How to Monitor Remote Scheduled Tasks

When monitoring remote Windows Scheduled Tasks with Nodinite, you may encounter permission issues, connectivity problems, or enumeration failures. This guide provides comprehensive troubleshooting steps to resolve common issues.

Note

Local vs Remote Monitoring: When the Nodinite Windows Server Monitoring Agent is installed on the same server as the scheduled tasks, no additional configuration is required. This guide applies only when monitoring remote Windows Servers.

Quick Checklist

Before diving into detailed troubleshooting, verify these essential requirements:

# Requirement Status
1 Service account has Administrator rights on remote server
2 Remote Registry service is running on remote server
3 Firewall rules allow "Remote Scheduled Task Management"
4 File and Printer Sharing is enabled on remote server
5 Task Scheduler service is running on remote server
6 RPC/EPMAP ports are open between agent and remote server
7 Remote Event Log Management enabled (required for viewing task history)

Common Error Messages

Error: "0 tasks and 0 subfolders" (HRESULT: 0x80070032)

Error message:

Remote Task Scheduler on 'ServerName' returned 0 tasks and 0 subfolders.
HRESULT: 0x80070032
This indicates a folder enumeration permission issue.

What this means: The connection succeeded (RPC endpoint responded), but the service account cannot enumerate the task folder tree. This is typically a permissions issue, not a connectivity problem.

Resolution: Follow steps in Service Account Permissions and Folder Enumeration Permissions.

Error: "Access Denied" (HRESULT: 0x80070005)

Error message:

Access is denied.
HRESULT: 0x80070005

What this means: The service account lacks sufficient privileges to access the remote Task Scheduler service.

Resolution: Follow steps in Service Account Permissions.

Error: "The RPC server is unavailable" (HRESULT: 0x800706BA)

Error message:

The RPC server is unavailable.
HRESULT: 0x800706BA

What this means: Network connectivity issue or firewall blocking RPC communication.

Resolution: Follow steps in Firewall Configuration and RPC Connectivity.


Service Account Permissions

The Nodinite Windows Server Monitoring Agent service account must have Administrator rights on every remote server being monitored.

Verify Administrator Membership

On the remote server, confirm the service account is in the local Administrators group:

  1. Open Computer Management (compmgmt.msc)
  2. Navigate to System Tools → Local Users and Groups → Groups
  3. Double-click Administrators
  4. Verify the Nodinite service account is listed (e.g., DOMAIN\NodiniteAgent)

Administrators Group Example: Service account in local Administrators group.

Using PowerShell:

# Check if account is in Administrators group on remote server
Invoke-Command -ComputerName RemoteServerName -ScriptBlock {
    Get-LocalGroupMember -Group "Administrators" | Where-Object { $_.Name -like "*NodiniteAgent*" }
}

UAC Remote Token Filtering (Domain Controllers)

On domain controllers, UAC may filter administrative tokens for remote connections. If your service account is a domain admin but still gets "Access Denied":

Option 1: Use Domain Admin Account (Recommended)

Ensure the service account is a member of Domain Admins or Enterprise Admins when targeting domain controllers.

Warning

Disabling UAC filtering reduces security. Only use this if you cannot use a Domain Admin account.

Option 2: To disable UAC remote token filtering, set the following registry value on the remote server:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Name: LocalAccountTokenFilterPolicy
Type: DWORD
Value: 1

After changing the registry value, restart the server.


Remote Registry Service

The RemoteRegistry service must be running on the remote server for Task Scheduler enumeration.

Check and Start Remote Registry Service

On the remote server:

  1. Open Services (services.msc)
  2. Locate Remote Registry
  3. Verify Status is "Running"
  4. Set Startup type to Automatic (or Manual)

Remote Registry Service Example: Remote Registry service running.

Using PowerShell:

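# Check service status on remote server
# (-ComputerName on Get-Service/Set-Service requires Windows PowerShell 5.1; it was removed in PowerShell 6+)
Get-Service -Name RemoteRegistry -ComputerName RemoteServerName

# Set to Automatic startup (a disabled service cannot be started)
Set-Service -Name RemoteRegistry -ComputerName RemoteServerName -StartupType Automatic

# Start the service if stopped
# (Start-Service has no -ComputerName parameter, so use Set-Service -Status instead)
Set-Service -Name RemoteRegistry -ComputerName RemoteServerName -Status Running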

Note

The RemoteRegistry service is required for certain remote management APIs, including Task Scheduler enumeration via COM/WMI.


Firewall Configuration

Windows Firewall must allow Remote Scheduled Task Management and related RPC traffic.

Enable Required Firewall Rules

On the remote server, enable these inbound firewall rules:

  1. Open Windows Defender Firewall with Advanced Security (wf.msc)
  2. Click Inbound Rules
  3. Enable the following rules (if disabled):
    • Remote Scheduled Tasks Management (RPC)
    • Remote Scheduled Tasks Management (RPC-EPMAP)
    • File and Printer Sharing (SMB-In) (if needed for file shares)

Firewall Rules Example: Required firewall rules enabled.

Using PowerShell:

# Enable Remote Scheduled Tasks Management rules
Enable-NetFirewallRule -DisplayGroup "Remote Scheduled Tasks Management"

# Verify rules are enabled
Get-NetFirewallRule -DisplayGroup "Remote Scheduled Tasks Management" | 
    Select-Object DisplayName, Enabled, Direction

Expected output:

DisplayName                                    Enabled Direction
-----------                                    ------- ---------
Remote Scheduled Tasks Management (RPC)        True    Inbound
Remote Scheduled Tasks Management (RPC-EPMAP)  True    Inbound

Viewing Scheduled Task History

To view the history of scheduled tasks on remote servers (via the View History action), you must also enable Remote Event Log Management firewall rules:

On the remote server:

# Enable Remote Event Log Management firewall rules
Enable-NetFirewallRule -DisplayGroup "Remote Event Log Management"

# Verify rules are enabled
Get-NetFirewallRule -DisplayGroup "Remote Event Log Management" | 
    Select-Object DisplayName, Enabled, Direction

Expected output:

DisplayName                                    Enabled Direction
-----------                                    ------- ---------
Remote Event Log Management (NP-In)            True    Inbound
Remote Event Log Management (RPC)              True    Inbound
Remote Event Log Management (RPC-EPMAP)        True    Inbound

Note

History vs Monitoring: Remote Event Log Management rules are only required for viewing task execution history. Basic scheduled task monitoring (current state, enable/disable, run) does not require these rules.

Corporate Firewall Considerations

If remote servers are in different network segments or behind corporate firewalls:

  • RPC Endpoint Mapper (EPMAP): TCP port 135 must be open
  • RPC Dynamic Ports: TCP ports 49152-65535 (Windows Server 2008+) or 1024-5000 (older OS)
  • File and Printer Sharing: TCP port 445 (SMB) may be required

Consult your network team to ensure these ports are allowed between the Nodinite agent server and remote servers.
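The built-in rule groups enabled above accept connections from any source address unless one is set on them. The following added example (not part of the Nodinite documentation) scopes the enabled inbound rules to the agent server only and then lists the result; the address `192.0.2.10` is a placeholder for the agent server's IP.

```powershell
# Added example: limit which hosts can reach the rule groups this guide enables.
# Run on the remote (monitored) server in an elevated session.
$agentAddress = '192.0.2.10'   # placeholder: IP address of the Nodinite agent server
$groups = 'Remote Scheduled Tasks Management', 'Remote Event Log Management'

foreach ($group in $groups) {
    # Before: RemoteAddress = Any on the built-in rules
    # After:  only the agent server can reach the enabled inbound rules
    Get-NetFirewallRule -DisplayGroup $group |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
        Set-NetFirewallRule -RemoteAddress $agentAddress
}

# Verify: show each rule with the remote addresses it now accepts
foreach ($group in $groups) {
    Get-NetFirewallRule -DisplayGroup $group | ForEach-Object {
        [pscustomobject]@{
            DisplayName   = $_.DisplayName
            Enabled       = $_.Enabled
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        }
    }
}
```

Any other administrative host that manages scheduled tasks or event logs on this server remotely must be added to the address list as well.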


File and Printer Sharing

File and Printer Sharing must be enabled for remote management operations.

Enable File and Printer Sharing

On the remote server:

  1. Open Network and Sharing Center
  2. Click Change advanced sharing settings
  3. Expand the Domain profile (or Private if not domain-joined)
  4. Under File and printer sharing, select Turn on file and printer sharing
  5. Click Save changes

File and Printer Sharing Example: File and printer sharing enabled.

Using PowerShell:

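# Enable File and Printer Sharing firewall rules
# Note: with Set-NetFirewallRule, -Profile Domain also assigns every rule in the group to the Domain profile
Set-NetFirewallRule -DisplayGroup "File and Printer Sharing" -Enabled True -Profile Domain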

Task Scheduler Service

The Task Scheduler service (Schedule) must be running on the remote server.

Verify Task Scheduler Service

On the remote server:

  1. Open Services (services.msc)
  2. Locate Task Scheduler
  3. Verify Status is "Running"
  4. Verify Startup type is Automatic

Using PowerShell:

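# Check Task Scheduler service status
# (-ComputerName on Get-Service/Set-Service requires Windows PowerShell 5.1)
Get-Service -Name Schedule -ComputerName RemoteServerName

# Start the service if stopped
# (Start-Service has no -ComputerName parameter, so use Set-Service -Status instead)
Set-Service -Name Schedule -ComputerName RemoteServerName -Status Running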

RPC Connectivity

Remote Task Scheduler enumeration uses RPC (Remote Procedure Call) over TCP.

Test RPC Connectivity

From the agent server, test RPC connectivity to the remote server:

# Test RPC connectivity using portqry (download from Microsoft)
portqry.exe -n RemoteServerName -e 135

# Alternative: Test WMI connectivity (uses RPC)
Get-WmiObject -Class Win32_OperatingSystem -ComputerName RemoteServerName

Expected result: If RPC is working, you'll see the remote OS details.

RPC Port Configuration

By default, Windows uses dynamic RPC ports (49152-65535 on modern Windows). For locked-down environments, you can configure a restricted RPC port range:

On the remote server (requires restart):

# Set the dynamic port range to 50000-50254 (example; netsh requires num to be at least 255)
netsh int ipv4 set dynamicport tcp start=50000 num=255

Then update firewall rules to allow this specific range.

Warning

Restricting RPC ports can affect other services. Consult your network team before making changes.


Folder Enumeration Permissions

If you get "0 tasks and 0 subfolders" but no explicit "Access Denied", the service account may lack permissions on the Task Scheduler folder tree.

Verify Folder Permissions

On the remote server, check ACLs on the Task Scheduler folder:

  1. Navigate to C:\Windows\System32\Tasks\
  2. Right-click the Tasks folder → Properties → Security tab
  3. Verify Administrators group has Full Control
  4. Verify the Nodinite service account (or Administrators group) is listed

Task Folder Permissions Example: Administrators have Full Control on Tasks folder.

Using PowerShell:

# Check ACL on Tasks folder (run on remote server)
Get-Acl "C:\Windows\System32\Tasks" | Format-List

# Check specific account permissions
(Get-Acl "C:\Windows\System32\Tasks").Access | 
    Where-Object { $_.IdentityReference -like "*NodiniteAgent*" }

Verify Registry Permissions

Task metadata is stored in the registry under:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\

On the remote server:

  1. Open Registry Editor (regedit.exe)
  2. Navigate to the path above
  3. Right-click Tree → Permissions
  4. Verify Administrators group has Full Control

Using PowerShell:

# Check registry ACL (run on remote server)
Get-Acl "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree" | 
    Format-List

Repair Corrupted Permissions

If permissions are missing or corrupted:

Option 1: Reset to Default (run on remote server as Administrator):

# Reset Tasks folder permissions to default
icacls "C:\Windows\System32\Tasks" /reset /T /C

# Reset registry permissions to default
# (Manual via regedit: right-click → Permissions → Advanced → Replace all child permissions)

Option 2: Grant Explicit Permissions:

# Grant Administrators Full Control on Tasks folder
icacls "C:\Windows\System32\Tasks" /grant "Administrators:(OI)(CI)F" /T

Testing Remote Enumeration

Test with PowerShell Remoting

From the agent server, test if you can enumerate scheduled tasks remotely using the same service account credentials:

# Test remote enumeration using PowerShell Remoting
$cred = Get-Credential  # Enter service account credentials
Invoke-Command -ComputerName RemoteServerName -Credential $cred -ScriptBlock {
    Get-ScheduledTask | Select-Object TaskName, State, TaskPath | Format-Table
}

Expected result: If this returns tasks, remote access is working. If it fails, review permissions and firewall settings.

Test with MMC Task Scheduler Snap-in

From the agent server (logged in as the service account or using Run As):

  1. Open Task Scheduler (taskschd.msc)
  2. Right-click Task Scheduler (Local) → Connect to Another Computer
  3. Enter the remote server name (e.g., RemoteServerName)
  4. Click OK

MMC Connect Example: Connecting to remote Task Scheduler via MMC.

Expected result: If you can see tasks in the MMC, the Nodinite agent should also succeed.
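The same check can be scripted. This added example (not Nodinite's own code) walks the remote task tree through the Task Scheduler COM API (`Schedule.Service`) and maps the three HRESULTs from Common Error Messages to the section to follow. The function name `Test-RemoteTaskEnumeration` is hypothetical, and that the agent enumerates tasks the same way is an assumption.

```powershell
# Added example: run on the agent server in a session started as the service account.
function Test-RemoteTaskEnumeration {
    param([Parameter(Mandatory)][string]$ComputerName)

    $result = [ordered]@{
        Computer = $ComputerName; Tasks = 0; Folders = 0
        HResult  = $null;         Advice = 'Enumeration succeeded'
    }
    try {
        $service = New-Object -ComObject Schedule.Service
        $service.Connect($ComputerName)             # connects as the current user
        $pending = [System.Collections.Queue]::new()
        $pending.Enqueue($service.GetFolder('\'))
        while ($pending.Count -gt 0) {              # walk the whole folder tree
            $folder = $pending.Dequeue()
            $result.Tasks += $folder.GetTasks(1).Count   # 1 = TASK_ENUM_HIDDEN
            foreach ($sub in $folder.GetFolders(0)) {
                $result.Folders++
                $pending.Enqueue($sub)
            }
        }
        if ($result.Tasks -eq 0 -and $result.Folders -eq 0) {
            $result.Advice = 'Empty tree: see Folder Enumeration Permissions'
        }
    }
    catch {
        # Unwrap PowerShell's wrapper exception to reach the COM error code
        $hr = $_.Exception.GetBaseException().HResult
        $result.HResult = '0x{0:X8}' -f $hr
        $result.Advice = switch ($result.HResult) {
            '0x80070005' { 'Access denied: see Service Account Permissions' }
            '0x800706BA' { 'RPC unavailable: see Firewall Configuration and RPC Connectivity' }
            '0x80070032' { 'Enumeration refused: see Service Account Permissions and Folder Enumeration Permissions' }
            default      { 'Not listed in this guide: see Advanced Diagnostics' }
        }
    }
    [pscustomobject]$result
}

Test-RemoteTaskEnumeration -ComputerName 'RemoteServerName'
```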


Domain Controller Specific Issues

When monitoring scheduled tasks on domain controllers, additional restrictions apply.

Domain Controller Considerations

  • Local accounts disabled: Domain controllers typically don't allow local accounts. Use a domain account for the Nodinite service.
  • Higher privilege requirements: Service account may need Domain Admins or Enterprise Admins membership.
  • Group Policy restrictions: Some organizations disable remote task enumeration on DCs via Group Policy.
  • Remote UAC filtering: Domain controllers apply stricter UAC filtering for remote connections.

Verify Domain Admin Membership

For domain controllers, confirm the service account is in the Domain Admins group:

# Check Domain Admins membership
Get-ADGroupMember -Identity "Domain Admins" | 
    Where-Object { $_.SamAccountName -like "*NodiniteAgent*" }

Check Group Policy Settings

On the domain controller, verify these Group Policy settings:

  1. Open Group Policy Management (gpmc.msc)

  2. Edit the Default Domain Controllers Policy

  3. Navigate to:

    Computer Configuration → Policies → Windows Settings → Security Settings → 
    System Services → Task Scheduler
    
  4. Verify Task Scheduler is set to Automatic (not disabled)

Also check:

Computer Configuration → Policies → Windows Settings → Security Settings → 
Local Policies → User Rights Assignment → Access this computer from the network

Verify the service account (or Administrators group) is listed.


Advanced Diagnostics

Enable Task Scheduler Logging

On the remote server, enable detailed Task Scheduler logging:

  1. Open Event Viewer (eventvwr.msc)

  2. Navigate to:

    Applications and Services Logs → Microsoft → Windows → TaskScheduler → Operational
    
  3. Right-click Operational → Properties

  4. Set Maximum log size to a larger value (e.g., 10 MB)

  5. Check Enable logging

Task Scheduler Log Example: Task Scheduler Operational log enabled.

Monitor for errors when Nodinite attempts to enumerate tasks. Look for:

  • Event ID 103: Task Scheduler failed to start task
  • Event ID 322: Task Scheduler launch failure
  • Event ID 411: User did not have required privileges

Check DCOM Permissions

Remote Task Scheduler enumeration uses DCOM. Verify DCOM permissions:

On the remote server:

  1. Run dcomcnfg.exe (Component Services)
  2. Expand Component Services → Computers → My Computer
  3. Right-click My Computer → Properties
  4. Click the COM Security tab
  5. Under Access Permissions, click Edit Default
  6. Verify Administrators group has Local Access and Remote Access

DCOM Permissions Example: DCOM permissions for remote access.

See Microsoft's guide: Setting DCOM Security to Allow a User to Access a Computer Remotely

Verify WMI Connectivity

Task Scheduler enumeration may use WMI. Test WMI connectivity:

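# Test WMI from agent server to remote server
# (Win32_ScheduledJob lists only jobs created with the legacy AT command,
#  so an empty result without an error still means WMI connectivity works)
Get-WmiObject -Class Win32_ScheduledJob -ComputerName RemoteServerName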

If WMI fails, review:


Known Limitations

Hidden System Tasks

Some Windows system tasks are hidden and only visible to:

  • SYSTEM account
  • TrustedInstaller account
  • High-privilege accounts (Domain Admins, Enterprise Admins)

If you expect more tasks than Nodinite displays, this may be the cause. Hidden tasks include many under \Microsoft\Windows\ folders.

Workaround: Use a highly privileged service account (Domain Admin) or accept that hidden system tasks won't be monitored.

Windows Server 2012 R2 and Earlier

Older Windows versions may have compatibility issues:

  • PowerShell WMF 5.1 required for some features
  • IIS 6 Metabase Compatibility required (see Prerequisites)
  • Legacy API differences may cause enumeration failures

Recommendation: Upgrade to Windows Server 2016 or later for best compatibility.

Cluster and Failover Scheduled Tasks

Monitoring scheduled tasks on failover clusters requires special configuration. See How to Monitor a Clustered Windows Service for guidance (similar principles apply).

