Solved

Deploy scheduled task with group policy - Access denied

Posted on 2014-11-03
16
3,495 Views
Last Modified: 2014-11-04
I am trying to use group policy to deploy a scheduled task however it is not showing up in the endpoint computer's task scheduler. I checked the even log on the endpoint and i see an error that 'the specific item in my GP object did not apply because access is denied.' Anyone know why?
Here are 2 screenshots of the scheduled task in GP.
Note:
users 'rebootadmin' is a domain administrator
C:\WeeklyReboot  is shared out to the network and rebootadmin has full permissions

task schedule - general optionsTask Scheduler - Actions
0
Comment
Question by:tabush
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 7
16 Comments
 
LVL 55

Expert Comment

by:McKnife
ID: 40420157
Hi.

And that setting was made in the computer config section? Has to be.
0
 
LVL 2

Author Comment

by:tabush
ID: 40420200
Yes.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40420213
Are you very sure? https://support.microsoft.com/kb/2447414?wa=wsignin1.0 sounds just like what you see.
Please screenshot the GP management console to show the location of the task.
0
Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

 
LVL 2

Author Comment

by:tabush
ID: 40420288
See screenshot
scheduled task screenshot
0
 
LVL 2

Author Comment

by:tabush
ID: 40420297
Few notes to add:
I tried opening the share to everyone as a test but still got the same error
I originally had the action set to "replace" rather than create but neither worked

Here is the error from event log:
Event log warning
0
 
LVL 55

Accepted Solution

by:
McKnife earned 500 total points
ID: 40420304
I think you run an unpatched server* and that's the problem. The option you set: "run whether the user is logged on or not" should not even be selectable. please use the system account instead and it will work out at once.

*some options in task scheduler got patched away for security reasons some time ago.
0
 
LVL 2

Author Comment

by:tabush
ID: 40420338
Yes that did it!
However, my server is fully patched (2012 r2). Unless its this one optional update im missing KB2995388
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40420344
If yours were fully patched, it would look just like mine... ;)
Look at mine:
 Screenie
0
 
LVL 2

Author Comment

by:tabush
ID: 40422614
The setting "run only when user is logged on," does that refer to the user specified above (in your case haha) or does that mean any user is logged on?

Reason im asking is because i continued testing and the script did not execute even though its in task scheduler. I looked in the logs and found error with event ID 101. Researched and found this article: http://social.technet.microsoft.com/wiki/contents/articles/1454.event-id-101-task-properties.aspx 

The user i create (rebootadmin) would never be logged on. Only purpose we created it was to run this script.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40422632
The user "system" is always logged on. Take system.
If you selected some other user (as you can see in my screenshot) that task would only run if that user was logged on while the task is triggered.
0
 
LVL 2

Author Comment

by:tabush
ID: 40422636
*removed my last commend

I fully patched my server. When i open a new task the option is greyed out but then when i select a user account it is no longer greyed out.
0
 
LVL 2

Author Comment

by:tabush
ID: 40422692
Now the logs show that the task completed but it didnt actually work. The cmd file it running should prompt the user then reboot in 30 seconds. Neither actually happened.
If i leave "...use the following user account" blank will it execute as the logged in user? Maybe that will work. Only downside is i need to open that share to all users however if that's the only way ill do it and make it a hidden share.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40422709
Sorry, use the system user... :) Why would you need some admin? The system account has all you need and is the best you can do.
0
 
LVL 2

Author Comment

by:tabush
ID: 40422738
Is this the user you are referring to? This is what i was using.
screenshot
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40422763
This is what you were using? Then it would work. The system account is capable of doing anything at the remote machines, including reboots. I have never seen this fail and use it frequently.
As task action, simply use
shutdown -f -r -t 0
0
 
LVL 2

Author Comment

by:tabush
ID: 40422902
Yea not sure why that doesnt work. Maybe because when you run as system it runs silently and since my action has /c it isnt working. Running a few more tests, however I think it got it working running as "Builtin\Users"
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
In this Micro Tutorial viewers will learn how to use Windows Server Backup to create full image of their system. Tutorial shows how to install Windows Server Backup Feature on Windows 2012R2 and how to configure scheduled Bare Metal Recovery backup.…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question