Scheduled Tasks GPO- from User or Computer Config?

    Question

  • hello,

    I have a GPO for computers daily shutdown @ xxx time ("c:\windows\system32\shutdown.exe" ; argument: -f -s -t 180 )

    I linked and enforced the policy to 'computers' OU, removed 'Authenticated Users' from security filtering and added only 'head office staff' global security group i.e. I want all those workstations in 'Computers' OU to receive this policy ONLY IF the logged on user is a member of 'head office staff' group.

    I used computer configuration scheduled tasks choosing Windows Vista and later then set Configured for: Windows 7.  Rebooted a couple of clients (win 8, server 2008, 8 nodes) but none received the update in task scheduler. I now copied the scheduled task from computers config to users config i.e. it's at both ends now, still clients can't get it.

    The same GPO worked well when I was testing on a temporary computers OU but security filtering was default 'Authenticated Users'; now that is removed and only 'head office staff' is there, plus there is an 'exclude shutdown' group where I added privileged users to keep away from this GPO.

    PS: 'The head office staff' group was one of the E2k10 mail distribution groups which I converted to global security (still Outlook GAL can pick it) carrying all HO staff.  I had used converted groups on different GPOs and never had a problem   (if it all matters)

    What went wrong?



    Insaf Muhammed


    • Edited by Insaf Muhammed Sunday, November 10, 2013 2:40 PM corrections
    Sunday, November 10, 2013 2:36 PM

Answers

  • There is no way you can easily target a computer setting based on the user that is logged onto the computer (however the opposite is true if you use loopback) as the security filtering group only has users in it and you are applying it to the computer object. You must create a second group that has all the computers that are the "head office staff" computers.

    Hope it helps


    Alan Burchill (MVP)
    http://www.grouppolicy.biz

    @alanburchill

    Sunday, November 10, 2013 9:49 PM
  • > a) In this case can I move the Shutdown task only to 'User
    > Configuration' since Scheduled Tasks feature is available at both end??
    > Would it work coz the security filtering is easy here !?
     
    Yes. You can filter the whole User GPO for your headoffice group, and
    within the Task definition, you can item level target for a security
    group containing your computers in question. Or LDAP filtering for the
    OU the computer resides in.
     
    > b) I am reading on 'loopback processing' can't get enough, how do I
    > simply enable it if it's useful with my current policy scenario?
     
    Don't do it if you don't need to and don't know _exactly_ what will
    happen ;-)
     
     
     

    Martin

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    • Marked as answer by Insaf Muhammed Thursday, November 14, 2013 9:28 AM
    Monday, November 11, 2013 3:44 PM
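
The computer group that the first answer calls for can be built from the OU and given Apply rights on the GPO with the ActiveDirectory and GroupPolicy modules. This is an added example, not code from the thread; the GPO name, OU distinguished name and group name are placeholders to replace with your own.

```powershell
# Added example. All three values below are placeholders, not values from the thread.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GpoName       = 'Daily Shutdown'                  # placeholder GPO display name
$ComputersOu   = 'OU=Computers,DC=example,DC=com'  # placeholder OU distinguished name
$ComputerGroup = 'Head Office Computers'           # placeholder security group name

# Create the computer security group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$ComputerGroup'")) {
    New-ADGroup -Name $ComputerGroup -GroupScope Global -GroupCategory Security
}

# Add every computer account under the OU that is not already a member,
# so the script can be re-run when workstations are added later.
$existing = Get-ADGroupMember -Identity $ComputerGroup |
    Select-Object -ExpandProperty distinguishedName
Get-ADComputer -SearchBase $ComputersOu -SearchScope Subtree -Filter * |
    Where-Object { $existing -notcontains $_.DistinguishedName } |
    ForEach-Object { Add-ADGroupMember -Identity $ComputerGroup -Members $_ }

# Computer Configuration settings are evaluated against the computer account,
# so the computer group (not the user group) needs Read + Apply on the GPO.
Set-GPPermission -Name $GpoName -TargetName $ComputerGroup `
    -TargetType Group -PermissionLevel GpoApply

# Review who can read or apply the GPO after the change.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# On a client, after a reboot (a computer picks up new group membership
# only when it restarts):
#   gpupdate /force
#   gpresult /r /scope computer
```

In the `gpresult` output, the GPO should be listed under "Applied Group Policy Objects" for the computer rather than under the objects filtered out by security filtering.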

All replies

  • There is no way you can easily target a computer setting based on the user that is logged onto the computer (however the opposite is true if you use loopback) as the security filtering group only has users in it and you are applying it to the computer object. You must create a second group that has all the computers that are the "head office staff" computers.

    Hope it helps


    Alan Burchill (MVP)
    http://www.grouppolicy.biz

    @alanburchill

    Thanks Alan,  if you'd not mind to answer the following :(

    a) In this case can I move the Shutdown task only to 'User Configuration' since Scheduled Tasks feature is available at both end?? Would it work coz the security filtering is easy here !?

    b) I am reading on 'loopback processing' can't get enough, how do I simply enable it if it's useful with my current policy scenario?

    of course I can create a 'Head Office computers'  group and pull all workstation there (hard part..), and add this group to stay TOGETHER WITH 'Head office Users' in the security filtering...that means the policy gets applied to 'All computers' only if they are logged in by one 'head office staff' member .....   is that right?

    Sorry if it all sounds odd...


    Insaf Muhammed




    Monday, November 11, 2013 5:22 AM
  • Thanks Alan and Martin :)

    Alan, I created a relevant computers security group that has all HO computers in the policy filter together with the HO users group (may be unnecessary).  The GPO applies but has another problem now if you could take a look at


    Insaf Muhammed

    Tuesday, November 12, 2013 8:29 AM
  • Thanks Alan and Martin :)

    Alan, I created a relevant computers security group that has all HO computers in the policy filter together with the HO users group (may be unnecessary).  The GPO applies but has another problem now if you could take a look at


    Insaf Muhammed

    Issue solved :)

    Insaf Muhammed

    Thursday, November 14, 2013 9:17 AM