question

zahidhaseeb-8802 asked MotoX80 commented

task schedule is not working thru GPO

I have a PowerShell script which runs fine. I want to deploy the script to machines through GPO. Below is my configuration, but the endpoint machines are unable to get the scheduled tasks.
[Images: 126690-2021-08-26-173215.png, 126789-2021-08-26-173228.png, 126706-2021-08-26-173243.png, 126720-2021-08-26-173302.png]

Script Details:

$date = Get-Date -Format ddMMMMyyyy
Get-Date >> \\tps-bkp\Vyatta\AccessRightsReviews\$date
hostname >> \\tps-bkp\Vyatta\AccessRightsReviews\$date
echo " " >> \\tps-bkp\Vyatta\AccessRightsReviews\$date
net localgroup administrators >> \\tps-bkp\Vyatta\AccessRightsReviews\$date
echo "#######################################" >> \\tps-bkp\Vyatta\AccessRightsReviews\$date

windows-server

LimitlessTechnology-2700 answered

Hello @zahidhaseeb-8802

On a Windows computer, you can set an execution policy for the local computer, for the current user, or for a particular session. You can also use a Group Policy setting to set execution policies for computers and users.

Execution policies for the local computer and current user are stored in the registry. You don't need to set execution policies in your PowerShell profile. The execution policy for a particular session is stored only in memory and is lost when the session is closed.

The below link enables cmdlet descriptions and syntax for all Scheduled Tasks cmdlets. It lists the cmdlets in alphabetical order based on the verb at the beginning of the cmdlet.

https://docs.microsoft.com/en-us/powershell/module/scheduledtasks/?view=windowsserver2019-ps

Hope this answers all your queries, if not please do repost back.
If an Answer is helpful, please click "Accept Answer" and upvote it : )

Regards,


zahidhaseeb-8802 answered

Thanks for your words. I don't want to jump into details due to my scripting knowledge. I have a simple query. My script is able to run via Task Scheduler on the local computer when I test. However, when I want to run the same script from GPO > Scheduled Task, it fails. Help me to verify where I am wrong. Further, is there any log which I can check to see why the scheduled task is failing to run the script through GPO?


MotoX80 answered MotoX80 edited

[Image: 127089-capture2.jpg]

The default handler for a .ps1 file is notepad.exe. You have to tell the task scheduler to run Powershell.exe with the name of the script as an argument.

> But the endpoint machines are unable to get the schedule tasks

If the task is not getting defined on the workstation, use the gpresult tool or rsop.msc to verify that the correct policies are being applied.

https://activedirectorypro.com/gpresult-tool/
https://docs.microsoft.com/en-us/troubleshoot/windows-server/group-policy/use-resultant-set-of-policy-logging

> any log which I can check why the Schedule Task getting failed to run script thru GPO

Start by checking the task scheduler on the client workstation. In the Actions pane, you may need to enable "All Tasks History". Then try to run the task and check the events in the History tab for errors.

[Image: 127067-capture.jpg]

If the script is being launched, but Powershell is failing for some reason, then one debugging trick is to use cmd.exe to capture the stdout and stderr that Powershell produces. This will require you to modify the task in the policy.

Schedule it to run cmd.exe with an argument like this. (Use whatever log folder you prefer.)

 /c Powershell.exe -file C:\AccessRightsReviewServers.ps1  1>c:\temp\AccessRightsReviewServers.log 2>&1

It should look similar to my test task. Run it and check the log for errors.

[Image: 127078-capture3.jpg]
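The checks described in the answer above (is the task defined, what does it launch, what does the History tab record), gathered into one PowerShell script. This is an added example, not code from the thread; `$TaskName` is an assumed placeholder for the task name defined in the GPO.

```powershell
# Added example (not from the thread). $TaskName is an assumed placeholder:
# use the task name defined in your GPO. Run elevated on the client.
$TaskName = 'AccessReviews'
$LogName  = 'Microsoft-Windows-TaskScheduler/Operational'

# 1. Is the task registered? Without -TaskPath this searches every task folder.
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue |
    Select-Object -First 1
if (-not $task) {
    Write-Warning "Task '$TaskName' is not registered on $env:COMPUTERNAME. Check policy application before debugging the script."
    return
}

# 2. What will actually be launched, and under which account?
$task.Actions   | Format-List Execute, Arguments, WorkingDirectory
$task.Principal | Format-List UserId, LogonType, RunLevel

# 3. Last run time and result code (0x0 = the launched program reported success).
$info = $task | Get-ScheduledTaskInfo
'LastRun={0}  LastResult=0x{1:X}  NextRun={2}' -f $info.LastRunTime, $info.LastTaskResult, $info.NextRunTime

# 4. The History tab reads this log. If it is disabled, nothing is recorded.
$log = Get-WinEvent -ListLog $LogName
if (-not $log.IsEnabled) {
    Write-Warning "'$LogName' is disabled; enable 'All Tasks History' and run the task again."
    return
}

# 5. Errors and warnings (Level 2 = Error, 3 = Warning) for this task, last 24 hours.
Get-WinEvent -FilterHashtable @{
        LogName   = $LogName
        Level     = 2, 3
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*\$TaskName*" } |
    Sort-Object TimeCreated |
    Format-List TimeCreated, Id, LevelDisplayName, Message
```

If step 2 shows the .ps1 file itself under Execute rather than Powershell.exe or cmd.exe, the task definition has the problem described at the top of the answer.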

zahidhaseeb-8802 answered zahidhaseeb-8802 edited

I am still not able to see tasks which are supposed to sync from Domain/GPO to endpoint machines.

[Images: 127857-1.png, 127830-2.png, 127850-3.png, 127858-4.png, 127901-5.png]

Program / Script = cmd.exe
Arguments = /c powershell.exe -ExecutionPolicy Bypass -File "\\xxxxxx.com\SYSVOL\xxxxxx.com\scripts\AccessReviews.ps1"
When I try to troubleshoot, the logs are also not being generated by the below syntax in the arguments:
Arguments = /c powershell.exe -ExecutionPolicy Bypass -File "\\xxxxxx.com\SYSVOL\xxxxxx.com\scripts\AccessReviews.ps1" 1>C:\GPOScripts\abc.log 2>&1


In the last snap the endpoint machine is unable to fetch the task from Domain/GPO



MotoX80 answered MotoX80 edited

I no longer have access to an Active Directory environment where I can recreate your issue. Based on experience, it would appear that you have one of 2 problems.

  1. The task is getting created, but it is hidden.

  2. The Group Policy is not being applied to the pc.



From an admin command prompt on the client run these commands. Do you see your task name anywhere?

 dir  /s /a /b C:\Windows\System32\Tasks | findstr -i  accessreview
 pause
 dir  /s /a-d C:\Windows\System32\Tasks

Run regedit and search for the task name.

[Image: 127952-capture.jpg]



If you can't find it, then it would appear to be a group policy problem. From an admin command prompt run:

 gpupdate /force
 gpresult /r /v 

You should see the name of your policy in the output.

One other way to verify that the policy is being applied is to disable some service. In the policy where you defined the task, set some unused service like SNMP Trap or Telephony to disabled. Run gpupdate on the client and then check services.msc to see if the service startup type was changed.





https://blog.eldernode.com/apply-group-policy-to-a-computer-in-active-directory/

https://4sysops.com/archives/understanding-group-policy-order/


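The two cases from the answer above (task created but hidden, or policy not applied) can be told apart in one pass. This is an added PowerShell example, not code from the thread; the search string is the one used in the `findstr` command, the GPO name is the one that appears in this thread's `gpresult` output, and the parsing assumes English `gpresult` text.

```powershell
# Added example (not from the thread). Run elevated on the client,
# after "gpupdate /force" has completed.
$TaskFragment = 'accessreview'           # search string used in the findstr command above
$GpoName      = 'ISO27001-AccessReview'  # GPO name as it appears in this thread

# Task definition files on disk; -Force includes hidden items, like "dir /a".
$files = Get-ChildItem "$env:SystemRoot\System32\Tasks" -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like "*$TaskFragment*" }

# Registry view of the same tasks (what a regedit search would find).
$tree = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$keys = Get-ChildItem $tree -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like "*$TaskFragment*" }

# Registered tasks, with the Hidden flag that keeps a task out of the default GUI view.
$tasks = Get-ScheduledTask |
    Where-Object { $_.TaskName -like "*$TaskFragment*" } |
    ForEach-Object { '{0}{1} (Hidden={2})' -f $_.TaskPath, $_.TaskName, $_.Settings.Hidden }

# Read the "Applied Group Policy Objects" block of the computer-scope report.
# Assumption: English output; the section header is localized on other systems.
$applied   = @()
$inSection = $false
foreach ($line in (gpresult /r /scope:computer)) {
    if ($line -match '^\s*Applied Group Policy Objects') { $inSection = $true; continue }
    if (-not $inSection)           { continue }
    if ($line -match '^\s*-+\s*$') { continue }   # underline row below the header
    if ($line -match '^\s*$')      { break }      # blank line ends the list
    $applied += $line.Trim()
}

[pscustomobject]@{
    TaskFilesOnDisk = @($files).Count
    TaskCacheKeys   = @($keys).Count
    RegisteredTasks = @($tasks) -join '; '
    GpoApplied      = $applied -contains $GpoName
    AppliedGpos     = $applied -join '; '
} | Format-List
```

A registered task reported with `Hidden=True` is the first case in the list above; no files, keys or tasks together with `GpoApplied : False` is the second.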

zahidhaseeb-8802 answered MotoX80 commented

1- I am able to see the GPO is there. But I am not able to see task in the scheduler.
2- C:\Windows\system32>dir /s /a /b c:\windows\System32\Tasks | findstr -i accessreview
C:\Windows\system32>


C:\Windows\system32>gpresult /r /scope:computer

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
c 2013 Microsoft Corporation. All rights reserved.

Created on 8/31/2021 at 6:26:10 PM


RSOP data for xxxxxxonline\user01 on machine01 : Logging Mode



OS Configuration: Member Server
OS Version: 6.3.9600
Site Name: Default-First-Site-Name
Roaming Profile: N/A
Local Profile: C:\Users\user01
Connected over a slow link?: No


COMPUTER SETTINGS


 CN=machine01,OU=CIS,DC=xxxxxxonline,DC=com
 Last time Group Policy was applied: 8/31/2021 at 5:47:51 PM
 Group Policy was applied from:      DC5ME.xxxxxxonline.com
 Group Policy slow link threshold:   500 kbps
 Domain Name:                        xxxxxxonline
 Domain Type:                        Windows 2008 or later

 Applied Group Policy Objects
 -----------------------------
     CIS Policy
     Laps Plicy For Server
     Wsus Policy For Servers
     **ISO27001-AccessReview**
     Local Group Policy

 The computer is a part of the following security groups
 -------------------------------------------------------
     BUILTIN\Administrators
     Everyone
     BUILTIN\Users
     NT AUTHORITY\NETWORK
     NT AUTHORITY\Authenticated Users
     This Organization
     machine01$
     Domain Computers
     Authentication authority asserted identity
     System Mandatory Level

MotoX80 commented:

Did the C:\GPOScripts\abc.log file get created?

In the ISO27001-AccessReview policy, try the "disable an unused service" trick to verify that you are getting the policy properly applied.

Do you see any related group policy events in the eventlog?

https://social.technet.microsoft.com/Forums/windows/en-US/8419575f-2b76-4a37-8f3c-608410912980/which-event-viewer-log-is-specific-to-gpo-events-and-where-is-this-log-located-within-event-viewer

What about events in application/system/security/task scheduler logs around the time when the task is scheduled to run?

zahidhaseeb-8802 answered MotoX80 commented

[Images: 127975-6.png, 127976-7.png]

I see that the COMPUTER GROUP name CIS COMPUTER GROUP is missing in "The computer is a part of following security group". However, the individual computer is there (coloured).


MotoX80 commented:

So that's the problem?

Sorry, I don't know anything about your environment and what all you've done.
