Query on Group policy

Glenn Maxwell 10,551 Reputation points
2024-05-21T13:14:03.46+00:00

Hi All,

I want to capture Scheduled Task Event logs, i.e., when a scheduled task is created, updated, modified, or deleted.

Can I achieve this using the below GPO?

Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Advanced Audit Policy Configuration --> Audit Policies --> Object Access --> Audit Other Object Access Events.

Where can I see the logs after enabling the GPO? In the Event Viewer, I have expanded Application and Services Logs, but I don't see anything related to Task events.

Windows Server 2019
Windows Server 2016
Windows Server
Active Directory
Windows Server Security

Accepted answer
  1. Daisy Zhou 20,461 Reputation points Microsoft Vendor
    2024-05-21T14:10:15.4033333+00:00

    Hello Glenn Maxwell,

    Thank you for posting in the Q&A forum.

    Q: Where can I see the logs after enabling the GPO? In the Event Viewer, I have expanded Application and Services Logs, but I don't see anything related to Task events.

    A: Windows Security logs.

    User's image

    You can see the event ID here.

    User's image

    For example:

    After you enable the GPO above, you can run gpupdate /force on the machine that applies this GPO, and after you create a scheduled task, you can then go to the Security log to find event ID 4698.

    For more information, please refer to the link below.

    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-other-object-access-events

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
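
The check described in the answer, as an added PowerShell example that is not part of the original thread: it confirms the audit subcategory is in effect and lists scheduled-task events from the Security log. Event IDs 4699 to 4702 go beyond the 4698 mentioned above and are the other task events Microsoft documents for this subcategory; the 24-hour look-back window and the English subcategory name are assumptions.

```powershell
# Added example; run in an elevated PowerShell session on the audited machine.

# 1. Confirm the subcategory set by the GPO is in effect (after gpupdate /force).
#    The subcategory name is localized; this is the English name.
auditpol /get /subcategory:"Other Object Access Events"

# 2. Scheduled-task events this subcategory writes to the Security log.
$taskEvents = @{
    4698 = 'Created'
    4699 = 'Deleted'
    4700 = 'Enabled'
    4701 = 'Disabled'
    4702 = 'Updated'
}

# 3. Query the Security log (not Applications and Services Logs).
$filter = @{
    LogName   = 'Security'
    Id        = 4698, 4699, 4700, 4701, 4702
    StartTime = (Get-Date).AddDays(-1)   # assumed look-back window
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the named <Data> fields of the event into a lookup table.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            Action      = $taskEvents[$_.Id]
            TaskName    = $data['TaskName']
            Account     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```

An empty result with auditing shown as enabled usually means no task has been created or changed inside the look-back window; create a test task and run the query again.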
