Turn on and off a specific group policy in Active Directory via batch, script, or some other scheduled option?

I have hosted servers at a colocation facility, Windows 2012 R2 active directory domain.  I have a policy that helps prevent things from installing as part of our malware defense, and it works fine.

But when I need to run windows updates, they fail.  I would like to be able to set a specific time and date for the servers to run windows update, but in order for this to happen, I'd also have to be able to somehow, programmatically, disable this one particular group policy object.  

I can set the servers to stagger their automatic updates and reboots over a Saturday early morning and a Sunday early morning to keep them from interfering with normal business operations, but unless I'm awake to manually turn off the group policy at that time (or turn it off much earlier the previous day and let it be disabled until I turn it back on) the updates would fail.

Is there some way I can script powershell, or a batch file, or something so that I can, for example, turn off the specified group policy object at X:XX time, and another to re-enable it at y:yy time?

Thanks for any suggestions
Network Specialists Asked:

Manuel Flores Commented:
You can apply the GPO to given groups, users and devices using gpmc.msc at Scope -> Filtering, so a given user (an admin) would not be affected by the policy.

I would try and investigate those options.

..MFlores..
0

NVIT End-user support Commented:
See the post by Dale, at the bottom... "After going through the whole threads, the error is due to..."

Your case would be like:

Import-Module GroupPolicy
# Disable the GPO's link on the target OU (use -LinkEnabled Yes to turn it back on)
Set-GPLink -Name myGPO -Target "ou=MyOU,dc=contoso,dc=com" -LinkEnabled No


https://social.technet.microsoft.com/Forums/scriptcenter/en-US/92100b09-4a5b-4b66-8903-fdd786a58f5e/enablingdisabling-a-gpo?forum=winserverpowershell

In that post, the solution worked using the GUID instead of the Name. So you may need to use GUID if Name doesn't work.

After you confirm it works manually, you can add it to a scheduled task to automate it. Your task action would be like:
powershell.exe -ExecutionPolicy Bypass -File c:\foldername\filename.ps1


0
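One way to cover both scheduled tasks with a single parameterized script, added here as an example (it is not code from this thread or from the linked TechNet post): it sets the link by GUID, reads the link state back from the OU, and logs the result so a failed re-enable does not go unnoticed. The GUID, OU path and log path are placeholders, and `Write-Log` is a helper defined only for this example.

```powershell
# Added example: toggle one GPO link and confirm the result.
# All default values below are placeholders (assumptions), not values from the thread.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Enable','Disable')][string]$Action,
    # Placeholder GUID: replace with the Id shown by Get-GPO -Name <your GPO>
    [guid]$GpoGuid = '00000000-0000-0000-0000-000000000000',
    [string]$Target = 'ou=MyOU,dc=contoso,dc=com',
    [string]$LogFile = 'C:\foldername\gpo-toggle.log'
)

$ErrorActionPreference = 'Stop'
Import-Module GroupPolicy

# Set-GPLink expects Yes/No for -LinkEnabled
$wanted = if ($Action -eq 'Enable') { 'Yes' } else { 'No' }

# Hypothetical helper: one timestamped line per run, with the account that ran it
function Write-Log([string]$Message) {
    $line = '{0:u} {1} {2}' -f (Get-Date), $env:USERNAME, $Message
    Add-Content -Path $LogFile -Value $line
}

try {
    Set-GPLink -Guid $GpoGuid -Target $Target -LinkEnabled $wanted | Out-Null

    # Read the link back from the OU instead of trusting the call above
    $link = (Get-GPInheritance -Target $Target).GpoLinks |
        Where-Object { $_.GpoId -eq $GpoGuid }
    if (-not $link) { throw "GPO $GpoGuid is not linked at $Target" }
    if ($link.Enabled -ne ($Action -eq 'Enable')) {
        throw "Link state is $($link.Enabled) after requesting $Action"
    }
    Write-Log "OK $Action link '$($link.DisplayName)' at $Target"
}
catch {
    # A non-zero exit code makes the scheduled task show as failed
    Write-Log "FAILED $Action $GpoGuid at $Target : $($_.Exception.Message)"
    exit 1
}
```

Schedule it once with `-Action Disable` before the update window and once with `-Action Enable` after it; a failed enable task means the protective policy link is still off. Each server picks up the link change only at its next Group Policy refresh, so leave enough lead time before updates start.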
Network Specialists Author Commented:
Thanks, never got the notification that this question had answers, so I'll be trying this stuff this week!

John
0

Manuel Flores Commented:
Both solutions would probably fix the question.  The requester should try both to see which is more convenient.
0
Network Specialists Author Commented:
Flores' shouldn't have been marked as an answer, since simply telling me that group policies can be applied to specific things did nothing to answer my actual question.  

NVIT, your answer was perfect.  Created two batch files to run a powershell.exe command with PS1 files, one to turn on, one to turn off, and it does exactly what I needed.  Thanks!
0
Manuel Flores Commented:
Hi networkspecialists,

Please, instead of giving a condescending response, you should have given those points to the people you agree with... on time!  Your last comment was 2016-09-27.  Time enough to award the points to the person that gave the correct answer.  Like it or not, I gave some answer to your question spending my own time, please keep this in mind.

I agree if it is possible to revert the points awarded to me.

Regards,
0