Solved

How do I configure GPO on a Server 2008 DC to set a task scheduler to restart computers in a specific OU?

Posted on 2015-01-25
16
491 Views
Last Modified: 2015-02-14
Please view my screenshot to see what I have configured, and tell me if it's proper. I also listed some questions in the screenshot as well, so hopefully someone can help guide me. It seems like the GPO is not working. What I want to happen is to have computers in the "Managed Computers" OU get a scheduled task from the GPO that reboots the computers in the "Managed Computers" OU. For example, if I were to log into "KSOLEXCH01", which is in the "Managed Computers" OU, and go to Task Scheduler, I would see a scheduled task named "Daily System Reboot" which was distributed from the GPO.

I ensured that I did a "GPUPDATE" from the DC. I also read in an article that you must have "Log on as batch job" rights. Does anyone know anything about setting that up?

GPO
Question by:joukiejouk
16 Comments
 
LVL 37

Expert Comment

by:Mahesh
ID: 40568957
Answers:
1. You can enforce the GPO; that's not a problem.
2. Select Update, then select Windows 7.
3. The action parameter could be shutdown -r -t 00 -f
4. From Windows 2008 and above you need to open the GPO from the GPMC console; if you are on a 2003 DC, you will get that tab.
In order to create the task for 2003 in the same window, add one more task and this time select 2003 (for the 2003 server) with the same commands. Once the task preference item is created, go to its Properties\Common tab and enable item-level targeting based on operating system so that the task will apply to the 2003 computer only.
http://trekker.net/archives/targeting-os-platform-bitness-with-group-policy-preferences/
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40569325
1. I can't see any reason to Enforce this GPO so leave it as No, it's not needed in this scenario
2. Agree with Mahesh, leave it as Update and Windows 7
3. The /r switch needs to be in the Add arguments (optional) field. I would also add the /f switch in there to force applications to close, otherwise you may find that Windows won't shut down without user intervention
4. That Group Policy tab isn't even used in Server 2003 as it prompts you to use the GPMC, so it would make sense that the tab is no longer there in 2008 and onwards.

Sorry Mahesh but I don't agree with the link you provided as the instructions will cause the GPO to target all 32-bit machines, not just Windows Server 2003 machines.

I would personally do it this way:
- Right click Scheduled Tasks in GPMC then click on New Scheduled Task
- Configure it with the same settings as your Windows 7 GPO
- Click on the Common tab
- Tick Item-level targeting
- Click on the Targeting... button
- In the Targeting Editor window that appears, click on New Item
- Select Operating System from the list
- Click on the Product dropdown list and select Windows Server 2003 or Windows Server 2003 R2, whichever applies to you
[screenshot: Item-Level-Targeting.png]
- Click OK when done

Now run gpupdate /force on all the workstations (or wait for them to reboot) then use gpresult to confirm the Daily System Reboot policy has applied. Also confirm the tasks are visible on each of the machines.
0
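The verification step above (gpresult to confirm the policy applied, then checking that the task is visible on the machine) can be scripted. The following is an added example for this thread, not code from any of the participants. It assumes an elevated prompt on a Windows 7 client, English gpresult output, and that the deployed task carries the same name as the GPO ("Daily System Reboot", per the question); it uses gpresult.exe and schtasks.exe rather than Get-ScheduledTask, which does not exist on Windows 7.

```powershell
# Added example (not from the original thread). Run elevated on a client after gpupdate /force.
# Assumptions: English-language gpresult output; task name equals the GPO name.

function Test-GpoApplied {
    param([Parameter(Mandatory = $true)][string]$GpoName)
    # gpresult /r /scope:computer lists computer-side GPOs under an
    # "Applied Group Policy Objects" heading, one name per indented line.
    $lines = & gpresult.exe /r /scope:computer 2>&1
    $inApplied = $false
    foreach ($line in $lines) {
        $text = [string]$line
        if ($text -match '^\s*Applied Group Policy Objects') { $inApplied = $true; continue }
        if ($inApplied -and $text -match '^\s*The following GPOs were not applied') { break }
        if ($inApplied -and $text.Trim() -eq $GpoName) { return $true }
    }
    return $false
}

function Test-ScheduledTaskExists {
    param([Parameter(Mandatory = $true)][string]$TaskName)
    # schtasks /Query exits 0 when the task exists and non-zero when it does not.
    $null = & schtasks.exe /Query /TN $TaskName /FO LIST 2>&1
    return ($LASTEXITCODE -eq 0)
}

function Test-RebootTaskDeployment {
    param(
        [string]$GpoName  = 'Daily System Reboot',   # name used in the question
        [string]$TaskName = 'Daily System Reboot'    # assumed to match the GPO name
    )
    $gpo  = Test-GpoApplied -GpoName $GpoName
    $task = Test-ScheduledTaskExists -TaskName $TaskName
    # Both should be $true; GPO applied but no task points at the preference item
    # itself (action, targeting, "Log on as batch" rights), not at GPO linking.
    New-Object PSObject -Property @{
        Computer   = $env:COMPUTERNAME
        GpoApplied = $gpo
        TaskExists = $task
        Healthy    = ($gpo -and $task)
    }
}

Test-RebootTaskDeployment | Format-List
```

A result of GpoApplied = True with TaskExists = False is the case worth chasing: the policy reached the machine, so the problem is in the preference item rather than in linking or replication.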
 
LVL 37

Expert Comment

by:Mahesh
ID: 40569475
Hello VB ITS,
The purpose of the link is just to show item-level targeting; I have already explained what to select in item-level targeting.
Anyway, you have shed more light on the exact steps to be taken.
Lastly, whether you enforce the GPO or not, it will not make any difference because there are no other conflicting GPOs; this is a brand new, unique GPO. That is why I said that you can enforce the GPO if you want to.
0

 

Author Comment

by:joukiejouk
ID: 40569564
Thanks guys, so far the GPO seems to be working on a few Windows 7 test systems. I also have 1 Win 2003 Server and a couple of Windows 8 OS. Will this GPO work for Win 8? I don't really care about Win 8 or 2003 as the majority of systems (500) are on Win 7. Do you see an issue applying this to 500 systems?

I included a screenshot. My question about time zone is: the DC server is here in California, but we also have some Win 7 machines in Texas (2 hours ahead). If I select "synchronize across time zones", will it still execute at the scheduled time properly for the system to reboot?

[screenshot: time zone]
See screenshot in regards to link order. Let's say there are more GPO objects defined for the "Managed Computers" OU; would I have to toggle the "Daily System Reboot" policy to the top of the order for it to take effect?

[screenshot: Linked order]
My final question is about GPUPDATE. To execute this scheduled task on all 500 machines, from my DC, all I simply have to do is run "GPUPDATE /force", right? There should not be a need to go to all 500 machines to do a "GPUPDATE", or reboot 500 machines for the policy to pick up.
0
 
LVL 24

Accepted Solution

by:
VB ITS earned 250 total points
ID: 40569890
Thanks guys, so far the GPO seems to be working on a few Windows 7 test systems. I also have 1 Win 2003 Server and a couple of Windows 8 OS. Will this GPO work for Win 8? I don't really care about Win 8 or 2003 as the majority of systems (500) are on Win 7. Do you see an issue applying this to 500 systems?
It should work fine for Windows 8. For Server 2003 you'll need to create a new Scheduled Task and not Scheduled Task (Windows Vista and later), then use the item-level targeting as mentioned in my previous post.
[screenshot: Scheduled-Task-for-2003-in-GPO.png]
If you only have the one 2003 server then it's probably not worth the trouble of creating the task through Group Policy - just create it manually instead. It'll be quicker.

I included a screenshot. My question about time zone is: the DC server is here in California, but we also have some Win 7 machines in Texas (2 hours ahead). If I select "synchronize across time zones", will it still execute at the scheduled time properly for the system to reboot?
I believe the Synchronize across time zone option will set the task to run at UTC time, so change the time of the task to run accordingly. Test this on a few workstations first, I've seen varying degrees of success with this setting.

See screenshot in regards to link order. Let's say there are more GPO objects defined for the "Managed Computers" OU; would I have to toggle the "Daily System Reboot" policy to the top of the order for it to take effect?
You only need to change the Link Order if the other policies have conflicting settings. Generally though there's no need to change the order in most cases where you only have a few policies applying to the OU.

My final question is about GPUPDATE. To execute this scheduled task on all 500 machines, from my DC, all I simply have to do is run "GPUPDATE /force", right? There should not be a need to go to all 500 machines to do a "GPUPDATE", or reboot 500 machines for the policy to pick up.
I only suggested running gpupdate if you wanted the policy to apply straight away :)

For that many workstations it's better to just wait for AD replication to do its job then reboot the PCs to ensure the policies apply. You do not run gpupdate on the DC, you just need to make sure AD replicates properly to your other sites (if you have DCs in these sites) then the machines will be able to pick up the new policy.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 40570109
By default, Group Policy on the domain controllers is updated every five minutes.
However, I would prefer to run gpupdate /force on the DC so that it will note the GPO change activity immediately.

On client computers there is no need to run gpupdate on each computer unless you need to apply the GPO immediately.
The GPO will get applied on workstations during logon / restart depending upon the GPO type (computer configuration OR user configuration).

In the case of priority, if you have multiple GPOs linked to the OU, the policy with the higher link order number (say 3) has the lowest priority because it will get applied first.
The policy with the lower link order number (say 1) has the highest priority because it will be applied last.

As stated earlier, if you want the task to flow to a location with a different time zone, you need to select the "synchronize across time zones" setting. This will convert the time based on UTC (Coordinated Universal Time) and then it will get converted to the appropriate local time zone in that location.
Having said that, you might need to create TWO separate tasks with separate times defined, or you should be OK with the time zone differences.
Ex:
You set the time to 11:00 PM to run the task with the "synchronize across time zones" checkbox selected.
Now at your location, the task will get executed based on your time zone.
In the other location, where the time is 2 hours ahead, the task will start with a 2-hour difference.
0
 

Author Comment

by:joukiejouk
ID: 40571319
For whatever reason, the policy is not applying in the Production environment. I ran gpupdate /force on the DC, but when I checked Task Scheduler by logging into a few workstations, I do not see the scheduled task that should be applied. What am I doing wrong here? Once you do a gpupdate /force from the DC, shouldn't it apply the policy?
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40572051
Once you do a gpupdate /force from the DC, shouldn't it apply the policy?

Running gpupdate on your DC has absolutely no effect on GPOs you want to apply to the rest of your computers in the domain. All it does is force your DC to check for any new GPOs that apply to it, no different to any other workstation in your environment.

How did you enable the policy for your production environment? As this is a computer level setting, you need to link the policy to an OU containing the computers you want to apply these settings to.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 40572056
On any client computer, run gpupdate /force and make sure that the policy is able to create the scheduled task as required; otherwise, upon logon / startup the policy will not apply.
If it is not, then you need to troubleshoot further.
0
 

Author Comment

by:joukiejouk
ID: 40572066
So I found the reason why the policy did not apply properly in Production: an inbound/outbound statement needs to be inserted at the firewall level. The network team will work on getting that part done.

My question now is:

1. Does this GPO put a scheduled task on each of the 400 machines? What if I disable or delete the GPO from the DC, will it also remove the scheduled task for the 400 machines?

2. Since I have to do a GP Update on all 400 machines, is there a script that you can share (e.g. - .bat) where I can use psexec to push gpupdate to all 400 machines?
0
 
LVL 24

Expert Comment

by:NVIT
ID: 40572112
1.
Yes. The task is placed, disabled, or removed on each computer in your OU.

2.
Computer Group Policy is updated in the background every 90 minutes by default, with a random offset of 0 to 30 minutes. Computer Group Policy is always updated when the system starts.
Do you still need a script?
0
 

Author Comment

by:joukiejouk
ID: 40572121
Yes, I need a script.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40572146
Have a read of this article to use the PsExec tool to remotely run gpupdate on a list of machines you specify in a text file: http://support.microsoft.com/kb/556027
0
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 250 total points
ID: 40572198
You can remove the scheduled task without any issue. When you don't require it, go to the scheduled task's properties under GP Preferences and select the action "Delete".
This will delete the task from all computers during the next policy refresh.

First, ensure that the task is able to populate on every machine, and from your DC server check if it is able to access the client machines on TCP 445. (In short, the File and Printer Sharing exception should be enabled on every machine in order for the PsExec tool to work.)

Then export all your computers with the command below:
dsquery computer -o rdn -limit 0 > C:\Allcomputers.txt

Then remove the quotes from the output.
It should look like below:
Comp1
Comp2
Comp3
Comp4

Then pass this file to the psexec command, something like below:
PsExec @C:\AllComputers.txt gpupdate /force

OR

PsExec @C:\AllComputers.txt gpupdate /force > C:\Gpupdate.txt
This command will give you output and you will hopefully be able to track the missing computers.

0
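The procedure above (export the computer list, check TCP 445 reachability, push gpupdate with PsExec and keep a record of which machines were missed) as one script. This is an added example written for this thread, not code from any of the participants. It assumes PsExec.exe is on the PATH, the account running it is a local administrator on every target, and an OU distinguished name that is an assumption (the thread names the OU "Managed Computers" but never shows its full DN). It enumerates the OU directly with [adsisearcher] instead of dsquery, so there are no quotes to strip, and it records hosts that fail the port check separately from hosts where gpupdate itself returned a non-zero exit code.

```powershell
# Added example (not from the original thread). Requires PsExec.exe on PATH and
# local admin rights on the targets. The OU DN is an assumed value.

function Get-OuComputerNames {
    param([Parameter(Mandatory = $true)][string]$OuDistinguishedName)
    # [adsisearcher] is available on Windows 7 / Server 2008 without the RSAT AD module.
    $searcher = [adsisearcher]'(objectCategory=computer)'
    $searcher.SearchRoot = [adsi]"LDAP://$OuDistinguishedName"
    $searcher.PageSize = 1000     # paged search; the same reason dsquery needed -limit 0
    $null = $searcher.PropertiesToLoad.Add('name')
    foreach ($result in $searcher.FindAll()) { [string]$result.Properties['name'][0] }
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port = 445, [int]$TimeoutMs = 2000)
    # Bounded connect so an unreachable host does not stall the whole run.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Invoke-RemoteGpupdate {
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    # -s runs gpupdate as SYSTEM on the target; only the computer side of the
    # policy matters for a machine-scoped scheduled task, hence /target:computer.
    # PsExec's banner goes to stderr, so it is merged and discarded.
    & psexec.exe "\\$ComputerName" -accepteula -s gpupdate.exe /force /target:computer 2>&1 | Out-Null
    return $LASTEXITCODE
}

function Invoke-OuGpupdate {
    param(
        [Parameter(Mandatory = $true)][string]$OuDistinguishedName,
        [string]$ReportPath = 'C:\Gpupdate.csv'
    )
    $results = foreach ($name in Get-OuComputerNames -OuDistinguishedName $OuDistinguishedName) {
        if (-not (Test-TcpPort -ComputerName $name)) {
            # File and Printer Sharing not open (or host offline): PsExec cannot reach it.
            New-Object PSObject -Property @{ Computer = $name; Status = 'NoTcp445'; ExitCode = $null }
            continue
        }
        $code = Invoke-RemoteGpupdate -ComputerName $name
        $status = if ($code -eq 0) { 'Updated' } else { 'GpupdateFailed' }
        New-Object PSObject -Property @{ Computer = $name; Status = $status; ExitCode = $code }
    }
    # CSV gives the "missing computers" list the thread wanted from the redirected output.
    $results | Export-Csv -Path $ReportPath -NoTypeInformation
    $results
}

# Assumed DN for the "Managed Computers" OU; replace with the real one.
Invoke-OuGpupdate -OuDistinguishedName 'OU=Managed Computers,DC=example,DC=com' |
    Group-Object Status | Select-Object Name, Count
```

The Status column separates the two failure classes the thread runs into: NoTcp445 rows are the machines that still need the File and Printer Sharing exception before PsExec can reach them, while GpupdateFailed rows reached the host but gpupdate itself returned a non-zero exit code and need looking at individually.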
 

Author Comment

by:joukiejouk
ID: 40577883
So when I executed the command, this is what I get (below screenshot). What does error code -1 mean? I know error code 0 means it's successful. You mentioned port TCP 445 needs to be open. How would I open that port on all the 490 remote machines?

[screenshot: psexec error -1]
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 40577969
You are right.
For File and Printer Sharing you need to push another GPO which would enable the File and Printer Sharing exception on those machines.

Navigate to Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security and, under Inbound Rules, add the predefined rule for File and Printer Sharing and allow it.
After that, reboot all machines at least once to make the policy effective.

I know that after the reboot there is no reason to run gpupdate through PsExec; however, next time you want to run PsExec for any other purpose, it will run smoothly.
0
