Solved

How do I configure GPO on a Server 2008 DC to set a task scheduler to restart computers in a specific OU?

Posted on 2015-01-25
Last Modified: 2015-02-14
Please view my screenshot to see what I have configured, and tell me if it's proper. I also listed some questions in the screenshot as well, so hopefully, someone can help guide me. Seems like the GPO is not working. What I want to happen is to have computers in the "Managed Computers" OU have a task scheduler set from the GPO to reboot computers in the "Managed Computers" OU. For example, if I were to log into "KSOLEXCH01" which is in the "Managed Computers" OU, and go to the task scheduler, I would see a scheduled task for "Daily System Reboot" which was distributed from GPO.

I ensured that I did a "GPUPDATE" from the DC. I also read in an article that you must have "Log on as Batch" rights. Does anyone know anything about setting that up?

GPO
Question by:joukiejouk
16 Comments
 
LVL 35

Expert Comment

by:Mahesh
Answers:
1. You can enforce the GPO, that's not a problem
2. Select Update, then select Win 7
3. The action parameter could be shutdown -r -t 00 -f
4. From Windows 2008 and above you need to open the GPO from the GPMC console; if you are on a 2003 DC, you will get that tab
In order to create a task for 2003, in the same window add one more task, and this time select 2003 for the 2003 server with the same commands. Once the task preference item is created, go to its Properties\Common tab and enable item-level targeting based on operating system so that the task will apply to 2003 computers only
http://trekker.net/archives/targeting-os-platform-bitness-with-group-policy-preferences/
0
 
LVL 24

Expert Comment

by:VB ITS
1. I can't see any reason to Enforce this GPO so leave it as No, it's not needed in this scenario
2. Agree with Mahesh, leave it as Update and Windows 7
3. The /r switch needs to be in the Add arguments (optional) field. I would also add the /f switch in there to force applications to close, otherwise you may find that Windows won't shut down without user intervention
4. That Group Policy tab isn't even used in Server 2003 as it prompts you to use the GPMC, so it would make sense that the tab is no longer there in 2008 and onwards.

Sorry Mahesh but I don't agree with the link you provided as the instructions will cause the GPO to target all 32-bit machines, not just Windows Server 2003 machines.

I would personally do it this way:
- Right click Scheduled Tasks in GPMC then click on New Scheduled Task
- Configure it with the same settings as your Windows 7 GPO
- Click on the Common tab
- Tick Item-level targeting
- Click on the Targeting... button
- In the Targeting Editor window that appears, click on New Item
- Select Operating System from the list
- Click on the Product dropdown list and select Windows Server 2003 or Windows Server 2003 R2, whichever applies to you
- Click OK when done

Now run gpupdate /force on all the workstations (or wait for them to reboot) then use gpresult to confirm the Daily System Reboot policy has applied. Also confirm the tasks are visible on each of the machines.
0
 
LVL 35

Expert Comment

by:Mahesh
Hello VB ITS,
The purpose of the link is just to show item-level targeting; I have already explained what to select in item-level targeting.
Anyway, you have shed more light on the exact steps to be taken.
Lastly, whether you enforce the GPO or not, it will not make any difference because there are no other conflicting GPOs; this is a brand new unique GPO, which is why I said that you can enforce the GPO if you want to.
0
 

Author Comment

by:joukiejouk
Thanks guys, so far the GPO seems to be working on a few Windows 7 test systems. I also have 1 Win 2003 Server and a couple of Windows 8 OS. Will this GPO work for Win 8? I don't really care about Win 8 or 2003 as the majority of systems (500) are on Win 7. Do you see an issue applying this to 500 systems?

I included a screenshot. My question about time zone is, the DC server is here in California, but we also have some Win 7 machines in Texas (2 hours ahead). If I select "synchronize across time zone", will it still execute the scheduled time properly for the system to reboot?

time zone
See the screenshot in regards to linked order. Let's say there are more GPO objects defined for the "Managed Computers" OU, would I have to toggle the "Daily System Reboot" policy to the top of the order for it to take effect?

Linked order
My final question is about GPUPDATE. To execute this scheduled task to all 500 machines, from my DC, all I simply have to do is run "GPUPDATE /force", right? There should not be a need to go to all 500 machines to do a "GPUPDATE", or reboot 500 machines for the policy to pick up.
0
 
LVL 24

Accepted Solution

by:
VB ITS earned 250 total points
Thanks guys, so far the GPO seems to be working on a few Windows 7 test systems. I also have 1 Win 2003 Server and a couple of Windows 8 OS. Will this GPO work for Win 8? I don't really care about Win 8 or 2003 as the majority of systems (500) are on Win 7. Do you see an issue applying this to 500 systems?
It should work fine for Windows 8. For Server 2003 you'll need to create a new Scheduled Task and not Scheduled Task (Windows Vista and later), then use the Item-level targeting as mentioned in my previous post.
If you only have the one 2003 server then it's probably not worth the trouble in creating the task through Group Policy - just create it manually instead. It'll be quicker.

I included a screenshot. My question about time zone is, the DC server is here in California, but we also have some Win 7 machines in Texas (2 hours ahead). If I select "synchronize across time zone", will it still execute the scheduled time properly for the system to reboot?
I believe the Synchronize across time zone option will set the task to run at UTC time, so change the time of the task to run accordingly. Test this on a few workstations first, I've seen varying degrees of success with this setting.

See the screenshot in regards to linked order. Let's say there are more GPO objects defined for the "Managed Computers" OU, would I have to toggle the "Daily System Reboot" policy to the top of the order for it to take effect?
You only need to change the Link Order if the other policies may have conflicting settings. Generally though there's no need to change the order in most cases where you only have a few policies applying to the OU.

My final question is about GPUPDATE. To execute this scheduled task to all 500 machines, from my DC, all I simply have to do is run "GPUPDATE /force", right? There should not be a need to go to all 500 machines to do a "GPUPDATE", or reboot 500 machines for the policy to pick up.
I only suggested running gpupdate if you wanted the policy to apply straight away :)

For that many workstations it's better to just wait for AD replication to do its job then reboot the PCs to ensure the policies apply. You do not run gpupdate on the DC, you just need to make sure AD replicates properly to your other sites (if you have DCs in these sites) then the machines will be able to pick up the new policy.
0
 
LVL 35

Expert Comment

by:Mahesh
By default, Group Policy on the domain controllers is updated every five minutes.
However, I would prefer to run gpupdate /force on the DC so that it will note the GPO change activity immediately.

On client computers there is no need to run gpupdate on each computer unless you need to apply the GPO immediately.
The GPO will get applied on workstations during logon \ restart depending upon GPO type (computer config OR user config).

In case of priority, if you have multiple GPOs latched to the OU, the policy with a higher link order (say 3) has the least priority because it will get applied first.
The policy with a lower link order (say 1) has the highest priority because it will be applied last.

As stated earlier, if you want the task to flow to a location with a different time zone, you need to select the synchronize across timezones setting. This will convert the time based on UTC (Coordinated Universal Time) and then it will get converted to the appropriate local time zone in that location.
Having said that, you might need to create TWO separate tasks with separate times defined, or you should be OK with the timezone differences.
Ex:
You set the time 11.00PM to run the task with the checkbox synchronize across timezones selected
Now at your location, the task will get executed based on your time zone
At the other location, where the time is 2 HRS ahead, the task will start with a 2 HRS difference
0
 

Author Comment

by:joukiejouk
For whatever reason, the policy is not applying in the Production environment. I ran gpupdate /force on the DC, but when I checked task scheduler by logging into a few workstations, I do not see the scheduled task that should be applied. What am I doing wrong here? Once you do a gpupdate /force from the DC, shouldn't it apply the policy?
0
 
LVL 24

Expert Comment

by:VB ITS
Once you do a gpupdate /force from the DC, shouldn't it apply the policy?

Running gpupdate on your DC has absolutely no effect on GPOs you want to apply to the rest of your computers in the domain. All it does is force your DC to check for any new GPOs that apply to it, no different to any other workstation in your environment.

How did you enable the policy for your production environment? As this is a computer level setting, you need to link the policy to an OU containing the computers you want to apply these settings to.
0

 
LVL 35

Expert Comment

by:Mahesh
On any client computer run gpupdate /force and make sure that the policy is able to create the scheduled task as required, otherwise upon logon \ start the policy will not apply.
If it's not, then you need to troubleshoot further.
0
 

Author Comment

by:joukiejouk
So I found the reason why the policy did not apply properly in Production was because of an inbound/outbound statement that needs to be inserted in the firewall level. The network team will work on getting that part done.

My question now is:

1. Does this GPO put a scheduled task on each of the 400 machines? What if I disable or delete the GPO from the DC, will it also remove the scheduled task for the 400 machines?

2. Since I have to do a GP Update on all 400 machines, is there a script that you can share (e.g. - .bat) where I can use psexec to push gpupdate to all 400 machines?
0
 
LVL 23

Expert Comment

by:NVIT
1.
Yes. The task is placed, disabled, or removed on each computer in your OU.

2.
Computer Group Policy is updated in the background every 90 minutes by default, with a random offset of 0 to 30 minutes. Computer Group Policy is always updated when the system starts.
Do you still need a script?
0
 

Author Comment

by:joukiejouk
Yes, I need a script.
0
 
LVL 24

Expert Comment

by:VB ITS
Have a read of this article to use the PsExec tool to remotely run gpupdate on a list of machines you specify in a text file: http://support.microsoft.com/kb/556027
0
 
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 250 total points
You can remove the scheduled task without any issue. When you no longer require it, go to the scheduled task's properties under GP Preferences and select the action "Delete".
This will delete the task from all computers during the next policy refresh.

First ensure that the task is able to populate on every machine, and from your DC server check if it's able to access client machines on TCP 445 (in short, the file and print sharing exception should be enabled on every machine in order for the PsExec tool to work).

Then export all your computer list with the command below:
dsquery computer -o rdn -limit 0 > C:\Allcomputers.txt

Then remove the quotes from the output.
It should look like below:
Comp1
Comp2
Comp3
Comp4

Then pass this file to the PsExec command, something like below:
PsExec @C:\AllComputers.txt gpupdate /force

OR

PsExec @C:\AllComputers.txt gpupdate /force > C:\Gpupdate.txt
This command will give you output and you will be able to track missing computers hopefully

0
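The pre-check described in the post above, as an added example that is not part of the original thread: for each name in C:\AllComputers.txt it tests TCP 445 and then looks for the task's file over the admin$ share, so unreachable machines and machines that never received the task are listed before PsExec is run against them. It assumes the caller is a local administrator on the targets and that they run Windows Vista or later; the function names and the CSV path are hypothetical.

```powershell
# Added example, not from the thread. Function names and the CSV path are hypothetical.
# Assumes local admin rights on the targets and Windows Vista or later on them.
$TaskName = 'Daily System Reboot'      # task name used in the thread
$ListFile = 'C:\AllComputers.txt'      # file produced by the dsquery step

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port = 445, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)     # throws if the name did not resolve or was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-RebootTaskStatus {
    param([string[]]$ComputerName, [string]$Task = $TaskName)
    foreach ($c in $ComputerName) {
        $name = $c.Trim().Trim('"')    # dsquery wraps each name in quotes
        if (-not $name) { continue }
        $smb = Test-TcpPort -ComputerName $name
        $present = $null               # stays empty when the host could not be checked
        if ($smb) {
            # Vista and later store each task as a file under %SystemRoot%\System32\Tasks.
            # False here can also mean the admin share refused the caller.
            $path = "\\$name\admin`$\System32\Tasks\$Task"
            $present = Test-Path -LiteralPath $path -ErrorAction SilentlyContinue
        }
        New-Object PSObject -Property @{
            Computer = $name; Smb445Open = $smb; TaskPresent = $present
        } | Select-Object Computer, Smb445Open, TaskPresent
    }
}

# Falls back to the thread's placeholder names (constructed sample) if the list is absent.
$computers = if (Test-Path $ListFile) { Get-Content $ListFile } else { 'Comp1', 'Comp2' }
$report = @(Get-RebootTaskStatus -ComputerName $computers)
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Smb445Open -or -not $_.TaskPresent } |
    Export-Csv -Path "$env:TEMP\RebootTaskMissing.csv" -NoTypeInformation
```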
 

Author Comment

by:joukiejouk
So when I executed the command, this is what I get (screenshot below). What does error code -1 mean? I know error code -0 means it's successful. You mentioned PORT TCP 445 needs to be open. How would I open that port on all the 490 remote machines?

psexec error -1
0
 
LVL 35

Expert Comment

by:Mahesh
You are right.
For file print sharing you need to push another GPO which would enable the file print exception on those machines.

Navigate to Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security and under Inbound Rules, add the predefined rule for file print sharing and allow it.
After that, reboot all machines at least once to make the policy effective.

I know after reboot there is no reason to run gpupdate through PsExec; however, next time if you want to run PsExec for any other purpose, it will run smoothly.
0
