GPP for Scheduled Task

I'm trying to create a scheduled task via GPP.  This task calls a vbs file for a reboot time and it's scheduled weekly.  The vbs file is working fine.  In fact, if I run the VPS file as the user it works.  But, When I create the GPP it's loading however, it won't start unless there's an administrator logged in.  I've tried run as with an admin account and it still will not start.  The users have no rights on the machines. Is there anything I can do?
WellingtonISAsked:
Who is Participating?
 
McKnifeConnect With a Mentor Commented:
It's not an account thing. If scheduled tasks are used, they will not run interactively.
Again, as I wrote before, you will need to modify the script. You need to translate msg * to vbscript or embed the batch code into your vbscript. msg * did work as you could see.
0
 
phoenix5ireCommented:
What is GPP?  Group Policy Preference?
0
 
WellingtonISAuthor Commented:
yes
0
Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
phoenix5ireCommented:
Do you have any events in the Application log on the computer that is running this ? Win7 OS?
0
 
WellingtonISAuthor Commented:
nope it just says in the scheduled task - could not start.
0
 
phoenix5ireCommented:
Have you verified the security options:

Configure the security context under which the task is run.
If the preference item is part of Computer Configuration , by default the task is run in the security context of the SYSTEM account.

If the preference item is part of User Configuration , by default the task is run in the security context of the logged-on user. Unless you provide credentials, the task is run only if the user is logged on to the computer, but can continue after the user logs off.

To run a task under the security context of a specified account (regardless of whether that account is logged on), click Change User or Group , enter credentials for the account, and then click Run whether user is logged on or not .

I would also enabled GPP scheduled task logging under (computer policy system/group policies/logging)
0
 
WellingtonISAuthor Commented:
I have it running under NT Authority/SYSTEM since it will not run under the computer account.  That is preferred - computer account.
0
 
phoenix5ireCommented:
Sounds like the computer doesn't have rights to run the task and the task should be run under computer vs user. I haven't visit the GPP settings in a while but see if running under computer is an option.

In the meanwhile, here's some light reading if it's relevant:
User GPP Scheduled Task item fails to apply

Any new details on the GPP task logging?
0
 
WellingtonISAuthor Commented:
NO strangely enough no logging... However, For an even stranger reason I can't see the Scheduled task since I changed the policy!
0
 
phoenix5ireCommented:
If there is no logging, logging is not enable. You may have to verify this option is set.
If you're unable to see the Schedule Task, you may have disable the View permission in the GPO? Verify...

..and do a gpupdate /force on the machine.
0
 
WellingtonISAuthor Commented:
OK I was able to see the scheduled task if I logged in as administrator, but it still refuses to run?  I'm not sure if there's away to run this on a system account or something that has permissions regardless of the user.  the strange thing is Adobe has an update that is scheduled and it's running under NT Authority/System.  I don't know how to "tap into that"
0
 
WellingtonISAuthor Commented:
I created a GPP and didn't use the Run as...So now it's running as NT AUTHORITY\System  I logged into the machine as an admin and I see the scheduled task.  This is created under the computer configuration for GPP task scheduler. The stranger thing is if I log in as the user, the schedule doesn't show up - which may or may not be ok and I'm saying that because Adobe has a scheduled task set up which runs every day to check for updates and I can't see it as the user.  So with this in mind I'm hoping for the same result.  We'll see.  I'm not sure why this is so difficult to accomplish.  The VB script works perfectly now matter who the user is so why the scheduled task is giving me such a hard time is not making any sense.
schedule.png
0
 
WellingtonISAuthor Commented:
OK I give up!  This isn't going to work no matter what I try.  It's a stupid scheduled task  that calls a VB script on a share!  I can't believe that this doesn't work.  ANyone know any other way I can create something to trigger a VB script once a week?
0
 
WellingtonISAuthor Commented:
I even tried creating a bat file to call the vbs and it runs but the script doesn't pop up like it should when I click on it???? WTF???? Does a scheduled task even work??? I'm starting to wonder.
0
 
phoenix5ireCommented:
Not that I'm giving up on this issue, evidently it is a permission issue. I'm sure there is something that's a missed but I know you want to do this via GPP but what are the chances of just creating a shutdown job locally on the computer using the shutdown.exe under C:\windows\system32?

Or you can replace/use the batch file instead of the vbs ?

Just in case:
How to shut down or restart the computer with a batch file
0
 
WellingtonISAuthor Commented:
Funny you s hould ask that because I tried that too and it runs however, the vbs file calls a popup every hour and it doesn't pop up
0
 
phoenix5ireCommented:
Unless you have a larger need to run a shutdown on many systems, a GPP would be ideal but if it's only a few, I find that the native shutdown is much easier to schedule and it takes seconds to copy. You can even go as far as shutdown a computer remotely via a script from your own computer and schedule that task:
Remote shutdown via Command Prompt
0
 
WellingtonISAuthor Commented:
I need to run this on over 1200 machines.  The frustrating part is it was working as the user and I can't seem to figure out what's changed.
0
 
McKnifeCommented:
Hi WellingtonIS.

I bet it would be solved in minutes if you only quoted what you did:
-path to script=? Is that path accessible by the executing account?
-Executing account left blank or modified)? If left blank and this is GPP below computer config, the system account would be used - do that.
0
 
WellingtonISAuthor Commented:
OK Let me trying explaining this better... I have  a share on the network... It's called commands.  Everyone has read and execute.  Inside that folder is a vb script called shutdown.  This vb script starts a 24  hour countdown to rebooting the machine.  Every hour It calls a pop window saying your machine will be rebooting in X hours do you want to reboot now Yes or No. Then at the 24th hour it says your machine will be rebooting in 60 seconds, please save your work.  My users basically have no rights on the machines except to do what they need.  Everyone has that drive that contains the commands folder mapped via log on script so everyone can access that folder.  If I'm logged in as the user I can access that folder and if I click on that VB script (shutdown) it works just fine as the user. For now I've taken out the restrictions so I can see the control panel and access the scheduled task.

Now it gets weird.  If I create a task as the user it works fine.  However, If I create a GPP to schedule the task it gets weird.  If I try to do it by machine it will not work no matter if I use a system account or administrator account. If I create the GPP by user - I create the scheduled task to start say 8:00 a.m.  I assign the user to this GPP.  I can't see the scheduled task, even though RSOP says it's assigned. It never runs.  But if I log in as administrator or an account that's an administrator I can see the task.

 I'm at my wits end, this should work.  What am I doing wrong?

OK stranger still... If I give the user admin rights to the machine, which is a NO, NO then I can see the scheduled task?  How can that be? So in order for a GPP to work the users have to be admins??? Something is wrong.   That would mean, you can't schedule a task on a machine that a user has no rights to?  And if I try to schedule this task using via the machine profile using the NT Authority/system account (not adding anything to run as) it doesn't work at all.  This is unbelievable.
rsopresults.png
scheduledtask.png
samemachine.png
0
 
WellingtonISAuthor Commented:
Finally found the logs!  The log states.  MREBOOT.Job (job for the reboot) (shutdown4.vbs) - the script - Invalid working direcory.. The specific error is: 0x00000003: The system cannot find the path specified.  Verify that the directory exists and try again.  OK the drive is mapped as K:\...  I even tried with \\servername\share\shutdown4.vbs  I don't understand this one.
0
 
phoenix5ireCommented:
I think the problem is, it doesn't know what your mapped "K" drive is, the GPP happens before the "K" is mapped. I would put your .vbs script to the Domain DFS, i.e,.. (\\yourdomain.com\sysvol\netlogon\Shutdown), and have your GPP point to this.

Note:
The "Shutdown" folder, you'll have to create in your Domain DFS, just make sure you use FQDN when referencing the path of your .vbs

Try that.
0
 
WellingtonISAuthor Commented:
Well the drive is mapped on the user machine as K:\welshare\commands\shutdown4.vbs.  I tried to map by \\servername\share\...  The script is on my file server not my DC?  does it need to be on my DC?
0
 
phoenix5ireCommented:
Let's do this, make sure you have domain Admin rights. Go to Start, Run, type in: \\yourdomain.com\sysvol\netlogon, in this folder create a folder, name it Shutdown (or whatever), copy/paste your shutdown.vbs into this folder.

In your GPP policy, point the path to  \\yourdomain.com\sysvol\netlogon\ShareFolder\shutdown.vbs

*double-check your user Read/Execute permission on this folder. The folder should have the same user permissions as any of your login script that's under \\.....\netlogon.
0
 
WellingtonISAuthor Commented:
Stupid question before I do all this.  What is the difference if I have a script on a share on a file server as opposed to having the script on the domain controller.  The folder on the share has the required permissions and the users are all mapped to that share and can access that folder that contains the script?  Does it make a difference?  Even if I put the script on the local machine I'm  having the same issue.
0
 
phoenix5ireCommented:
To put the .vbs on the Domain DFS, you'll going to need Domain Admin rights.
0
 
WellingtonISAuthor Commented:
I understand that however, I'm not sure what the difference is between putting this script on the DC or putting this on a file server?  I'm not a domain admin I'm an admin of an OU in a bigger domain.  OK here's what I KNOW...
If I create the task as the user on the local machine with the same share it works fine.  My idea was to do this via GPP but for whatever reason the GPP doesn't work.  If I create the GPP for the user I SHOULD be able to see the scheduled task as that user  I CAN NOT.  IF I create the scheduled task as the machine it can't find the file.  I think I'm going to have no choice but I go around to 1200 machines and do it manually!  THE GPP stuff only seems to work for local admins and not for general users.
0
 
phoenix5ireCommented:
There's a lot of information to dissect but I think the problem is, your policy doesn't know what "K" is. Example, the K drive doesn't get map until the user is logon to the computer. The shutdown policy is applied to the system, the policy gets applied BEFORE the user logon. I don't know how much security is applied to the computer or user.

Question, when the user logon, can they run the shutdown.vbs manually?

There's not a lot of difference where you put the script, as long as your permissions are set accurately. Assuming your 1200 computers are not in the same building, putting a script on the domain DFS enables faster execution no matter where the computer is, lessen the network traffic.
0
 
WellingtonISAuthor Commented:
Yes they can run shutdown.vbs manually. Even if I try to use \\servername\share\shutdown.vbs it's still not coming up.  It is however, showing up if I log in as myself - I'm an  admin on that  machine.  that too me doesn't make sense.
0
 
McKnifeCommented:
Let's test with another task.
Create a test GPO, in it open the preferences section of the computer configuration and create a task, have it start at system start (trigger: system start) and use the action
msg * Testmessage /time:0
Leave the executing account empty, so system should be used.

This will display a popup message "Testmessage" on every start of the machine. Does that run succesfully?
0
 
WellingtonISAuthor Commented:
I have the action however, it's asking me for Run: I set that to C:\  is that ok?
0
 
McKnifeCommented:
Ok, so what style of policy are we talking about? "run:" is the old style like task scheduler 1.0, suitable for xp also. run: has to be populated with the action
C:\Windows\system32\msg * /time:0 testmessage
[sory, last time, the parameter /time was at an incorrect position]
0
 
WellingtonISAuthor Commented:
OK that worked.  So what do you think my issue is with my script?
0
 
McKnifeCommented:
I don't know the contents of the script. Quote it here.
0
 
WellingtonISAuthor Commented:
Well perhaps I worded that wrong.  The script works because I've tested it by clicking it on the machine.  I'll attach it for you.  Please remember this resides on a share that everyone has read/execute permissions.  Here's how I have it in the GPP for the machine
Shutdown.vbs
gpp.png
0
 
McKnifeCommented:
Ok... could it be that the script does indeed run but only the messaging part does not work as expected, i.e. that the messages are not visible? I am not experienced with the messaging command in vbscript.
0
 
WellingtonISAuthor Commented:
click on that script you'll see it pops up a message every hour asking you if you want to reboot your machine.  I know the script work because if I schedule it manually it works.
0
 
McKnifeCommented:
Yes, the script is ok.
But if I use a scheduled task that runs it with the system account as executioner, no messages appear. That could be, because if we use the command msg *, the "*" means, send it to all sessions. Without the *, it sends only to its own session, so system sends to system and that will NOT be seen by anyone but system. That could be your problem. You would need to modify your script so that it sends messages to all sessions.
0
 
WellingtonISAuthor Commented:
OK thanks.  But my only issue with that is the error messages saying it can't find the path and could not start?  I'll check the script and see what we can modify.
0
 
McKnifeCommented:
Right. Please try to simulate it interactively. Download psexec.exe and with it, from an elevated shell (run cmd.exe via rightclick-option "run as administrator"), fire the command
psexec -s -i cmd
Now a new shell pops up and you are impersonating the system account in that shell. Now try to run your script and se if there are path errors.
0
 
phoenix5ireCommented:
Have you tried testing / running it under a domain admin credential ? This would at least eliminate the permission issue.
0
 
WellingtonISAuthor Commented:
you mean psexec \\machine name  -s -i cmd script.vbs?
0
 
WellingtonISAuthor Commented:
I'm not a domain admin unfortunately, I'm an admin in an OU of a huge enterprise
I'm doubt it's a permission issue because the user has access to the folder, the share and the script and if I run the script as the user from any machine it works perfectly.
0
 
WellingtonISAuthor Commented:
Humm... windows can not access \\servername\share\shutdown.vbs?  OK so how do you designate a server\share to start a program? I tried copying the vbs script to system32 and that didn't work either???
0
 
McKnifeCommented:
Slowly. So You started The shell as System. Inside, try to reach The share where The script is in. Is it accessible?
0
 
WellingtonISAuthor Commented:
Correct. So I copied that script into System32 (default) and it worked.  I modified the GPP and set it for windows\system32 under the system account.  I have it set for 11 a.m. est. fingers crossed!
0
 
WellingtonISAuthor Commented:
Didn't work nothing happen I was logged in as the user - but the task scheduler says running so maybe the message didn't pop up?
0
 
phoenix5ireCommented:
I'm just a little confuse deciphering some information:
the user has access to the folder, the share and the script and if I run the script as the user from any machine it works perfectly.
Are you saying psexec is giving you this error now?
windows can not access \\servername\share\shutdown.vbs?

Here's a question:
Initially, you said it worked. So what's changed that it stop working??

Just saw your last update, Maybe we need to have a conf. call? lol  :D
0
 
WellingtonISAuthor Commented:
LOL It worked on 3 test machines.  I had the GPP running as the user.  I think perhaps my testing was flawed because I ran it as myself and 2 others that were local admins.  Now I've copied the script to system32 and I'm running it under a system account however, the process is running but the message isn't popping up.  I did pop up when i ran PSExec.
0
 
WellingtonISAuthor Commented:
Apparently the SYSTEM account runs in a non-interactive session. In other words, it doesn't have a keyboard so it can't run this?
0
 
McKnifeCommented:
The system account is used interactively using psexec -s -i.
Because -i stands for interactively. Task scheduler will not let the script run interactively because of security concerns - normal behavior.
0
 
phoenix5ireCommented:
Ditto on McKnife on the -i comment.
Now I've copied the script to system32 and I'm running it under a system account however, the process is running but the message isn't popping up.
So are you saying the task is executing now w/o error but the user message is not prompting the users ?
0
 
WellingtonISAuthor Commented:
OK so what account can I use short of a system account to run this darn thing so it will pop up for everyone?
0
 
WellingtonISAuthor Commented:
OK thanks.  Back to the drawing board.
0
 
WellingtonISAuthor Commented:
thanks so much everyone for your suggestions and input.  I'm going to close this and perhaps open another question to see if someone can help me modify the script.
0
 
WellingtonISAuthor Commented:
I'm closing this because it will not work as shown by this post.  Thanks again everyone for all your suggestions.
0
 
WellingtonISAuthor Commented:
I know this is closed but if anyone is struggling with this As I WAS here's the answer.  You have to run this type of schedule task as the user I WAS able to accomplish this by using my vb script on a network share.  It took me weeks.  I used the account as follows domain\%username% this actually allowed the user to have access to the scheduled task.  IN addition I made the user a part of the users group on the local PC.  For XP I used the following script if the GPP didn't work this is the script I used.
SCHTASKS /Create /SC Weekly /D THU /TN Reboot /ST 08:00:00 /TR Path to file /RU domain/%username% /RP Password.  this works on XP machines as the user.  Run the  task just to be sure and it it doesn't work just point it again to the path.  this worked for me thankfully.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.