Solved

GPP for Scheduled Task

Posted on 2013-06-25
57
1,317 Views
Last Modified: 2013-08-02
I'm trying to create a scheduled task via GPP.  This task calls a vbs file for a reboot time and it's scheduled weekly.  The vbs file is working fine.  In fact, if I run the VPS file as the user it works.  But, When I create the GPP it's loading however, it won't start unless there's an administrator logged in.  I've tried run as with an admin account and it still will not start.  The users have no rights on the machines. Is there anything I can do?
0
Comment
Question by:WellingtonIS
  • 33
  • 14
  • 10
57 Comments
 
LVL 3

Expert Comment

by:phoenix5ire
ID: 39274980
What is GPP?  Group Policy Preference?
0
 

Author Comment

by:WellingtonIS
ID: 39274988
yes
0
 
LVL 3

Expert Comment

by:phoenix5ire
ID: 39275002
Do you have any events in the Application log on the computer that is running this ? Win7 OS?
0
 

Author Comment

by:WellingtonIS
ID: 39275072
nope it just says in the scheduled task - could not start.
0
 
LVL 3

Expert Comment

by:phoenix5ire
ID: 39275205
Have you verified the security options:

Configure the security context under which the task is run.
If the preference item is part of Computer Configuration , by default the task is run in the security context of the SYSTEM account.

If the preference item is part of User Configuration , by default the task is run in the security context of the logged-on user. Unless you provide credentials, the task is run only if the user is logged on to the computer, but can continue after the user logs off.

To run a task under the security context of a specified account (regardless of whether that account is logged on), click Change User or Group , enter credentials for the account, and then click Run whether user is logged on or not .

I would also enabled GPP scheduled task logging under (computer policy system/group policies/logging)
0
 

Author Comment

by:WellingtonIS
ID: 39275214
I have it running under NT Authority/SYSTEM since it will not run under the computer account.  That is preferred - computer account.
0
 
LVL 3

Expert Comment

by:phoenix5ire
ID: 39275400
Sounds like the computer doesn't have rights to run the task and the task should be run under computer vs user. I haven't visit the GPP settings in a while but see if running under computer is an option.

In the meanwhile, here's some light reading if it's relevant:
User GPP Scheduled Task item fails to apply

Any new details on the GPP task logging?
0
 

Author Comment

by:WellingtonIS
ID: 39275428
NO strangely enough no logging... However, For an even stranger reason I can't see the Scheduled task since I changed the policy!
0
 
LVL 3

Expert Comment

by:phoenix5ire
ID: 39276369
If there is no logging, logging is not enable. You may have to verify this option is set.
If you're unable to see the Schedule Task, you may have disable the View permission in the GPO? Verify...

..and do a gpupdate /force on the machine.
0
 

Author Comment

by:WellingtonIS
ID: 39277752
OK I was able to see the scheduled task if I logged in as administrator, but it still refuses to run?  I'm not sure if there's away to run this on a system account or something that has permissions regardless of the user.  the strange thing is Adobe has an update that is scheduled and it's running under NT Authority/System.  I don't know how to "tap into that"
0
 

Author Comment

by:WellingtonIS
ID: 39278017
I created a GPP and didn't use the Run as...So now it's running as NT AUTHORITY\System  I logged into the machine as an admin and I see the scheduled task.  This is created under the computer configuration for GPP task scheduler. The stranger thing is if I log in as the user, the schedule doesn't show up - which may or may not be ok and I'm saying that because Adobe has a scheduled task set up which runs every day to check for updates and I can't see it as the user.  So with this in mind I'm hoping for the same result.  We'll see.  I'm not sure why this is so difficult to accomplish.  The VB script works perfectly now matter who the user is so why the scheduled task is giving me such a hard time is not making any sense.
schedule.png
0
 

Author Comment

by:WellingtonIS
ID: 39278683
OK I give up!  This isn't going to work no matter what I try.  It's a stupid scheduled task  that calls a VB script on a share!  I can't believe that this doesn't work.  ANyone know any other way I can create something to trigger a VB script once a week?
0
 

Author Comment

by:WellingtonIS
ID: 39279027
I even tried creating a bat file to call the vbs and it runs but the script doesn't pop up like it should when I click on it???? WTF???? Does a scheduled task even work??? I'm starting to wonder.
0
 
LVL 3

Expert Comment

by:phoenix5ire
ID: 39279201
Not that I'm giving up on this issue, evidently it is a permission issue. I'm sure there is something that's a missed but I know you want to do this via GPP but what are the chances of just creating a shutdown job locally on the computer using the shutdown.exe under C:\windows\system32?

Or you can replace/use the batch file instead of the vbs ?

Just in case:
How to shut down or restart the computer with a batch file
0
 

Author Comment

by:WellingtonIS
ID: 39279281
Funny you s hould ask that because I tried that too and it runs however, the vbs file calls a popup every hour and it doesn't pop up
0
 
LVL 3

Expert Comment

by:phoenix5ire
ID: 39279318
Unless you have a larger need to run a shutdown on many systems, a GPP would be ideal but if it's only a few, I find that the native shutdown is much easier to schedule and it takes seconds to copy. You can even go as far as shutdown a computer remotely via a script from your own computer and schedule that task:
Remote shutdown via Command Prompt
0
 

Author Comment

by:WellingtonIS
ID: 39279486
I need to run this on over 1200 machines.  The frustrating part is it was working as the user and I can't seem to figure out what's changed.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39280031
Hi WellingtonIS.

I bet it would be solved in minutes if you only quoted what you did:
-path to script=? Is that path accessible by the executing account?
-Executing account left blank or modified)? If left blank and this is GPP below computer config, the system account would be used - do that.
0
 

Author Comment

by:WellingtonIS
ID: 39281134
OK Let me trying explaining this better... I have  a share on the network... It's called commands.  Everyone has read and execute.  Inside that folder is a vb script called shutdown.  This vb script starts a 24  hour countdown to rebooting the machine.  Every hour It calls a pop window saying your machine will be rebooting in X hours do you want to reboot now Yes or No. Then at the 24th hour it says your machine will be rebooting in 60 seconds, please save your work.  My users basically have no rights on the machines except to do what they need.  Everyone has that drive that contains the commands folder mapped via log on script so everyone can access that folder.  If I'm logged in as the user I can access that folder and if I click on that VB script (shutdown) it works just fine as the user. For now I've taken out the restrictions so I can see the control panel and access the scheduled task.

Now it gets weird.  If I create a task as the user it works fine.  However, If I create a GPP to schedule the task it gets weird.  If I try to do it by machine it will not work no matter if I use a system account or administrator account. If I create the GPP by user - I create the scheduled task to start say 8:00 a.m.  I assign the user to this GPP.  I can't see the scheduled task, even though RSOP says it's assigned. It never runs.  But if I log in as administrator or an account that's an administrator I can see the task.

 I'm at my wits end, this should work.  What am I doing wrong?

OK stranger still... If I give the user admin rights to the machine, which is a NO, NO then I can see the scheduled task?  How can that be? So in order for a GPP to work the users have to be admins??? Something is wrong.   That would mean, you can't schedule a task on a machine that a user has no rights to?  And if I try to schedule this task using via the machine profile using the NT Authority/system account (not adding anything to run as) it doesn't work at all.  This is unbelievable.
rsopresults.png
scheduledtask.png
samemachine.png
0
 

Author Comment

by:WellingtonIS
ID: 39282238
Finally found the logs!  The log states.  MREBOOT.Job (job for the reboot) (shutdown4.vbs) - the script - Invalid working direcory.. The specific error is: 0x00000003: The system cannot find the path specified.  Verify that the directory exists and try again.  OK the drive is mapped as K:\...  I even tried with \\servername\share\shutdown4.vbs  I don't understand this one.
0
 
LVL 3

Expert Comment

by:phoenix5ire
ID: 39282415
I think the problem is, it doesn't know what your mapped "K" drive is, the GPP happens before the "K" is mapped. I would put your .vbs script to the Domain DFS, i.e,.. (\\yourdomain.com\sysvol\netlogon\Shutdown), and have your GPP point to this.

Note:
The "Shutdown" folder, you'll have to create in your Domain DFS, just make sure you use FQDN when referencing the path of your .vbs

Try that.
0
 

Author Comment

by:WellingtonIS
ID: 39282476
Well the drive is mapped on the user machine as K:\welshare\commands\shutdown4.vbs.  I tried to map by \\servername\share\...  The script is on my file server not my DC?  does it need to be on my DC?
0
 
LVL 3

Expert Comment

by:phoenix5ire
ID: 39282533
Let's do this, make sure you have domain Admin rights. Go to Start, Run, type in: \\yourdomain.com\sysvol\netlogon, in this folder create a folder, name it Shutdown (or whatever), copy/paste your shutdown.vbs into this folder.

In your GPP policy, point the path to  \\yourdomain.com\sysvol\netlogon\ShareFolder\shutdown.vbs

*double-check your user Read/Execute permission on this folder. The folder should have the same user permissions as any of your login script that's under \\.....\netlogon.
0
 

Author Comment

by:WellingtonIS
ID: 39282559
Stupid question before I do all this.  What is the difference if I have a script on a share on a file server as opposed to having the script on the domain controller.  The folder on the share has the required permissions and the users are all mapped to that share and can access that folder that contains the script?  Does it make a difference?  Even if I put the script on the local machine I'm  having the same issue.
0
 
LVL 3

Expert Comment

by:phoenix5ire
ID: 39282573
To put the .vbs on the Domain DFS, you'll going to need Domain Admin rights.
0
 

Author Comment

by:WellingtonIS
ID: 39282579
I understand that however, I'm not sure what the difference is between putting this script on the DC or putting this on a file server?  I'm not a domain admin I'm an admin of an OU in a bigger domain.  OK here's what I KNOW...
If I create the task as the user on the local machine with the same share it works fine.  My idea was to do this via GPP but for whatever reason the GPP doesn't work.  If I create the GPP for the user I SHOULD be able to see the scheduled task as that user  I CAN NOT.  IF I create the scheduled task as the machine it can't find the file.  I think I'm going to have no choice but I go around to 1200 machines and do it manually!  THE GPP stuff only seems to work for local admins and not for general users.
0
 
LVL 3

Expert Comment

by:phoenix5ire
ID: 39282642
There's a lot of information to dissect but I think the problem is, your policy doesn't know what "K" is. Example, the K drive doesn't get map until the user is logon to the computer. The shutdown policy is applied to the system, the policy gets applied BEFORE the user logon. I don't know how much security is applied to the computer or user.

Question, when the user logon, can they run the shutdown.vbs manually?

There's not a lot of difference where you put the script, as long as your permissions are set accurately. Assuming your 1200 computers are not in the same building, putting a script on the domain DFS enables faster execution no matter where the computer is, lessen the network traffic.
0
 

Author Comment

by:WellingtonIS
ID: 39284036
Yes they can run shutdown.vbs manually. Even if I try to use \\servername\share\shutdown.vbs it's still not coming up.  It is however, showing up if I log in as myself - I'm an  admin on that  machine.  that too me doesn't make sense.
0
Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

 
LVL 53

Expert Comment

by:McKnife
ID: 39284212
Let's test with another task.
Create a test GPO, in it open the preferences section of the computer configuration and create a task, have it start at system start (trigger: system start) and use the action
msg * Testmessage /time:0
Leave the executing account empty, so system should be used.

This will display a popup message "Testmessage" on every start of the machine. Does that run succesfully?
0
 

Author Comment

by:WellingtonIS
ID: 39284261
I have the action however, it's asking me for Run: I set that to C:\  is that ok?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39284315
Ok, so what style of policy are we talking about? "run:" is the old style like task scheduler 1.0, suitable for xp also. run: has to be populated with the action
C:\Windows\system32\msg * /time:0 testmessage
[sory, last time, the parameter /time was at an incorrect position]
0
 

Author Comment

by:WellingtonIS
ID: 39284345
OK that worked.  So what do you think my issue is with my script?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39284373
I don't know the contents of the script. Quote it here.
0
 

Author Comment

by:WellingtonIS
ID: 39284383
Well perhaps I worded that wrong.  The script works because I've tested it by clicking it on the machine.  I'll attach it for you.  Please remember this resides on a share that everyone has read/execute permissions.  Here's how I have it in the GPP for the machine
Shutdown.vbs
gpp.png
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39284406
Ok... could it be that the script does indeed run but only the messaging part does not work as expected, i.e. that the messages are not visible? I am not experienced with the messaging command in vbscript.
0
 

Author Comment

by:WellingtonIS
ID: 39284417
click on that script you'll see it pops up a message every hour asking you if you want to reboot your machine.  I know the script work because if I schedule it manually it works.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39284450
Yes, the script is ok.
But if I use a scheduled task that runs it with the system account as executioner, no messages appear. That could be, because if we use the command msg *, the "*" means, send it to all sessions. Without the *, it sends only to its own session, so system sends to system and that will NOT be seen by anyone but system. That could be your problem. You would need to modify your script so that it sends messages to all sessions.
0
 

Author Comment

by:WellingtonIS
ID: 39284458
OK thanks.  But my only issue with that is the error messages saying it can't find the path and could not start?  I'll check the script and see what we can modify.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39284504
Right. Please try to simulate it interactively. Download psexec.exe and with it, from an elevated shell (run cmd.exe via rightclick-option "run as administrator"), fire the command
psexec -s -i cmd
Now a new shell pops up and you are impersonating the system account in that shell. Now try to run your script and se if there are path errors.
0
 
LVL 3

Expert Comment

by:phoenix5ire
ID: 39284514
Have you tried testing / running it under a domain admin credential ? This would at least eliminate the permission issue.
0
 

Author Comment

by:WellingtonIS
ID: 39284516
you mean psexec \\machine name  -s -i cmd script.vbs?
0
 

Author Comment

by:WellingtonIS
ID: 39284529
I'm not a domain admin unfortunately, I'm an admin in an OU of a huge enterprise
I'm doubt it's a permission issue because the user has access to the folder, the share and the script and if I run the script as the user from any machine it works perfectly.
0
 

Author Comment

by:WellingtonIS
ID: 39284540
Humm... windows can not access \\servername\share\shutdown.vbs?  OK so how do you designate a server\share to start a program? I tried copying the vbs script to system32 and that didn't work either???
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39284591
Slowly. So You started The shell as System. Inside, try to reach The share where The script is in. Is it accessible?
0
 

Author Comment

by:WellingtonIS
ID: 39284597
Correct. So I copied that script into System32 (default) and it worked.  I modified the GPP and set it for windows\system32 under the system account.  I have it set for 11 a.m. est. fingers crossed!
0
 

Author Comment

by:WellingtonIS
ID: 39284631
Didn't work nothing happen I was logged in as the user - but the task scheduler says running so maybe the message didn't pop up?
0
 
LVL 3

Expert Comment

by:phoenix5ire
ID: 39284665
I'm just a little confuse deciphering some information:
the user has access to the folder, the share and the script and if I run the script as the user from any machine it works perfectly.
Are you saying psexec is giving you this error now?
windows can not access \\servername\share\shutdown.vbs?

Here's a question:
Initially, you said it worked. So what's changed that it stop working??

Just saw your last update, Maybe we need to have a conf. call? lol  :D
0
 

Author Comment

by:WellingtonIS
ID: 39284685
LOL It worked on 3 test machines.  I had the GPP running as the user.  I think perhaps my testing was flawed because I ran it as myself and 2 others that were local admins.  Now I've copied the script to system32 and I'm running it under a system account however, the process is running but the message isn't popping up.  I did pop up when i ran PSExec.
0
 

Author Comment

by:WellingtonIS
ID: 39284710
Apparently the SYSTEM account runs in a non-interactive session. In other words, it doesn't have a keyboard so it can't run this?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39284800
The system account is used interactively using psexec -s -i.
Because -i stands for interactively. Task scheduler will not let the script run interactively because of security concerns - normal behavior.
0
 
LVL 3

Expert Comment

by:phoenix5ire
ID: 39284827
Ditto on McKnife on the -i comment.
Now I've copied the script to system32 and I'm running it under a system account however, the process is running but the message isn't popping up.
So are you saying the task is executing now w/o error but the user message is not prompting the users ?
0
 

Author Comment

by:WellingtonIS
ID: 39284866
OK so what account can I use short of a system account to run this darn thing so it will pop up for everyone?
0
 
LVL 53

Accepted Solution

by:
McKnife earned 500 total points
ID: 39284889
It's not an account thing. If scheduled tasks are used, they will not run interactively.
Again, as I wrote before, you will need to modify the script. You need to translate msg * to vbscript or embed the batch code into your vbscript. msg * did work as you could see.
0
 

Author Comment

by:WellingtonIS
ID: 39284910
OK thanks.  Back to the drawing board.
0
 

Author Comment

by:WellingtonIS
ID: 39285073
thanks so much everyone for your suggestions and input.  I'm going to close this and perhaps open another question to see if someone can help me modify the script.
0
 

Author Closing Comment

by:WellingtonIS
ID: 39285077
I'm closing this because it will not work as shown by this post.  Thanks again everyone for all your suggestions.
0
 

Author Comment

by:WellingtonIS
ID: 39376911
I know this is closed but if anyone is struggling with this As I WAS here's the answer.  You have to run this type of schedule task as the user I WAS able to accomplish this by using my vb script on a network share.  It took me weeks.  I used the account as follows domain\%username% this actually allowed the user to have access to the scheduled task.  IN addition I made the user a part of the users group on the local PC.  For XP I used the following script if the GPP didn't work this is the script I used.
SCHTASKS /Create /SC Weekly /D THU /TN Reboot /ST 08:00:00 /TR Path to file /RU domain/%username% /RP Password.  this works on XP machines as the user.  Run the  task just to be sure and it it doesn't work just point it again to the path.  this worked for me thankfully.
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This Micro Tutorial will teach you the basics of configuring your computer to improve its speed. It will also teach you how to disable programs that are running in the background simultaneously. This will be demonstrated using Windows 7 operating…
This Micro Tutorial will give you a basic overview of Windows Live Photo Gallery and show you various editing filters and touches to photos you can apply. This will be demonstrated using Windows Live Photo Gallery on Windows 7 operating system.

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now