none
Group Policy Scheduled Task -- Multiple Users Overwriting each other

    Question

  • Several months back we started rolling out a backup script to our users. We chose to do this using Group Policy from a server to create a scheduled task that runs this script a few times a day as the user (it only backs up changes to a user folder, not the whole machine, so this frequency doesn't cause an issue).

    We noticed, however, that our terminal server users (who access a terminal server using HP thin clients) didn't seem to be backing up. After looking around for a bit, I noticed that each user was overwriting the task, preventing the previous user from backing up.

    So for example:

    Bill logs in, the GPO creates a task called Backup, set to run ScriptX using Bill

    Joe logs in, the GPO updates the Backup task to run ScriptX using Joe

    The task no longer runs as Bill, and Bill doesn't get backed up. If Bill logs out and back in, the task updates to use his account again and Joe doesn't backup.

    Is there any way to configure the GPO so that each user has their own task? It doesn't sound to me like it's the best method, but the decision makers seem intent on using Scheduled Task with Group Policy. Using the backup script we created is a must, without third party software. If there is a way to deploy this script using a Windows Server and built in functionality, I'd love to hear it, and whether or not it uses Scheduled Task and/or Group Policy doesn't matter as I just need this to work without extra software.

    Any help would be much appreciated.

    Friday, May 15, 2015 7:56 PM

Answers

  • Well I found a method that should have been obvious to me. Add the %USERNAME% variable to the name of the task the group policy creates, tested and working.

    The obvious answer is always the last one you think of...

    • Marked as answer by Andrew Klein Tuesday, May 19, 2015 5:58 PM
    Tuesday, May 19, 2015 5:58 PM

All replies

  • Hi Andrew,

    Thanks for posting here. You mentoined that you use the scheduled task to run the backup script, would you please tell us what is the triger that you set to run the backup script?

    Besides, can you post us the command you use to create the backup script?  And in your post, you said that the later logged in user would overwrite the orignal use's backup, may I know if the backup folder name is the same?

    By the way, according to my understanding you can use a log off script instead of the scheduled task. In that way, you can create a backup for each user while he log off. But please be aware this would only backup the final version of the user folder.

    If I have any misunderstanding, feel free to post back.

    Best Regards,

    Elaine


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, May 18, 2015 9:14 AM
    Moderator
  • Thank you for the response Elaine, I'll answer your questions as best I can

    The script triggers at specific times during the day. It starts at a point in the morning (depending on which group you are in, a different 15 minute increment between 6am and 8am, to prevent the whole company backing up over the network simultaneously). It then runs again 6 and 12 hours after your morning backup. So, one group backs up a 6am/noon/6pm, while another runs at 7:15am/1:15pm/7:15pm, etc.

    By backup folder, I assume you mean the source or destination folder for the backup, and no those do not stay the same between different users. When the script runs, it uses the %USERPROFILE% environment variable to determine the source folder, and to create a destination folder (if one does not already exist from a previous backup) with the same name as the user profile on a NAS.

    We used to have this as a logoff script, but we found that too many people preferred to simply switch user or lock their computer instead of logging off, and it was decided that forced logoffs and/or shutdowns were not an option.

    I'm afraid I don't understand your question asking what command I use to create the backup script. Are you referring what type it is? If so, it is a VBScript file, sorry I forgot to mention that in my initial post.




    Monday, May 18, 2015 5:11 PM
  • > is a VBScript file, sorry I forgot to mention that in my initial post.
     
    What commandline are you invoking in your task? Is it user specific? If
    yes, then simply change it to be the same for all users on the computer.
    And if you need user specific things, enumerate them from within your
    script.
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Tuesday, May 19, 2015 8:17 AM
  • The task is set to simply run the file, so it uses whatever is the default (I believe cscript).

    In the entire process, only two things are user specific. Which user the task runs as (which sets to whatever account updated group policy last, which is the problem on our multi-user machines like terminal servers), and inside the script itself determining what the source / destination folders are (which isn't the issue since it's the task itself that is a problem due to GPO not creating a new task for each user in a single group).

    The task has to run as the user we want backed up or else whenever the script pulls the %USERPROFILE% variable, it isn't going to get the user's profile as the source folder. This is where the problem lies, when multiple people use the same machine it changes the user the task runs with to whoever logged in last. I wish I could just change something in the script, but doing that would involve changing the script for every single computer in the company to not use variables, and instead specify the profile name to backup, which of course isn't an option.

    Basically I see two solutions, and I'm trying to find out if either one is possible.

    1) We have users in different groups based on when we want them backing up. Can we set the Group Policy to create a separate task for each user in Group A?

    OR

    2) Some way for Group Policy to deploy this script at specific points during the day without using Scheduled Task

    Tuesday, May 19, 2015 4:53 PM
  • Well I found a method that should have been obvious to me. Add the %USERNAME% variable to the name of the task the group policy creates, tested and working.

    The obvious answer is always the last one you think of...

    • Marked as answer by Andrew Klein Tuesday, May 19, 2015 5:58 PM
    Tuesday, May 19, 2015 5:58 PM
  • > The task has to run as the user we want backed up or else whenever the
     
    Why don't you simply run your task as "Builtin\Users"?
     
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Wednesday, May 20, 2015 8:47 AM
  • We don't want everyone backing up from every machine they ever log into. If a support tech logs into 20 computers today and 25 tomorrow, we don't want him backing up from 45 computers that probably have nothing more than software install files and updates.

    Unless I'm misunderstanding how running the task with BUILTIN\Users would work.

    Wednesday, May 20, 2015 3:06 PM
  • > We don't want everyone backing up from every machine they ever log into.
     
    Ok, got the picture :-)
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Wednesday, May 20, 2015 3:48 PM
  • Thanks for your help, even if I didn't implement the methods you suggested. I have basically no experience with Group Policy and am not the one that generally deals with it here, but I wrote the VBScript so I've been pulled into helping with the policy to push it out.

    I am curious, am I correct in saying that if I run a task as BUILTIN\Users (I assume you were referring to running the task as that group), it would run as every user on our domain that's under the User group? Or would it just run as domain users that have logged onto that machine before? Of course there's always the third option that I'm completely wrong and not even close to correct on how it works. I ask because I could definitely see that being helpful in other situations.

    Wednesday, May 20, 2015 4:29 PM
  • Hi Andrew,

    The BUILTIN\Users is a group named Users. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer. Think about the below scenario, when you install a Windows Server, the only member of the local Users group is local group Authenticated Users.  Upon joining the server to your domain, the domain group Domain name\Domain Users would be also added to Users.

    Best Regards,

    Elaine


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, May 21, 2015 7:37 AM
    Moderator
  • > I am curious, am I correct in saying that if I run a task as
    > BUILTIN\Users (I assume you were referring to running the task as that
    > group), it would run as every user on our domain that's under the User
    > group? Or would it just run as domain users that have logged onto that
    > machine before?
     
    It would run for every user that's actually logged on, and it would run
    as this user.
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Friday, May 22, 2015 8:46 AM