERNAME>
                Account Domain:                              <DOMAIN>
 
Failure Information:
                Failure Reason:                 Account locked out.
                Status:                                  0xc0000234
                Sub Status:                         0x0
 
Process Information:
                Caller Process ID:              0x14c
                Caller Process Name:      C:\Windows\System32\svchost.exe
 
Network Information:
                Workstation Name:         <MACHINENAME>
                Source Network Address:             -
                Source Port:                       -
 
Detailed Authentication Information:
                Logon Process:                  Advapi  
                Authentication Package:               Negotiate
                Transited Services:          -
                Package Name (NTLM only):        -
                Key Length:                        0
 
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
 
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
 
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
 
The Process Information fields indicate which account and process on the system requested the logon.
 
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
 
The authentication information fields provide detailed information about this specific logon request.
                - Transited services indicate which intermediate services have participated in this logon request.
                - Package name indicates which sub-protocol was used among the NTLM protocols.
                - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Rather annoyingly the fix is no longer available; it is now included in a Convenience Rollup available from Microsoft Support. I can’t, however, see any mention of it in this. Thanks to Andrew Bainger from ABF for pointing me towards this.
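A way to check for this symptom from the Security log before assuming the password itself is wrong, as an added example that is not part of the original post. It looks for the pair of 4625 events quoted above: a bad-password failure (Sub Status 0xc000006a) from svchost.exe with Logon Type 4 (batch), followed within a few seconds by an “Account locked out” failure (Status 0xc0000234) for the same account. The function names and the sample events are constructed for this example.

```powershell
# Added example, not from the original post. Flags a bad-password 4625 followed
# quickly by a lockout 4625 for the same account, both batch logons from svchost.exe.
# Read-only: it queries the Security log and changes nothing.

function Get-Failed4625 {
    param([int]$LastHours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$LastHours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }   # EventData by field name
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $d['TargetUserName']
            LogonType   = [int]$d['LogonType']
            Status      = $d['Status']
            SubStatus   = $d['SubStatus']
            ProcessName = $d['ProcessName']
        }
    }
}

function Find-TaskSchedulerLockoutPattern {
    param([object[]]$Events, [int]$WindowSeconds = 10)
    # Only batch logons (type 4) requested by svchost.exe, which is how the Task
    # Scheduler service validates credentials when a task is saved.
    $batch = $Events | Where-Object { $_.LogonType -eq 4 -and $_.ProcessName -like '*\svchost.exe' } |
             Sort-Object Time
    $hits = @()
    foreach ($bad in ($batch | Where-Object { $_.SubStatus -eq '0xc000006a' })) {
        $lock = $batch | Where-Object {
            $_.User -eq $bad.User -and $_.Status -eq '0xc0000234' -and
            $_.Time -ge $bad.Time -and ($_.Time - $bad.Time).TotalSeconds -le $WindowSeconds
        } | Select-Object -First 1
        if ($lock) {
            $hits += [pscustomobject]@{ User = $bad.User; BadPassword = $bad.Time; LockedOut = $lock.Time }
        }
    }
    $hits
}

# Constructed sample mirroring the two events quoted above (not real log data).
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2018-11-26 13:48:39'; User = 'SVC_ACCOUNT'; LogonType = 4
                       Status = '0xc000006d'; SubStatus = '0xc000006a'; ProcessName = 'C:\Windows\System32\svchost.exe' }
    [pscustomobject]@{ Time = [datetime]'2018-11-26 13:48:40'; User = 'SVC_ACCOUNT'; LogonType = 4
                       Status = '0xc0000234'; SubStatus = '0x0';        ProcessName = 'C:\Windows\System32\svchost.exe' }
)
Find-TaskSchedulerLockoutPattern -Events $sample | Format-Table -AutoSize     # one hit for SVC_ACCOUNT

# Against the live log on the affected server:
# Find-TaskSchedulerLockoutPattern -Events (Get-Failed4625 -LastHours 2) | Format-Table -AutoSize
```

The string comparisons on Status and SubStatus are case-insensitive in PowerShell, so the lowercase hex values as they appear in the event XML match as written. A single hit of this shape each time a task is saved, with no other failed logons for the account, points at the Task Scheduler behaviour above rather than at a wrong password.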

Remotely remove a broken user profile from another computers registry when the user folder is deleted

Published / by Chris Smith / Leave a Comment

I recently had an issue where someone had deleted my admin user profile from a remote server by deleting its folder.
The logon then failed as Windows still expected the folder to be there, since obviously the registry entries had not been removed.
Rather than manually checking HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList for the SID and then removing it, WMIC can be used. A user called Tommylotmanagement posted an answer and I found it worked even when the user’s profile folder had been deleted as well.

wmic /node:<Server> path win32_UserProfile where LocalPath="c:\\users\\<ADUsername>" Delete 2>>c:\windows\temp\wmic.err

It should then show:
Deleting instance \\<Server>\root\cimv2:Win32_UserProfile.SID="<SID>"
Instance deletion successful

If it fails check the file c:\windows\temp\wmic.err in a text editor.

Credit: Tommylotmanagement

I have also found this has worked to correct issues where accounts keep generating TEMP or TEMP. folders.
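The same Win32_UserProfile removal done from PowerShell, as an added example that is not from the original post, so the profile can be checked before it is deleted: exactly one match for the path, not currently loaded, and not a special (system) profile. The function name is made up for this example; $Server and $UserName are placeholders, and errors go to the same file the wmic command above uses.

```powershell
# Added example, not from the original post: removes a remote user's profile
# (registry ProfileList entry plus folder, if any) via Win32_UserProfile, with
# checks that the wmic one-liner above does not do.

function Remove-RemoteUserProfile {
    param(
        [Parameter(Mandatory = $true)][string]$Server,      # placeholder: target computer
        [Parameter(Mandatory = $true)][string]$UserName,    # placeholder: AD user name
        [string]$ErrorLog = 'C:\Windows\Temp\wmic.err'
    )
    # WQL needs the backslashes doubled, exactly as in the wmic command above.
    $localPath = "C:\\Users\\$UserName"

    try {
        $profiles = @(Get-WmiObject -ComputerName $Server -Class Win32_UserProfile `
                        -Filter "LocalPath='$localPath'" -ErrorAction Stop)
    } catch {
        "$(Get-Date -Format s) query on $Server failed: $($_.Exception.Message)" | Add-Content $ErrorLog
        throw
    }

    if ($profiles.Count -ne 1) {
        throw "Expected exactly one profile with LocalPath $localPath on $Server, found $($profiles.Count)"
    }
    $p = $profiles[0]
    if ($p.Loaded)  { throw "Profile $($p.SID) is loaded on $Server (user logged on); log them off first" }
    if ($p.Special) { throw "Profile $($p.SID) is a special system profile; refusing to delete" }

    # Delete() removes the ProfileList key and the folder. It also succeeds when the
    # folder was already removed by hand, which is the situation described above.
    try {
        $p.Delete()
        "Deleted profile $($p.SID) ($localPath) on $Server"
    } catch {
        "$(Get-Date -Format s) delete of $($p.SID) on $Server failed: $($_.Exception.Message)" | Add-Content $ErrorLog
        throw
    }
}

# Usage (placeholders):
# Remove-RemoteUserProfile -Server 'SERVER01' -UserName 'ADUsername'
```

Listing the candidates first with Get-WmiObject -ComputerName <Server> -Class Win32_UserProfile | Select-Object SID, LocalPath, Loaded, Special is a good habit before calling the function, since the LocalPath filter is an exact match and a TEMP profile may live under a differently named folder.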

Display advanced properties of scheduled tasks in command line

Published / by Chris Smith / Leave a Comment

The following command requests a detailed display of the tasks on the local computer. It uses the /v parameter to request a detailed (verbose) display and the /fo LIST parameter to format the display as a list for easy reading. You can use this command to verify that a task you created has the intended recurrence pattern.
Before running it, increase the command prompt’s screen buffer (right click the window, go to Properties, go to Layout and set the Screen Buffer Height to 9999). If this is not done you will find that, due to the number of Windows scheduled tasks, the tasks you want are cleared from the screen buffer.

schtasks /query /fo LIST /v

 
SchTasks.exe displays a detailed property list for all tasks. I normally then copy everything to the clipboard (Ctrl + A) and put it into a text editor, then delete everything after “Folder: \Microsoft” so that I only have my list of scheduled tasks.

Credit: Technet
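The copy-into-a-text-editor step above can be skipped by having schtasks emit CSV and filtering it in PowerShell, as an added example that is not from the original post. It keeps the same verbose fields as /fo LIST /v but drops every task under the \Microsoft\ folder, so the screen buffer trick is no longer needed. The function name is made up for this example.

```powershell
# Added example, not from the original post: verbose task list without the
# built-in \Microsoft\* tasks, using schtasks /fo CSV /v instead of /fo LIST /v.

function Get-NonMicrosoftTasks {
    param([string]$OutFile)    # optional: also save the filtered list as CSV
    # /fo CSV /v has the same columns as the LIST output ("TaskName", "Last Run Time",
    # "Last Result", "Run As User", "Task To Run", "Schedule Type", ...). With /v the
    # header row is repeated per folder, so rows whose TaskName is literally
    # "TaskName" are dropped too.
    $rows = schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' -and $_.TaskName -notlike '\Microsoft\*' }
    if ($OutFile) { $rows | Export-Csv -Path $OutFile -NoTypeInformation }
    $rows
}

Get-NonMicrosoftTasks |
    Select-Object TaskName, Status, 'Last Run Time', 'Last Result', 'Run As User', 'Schedule Type', 'Task To Run' |
    Format-Table -AutoSize

# Non-zero "Last Result" values are the ones worth a look; 0x41301 means the task is still running.
# Get-NonMicrosoftTasks | Where-Object { $_.'Last Result' -ne '0' } | Format-List TaskName, 'Last Result', 'Task To Run'
```

Because the output is objects rather than text, the same list can be compared between servers or against a known-good export, which is a quick way to spot a task that should not be there.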

Filtering in Event Viewer Windows Server 2008 onwards

Published / by Chris Smith / Leave a Comment

The Event Viewer from Server 2008 onwards is XML based, so filters written in XML syntax can be used, such as:

<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System"> 
                 *[EventData[Data and (Data='<Search Parameter>')]] 
              </Select>
  </Query>
</QueryList>
 
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">
                 *[EventData[Data and (Data='<Search Parameter>')]] 
              </Select>
  </Query>
</QueryList>

You can search for anything which appears in the data section, such as service names, error messages etc. The EventData section of an event (from the XML view in Event Viewer) looks like this:

<EventData>
  <Data Name="param1">Service Display Name</Data>
  <Data Name="param2">Details</Data>
  <Data Name="param3">Details</Data>
  <Data Name="param4">Service Name</Data>
</EventData>

Notes:
MS Technet
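The same filter driven from PowerShell with Get-WinEvent -FilterXml, as an added example that is not from the original post. It builds the QueryList shown above from a log name and a search value, and goes slightly beyond the post by optionally restricting the match to one named Data element (for example param4, the service name in the EventData shown above) using Data[@Name='...']. The function name is made up; the log and value in the usage lines are placeholders.

```powershell
# Added example, not from the original post: runs the XML filter from above via
# Get-WinEvent and returns the matching events with their EventData flattened.

function Find-EventsByData {
    param(
        [Parameter(Mandatory = $true)][string]$LogName,          # e.g. System or Application
        [Parameter(Mandatory = $true)][string]$SearchParameter,  # exact value to look for in a <Data> element
        [string]$DataName,                                       # optional: only match this named element
        [int]$MaxEvents = 50
    )
    # XPath 1.0 string literals cannot contain the quote that delimits them, so a
    # value with a single quote cannot be expressed safely in this query.
    if ($SearchParameter.Contains("'")) { throw "Search value must not contain a single quote" }
    $safe = [System.Security.SecurityElement]::Escape($SearchParameter)   # keeps < > & legal inside the XML

    $test = if ($DataName) { "Data[@Name='$DataName']='$safe'" } else { "Data and (Data='$safe')" }
    $query = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">*[EventData[$test]]</Select>
  </Query>
</QueryList>
"@

    Get-WinEvent -FilterXml ([xml]$query) -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Id       = $_.Id
            Provider = $_.ProviderName
            Data     = ($x.Event.EventData.Data | ForEach-Object { "$($_.Name)=$($_.'#text')" }) -join '; '
        }
    }
}

# Usage (placeholders): same as the System-log filter above, then narrowed to param4.
Find-EventsByData -LogName System -SearchParameter 'Service Name' | Format-Table -AutoSize
Find-EventsByData -LogName System -SearchParameter 'Service Name' -DataName param4 | Format-Table -AutoSize
```

Data='value' is an exact, whole-value comparison; if you need “contains” matching, pull the events with a broader XPath and filter the returned Data strings with Where-Object instead.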