ScheduledTask resource Credential parameter with Domain\ prefix

[ewhitesides]

I have a job as following, but it reports the state as incorrect because of the credential. It appears I am setting it as 'username' but then the scheduled task is taking that and just setting it as DOMAIN\username, leading to a mismatch. I think I can probably hack it to work somehow, but ideally the scheduledtask resource should probably evaluate DOMAIN\username the same as username.

ScheduledTask 'DRBackup' {
TaskName = 'DRBackup'
TaskPath = '\8203Jobs'
ActionExecutable = 'C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe'
ActionArguments = "-Command $BackupJob_Cmd1 $BackupJob_Cmd2"
ScheduleType = 'Daily'
StartTime = Get-Date '3am'
ExecuteAsCredential = $DomainAdminCred
RunLevel = 'Highest'
DependsOn = '[cPowerShellModuleManagement]EventLogTools','[xEventLog]CustomLog','[cPowerShellModuleManagement]DRBackupTools'
}

Verbose Output from Test
VERBOSE: [NOAA8203-MGMT1]: LCM: [ Start Resource ] [[ScheduledTask]DRBackup]
VERBOSE: [NOAA8203-MGMT1]: LCM: [ Start Test ] [[ScheduledTask]DRBackup]
VERBOSE: [NOAA8203-MGMT1]: [[ScheduledTask]DRBackup] Testing scheduled task 'DRBackup' in '\8203Jobs'.
VERBOSE: [NOAA8203-MGMT1]: [[ScheduledTask]DRBackup] Getting current scheduled task values for task 'DRBackup' in '\8203Jobs'.
VERBOSE: [NOAA8203-MGMT1]: [[ScheduledTask]DRBackup] Task 'DRBackup' found in '\8203Jobs'. Retrieving settings, first action, first trigger and repetition
settings.
VERBOSE: [NOAA8203-MGMT1]: [[ScheduledTask]DRBackup] Detected schedule type 'Daily' for first trigger.
VERBOSE: [NOAA8203-MGMT1]: [[ScheduledTask]DRBackup] Current scheduled task values for task 'DRBackup' in '\8203Jobs' retrieved.
VERBOSE: [NOAA8203-MGMT1]: [[ScheduledTask]DRBackup] Testing DSC parameter state.
VERBOSE: [NOAA8203-MGMT1]: [[ScheduledTask]DRBackup] MATCH: Value (type 'System.String') for property 'StartTime' does match. Current state is
'2019-12-02T03:00:00' and desired state is '2019-12-02T03:00:00'.
VERBOSE: [NOAA8203-MGMT1]: [[ScheduledTask]DRBackup] MATCH: Value (type 'System.String') for property 'ActionExecutable' does match. Current state is
'C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe' and desired state is 'C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe'.
VERBOSE: [NOAA8203-MGMT1]: [[ScheduledTask]DRBackup] MATCH: Value (type 'System.String') for property 'ActionArguments' does match. Current state is '-Command
Start-DRBackup -DPMProtectionGroupName DisasterRecovery -Destination \noaa8203-ds1817\DRBackup -Verbose *>&1 | % {$i++;Write-StreamToEventLog -ID $i -Stream $_ -Logname Application
-Source DRBackupTools}' and desired state is '-Command Start-DRBackup -DPMProtectionGroupName DisasterRecovery -Destination \noaa8203-ds1817\DRBackup -Verbose *>&1 | %
{$i++;Write-StreamToEventLog -ID $i -Stream $_ -Logname Application -Source DRBackupTools}'.
VERBOSE: [NOAA8203-MGMT1]: [[ScheduledTask]DRBackup] NOTMATCH: Value (type 'System.String') for property 'ExecuteAsCredential' does not match. Current state is
'NOAA8203\powershelljobs_svc' and desired state is 'powershelljobs_svc'.
VERBOSE: [NOAA8203-MGMT1]: [[ScheduledTask]DRBackup] MATCH: Value (type 'System.String') for property 'TaskPath' does match. Current state is '\8203Jobs' and
desired state is '\8203Jobs'.
VERBOSE: [NOAA8203-MGMT1]: [[ScheduledTask]DRBackup] MATCH: Value (type 'System.String') for property 'ScheduleType' does match. Current state is 'Daily' and
desired state is 'Daily'.
VERBOSE: [NOAA8203-MGMT1]: [[ScheduledTask]DRBackup] MATCH: Value (type 'System.String') for property 'TaskName' does match. Current state is 'DRBackup' and
desired state is 'DRBackup'.
VERBOSE: [NOAA8203-MGMT1]: [[ScheduledTask]DRBackup] MATCH: Value (type 'System.String') for property 'RunLevel' does match. Current state is 'Highest' and
desired state is 'Highest'.
VERBOSE: [NOAA8203-MGMT1]: [[ScheduledTask]DRBackup] Test-DscParameter result is 'False'.
VERBOSE: [NOAA8203-MGMT1]: LCM: [ End Test ] [[ScheduledTask]DRBackup] False in 0.5940 seconds.

Details of the scenario you tried and the problem that is occurring

Verbose logs showing the problem

Suggested solution to the issue

The DSC configuration that is used to reproduce the issue (as detailed as possible)

# insert configuration here

The operating system the target node is running

Version and build of PowerShell the target node is running

Version of the DSC module that was used ('dev' if using current dev branch)

[ewhitesides]

I flipped it around, I provided 'DOMAIN\username' and now the state is reporting as false, indicating it is looking for just 'username'.

VERBOSE: [NOAA8203-HV3]: [[ScheduledTask]SnapshotCleanup] NOTMATCH: Value (type 'System.String') for property 'ExecuteAsCredential' does not match. Current state is 'powershelljobs_svc' and desired state is 'NOAA8203\powershelljobs_svc'.

[ewhitesides]

I think I may have solved this - solution was to run OS updates. perhaps something was changed in Task Scheduler, but now the username is lining up when I specify it as DOMAIN\username. will continue to monitor this.

[ewhitesides]

now seeing the following

It looks like even though I set SynchronizeAcrossTimeZone to be $true, it changes to $false. Then it modifies StartTime, which then tests incorrectly.

ScheduledTask "MarineForecastDownload_pm" {
TaskName = "MarineForecastDownload_pm"
TaskPath = '\8203Jobs'
ActionExecutable = 'C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe'
ActionArguments = "-Command $MarineForecast_Cmd1 $MarineForecast_Cmd2"
ScheduleType = 'Daily'
StartTime = $StartTime
SynchronizeAcrossTimeZone = $true
ExecuteAsCredential = $DomainAdminCred
RunLevel = 'Highest'
DependsOn = '[cPowerShellModuleManagement]EventLogTools','[xEventLog]CustomLog','[cPowerShellModuleManagement]DownloadTools'
}

VERBOSE: [NOAA8203-APPPR1]: [[ScheduledTask]MarineForecastDownload_pm] Testing DSC parameter state.
VERBOSE: [NOAA8203-APPPR1]: [[ScheduledTask]MarineForecastDownload_pm] NOTMATCH: Value (type 'System.String') for property 'StartTime' does not match. Current
state is '2019-12-04T07:15:00' and desired state is '2019-12-04T07:15:00-05:00'.
VERBOSE: [NOAA8203-APPPR1]: [[ScheduledTask]MarineForecastDownload_pm] MATCH: Value (type 'System.String') for property 'ActionExecutable' does match. Current
state is 'C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe' and desired state is 'C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe'.
VERBOSE: [NOAA8203-APPPR1]: [[ScheduledTask]MarineForecastDownload_pm] MATCH: Value (type 'System.String') for property 'ActionArguments' does match. Current
state is '-Command Start-DownloadTools -Product MarineForecast -Verbose *>&1 | % {$i++;Write-StreamToEventLog -Stream $_ -ID $i -LogName Application -Source DownloadTools}' and desired
state is '-Command Start-DownloadTools -Product MarineForecast -Verbose *>&1 | % {$i++;Write-StreamToEventLog -Stream $_ -ID $i -LogName Application -Source DownloadTools}'.
VERBOSE: [NOAA8203-APPPR1]: [[ScheduledTask]MarineForecastDownload_pm] MATCH: Value (type 'System.String') for property 'ExecuteAsCredential' does match. Current
state is 'NOAA8203\powershelljobs_svc' and desired state is 'NOAA8203\powershelljobs_svc'.
VERBOSE: [NOAA8203-APPPR1]: [[ScheduledTask]MarineForecastDownload_pm] MATCH: Value (type 'System.String') for property 'TaskPath' does match. Current state is
'\8203Jobs' and desired state is '\8203Jobs'.
VERBOSE: [NOAA8203-APPPR1]: [[ScheduledTask]MarineForecastDownload_pm] NOTMATCH: Value (type 'System.Boolean') for property 'SynchronizeAcrossTimeZone' does not
match. Current state is 'False' and desired state is 'True'.
VERBOSE: [NOAA8203-APPPR1]: [[ScheduledTask]MarineForecastDownload_pm] MATCH: Value (type 'System.String') for property 'ScheduleType' does match. Current state
is 'Daily' and desired state is 'Daily'.
VERBOSE: [NOAA8203-APPPR1]: [[ScheduledTask]MarineForecastDownload_pm] MATCH: Value (type 'System.String') for property 'TaskName' does match. Current state is
'MarineForecastDownload_pm' and desired state is 'MarineForecastDownload_pm'.
VERBOSE: [NOAA8203-APPPR1]: [[ScheduledTask]MarineForecastDownload_pm] MATCH: Value (type 'System.String') for property 'RunLevel' does match. Current state is
'Highest' and desired state is 'Highest'.
VERBOSE: [NOAA8203-APPPR1]: [[ScheduledTask]MarineForecastDownload_pm] Test-DscParameter result is 'False'.
VERBOSE: [NOAA8203-APPPR1]: LCM: [ End Test ] [[ScheduledTask]MarineForecastDownload_pm] False in 0.5310 seconds.

[ewhitesides]

i solved this by removing SynchronizeAcrossTimeZone = $true

i remember from previous experience that ScheduledTasks by default have the 'Sync across timezone' checkbox checked by default.

Powershell jobs, do not sync across timezones by default.

[danielboth]

I think I may have solved this - solution was to run OS updates. perhaps something was changed in Task Scheduler, but now the username is lining up when I specify it as DOMAIN\username. will continue to monitor this.

Just to share here as well, I also noticed a difference between scheduledtask behaviour on W2016 after recent updates (I think November 2019). On W2016 before November 2019 UserId would be returned as 'USER' after updates, it is returned as 'DOMAIN\User'.

I was unable to find any references in Microsoft changelogs to this bugfix (what I believe it is, as on W2012 it always returned the proper 'DOMAIN\User'), so if anyone has any reference / contact at Microsoft who can confirm this fix, that would be great!

In time, we might want to remove this workaround:

ComputerManagementDsc/DSCResources/MSFT_ScheduledTask/MSFT_ScheduledTask.psm1

Line 1443 in f709d86

There is a difference in W2012R2 and W2016 behaviour,

[PlagueHO]

I've not been able to track this down, but there are many strange behaviors around how UserIds are stored in the Task Scheduler principal object that is returned.

For example, setting the ExecuteAsCredential to 'BUILTIN\Users' (through code or the UI) and it will always return 'Users' in the principal. This occurs in the UI too. However, setting 'DOMAIN\Users' returns the correct value.

I'm not going to try and spend too much time picking this behavior apart because unfortunately ScheduledTask behaves differently in every OS. Instead I'm going to add some information to the Known Issues section with some guidance.