Variable text is blank in emails when using Scheduled Task to email event log notifications

I am trying to use PowerShell to email a notification when a user account gets locked.  I am running the script from a Server 2008 domain controller.

I have tried multiple scripts and I have the same issue every time.  The script works fine when I run it directly from the powershell command line window.

However, whenever I try running the exact same scripts from an event-triggered scheduled task, the script runs, however any content that is generated from a variable is not added to the email.  It is just left blank and ignored.

I have tried adding lots of permissions, including domain administrator group membership, to the account it runs the task from, and it doesn't include all the expected text unless I run it from the built-in domain administrator account.

The task runs and the email is sent, but the email is missing all the content generated by variables.

How can this be fixed?

Here is an example script.

# Get the most recent account lockout event (ID 4740) from the Security log
$AccountLockOutEvent = Get-EventLog -LogName "Security" -InstanceID 4740 -Newest 1
# ReplacementStrings[0] holds the name of the locked-out account
$LockedAccount = $($AccountLockOutEvent.ReplacementStrings[0])
$AccountLockOutEventTime = $AccountLockOutEvent.TimeGenerated
$AccountLockOutEventMessage = $AccountLockOutEvent.Message
# Parameters splatted into Send-MailMessage below
$messageParameters = @{
    Subject = "Account Locked Out: $LockedAccount"
    Body = "Account $LockedAccount was locked out on $AccountLockOutEventTime.`n`nEvent Details:`n`n$AccountLockOutEventMessage"
    From = "lockout@domain.com"
    To = "user1@domain.local"
    SmtpServer = "exch2010.domain.local"
}

Send-MailMessage @messageParameters

------------------------------------------------------------------------------------


Here is an example of task settings.

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2015-03-25T21:40:28.8095226</Date>
    <Author>DOMAIN\administrator</Author>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4740]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>DOMAIN\WilliamsD</UserId>
      <LogonType>Password</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-nologo -File "C:\powershell\l2.ps1"</Arguments>
    </Exec>
  </Actions>
</Task>




March 27th, 2015 2:32am

I'm assuming that by content generated by variables you mean this particular line and everything that's derived from this variable later on:

$AccountLockOutEvent = Get-EventLog -LogName "Security" -InstanceID 4740 -Newest 1

Have you tried determining whether that variable has anything when the script runs?

Does the user have enough rights to read the event log?

Could a firewall be blocking it (are you running the script on a remote computer)?

Fausto

March 27th, 2015 2:47am
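
Added example, not part of the original thread or written by either poster: a diagnostic script that answers the two questions in the reply above (is the variable populated, and can the task's account read the Security log) when run as the scheduled task's action in place of the mail script. The log path `C:\powershell\lockout-diag.log` and the helper `Write-Diag` are assumptions made for this example.

```powershell
# Added diagnostic example (not from the thread).
# Assumption: hypothetical log path, must be writable by the task's account.
$log = 'C:\powershell\lockout-diag.log'

function Write-Diag([string]$Text) {
    # Timestamped line appended to the diagnostic log
    Add-Content -Path $log -Value ("{0:s}  {1}" -f (Get-Date), $Text)
}

# 1. Record which identity the task really runs as, and whether its token
#    carries an enabled Administrators group (i.e. is elevated).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Diag "User=$($identity.Name) Elevated=$elevated"

# 2. Try to read the lockout event. -ErrorAction Stop turns a non-terminating
#    error (which otherwise leaves the variable empty and the e-mail fields
#    blank) into an exception that is written to the log.
try {
    $lockoutEvent = Get-EventLog -LogName 'Security' -InstanceId 4740 -Newest 1 -ErrorAction Stop
}
catch {
    $type = $_.Exception.GetType().FullName
    Write-Diag "Get-EventLog failed: ${type}: $($_.Exception.Message)"
    exit 1
}

# 3. Guard against an empty result before any property is used in a message.
if ($null -eq $lockoutEvent) {
    Write-Diag 'Get-EventLog returned nothing for event ID 4740.'
    exit 2
}

$account = $lockoutEvent.ReplacementStrings[0]
$time    = $lockoutEvent.TimeGenerated
$length  = $lockoutEvent.Message.Length
Write-Diag ("Event read: Account={0} Time={1:s} MessageLength={2}" -f $account, $time, $length)
exit 0
```

An `Elevated=False` line for an account that belongs to an administrators group points at the `<RunLevel>LeastPrivilege</RunLevel>` setting in the task XML above, which runs the action with the filtered (non-elevated) token.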

By variable text I mean everything that it generates by using a variable such as the user's name ($LockedAccount) and everything else such as $AccountLockOutEventTime and everything else that is generated from a variable.

Nothing like that appears in the email, only hard-coded text.

I am not running it remotely.  I am logged directly onto the domain controller and I tried giving the account more and more permissions including domain administrator group membership with the same result.

When I run the exact same script on the same domain controller locally via the powershell CLI all of the info appears.

This is the info when the email is generated by running the script directly from the powershell CLI:

================================================


Account BondJ was locked out on 03/26/2015 20:42:18.

Event Details:

A user account was locked out.

Subject:

                Security ID:                         S-1-5-18

                Account Name:                 DC1$

                Account Domain:                             DOMAIN

                Logon ID:                             0x3e7

Account That Was Locked Out:

                Security ID:                         S-1-5-21-3440879815-2193117124-1719501250-1154

                Account Name:                 BondJ

Additional Information:

                Caller Computer Name:                DC1

===================================================


This is the contents of the email when the same script runs via scheduled task trigger using any account I try other than the built-in domain Administrator account.

Account  was locked out on .

Event Details:

===================================================

Just a blank email body with the info above.

March 27th, 2015 3:05am
