Score:0

Script not running on startup for GPO

za flag

I have seen many posts on this website about something similar but none of them have had the resources to fix my issue so I will go into as much detail as I can. If I leave any information out let me know.

We have a server with an exe file on it to start an update for a software called Bluebeam. I wrote a script file to start that exe on startup and placed it in the same directory as the exe. Nothing happened when I did that. I would start up a computer that I know has delegation, run gpupdate /force to get it going, and restart the computer, and nothing happens. I then made it so when there was a user logon it would do the same. Same result. I made sure "enforced" was enabled, I enabled "always wait for the network at computer startup and logon," and finally I also enabled "configure scripts policy processing".

None of those helped. I looked into the script files again and I noticed that when I clicked "show files" under my GPO, the script I wanted wasn't there. So I added it manually and forced the update again, nothing.

I am only running this under a test environment right now so I am not pushing this to my domain controllers, servers, or really any users. I am pushing this to 2 different computers right now and they are not working.

I will show you photos of everything I have and if you all have any questions let me know.

Image showing GPs on the test environment

delegation to a computer called dantest, the one I am trying this with

the script at startup

the script at logon

cn flag
Does the host have the Apply Group Policy permission?
za flag
@GregAskew where do I check that?
za flag
@GregAskew, never mind I found it and yes it does
joeqwerty avatar
cv flag
Startup Scripts only run at computer startup. Have you rebooted the test computers since fixing the GPO? Are the computer accounts in the Scope of Management of the GPO?
za flag
@joeqwerty yes to both. I have restarted the computer many times as well as forcing the group policy update through a command line. And the GPO is linked to my test environment and the DANTEST computer I am updating/restarting is delegated as a computer within the scope of my GPO.
joeqwerty avatar
cv flag
Have you verified that the script and the executable run as expected outside of the context of the GPO?
za flag
@joeqwerty yep, the script runs exactly as expected locally on the machine. Only having problems when I try to push it out through GP.
SamErde avatar
gg flag
Does the script / installer run silently, or does it actually launch a windowed installer application? Also, does it require any input from a user?
Score:1
cn flag

Forget about the Startup Script in "Computer Configuration" because the script you set there is executed by the System even before anyone is logged in.

This is typically not interactive (you can add scripts to cleanup certain directories, or configure something on the computer, but you can't start an end-user application here, the app will not show but may be running in the background).

Well, you configured the Logon Script in "User Configuration" too, that's better because the scripts here are executed in the user's context, however, since Windows 8.1 the Logon Scripts don't run for five minutes after a user logs on. This is by design to speed up the loading of the user's desktop. However you can change that:

If you want the logon scripts to run at user logon without any delay, you should configure the Configure Logon Script Delay setting to Disabled in the Computer Configuration\Administrative Templates\System\Group Policy location.

But, still, this is not the preferred way of achieving what you want, as Microsoft says:

This mechanism allows administrators to perform various maintenance and management tasks on client computers, including (but not limited to) collecting diagnostic information, invoking security scans, cleaning or resetting system state, and installing tools.

You are out of scope because you don't want to "perform various maintenance and management tasks" with your use case.

I recommend that you deploy a Run Registry Key instead. You can still deploy that with Group Policy:

If you want to deploy this on a Computer (so that it applies to everyone logging in on the computer), then, in your GPO, go to Computer Configuration -> Preferences (not "Policies") -> Windows Settings -> Registry -> New Registry Item, and create a new REG_SZ value under the path shown in the documentation (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run), give it a meaningful Value name, and set the Value data to be the path of the executable on the computer.

If you want to deploy this setting on a per-user basis, then use the same method but on User Configuration instead of Computer Configuration (and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run instead of HKLM).

Don't forget to link the Group Policy on an O.U containing your Users if you are using User Configuration, or on a Computer O.U if you are using Computer Configuration (same for the Delegation rights: add users if you are working with User Configuration or Computers if you are working with Computer Configuration).
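The Run-key deployment described in this answer, scripted with the GroupPolicy module, plus a client-side check of the resulting entry. This is an added example, not part of the original answer; the GPO name, value name and executable path are placeholders.

```powershell
# Client-side check: run on the target computer after gpupdate and a reboot.
# Assumes the Run value holds only a (quoted) path with no arguments.
function Test-RunEntry {
    param([Parameter(Mandatory)] [string] $ValueName)
    $key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
    if (-not $run) {
        # The preference item never reached this machine: look at scope and links.
        return [pscustomobject]@{ Present = $false; Command = $null
                                  TargetExists = $false; Signature = $null }
    }
    $target = $run.$ValueName.Trim('"')
    $exists = Test-Path -LiteralPath $target
    [pscustomobject]@{
        Present      = $true
        Command      = $run.$ValueName
        TargetExists = $exists
        # An HKLM Run entry starts for every user who logs on, so record
        # whether the binary it points at carries a valid signature.
        Signature    = if ($exists) { (Get-AuthenticodeSignature -FilePath $target).Status }
    }
}

# Management-host part: needs the RSAT GroupPolicy module.
Import-Module GroupPolicy

$GpoName   = 'Bluebeam Update Test'       # placeholder GPO display name
$ValueName = 'BluebeamUpdate'             # placeholder "meaningful Value name"
$ExePath   = 'C:\Path\To\updater.exe'     # placeholder path to the executable
$RunKey    = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'

# Same item as Computer Configuration -> Preferences -> Windows Settings -> Registry.
# The data is wrapped in quotes so a path containing spaces is not split.
Set-GPPrefRegistryValue -Name $GpoName -Context Computer -Action Update `
    -Key $RunKey -ValueName $ValueName -Type String -Value "`"$ExePath`""

# Read the item back from the GPO to confirm it was stored.
Get-GPPrefRegistryValue -Name $GpoName -Context Computer -Key $RunKey
```

If `Test-RunEntry` reports `Present = $false` on the client, the GPO is not being applied there, and the registry item itself is not the problem.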

za flag
I did what you said and made a registry, forced an update, and waited for some time and still nothing happened. With the registry, is there something I need to click in order for it to activate on the computer? I clicked "apply" when I made it and then clicked ok and closed out of GP editor. Also, should I delete the other configurations I have? Thanks!
Swisstone avatar
cn flag
@Nick Run this command as admin on a client computer and see if you can see your GPO: `gpresult /h c:\temp\report.html`. It will export a report and you'll be able to see if your policy applies to the computer or not. Additionally, can you see the registry key on the client computer?
za flag
There is nothing underneath the preferences -> windows setting tab except for drive maps. No registry or anything of the like.
Swisstone avatar
cn flag
@Nick If you created the registry configuration under "User Configuration", ensure the GPO is linked to an O.U containing your users. If you create the registry configuration under "Computer Configuration", ensure the GPO is linked to an O.U containing your computers.
za flag
It is linked and there is nothing. https://docs.google.com/document/d/1HcCG7Rem-pO8FksjGFgpbDin9a0LohGgBfQ-kU5xGNY/edit?usp=sharing
Score:0
gg flag

You're close, but missing one important thing: based on your screen shot, no objects have the "Apply" permission for this GPO. The default GPO would grant the 'Read' and 'Apply' permissions to the "Authenticated Users" group. I'm guessing that you removed this from the security filtering setting so you could apply it only to your test machine.

To fix the startup script policy and still keep it only applicable to your "DANTEST" computer, edit the GPO, open its properties, and go to the security settings. Add the computer account for DANTEST and grant it the 'Apply' permission (in addition to the 'Read' permission).

If you want to use the logon script, follow the same process to add the 'Apply' permission for the user who is testing the script. Then move the logon script out of the Computer Settings section of the GPO and into the User Settings of the GPO.

Finally, when you're done testing, you can simply add "Authenticated Users" with the "Read and Apply" permissions, which is the default security filtering.
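One way to check the conditions this answer and the comments ask about (who holds Apply, whether the GPO is linked above the computer, whether its computer settings are enabled) from a management host. This is an added example, not part of the original answer; the function name and the GPO name you pass in are assumptions.

```powershell
# Added example. Requires the RSAT GroupPolicy and ActiveDirectory modules.
Import-Module GroupPolicy, ActiveDirectory

function Test-GpoReachesComputer {
    param(
        [Parameter(Mandatory)] [string] $GpoName,      # placeholder: GPO display name
        [Parameter(Mandatory)] [string] $ComputerName  # e.g. DANTEST
    )
    $gpo      = Get-GPO -Name $GpoName
    $computer = Get-ADComputer -Identity $ComputerName

    # SIDs that cover this computer: itself, Authenticated Users (S-1-5-11),
    # and its direct group memberships (nested groups are not expanded here).
    $sids  = @($computer.SID.Value, 'S-1-5-11')
    $sids += (Get-ADPrincipalGroupMembership -Identity $computer).SID.Value

    # Security filtering: trustees holding GpoApply (Read + Apply group policy).
    $applyTrustees = Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' }
    $covered = $applyTrustees |
        Where-Object { $sids -contains [string]$_.Trustee.Sid }

    # Links in effect for the container that holds the computer account.
    $parentDn = $computer.DistinguishedName -replace '^[^,]+,', ''
    $links = (Get-GPInheritance -Target $parentDn).InheritedGpoLinks |
        Where-Object { $_.GpoId -eq $gpo.Id }

    [pscustomobject]@{
        Gpo              = $gpo.DisplayName
        ApplyTrustees    = $applyTrustees.Trustee.Name -join ', '
        ComputerHasApply = [bool]$covered
        LinkedAboveHost  = [bool]$links
        LinkEnabled      = [bool]($links | Where-Object Enabled)
        ComputerSettings = [string]$gpo.GpoStatus -notin
                               'AllSettingsDisabled', 'ComputerSettingsDisabled'
    }
}

# Example call with the computer named on this page and a placeholder GPO name:
# Test-GpoReachesComputer -GpoName 'Bluebeam Update Test' -ComputerName 'DANTEST'
# If ComputerHasApply is False, grant Read + Apply to the computer account only:
# Set-GPPermission -Name 'Bluebeam Update Test' -TargetName 'DANTEST' `
#     -TargetType Computer -PermissionLevel GpoApply
```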

za flag
Tried this. The "Read (from security filtering)" automatically applies it, each of them has the apply permission checked in the security tab already.
za flag
As for the ones that say "read," only the "CREATOR OWNER" user did not have apply set. I made sure it did and it did not change anything.
SamErde avatar
gg flag
What information does your group policy processing event log contain?
za flag
No errors and nothing about the update even happening. It's like there is no GPO actually getting pushed out.
SamErde avatar
gg flag
Do you have the GPO linked to the OU where the test computer lives or to the domain root?