Run PowerShell scripts as Immediate Scheduled Tasks with Group Policy
By Josh Rickard, Mon, Jun 12 2017
Another useful feature is that the PowerShell script runs right after the Group Policy is applied. In addition, the script runs only once, because each time Group Policy refreshes, it removes the task.
To work with Immediate Scheduled Tasks, you must join your endpoints to your Active Directory (AD) domain. You will also need Remote Server Administration Tools (RSAT) installed on your workstation (please do not do this on your Domain Controller).
After fulfilling these prerequisites, open the Group Policy Management Console (GPMC). Navigate to the location in your AD forest that contains the systems to which you would like to apply this Immediate Scheduled Task. Then right-click and select "Create a GPO in this domain, and Link it here." When prompted, assign a descriptive name to this GPO.
Once you have created that GPO and linked it to your selected organizational unit (OU) or root domain, right-click it and select Edit.
This opens the Group Policy Object in the editor, where we will configure the policy's settings. With the policy open, navigate to the following location:
Computer Configuration -> Preferences -> Control Panel Settings -> Scheduled Tasks
On the right-hand side, you will see a blank area in the Scheduled Tasks pane. Either right-click in the blank area or right-click the Scheduled Tasks tree item on the left-hand side. Next, select:
New -> Immediate Task (At least Windows 7)
Once you have selected Immediate Task (At least Windows 7), a New Task pane prompts you to configure the task. Its settings include a Name, a Description, the account to run as, the Run with highest privileges checkbox, and the Configure for: drop-down menu. First, give your new task a Name and (recommended) a Description.
Next, let's go to the bottom and select "Windows 7, Windows Server 2008R2" in the Configure For: drop-down list. This will make sure this task will work on Windows 7 and higher systems (Windows 7's Task Scheduler has significantly changed since Windows XP). Additionally, we will need to make sure that we select the Run with highest privileges checkbox.
Next, we will select the Change User or Group… button. For this example, I am going to use the built-in NT AUTHORITY\SYSTEM account on the local machine to run this Immediate Task. You can, and the recommended approach is to, use a separate account that has the required rights on your endpoint systems, since the SYSTEM account has what I like to call "god" permissions. To select this account, simply type SYSTEM in the "Enter the object name to select:" pane and click OK.
We will now move on to the Actions tab on the New Task (At least Windows 7) Properties pane. We will make sure that the following pane has these values:
- Action = "Start a program"
- Program/Script = C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
- Add Arguments (optional) = -ExecutionPolicy Bypass -command "& C:\Path\To\Script.ps1"
We will keep the Start a program action and enter the path to the Windows PowerShell executable in the Program/Script field. In the Add Arguments (Optional) field, we include a few things that make sure our script runs. The first is the -ExecutionPolicy Bypass string. This ensures your PowerShell execution policy doesn't prevent your script from running.
The second piece here is the -command "& C:\Path\To\Script.ps1" string. We are using the Command parameter to run our actual script. The "&" symbol inside the quotes ensures that our script runs and does not simply open or just load into memory. Your Add Arguments (Optional) field should look like the string above with all the hyphens and spaces.
Next, we will move to the Common tab and select the Apply once and do not reapply option since we want our Immediate Task to apply only once and not continually (unless you would like that).
Close out of all open windows in the GPMC. The next time your systems reboot, your Immediate Task will run. In my example, I am referencing a location on the individual endpoint systems, but you could also use a network share like \\networkshare01\scripts\scripts.ps1 in the -command "&" string.
If the desired script does not reside on the local system, we can add another setting to our Group Policy Object that can copy the intended script to our local machines. To do this, Edit our existing Immediate Task Group Policy Object and navigate to:
Computer Configuration -> Preferences -> Windows Settings -> Files
Right-click in the Files pane and select New -> File. We will first select Create in the Action drop-down menu. Then we will select our Source file (either on a network share or our local machine), and then for the Destination File, we will either type in or select the file path.
If we look at one of our workstations, we can see that the system copies the file to the C:\Path\To\Script.ps1 location.
I have added the following code inside my C:\Path\To\Script.ps1 file so that I can see if it works as expected:
# Create the log file (New-Item reports an error if the file already exists,
# which is harmless here because the Immediate Task runs only once)
New-Item -Path C:\Path\To\ -ItemType File -Name log.log
# Append a timestamped line proving the script ran
Add-Content -Path C:\Path\To\log.log -Value "$(Get-Date) - C:\Path\To\Script.ps1 has run as an Immediate Scheduled Task"
With this code, I should see a C:\Path\To\log.log file created with a line of simple text in it.
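Because the task runs with highest privileges as SYSTEM, a fuller version of the test script is worth deploying in place of the two lines above. The following is an added example, not the original post's script: it logs the account and elevation state the task actually ran under, and warns when the script file at the post's example path can be modified by anyone other than administrators (the paths C:\Path\To\Script.ps1 and C:\Path\To\log.log are assumptions taken from the example).

```powershell
# Added example, not the original post's script: a fuller Script.ps1 that records
# the execution context and checks who may modify the script file. The paths
# mirror the post's example (C:\Path\To\...) and are assumptions.
$ScriptPath = 'C:\Path\To\Script.ps1'
$LogPath    = 'C:\Path\To\log.log'

function Write-Log {
    param([string]$Message)
    # Add-Content creates the log file on first use, so no New-Item is needed
    Add-Content -Path $LogPath -Value "$(Get-Date -Format o) - $Message"
}

# Account and elevation: with "Run with highest privileges" and SYSTEM selected,
# expect NT AUTHORITY\SYSTEM and IsElevated=True in the log.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Log "Running as $($identity.Name); IsElevated=$isAdmin; Host=$($Host.Name)"

# A script executed as SYSTEM should be modifiable only by administrators.
# Flag any Allow ACE that grants write/modify rights to another principal.
$trusted   = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
$acl = Get-Acl -Path $ScriptPath
foreach ($ace in $acl.Access) {
    $canWrite = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
    if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
        $trusted -notcontains $ace.IdentityReference.Value) {
        Write-Log "WARNING: $($ace.IdentityReference) can modify $ScriptPath"
    }
}

Write-Log "$ScriptPath has run as an Immediate Scheduled Task"
```

Folders created directly under C:\ inherit a default ACL that lets Authenticated Users modify files in them, so the WARNING line is a realistic result with the example path and a reason to tighten the destination folder's permissions.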
Additionally, if you are working with Windows 10, you can see that your Immediate Task ran by looking in the Event Viewer under Applications and Services Logs -> Windows PowerShell.
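The same check can be scripted for many endpoints. As an added example (not from the original post), the function below queries that Windows PowerShell log for Event ID 400, the engine start event whose message carries the HostApplication command line, and returns only the starts that reference the post's example script path (assumed as the default parameter).

```powershell
# Added example, not from the original post: confirm the Immediate Task ran by
# reading the classic "Windows PowerShell" log. Event ID 400 ("Engine state is
# changed from None to Available") includes HostApplication=<command line>, so
# filtering on the script path isolates our task from other PowerShell starts.
function Get-ImmediateTaskRun {
    param(
        # Assumed path from the post's example task
        [string]$ScriptPath = 'C:\Path\To\Script.ps1',
        [int]$Days = 1
    )
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{
            LogName   = 'Windows PowerShell'
            Id        = 400
            StartTime = $since
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($ScriptPath) } |
        ForEach-Object {
            # HostApplication= is one line of the event details; capture the rest of it
            $hostApp = if ($_.Message -match 'HostApplication=(.+)') { $Matches[1].Trim() } else { '' }
            [pscustomobject]@{
                TimeCreated     = $_.TimeCreated
                MachineName     = $_.MachineName
                HostApplication = $hostApp
            }
        }
}

# Example usage: list runs of the task in the last day on this machine
Get-ImmediateTaskRun | Format-Table -AutoSize
```

Run it with Invoke-Command against a list of endpoints to verify the rollout without touching each log.log file; no rows for a machine means the task has not yet fired there (for example, the system has not rebooted since the GPO was linked).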
With Immediate Scheduled Tasks you can run scripts on your endpoints quickly and resolve any configuration issues to help both yourself and your end users.