Link to home
Get AccessLog in
Avatar of hypercube
hypercubeFlag for United States of America

asked on

GPO to create a scheduled task not creating a task

I'm trying to set up a GPO that does a very simple thing:
run a command line:
shutdown -r
and apply this to all computers so they will reboot at the common scheduled time.

Some time ago, I "learned" that using the built-in GPO Computer Configuration structure would not work.  I believe it was:
Computer Configuration / Preferences / Control Panel Settings / Scheduled Tasks / Scheduled Task [name]
etc.
Anyway, in view of my recent problems, I tried it again and, sure enough, no task was created.
The task is a one-line .bat file stored on the DC at:
C:\Users\Public\Scripts\Scheduled Task Files\[fllename.bat
... because that seems to be where the GPO expects it to be.
Now, it does appear that this file has been stored in the target computer at:
C:\Users\Public\Scripts
So, I'd expect a scheduled task pointing at C:\Users\Public\Scripts\filename.bat.
But, no such luck.
Can it be confirmed that this approach doesn't work or that I'm doing something obviously wrong?

Alternately, I've been writing all of my Task Scheduler / Scheduled Tasks with a Startup Script.  This approach does this:
Creates a startup script using:
Computer Configuration / Policies / Windows Settings / Scripts (Startup / Shutdown)
The startup script writes the same simple .bat file to C:\Public\Scripts on the target workstations.  And, it creates a scheduled task using schtasks which executes that batch file.
This has been working - but not now it seems.
So, I'm trying to do a "reset" on how I approach this simple objective!!



Avatar of arnold
arnold
Flag of United States of America image

Why go seemingly through a two step process.

Why not simply schedule a task to run the command you want when you want it run, adding the -t 25 -f option to force the restart if sonething might be running and could prevent a reboot without this option.
Possibly the absence of -t 25 that sets the time after which, or use -t now...
Which might be the issue.

Try, on the system where this bat file exists, try to run it, does the system reboot.

Potentially, software restriction implemented as a preventative to ransoneware is impacting your situation.
Avatar of hypercube

ASKER

Arnold:  I would love to!!  Again, here is why one might not:
Some time ago, I "learned" that using the built-in GPO Computer Configuration structure would not work.  ... and I should have added "for Scheduled Tasks".
I've not been able yet to overcome this.  But, as I said, I did try.  Thus this question.
If you are using a central filename.bat

Does the issue relate to the sysvol based filename.dat that the GPO processing can not locate?

Has thought been given to create a local, within the GPO confines a processing.bat
That runs the sysvol based filename.bat

I think the restriction/issue you suggest deals with handling running a bat file from the network.

Another option might be to have the GPO bat file xcopyt/robocopy to get the sysvol based script copied into the GPO.

This way the filename.bat will be seen as a local file.

The Xcopy/robocopy will copy only when the file changes.
arnold:  I think I have all that covered now.  
But, I should ask:
The "best" location for some GPOs seems to be:
\\[domain]\SysVol\[domain]\Policies\{GUID}\Machine\Scripts\ ... etc....
Yet, in trying to create a scheduled task GPO, when I get into the GPO to see where the Action / Run a Program file is expected to be, it's:
C:\Users\Public\Scripts\Scheduled Task Files\
And, from earlier discussions I get the impression that this is NOT where I want it.

Most comments I've received say "put it in the GPO" without further detail.
I believe that a reasonable and fundamental question is:
If files are "put in the GPO", are there different locations for different types of GPOs?
I might imagine:
\\[domain]\SysVol\[domain]\Policies\{GUID}\
but are there multiple locations thereafter for different purposes?
I'm just wanting to understand what "in the GPO" means fully.

that is the path for the GPO, the shutdown/startup scripts have their location within the GPO scripts structure and the login/logout user GPO section has its own scripts section.

GPP scheduled tasks computer or user. the issue might related to the start in location.

perhaps that is what was missing.
you load the script from X, but the start in is left blank and then could default if missing to c:\windows\system32.....


user GPO scheduled task runs at user, such that it might not have rights to access/read the file.


the c:\users\public\scripts when created will be accessible by all users on a computer
the location is also has local users with modify access. meaning a user can alter the file you place there. highly insecure.
arnold:  Thank you!!
Well, I didn't say that the script didn't run.  Although that might be an issue one day.
Here, the problem was that the Scheduled Task wasn't created at all.

I didn't specify a "start in" - normally don't.  It would have to be a generic location for all computers.
I have always believed that Scheduled Tasks run as the account provided.  In this case, SYSTEM is provided.
the start in would commonly be where the script is if running/relying on a local location.

system will run under the computer configuration preferences. the user based one will commonly run as the user under whose privileges the GPO is processed ...
arnold:  Thank you again.
Yes, I've written a number of Scheduled Tasks and have a pretty good idea how they work.
The issue here is a GPO that doesn't do what is intended: to create a Scheduled Task.

I'm beginning to wonder if this isn't just a repeat of research I did a couple of years ago.  That's where I was informed that this feature in AD Group Policy does not work.  I was hoping that it had been overcome by events.
But nobody has confirmed that this is still the case, nor denied it either.
It seems odd that it isn't referred to all that often.
The workaround is a script using "schtasks".
GPMC is the only way to determine what might be going on.
Do you have multiple GPPs that are settings scheduled tasks?

what is the domain/forest functional level that you have?
which systems ?
I don't have multiple tasks because I was trying to get to the situation you suggested:
Why go seemingly through a two step process.

Why not simply schedule a task to run the command you want
I was hoping that you were suggesting that this would WORK.
So, far, I haven't figured out that it does any more than I'd learned a couple of years ago that it wouldn't.
All of the servers are Windows Server 2019 Standard on hardware.
All of the hosts are Windows 10 Pro.

Can you try using
Shutdown -rr -f  as the task.

Targeting a specific test system.
Run gpupdate /f
Then reboot the system and see whether the task is listed in
Schtasks /query
arnold: Thank you!
I *do* have a specific test system.  I *do* run gpupdate /f.  I *do* reboot the target system but don't recognize -rr, just -r.

I believe that I've found my problem:
Setting a Scheduled Task by GPO does work BUT it isn't going to work to "start a program" unless the program is there.
To do this, one of two things might be met:
(It now seems rather obvious)

1)  the "start a program" path in the GPO-constructed scheduled task points to a common local path for the program/script file that exists on each target computer AND the referenced file is in that path.  Of course, this then requires that some other process/GPO gets them there in the first place.  Rather "too hard".

2) the "start a program" path in the scheduled task points to  the GPO files and the file is in that path.  It works if the path:
\\[domain]\sysvol\[domain]\Policies\{GUID}\Machine\Scripts\[filename]
Is entered in the GPO-constructed scheduled task.

I rather assume that the idea that it will not work is the result of bad information floating around.  Or, perhaps, there *was* a problem that's been fixed.

Thanks arnold for helping!
It may be that you alluded to the answer and I just wasn't "getting it".





ASKER CERTIFIED SOLUTION
Avatar of hypercube
hypercube
Flag of United States of America image

Link to home
membership
This content is only available to members.
To access this content, you must be a member of Experts Exchange.
Get Access