Get-WmiObject returns nothing in a PowerShell script running as scheduled task
This isn't a question, it's more of an answer. But after coming across whatever happened in
https://social.technet.microsoft.com/Forums/Windows/en-US/51ba12ae-fe5e-4664-b7e9-c48c819979c5/getwmiobject-returns-nothing-in-a-powershell-script-running-as-scheduled-task?forum=Offtopic
(top Google result) I wanted to just chuck this on the forum.
I was running a PowerShell script via Windows Task Scheduler that was doing this:
$services = Get-WmiObject win32_service
The goal of this was to pop the array into a file after filtering out some services and making some changes to what's returned.
I created a domain service account domain\account and was running a scheduled PowerShell task invoking the relevant script, however
$services | Out-File -Filepath 'E:\Monitoring\Svc_Accounts\Services.txt'
was returning an entirely blank .txt file.
Running ISE as the service account and then running the script was producing results in the file, leading to a bit of confusion.
I resolved this issue by assigning a local server user account to the automated task instead of the domain account.
Turns out Get-WmiObject doesn't play nice in an automated task being run by a domain user.
Hope this helps!
2 answers
Elamari 1 Reputation point
2022-03-02T14:40:06.083+00:00
MotoX80 32,911 Reputation points
2022-03-03T14:21:31.17+00:00
Try checking "Run with highest privileges" on the task.
I would have expected a local account, and domain account, who are both members of the Administrators group to produce the same results. Unfortunately, I no longer have access to a domain to test with.
This script will display service control manager permissions.
$MySDDL = (sc.exe sdshow scmanager)
$NewAcl = New-Object System.Security.AccessControl.DirectorySecurity
$NewAcl.SetSecurityDescriptorSddlForm($MySDDL)
$NewAcl.Access # show who has access
When you log on with any account you are "Interactive" which has the required permissions. Without "Run with highest privileges" you don't get Administrator access and instead the account is an "Authenticated User" which only has ReadData. That is not sufficient to enumerate the services.
I don't know what's different with the local account.
FileSystemRights  : ReadData, AppendData, WriteExtendedAttributes, ReadPermissions
AccessControlType : Allow
IdentityReference : NT AUTHORITY\INTERACTIVE
IsInherited       : False
InheritanceFlags  : None
PropagationFlags  : None

FileSystemRights  : ReadData
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited       : False
InheritanceFlags  : None
PropagationFlags  : None

FileSystemRights  : ReadData, CreateFiles, AppendData, ReadExtendedAttributes, WriteExtendedAttributes, ExecuteFile, Delete, ReadPermissions, ChangePermissions, TakeOwnership
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
IsInherited       : False
InheritanceFlags  : None
PropagationFlags  : None
If you don't want to run the task with "Run with highest privileges", then you can use my script in this post to grant access to another group that you can add the domain account to.
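Added example, not written by either poster: a check to run as the scheduled task's action that shows which service control manager rights the task's token actually receives, with the access masks decoded under their SCM names instead of the FileSystemRights labels that DirectorySecurity prints. The function name Get-ScmTokenAccess and the output path are assumptions of this example.

```powershell
# Added diagnostic, not from the thread. Run it as the scheduled task's action.
# SCM access-right bits from winsvc.h. The FileSystemRights names in the output
# above are these same bits under file-system labels (ReadData=0x1, AppendData=0x4).
$ScmRights = [ordered]@{
    SC_MANAGER_CONNECT            = 0x0001
    SC_MANAGER_CREATE_SERVICE     = 0x0002
    SC_MANAGER_ENUMERATE_SERVICE  = 0x0004
    SC_MANAGER_LOCK               = 0x0008
    SC_MANAGER_QUERY_LOCK_STATUS  = 0x0010
    SC_MANAGER_MODIFY_BOOT_CONFIG = 0x0020
}

function Get-ScmTokenAccess {   # hypothetical helper name
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    # Groups leaves out deny-only groups, so a filtered (non-elevated) token
    # does not list BUILTIN\Administrators even for an administrator account.
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    # sc.exe prints a blank line before the SDDL string; drop empty lines.
    $sddl = (sc.exe sdshow scmanager | Where-Object { $_ }) -join ''
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)

    $allow = 0; $deny = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($sids -notcontains $ace.SecurityIdentifier.Value) { continue }
        if ($ace.AceType -eq 'AccessAllowed') { $allow = $allow -bor $ace.AccessMask }
        if ($ace.AceType -eq 'AccessDenied')  { $deny  = $deny  -bor $ace.AccessMask }
    }
    # Simplification: deny wins regardless of ACE order; generic bits are not mapped.
    $granted = $allow -band (-bnot $deny)

    [pscustomobject]@{
        User         = $id.Name
        IsAdminRole  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        GrantedMask  = '0x{0:X}' -f $granted
        GrantedNames = @($ScmRights.Keys | Where-Object { $granted -band $ScmRights[$_] })
        CanEnumerate = [bool]($granted -band $ScmRights.SC_MANAGER_ENUMERATE_SERVICE)
    }
}

# Assumed output location; a scheduled task has no console to read.
Get-ScmTokenAccess | Format-List | Out-File "$env:TEMP\scm-token-access.txt"
```

Comparing the file from a run with and without "Run with highest privileges" shows whether the token is matching only the Authenticated Users entry (SC_MANAGER_CONNECT) or also an entry that carries SC_MANAGER_ENUMERATE_SERVICE.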