Question: Can you query the rules associated with the start of an ARS Automation Workflow, and return information about whether or not runas is used within the workflow start conditions?
Reasoning: I have a unique problem I'm tracing the source of our production domain proxy account lockout.
I have all-but eliminated scheduled tasks as a source of this bad password activity. Subsequent lockouts occur only when our 3 strikes threshold is crossed.
Which is about - 2 or 3 times a day.
Checking domain controller lastbad password attempts shows that every hours ( of every day ) - at :53 minutes past the hour, a bad password attempt is sent from our JOB server for our proxy account.
We have no scheduled tasks with a precise start or finish time around that value -
If we stop the service on that lone host ( of 8 servers using the same config ), the bad password attempts stop. So, the issue is inside the house.
Now I turn to workflows as a potential source - I wrote this PS> line to pull the current state of the workflow enable/disable status …
(get-qadobject -SEARCHROOT "CN=Workflow,CN=Policies,CN=Configuration" -IncludedProperties EDSAWORKFLOWISDISABLED | SELECT NAME, edsaWorkflowIsDisabled)
I tried -includedallproperties in the search - and exported to a file so I could query for any instance of 'runas' on the workflow … and found no reference.