Event-based Triggered tasks

Benno Zelders — Thu, 16 Jul 2009 15:58:57 +0000

A while ago Otto Helweg wrote how to use the Task Scheduler shipped with Vista and Windows Server 2008 to create triggers based on certain events logged in the eventlogs. This post explains how to use event specific data in a triggered action to automate almost everything you can think of.

For example:

In company X, a drive mapping to a certain UNC share is based upon Group Membership.

There are 2 Groups that map the letter P. If the user is member of the Group Sales, he gets the mapping \\server1\sales. If the user is member of the Group Reception, he gets the mapping \\server1\reception.

What happens if the user is member of these 2 groups? Well that depends on the scripting capabilities of the IT department (or the way Group Policy Preferences is used).

I can tell you that something is not right…

What would you do?

At the moment, you depend on the user to report this so an administrator can remove the user from the other group.

My suggestion would be to automatically let the user be removed from the other group! (user is added to sales -> remove user from reception and vice versa).

This is all possible by using the task scheduler! I’ll try to explain how you can accomplish this in 6 steps.

1: Create the Task

Open the Event viewer on the Windows 2008 Domain Controller, and look for the event “4732″. (this is the event generated when a user is added to a domain local group).
This event can be found in the Security container. Right click the event and select “Attach Task To This Event…”

You are prompted to fill in a wizard. The only part of the wizard that requires some kind of input is the “Action” part. It doesn’t really matter what you do here, because we will change it later.

After the wizard is complete, open the task scheduler (start, type in task and press enter).
You can see the following is added:

2: Export the Task

From within Task Scheduler, export the task (as an XML file).

3: Modify the Task so it only reacts on specific 4732 events.

Currently the trigger is activated with every “Local Group membership change”.
We don’t need that!!! To fix this, we need to edit the exported XML with notepad and change the following text:

      true

      <QueryList><Query Id=”0″ Path=”Security”><Select Path=”Security”>*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4732]]</Select></Query></QueryList>

to:

      true

      <QueryList><Query Id=”0″ Path=”Security”><Select Path=”Security”>*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4732]] and *[EventData[Data[@Name="TargetUserName"]=”SALES”]]</Select></Query></QueryList>

By adding this line, the scheduled task is only responding to event 4732 if the value TargetUserName equals SALES (in this case this is the Local Security Group Name).

*[EventData[Data[@Name="TargetUserName"]=”SALES”]]

For example: If you would like to filter on certain users, you can use “MemberName” instead of “TargetUserName”).

If you look at the XML view of an event, you will see how the filter works (open an event -> details -> XML view).

4: Modify the Task so we can use certain data from the event

Now we can add some lines to use the data from the event to pass along to the action we will configure later. First we have to determine which information we want to use.
This is the Event in XML view (for me the only interesting part is the EventData section):

                CN=Benno Zelders,DC=TEST,DC=lan

                S-1-5-21-4012033790-4084158397-284283626-1332

                SALES

                TEST

                S-1-5-21-4012033790-4084158397-284283626-1333

                S-1-5-21-4012033790-4084158397-284283626-1206

                administrator

                TEST

                0×55193

                -

I personally find it very useful to use , because it shows which user is added to the group. To allow the eventdata parameter to pass along to the action, we need to add the following lines to the XML just before the line:

Event/EventData/Data[@Name='MemberName']

The end result of the part of the XML is:

true

<QueryList><Query Id=”0″ Path=”Security”><Select Path=”Security”>*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4732]] and *[EventData[Data[@Name="TargetUserName"]=”SALES”]]</Select></Query></QueryList>

Event/EventData/Data[@Name='MemberName']

Now we can use the $(MemberName) variable in an action!.

5: Import the “Modified XML” in task scheduler

First we have to delete the original task from the task scheduler.

After this is done, we can import the modified XML by right clicking folder “Event Viewer Tasks” and select “Import Task”

6: Create the action using the variable

First remove the action created in the wizard (open the task, go to “Actions” and remove the existing action. Now we can create the action to automatically remove the user from the “RECEPTION” group after he is added to the “SALES” group. (Click New and select “Start a program”). This can be accomplished running a command by using the Active Directory extensions for powershell from QUEST (to automatically load the Quest snap-in, see this page).

Program/script: Powershell.exe
Add arguments: -command Remove-QADGroupMember –identity RECEPTION –member ‘$(MemberName)’

And click ok twice.

Now the user is automatically removed from the group RECEPTION after it is added to the SALES group. (if it doesn’t work, check the “Run with highest privileges” option in the tab “General”. UAC can block this action).

Of course this can be fine-tuned, but you get the idea right? Now it is possible to create all sort of tasks that use data passed through from an event!

Regards,
Benno Zelders

Innovative Technology Weblog » Windows 2008

Event-based Triggered tasks