Run a script when group policy is applied (not at login or startup)


Solution 1

Is there a way to run a script when the GPO is applied?

Yes. You can create a scheduled task that will trigger when a specific event occurs:

On an event

This trigger causes the task to run when specific event entries are added to an event log. You can choose between specifying basic event trigger settings or custom event trigger settings. If you choose the basic event trigger settings, a single event from a specific event log will trigger the task. You choose the event log that contains the event, the event publisher name, and specify the event identifier.

Source: Triggers

The event ID you need for the trigger is probably 8006:

The Group Policy service reserves event IDs between 8000 and 8007 to indicate a particular type of Group Policy processing completed successfully.


Source: Troubleshooting Group Policy Using Event Logs
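The same event-triggered task, built from PowerShell instead of the Task Scheduler GUI, as an added example that is not part of the answer above. It assumes a script path and task name of its own choosing, and takes the answer's suggestion of event 8006 from the Microsoft-Windows-GroupPolicy/Operational log as the trigger; confirm the ID against your own log with the final Get-WinEvent call before relying on it.

```powershell
# Added example: register a task that runs a PowerShell script each time the
# Group Policy service logs event 8006 (policy processing completed) in the
# Microsoft-Windows-GroupPolicy/Operational log.
$ScriptPath = 'C:\Scripts\Report-Inventory.ps1'   # assumed path; point at your script
$TaskName   = 'Run-After-GPRefresh'                # assumed task name

# Event filter in the XPath form Task Scheduler uses for custom event triggers.
$Subscription = @"
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-GroupPolicy/Operational">
    <Select Path="Microsoft-Windows-GroupPolicy/Operational">
      *[System[Provider[@Name='Microsoft-Windows-GroupPolicy'] and EventID=8006]]
    </Select>
  </Query>
</QueryList>
"@

# New-ScheduledTaskTrigger has no parameter set for event triggers, so build the
# MSFT_TaskEventTrigger CIM instance directly and hand it to Register-ScheduledTask.
$ns      = 'Root/Microsoft/Windows/TaskScheduler'
$class   = Get-CimClass -Namespace $ns -ClassName MSFT_TaskEventTrigger
$trigger = New-CimInstance -CimClass $class -ClientOnly
$trigger.Subscription = $Subscription
$trigger.Enabled      = $true
$trigger.Delay        = 'PT5M'   # optional fixed delay (ISO 8601) between event and action

# Run as SYSTEM, non-interactively, with no profile, and a bounded run time so a
# hung script cannot pile up instances.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File `"$ScriptPath`""
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 30) `
    -MultipleInstances IgnoreNew

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force

# Check the registered trigger, then look at recent 8006 events to confirm the
# ID and provider name match what this machine actually logs.
(Get-ScheduledTask -TaskName $TaskName).Triggers | Format-List Subscription, Delay
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Id = 8006 } -MaxEvents 3 |
    Format-Table TimeCreated, Id, Message -AutoSize
```

The event trigger's Delay is a fixed value, not a random one, so any per-machine jitter you want before contacting the server belongs inside the script itself.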

Solution 2

It appears that the Group Policy Management Editor, in Computer Configuration/Preferences/Control Panel Settings/Scheduled Tasks, allows you to create an "Immediate Task", specifically created for running things after a GPO refresh.

Configure an Immediate Task Item (At least Windows 7)

For computers that are running Windows Server® 2012 or Windows® 8, Immediate Task (At least Windows 7) preference items, ( Immediate Task (Windows Vista and later) preference items if running Windows Server® 2008 R2 or Windows® 7), allow you to create tasks to be run immediately and then removed each time Group Policy refreshes. Immediate Task preference items do not provide a selection of actions or triggers because they always create a task and then delete it after it has run.

The only gotcha was that I had to specify a valid user for it to run as ("NT AUTHORITY\SYSTEM" in this case), and it worked exactly like I wanted.


Author: Jemenake

Updated on September 18, 2022

Comments

  • Jemenake
    Jemenake over 1 year

    How would I go about getting a PowerShell script on a set of computers to run periodically throughout the day while the computer is on? (We already use the "at startup" or "at logon" triggers, but some of the computers are left on without logins for days. We also can't use a regular Scheduled Task because these scripts report data to a server, and we don't want 300 computers hitting the server all at the same second. We also would like to avoid having the script be left running, with the delays determined by the script, because it sometimes crashes.)

    Is there a way to either:

  • Run a script when the GPO is applied (I think 90-minute intervals after startup, which will be staggered throughout the building)?
  • Run a script at irregular intervals (e.g. every next interval would be between 60-80 min) or at random ranges of times of day (e.g. every day sometime between 1pm and 2pm). I doubt this one is feasible?

    I guess one way to do this as a Scheduled Task would be to have a random delay of 0-5 min at the beginning of the script, but then we'd like to avoid that delay when testing or when invoked at startup or login.

  • Wes Sayeed
    Wes Sayeed almost 7 years
    If you scheduled a task to run every 90 minutes, it wouldn't be any different than a group policy trigger. It's still entirely possible that 300 clients could all refresh group policy at the same second. A group policy refresh is client initiated, and there is no coordination with the domain controller to time it on any specific interval.
  • Jemenake
    Jemenake almost 7 years
    Thanks! I forgot that Task Scheduler allowed you to have event triggers instead of chronological triggers. Looks like, in addition to having the event ID, you need to specify "Microsoft-Windows-GroupPolicy/Operational" as the Log and "Microsoft-Windows-GroupPolicy" as the Source.