Scheduled Tasks of Doom

In an SME where you may have fewer than a dozen servers, scheduling tasks to run as the local administrator is probably not a big deal, as you either don’t often change your Administrator password, or there is a small enough number of servers that you can update the scheduled tasks rather easily.

However, in an environment of dozens to hundreds to thousands of servers, many of which you are not considered the “gatekeeper” to, it’s quite easy for undocumented scheduled tasks to start appearing and to be scheduled to run as the local admin. They will work great – until someone updates the local administrator password.

Where I work there are at least 4 passwords for the local administrator account. I am currently working on making it only 1. Given the number of mission-critical production machines this will affect, I need to work out what I will break. One of the first things I thought of was scheduled tasks.

I needed a script to work out what scheduled tasks I would break, so I wrote one.

Here is a script that will iterate through all the servers in an Active Directory OU and report on which ones have scheduled tasks running as the local administrator.

  • Pre-Requisite: Quest AD Management Tools must be installed. They are free and downloadable.
  • Administrator Rights: You must have administrator access to the machines you plan on running this script against.

As always, my script is provided as is, with no support or guarantees over the usage of the script. Common sense needs to be applied.

The script will query AD for the list of servers specified. Given my environment, I do subtree searches, though if your environment requires it, you may need to change this to a single-level search. The script will then iterate through each server on the list, running schtasks.exe and testing its output to see if any of the “Run As User” fields match “*Administrator”. The results are then reported to a file.

The script will indicate progress by outputting to the PowerShell console which host it is currently querying and whether there are no scheduled tasks on that server.

You may wish to adapt this script as required for your environment 🙂
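
One way to implement the audit described above, as an added example that is not the author's script. The OU path and report file name are placeholders, and the column names assume an English-language Windows where `schtasks.exe /v` emits "TaskName", "Run As User" and "Task To Run".

```powershell
# Added example: list scheduled tasks whose "Run As User" matches *Administrator
# on every server in an OU. Requires the Quest AD Management snap-in and
# administrator rights on the target machines, as stated in the post.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$SearchRoot = 'example.local/Servers'        # placeholder OU (assumption)
$ReportPath = '.\AdminScheduledTasks.csv'    # placeholder report file (assumption)

# Subtree search as in the post; use 'OneLevel' for a single-level search.
$servers = Get-QADComputer -SearchRoot $SearchRoot -SearchScope Subtree -SizeLimit 0

$findings = foreach ($server in $servers) {
    $name = $server.Name
    Write-Host "Querying $name"

    # /v adds the "Run As User" column, /fo csv makes the output parseable.
    $raw = schtasks.exe /query /s $name /fo csv /v 2>$null
    if ($LASTEXITCODE -ne 0) {
        Write-Host "  Could not query $name (unreachable or access denied)"
        continue
    }

    # Newer Windows versions repeat the CSV header once per task folder;
    # drop those repeated header rows after parsing.
    $tasks = $raw | ConvertFrom-Csv | Where-Object { $_.TaskName -ne 'TaskName' }
    if (-not $tasks) {
        Write-Host "  No scheduled tasks on $name"
        continue
    }

    # A task with several triggers appears once per trigger, so de-duplicate
    # on TaskName after filtering on the run-as account.
    $tasks |
        Where-Object { $_.'Run As User' -like '*Administrator' } |
        Sort-Object TaskName -Unique |
        Select-Object @{ Name = 'Server'; Expression = { $name } },
                      TaskName, 'Run As User', 'Task To Run'
}

if ($findings) {
    $findings | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host "Report written to $ReportPath"
} else {
    Write-Host 'No scheduled tasks running as *Administrator were found.'
}
```

The `*Administrator` pattern also matches a domain account named Administrator, so check the prefix in the "Run As User" column of the report before assuming a task depends on the local account's password.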