With Native AD Auditing
With ADAudit Plus
How to view tasks scheduled in the Task Scheduler with ADAudit Plus
To track scheduled tasks, you will have to enable auditing of your Active Directory. (See Step 1 of Native AD Audit tab)
In the ADAudit Plus console, go to 'Reports' tab and navigate to 'Process Tracking' on the left pane. This provides you a list of pre-configured reports on process activity within AD.
You can select the 'Scheduled Task Created' report to see any new tasks that were scheduled.
You can also create custom reports and export these reports in CSV, PDF, XSL, HTML formats.
Step 1: Enable Group Policy Auditing
Logon to your domain controller with administrative privileges and launch the Group Policy Management Console.
In the left pane, expand the 'Forest' and 'Domains' nodes to reveal the specified domain you want to track the changes for.
Expand the domain and right-click 'Default Domain Policy'. You can also choose a domain policy that is universal throughout the domain, or create a new GPO and link it to the Default Domain Policy.
Click on 'Edit' of the desired group policy, to open up the Group Policy Management Editor.
Expand the 'Computer Configuration'--->Policies---->Windows Settings----->Security Settings----->Advanced Policy Configurations----->Audit Policy------>Object Accesses----->Audit Other Object Accesses
Configure the properties for both 'success' and 'failure'. Exit Group Policy Management Editor.
In the GPMC, choose the modified GPO, and click 'Add' in the 'Security' section on the right pane. Type 'everyone' in the text box and click 'Check Names' to include the value. Exit the GPMC.
To enforce these changes throughout the domain, run the command 'gpupdate /force', in the "Run" console.
Step 2: Allow AD Auditing through ADSI Edit
From your 'Server Manager' go to 'Tools' and select 'ADSI Edit'.
Right click 'ADSI Edit' node from the left pane and select 'Connect to' option. This pulls up the 'Connection Settings' window.
Select the 'Default Naming Context' option from the 'Select a well-known Naming Context' drop down list.
Click 'OK' and return to the ADSI Edit window. Expand 'Default Naming Context' and select the associated 'DC' subnode. Right-click this subnode and click 'Properties'.
In the 'Properties' window, go to the 'Security' tab and select 'Advanced'. After that, select 'Auditing' tab and click 'Add'.
Click on ' Select a principal'. This will bring up a 'Select User, Computer or Group' window. Type 'Everyone' in the textbox and verify it with 'Check Names'.
The 'Principal' in the 'Auditing Entry' window now shows 'Everyone'. In the 'Type' drop-down select 'All' to audit for both 'success' and 'failure' events.
In the 'Select' drop-down choose 'This object and all descendant object's. This allows the auditing of the OU's descendant objects. Select 'Full Control' in the 'Permissions' section.
This selects all the checkboxes available. Unselect the following check boxes:
Read all properties
Step 3: View Events in Event Viewer.
You can monitor scheduled tasks by accessing 'Security Logs' in the 'Event Viewer'. You can filter your log to look for the following event.
Event ID: 4698 describes a task that has been scheduled.
Does native auditing become a little too much?
Simplify system event auditing and reporting with ADAudit Plus.Get Your Free Trial Fully functional 30-day trial
Active Directory Auditing just got easier!
ADAudit Plus comes bundled with more than 300 predefined reports that makes your AD auditing easier. The solution also sends real-time alerts for critical events and thereby help you to secure your network from threats and boost your IT security posture. Check out the capabilities of ADAudit Plus here.
Download ADAudit Plus