Scheduled Task to run powershell script via GPO(computer on a particular day)

Harish Parameswaran 46

Hi Reader,

How to create a scheduled task to run a powershell script whether user is logged on or not during a specific time via GPO.

I have implemented it locally using the following settings(attached image), which prompts for the user account password while creating the scheduled task. And, the task executes perfectly.

however, when i configure the same task using GPO, it doesn't apply the policy in the endpoint and it doesn't prompt for a user account password. But when i select "Run only when user is logged on" the task gets created via GPO but it doesn't perform the action.

Any recommendation would be appreciated.

2 answers

Kazuki Masuda 81 Reputation points

2022-01-09T15:16:26.313+00:00
Hi,

If you'd like to set "Run whether user is logged on or not" at scheduled task's general tab, you need to set "NT AUTHORITY\SYSTEM" user. Please refer to related webpage below.

gpo-issue-deploying-a-scheduled-task-running-as-system -> The only way I’ve found to work around this issue is to:

Set the user as “NT AUTHORITY\SYSTEM” ～

If you'd like to set "Run only when user is logged on" at scheduled task's general tab, it is ok to set any users such as Domain\Administrator. But you need to enable execution of PowerShell in each client PC in advance, or PowerShell script may be failed to execute.

I hope this information will be of use to you.

Best Regards, Zaamasu
Please sign in to rate this answer.
Harish Parameswaran 46 Reputation points

2022-01-09T21:49:06.297+00:00

Hi Zaamasu, thanks for the feedback.

The GPO doesn't get applied(no schedule task is created) when I use,"Run whether user is logged on or not" even when I set user as "NT AUTHORITY\SYSTEM". I get an error message in the log, "Group Policy Object did not apply because it failed with error code '0x80070005 Access is denied".

Kazuki Masuda 81 Reputation points

2022-01-09T23:53:44.673+00:00

Hi HarishParameswaran-0523,
Thank you for your reply.

I have had the same experience then. I guess '0x80070005 Access is denied" means that your client(domain user) doesn't have a permission to execute PowerShell.

So, if you execute "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned" cmdlet at your client, this problem may be fixed.

about_Execution_Policies
about_execution_policies

I hope this information will be of use to you.

Best Regards,
Zaamasu

MotoX80 31,571 Reputation points

2022-01-10T00:21:39.213+00:00

That would only happen in the case where to task was successfully created in the group policy, successfully defined and executed on the client and the task ran and launched powershell.exe.

If the task isn't getting defined on the client, there is some other problem.

Try defining the task with just "SYSTEM".

Harish Parameswaran 46 Reputation points

2022-01-10T05:14:14.807+00:00

Thanks mate.

Kazuki Masuda 81 Reputation points

2022-01-10T14:32:17.55+00:00

Hi MotoX80,
Thank you for pointing it out.

I agree with you that if client can't get scheduled task, it may be other problems for getting it.

Kazuki Masuda 81 Reputation points

2022-01-10T14:33:33.207+00:00

Hi HarishParameswaran-0523,
Thank you for your reply.

If you can't fix by setting "NT AUTHORITY\SYSTEM" user, how about editing group policy's XML file by removing " <LogonType>InteractiveToken</LogonType>".
I verify this work around and client can get scheduled task even if I set <Domain>\Administrator user.

For more details, please refer to related webpage below.

GPO - Issue Deploying A Scheduled Task Running As “SYSTEM”
gpo-issue-deploying-a-scheduled-task-running-as-system

===Excerpt===

3. Manually edit the XML file that the policy creates, and remove the XML node <LogonType>InteractiveToken</LogonType> from the task in question(*).

You can check <GroupPolicyUniqueID> from GPMC(Group Policy Management Console).

Best Regards,
Zaamasu

Harish Parameswaran 46 Reputation points

2022-01-11T02:23:01.327+00:00

Running the task in NT AUTHORITY\SYSTEM works mate. However, I would prefer using a service account that has domain admin priv; Do you know why the task doesn't get created when I use such an account.

Kazuki Masuda 81 Reputation points

2022-01-11T15:54:31.957+00:00

Hi HarishParameswaran-0523,
Thank you for your reply.

To fix the problem, could you please share how to set Group Policy Preference (GPP) Scheduled Task ? I'd like to verify it based on your information as much as possible.

Which do you set scheduled task GPO "Computer configuration" or "User configuration"(*) ?

Could you share error message (including 0x80070005) you check when applying scheduled task?

Could you share how to set scheduled task GPO's each tab as much as possible (I hope to share only changes part)?

General

Triggers

Actions

Conditions

Settings

Common

I assumed you set it at "Computer configuration". But if you set it at "User configuration", please check this KB in advance.
user-gpp-scheduled-task-item-fails-apply

Best Regards,
Zaamasu

Harish Parameswaran 46 Reputation points

2022-01-11T21:54:29.237+00:00

Hi Zaamasu,

Computer configuration. 2.Group Policy Object did not apply because it failed with error code '0x80070005 Access is denied.' This error was suppressed.

General: ![164007-image.png][1] Triggers: first monday of each month. Actions: runs a powershell script locally. ![163987-image.png][2]

conditions: Default. Settings: Default. Common: Default [1]: /api/attachments/164007-image.png?platform=QnA [2]: /api/attachments/163987-image.png?platform=QnA

Kazuki Masuda 81 Reputation points

2022-01-13T09:20:27.68+00:00

Hi HarishParameswaran-0523,
Thank you for sharing some information.

According to my verification, I guess your domain\user account doesn't join local Administrators group.

"NT AUTHORITY\SYSTEM" account also has the highest privileges on the local computer that only users who have Administrator privileges may execute it such as scheduled task.
nt-authoritysystem

If you don't want to join domain\user account at local Administrators group, I think you have to set Scheduled Tasks General tab as below.

Set user account at "When running the task, use the following user account" box

Check "Run only when user is logged on"

I hope this information will be of use to you.

Kazuki Masuda 81 Reputation points

2022-02-15T16:27:35.17+00:00

Hi HarishParameswaran-0523,

If this information will be of use to you, please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
Sign in to comment
Limitless Technology 39,351 Reputation points

2022-01-11T14:23:15.263+00:00

Hi there,

You can use PowerShell cmdlets to create schedule tasks that automate the PowerShell script. It involves following steps,

-Define time for the scheduler
-Set Actions to be performed during execution
-Save scheduler

New-SchdeuledTaskTrigger creates a scheduled task trigger object. Using this cmdlet, you can specify the starting time of a task or starting a task multiple times on a daily or weekly basis.

$Time=New-ScheduledTaskTrigger -At 4.00PM -Once

Here is a thread as well which discusses the same steps and you can try out some steps from this and see if that helps you to sort the Issue.
https://learn.microsoft.com/en-us/answers/questions/609608/gmsa-scheduled-task-run-whether-user-is-logged-in.html

--------------------------------------------------------------------------------------------------------------------------------------------------------

--If the reply is helpful, please Upvote and Accept it as an answer--
Please sign in to rate this answer.
Harish Parameswaran 46 Reputation points

2022-01-11T21:55:15.927+00:00

Yep. Thanks mate.
Sign in to comment

Scheduled Task to run powershell script via GPO(computer on a particular day)

2 answers

3. Manually edit the XML file that the policy creates, and remove the XML node <LogonType>InteractiveToken</LogonType> from the task in question(*).