Accurate and Reliable revocation/re-instatement of a shortcut via GP on a schedule

I have spent the last few days trying to work out a technique to do something very simple:

Remove a Desktop and a Start Menu shortcut for a period of time, and then have it return.

The objective

Remove the desktop and start menu Icons, that are at present deployed via GP, while I do a software update from 08:00 to 08:30

The Rules

It must be reliable as it is in a healthcare environment where medical staff will need to access patient records reliably by restoring the shortcuts after the update, so I can't expect them to just run GPUpdate to get their shortcuts back.

What I have found so far

  • It works as long as I do a gpupdate on the client machine.
  • If a machine is offline and a user powers it on and logs in at 08:03 the shortcuts are present circumventing (it could be timing, i.e. do I need to allow time for the full GP+targeting criteria to be deployed to all clients?)
  • It works on its own, but the timing of the departure and arrival of the shortcuts can vary a fair bit.
I can only assume I am making the same mistake using targeting to achieve this.

NOT between 08:00 and 08:30

I have tried the same techniques on Server 2008R2, SBS2011, Server 2012+R2, Server 2016.  Can someone put me out of my misery with a suggestion or prove it can't be done.

It was something I was able to do ironically in NT4/2000 GP deployments back in the days, but am struggling to come up with a technique now
mbkitmgr Asked:

Joseph Hornsey, President and Janitor, Commented:
That's a very interesting scenario; I've never looked at anything like that.

One thing that jumps out at me is your comment: "It works as long as I do a gpupdate on the client machine".

If I remember correctly, clients update GPOs every 90 minutes and there's a random offset in there to keep requests from overlapping.  They also update at startup, but I think you need something a lot more surgical (pardon the pun), so maybe a scheduled task?

Check out this article.
0
Shaun Vermaak, Technical Specialist, Commented:
Look at the very last part of my article. I suggest a PowerShell script that moves or deletes/recreates the shortcut. The timing logic can be done via a SYSTEM scheduled task deployed via GPP.
https://www.experts-exchange.com/articles/31687/Windows-Firewall-as-Code.html
0

McKnife Commented:
One proven way: https://www.experts-exchange.com/articles/25379/Make-GPOs-work-timebound.html
One GPO would create and another would delete.
You set 1 to be active in one time slot and 2 the rest of the time.
0
mbkitmgr (Author) Commented:
Thanks Shaun and McKnife.  I hadn't thought of these methods.

I did try
  • Targeting using "NOT 08:00 to 08:30", this worked but too inaccurate
  • Adding GPO that added a task to task scheduler on the local machines to run GPUPDATE at 08:00 and again at 08:30 : some machines failed to execute the GP update, they did remove the shortcut say 15mins into the time window

I have to take the Chief cook out for lunch in the vineyards, will try as soon as I get back tonight
0
mbkitmgr (Author) Commented:
Hi McKnife and Shaun.

I hit two issues
No. 1 When I create the scheduled task it retains some default properties :
Below shows the settings on the "Conditions Tab" of a task where I have turned some off in the GPMC configuration of the task GP.
GP Task defaults
  • "Start the task if the computer is idle for xx mins"
  • and "Wait for Idle  hour"
  • and "Stop if the computer switches to battery power"
In each case a check of the details of the GP shows they remain.  
GP Settings preview
This sees the Task fail to execute on some machines because the user is on and active, or the device is a Surface Pro and on Battery
How did you overcome this?

No. 2 The timing still seems an issue I am struggling with
I follow the sequence :
  1. Use targeting at 08:00:00 to turn off the Icon.
  2. at 08:00:50 the GPUpdate runs to execute GP update to retrieve the GP detail for the icon.
  3. at 08:30:00 the targeting turns off the Icon
  4. at 08:30:50 the GPUpdate runs to execute GP update to retrieve the GP detail that turns the icon on.

Overall issue 2 may be due to the defaults being deployed shown in issue 1.
0
McKnife Commented:
You are mixing both recommended methods, please try each one. So if you try mine, please don't use targeting as well.
0
mbkitmgr (Author) Commented:
Hi McKnife.

Same result.  I set a schedule on the Server to Link/Unlink the GP at the appropriate time, and still needed to execute GP update on the client, which I can't have the users execute - many wouldn't know how or just ignore it.  The end result is I still need to set a task on the client machine to execute GPupdate.

The underlying issue is with Tasks created in GP that are retaining some default values.  If a user is active on the machine, say reading email, and/or the device is a tablet/laptop on battery power, the task of GPupdate fails to execute.

One other option I'll test later is to use PSEXEC64 on the server in the following way
  • Set the timing in Targeting
  • Set scheduled task on the server to execute PSEXEC to remote GPUpdate, before (to hide) and after (to restore) the icon.
I have used PSEXEC at other larger sites with good effect so hopefully it will circumvent the issue with tasks scheduled via GP
0
McKnife Commented:
If one GPO creates a shortcut and the other deletes it, what can go wrong? I will reproduce that here.
0
McKnife Commented:
Works as expected.
0
McKnife Commented:
Hi Seth.

Effort of all experts should be honored if found suitable. I did not look at Shaun's linked article, but I am pretty sure it will apply - did you have a reason to exclude it? I will leave it up to Shaun to object.

@mbkitmgr
It is pretty sad to see a question with so much feedback being abandoned, please return.
0
Shaun Vermaak, Technical Specialist, Commented:
#a42494651 is a perfectly valid solution too. Schedule a task that moves shortcut away from Desktop at a specific time, then move it back at another time.
0
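
The scheduled-task approach Shaun Vermaak describes above, sketched as an added example (not code from the thread or the linked article): a SYSTEM task moves the shortcuts to a holding folder during the window and back afterwards, deciding from the clock so a machine booted mid-window is still handled, and is registered without idle or battery conditions. Assumptions: clients have the ScheduledTasks module (Windows 8 / Server 2012 or later), the shortcuts sit in the all-users Desktop and Start Menu folders under the hypothetical name AppName.lnk, and Group Policy does not re-create them during the window.

```powershell
# Added example, not from the thread. AppName.lnk, ShortcutHold and ShortcutWindow are hypothetical.
param([switch]$Install)

$WindowStart = [TimeSpan]'08:00'
$WindowEnd   = [TimeSpan]'08:30'
$Hold        = "$env:ProgramFiles\ShortcutHold"   # admin-writable only by default
$Shortcuts   = @(                                  # assumed all-users locations
    "$env:PUBLIC\Desktop\AppName.lnk",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\AppName.lnk"
)

function Get-HeldPath([string]$Path) {
    # Prefix with the parent folder so the two copies do not collide in $Hold
    $tag = (Split-Path $Path -Parent) -replace '[\\:]', '_'
    Join-Path $Hold ($tag + '_' + (Split-Path $Path -Leaf))
}

function Sync-Shortcut {
    # Decide from the clock, not from an event, so a PC booted at 08:03 still hides
    $now  = (Get-Date).TimeOfDay
    $hide = ($now -ge $WindowStart) -and ($now -lt $WindowEnd)
    New-Item -ItemType Directory -Path $Hold -Force | Out-Null
    foreach ($lnk in $Shortcuts) {
        $held = Get-HeldPath $lnk
        if ($hide -and (Test-Path -LiteralPath $lnk)) {
            Move-Item -LiteralPath $lnk -Destination $held -Force
        } elseif (-not $hide -and (Test-Path -LiteralPath $held)) {
            Move-Item -LiteralPath $held -Destination $lnk -Force
        }
    }
}

if ($Install) {
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -File `"$PSCommandPath`""
    $triggers = @(
        (New-ScheduledTaskTrigger -Daily -At '08:00'),
        (New-ScheduledTaskTrigger -Daily -At '08:30'),
        (New-ScheduledTaskTrigger -AtStartup),
        (New-ScheduledTaskTrigger -AtLogOn)
    )
    # No idle condition is set, and battery power neither blocks nor stops the task
    $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount
    Register-ScheduledTask -TaskName 'ShortcutWindow' -Action $action -Trigger $triggers `
        -Settings $settings -Principal $principal -Force | Out-Null
} else {
    Sync-Shortcut
}
```

Run it once elevated with `-Install`; because the task runs as SYSTEM, keep the script file itself in a location only administrators can write to.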