Identifying scheduled tasks running as alternate users
There may be instances where you need to identify scheduled tasks that are running with non-default credentials. If a user leverages their identity to run a scheduled task, or you are leveraging a service account, you will need to identify its usage on a system. The objects returned by the Get-ScheduledTask cmdlet have the Principal property, which contains information about the user account running the scheduled task. The UserId reflects the username of the account that is designated to run the scheduled task.
In addition to identifying the Principal UserId, you will need to filter out built-in Windows accounts. To do this, you can create a switch statement that evaluates the Principal UserId against multiple values. If the username is NETWORK SERVICE, LOCAL SERVICE, $null, or System, you can skip reporting the username. If it doesn't match any of those values, the switch uses its default case and reports the user to a list. Since multiple scheduled...
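The filtering described above can be written as a pipeline function. This is an added example, not code from the original text; the function name Get-AlternateUserTask and the sample tasks and account names are constructed for illustration.

```powershell
function Get-AlternateUserTask {
    [CmdletBinding()]
    param(
        # Task objects shaped like Get-ScheduledTask output.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Task
    )
    process {
        # Cast to [string] so a $null UserId (for example a task whose
        # principal is a group) becomes '' and is still evaluated.
        # switch compares case-insensitively, so 'System' matches 'SYSTEM'.
        switch ([string]$Task.Principal.UserId) {
            'NETWORK SERVICE' { break }
            'LOCAL SERVICE'   { break }
            'SYSTEM'          { break }
            ''                { break }
            default {
                # Anything else is a non-built-in account: report it.
                [pscustomobject]@{
                    UserId   = $_
                    TaskPath = $Task.TaskPath
                    TaskName = $Task.TaskName
                }
            }
        }
    }
}

# Constructed sample input so the function can be exercised anywhere.
$sample = foreach ($row in @(
        @('\',           'NightlyBackup', 'CONTOSO\svc-backup'),
        @('\Microsoft\', 'TimeSync',      'LOCAL SERVICE'),
        @('\Microsoft\', 'Defrag',        'SYSTEM'),
        @('\',           'UserLogonApp',  $null),
        @('\Reports\',   'ExportSales',   'CONTOSO\jsmith'),
        @('\Reports\',   'ExportHR',      'CONTOSO\svc-backup'))) {
    [pscustomobject]@{
        TaskPath  = $row[0]
        TaskName  = $row[1]
        Principal = [pscustomobject]@{ UserId = $row[2] }
    }
}

$sample | Get-AlternateUserTask | Sort-Object UserId, TaskName

# On a live Windows system, pipe the real tasks instead:
# Get-ScheduledTask | Get-AlternateUserTask | Sort-Object UserId, TaskName
```

With the sample data, only the three tasks running as CONTOSO\jsmith and CONTOSO\svc-backup are reported; the same account appearing on more than one task is a cue to review where that credential is stored and used.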