Task Scheduler being dumb

I am attempting to create a Task that will copy a directory of files from the server to the local PC when a user logs in. Should be a fairly straightforward setup.

Security options: runs as NT/SYSTEM; run only when user logged on (this is confusing … which user? the one logging in or the SYSTEM user?); run with highest privileges

Configured for Windows 10

Trigger for At logon > Any user > Delay for 1 minute to make sure the user actually gets logged in > Enabled

Action Tab: Start a Program

(Here I have tried many various combinations of commands to get it working)

Program/script: cmd.exe

Add Arguments: c:\task\runbatchfile.bat

Start In: c:\windows\system32\

I have tried calling the bat file in the program/script option. I have tried running “copy” as the program/script and adding the variables in the “add arguments” section.

When I manually Run the task, the status changes to “The Task is currently running (0x41301)”, but nothing happens. The files don’t get copied and I definitely don’t see a cmd window open or any indication that the command is processing.

When you manually start a script (powershell calling robocopy), do you get a message along the lines of “Script execution is disabled on this system”?

For reference:

robocopy <source> <target> /e /z /W:3 /R:3

/e is to include subdirectories

/z is to make this restartable should something happen (this is over network after all)

/W:3 /R:3 set the number of attempts and delay between attempts to 3 and 3 seconds respectively
Robocopy documentation

For troubleshooting I’d start with something simple inside the runbatchfile.bat. Just add a single line such as ‘echo test > c:\task\testfile.txt’ and see if it creates the text file when the user logs in. Once you verify task scheduler is actually calling the script I’d look toward something in your original batch file being the problem.

Edit: Remove useless information


And keep in mind you’re running the copy operations as NT SYSTEM. So unless your copy tool has an option to preserve file permissions, even a user with administrative rights won’t be able to edit or delete the file without taking ownership and resetting permissions.

maybe the hangup is the “copy” command.

I’m using " copy /d /y \\servername\netlogon\spark\security*.* %appdata%\spark\security "

Manually running that batch file works fine. I have even tried separating out the commands in the program/script and arguments sections to no avail.

I have tried every solution that I have been able to find on the internet. I am now getting a return code of (0x1), but the batch file DOES NOT execute, unlike everyone else that gets a (0x1) where the batch file executes and performs its actions, but a 0x1 is returned anyway.

Task Scheduler returns that it completed the task, but it’s not.

well, this works. I created a bat that does the echo command and it created the text file. So this leads me back to my other thought that the MS cmd.exe “copy” command is now the issue. It just won’t activate it.

The point of this exercise is we rolled out an update to Spark, an IM program inside our company. But for some reason the new version looks for the certificates in the %appdata% of the user logged on instead of the users\public\ like it did before. So if someone different uses that machine, we have to manually recopy the cert files to that user’s %appdata%. So what I thought would be the easiest solution is to generate a task that I can copy out that will copy the certificates over to the current logged in user’s %appdata% at login and just overwrite without prompt every time. But task scheduler is proving to be dumb.

Let me see if I can get that batch working with robocopy, which apparently comes with Windows now, I didn’t realize this.

That’s going to be where you’re running into the problem. %appdata% is a variable that points to the currently logged in user’s AppData folder. Since you’re running the script at NT SYSTEM that isn’t valid and won’t apply it to the user that just logged in.

Is this a domain environment? If so you can either use the Files section in Group Policy to specify individual files to copy (and variables such as %appdata% or something similar) will work. Or if you need to run a batch you can use a Login Script applied at the user level.

Edit: Or just change the task to run as the user currently logged in.
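One way to do what the edit above suggests, as an added example that is not part of the original thread: register the task with a group principal so that it runs as whichever user logs on, which makes %APPDATA% resolve to that user's profile. The task name is hypothetical, and the source is the share from the thread's copy command, assumed here to be a directory.

```powershell
# Added example (not from the thread). Run once from an elevated PowerShell prompt.
# Assumptions: task name 'Copy Spark certs' is hypothetical; the source path is the
# share quoted in the thread, treated as a directory.

# Single quotes keep %APPDATA% literal in the task definition. cmd.exe expands it
# at run time, in the security context of the user who logged on.
# /c makes cmd.exe run the command and then exit.
$arguments = '/c robocopy "\\servername\netlogon\spark\security" ' +
             '"%APPDATA%\spark\security" /e /z /W:3 /R:3'
$action = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument $arguments

# Fire at logon of any user, with the one-minute delay used in the original task.
$trigger = New-ScheduledTaskTrigger -AtLogOn
$trigger.Delay = 'PT1M'   # ISO 8601 duration

# Group principal: the task runs as the logged-on member of BUILTIN\Users,
# not as SYSTEM. RunLevel Limited means no "highest privileges" token; copying
# into the user's own profile does not need one.
$principal = New-ScheduledTaskPrincipal -GroupId 'BUILTIN\Users' -RunLevel Limited

Register-ScheduledTask -TaskName 'Copy Spark certs' `
    -Action $action -Trigger $trigger -Principal $principal -Force

# Confirm what the task will run as.
(Get-ScheduledTask -TaskName 'Copy Spark certs').Principal |
    Format-List GroupId, UserId, RunLevel
```

Robocopy returns exit code 1 when it copied files successfully, so a Last Run Result of 0x1 on this task means files were copied, not that the task failed.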

Yes, it’s a domain enviro. I am testing this with a basic default domain account, NOT as my admin account.

But if the user is logged in, %appdata% is a valid folder and therefore it should copy. But that doesn’t seem to be the issue, Task Scheduler just WILL NOT run any command in the batch file that is an executable.

Yes, it’s valid for the user when they launch the batch file. But you’re asking task scheduler to trigger and run the task at NT SYSTEM. When the batch is running as NT SYSTEM that variable does not point to the user who just logged in. You’re asking task scheduler to trigger and run the script “when a user logs in”… but the script doesn’t know who just logged in since it’s running as NT SYSTEM.

Ok. So I’ve even tried running it as a spare admin account we use for testing, it still doesn’t do it.

And it’s not going to. There is no way that I know of to have a scheduled task run as the user that just logged on when configured locally on the workstation. What you are trying to accomplish really needs to be done through group policy… and it’s not too complicated if you have existing policies. Off the top of my head I can think of using Files, Logon Scripts, or Scheduled Tasks to accomplish this but they all need to be applied at the User Configuration level.

If you don’t have any existing group policies in place (and don’t want to venture down that road) then you could just drop the batch file in C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp. And it will run as the user that just logged in.

I’ve been trying to get it to work with the old GPO for the Spark deployment assigned to a single workstation for testing. I’m not getting errors, but the files aren’t copying either.

I edit the GPO, Computer Config, Preferences, Windows Settings > Files > add the list of files to copy. Can I use \\server\ style directory or does it have to have a drive letter? It didn’t tell me I couldn’t do it. I used the replace option and gave it the directory to copy them to … nothing.

ETA: I’ll pick this up tomorrow. Thanks for the help 404

Unfortunately it’s not going to work from “Computer Config” either. It needs to come from User Configuration section and has to be applied on a User OU or using loopback processing.

If your GPs are only being applied to computer OUs then you’ll want to enable loopback processing. This will allow the User Configuration policies to be applied to any user who logs on.

And here’s how to configure the Files policy in User Configuration.

Sleep well :slight_smile:

  1. In the Group Policy Microsoft Management Console (MMC), select Computer Configuration.
  2. Locate Administrative Templates, select System, select Group Policy, and then enable the Loopback Policy option.

Well, that doesn’t seem to exist in our templates.

NVM, I found it. It just wasn’t listed that way in the template.

Ok. I got the Files policy set up to copy the necessary files. I also have Loopback turned on as Merge. The GPO is linked to the domain and under Security Filtering it’s linked to the Deployment GPO, of which the only member of that GPO is the test workstation.

I gave it 10 mins to propagate in the domain, of which there are only 2 DCs. I logged in to the test machine and … nothing. No files copied. So I ran gpresult on the workstation and the report doesn’t show that the GPO is being applied but it also doesn’t show that it’s being denied either.

I really don’t like GPOs :slight_smile:

Well you’re definitely getting closer but I doubt I can be much help troubleshooting why it’s not applying. But I can help speed up the propagation and make troubleshooting a little less painful.

On the computer you are editing GP, look at the top left pane in gpedit to see which writable DC you are communicating with. Then RDP to that DC and issue “gpupdate /force”. This will propagate the changes you just made to the other DC.

Lastly, you can also issue “gpupdate /force” on the test workstation to pull the latest policy from the domain.

Yeh, I run gpupdate on the workstation to help it along, but it just doesn’t seem to be applying.

Also, I’ve been trying to get some help over on the /r/sysadmin reddit … people there seem to reply once or twice and then just ghost, almost as if “they should have gotten my vague condescending instructions, i’m outta here away from these lesser minds”.

Politeness and how focused the questions are is usually what determines how involved I want to get. But on the other hand I just recently moved and have taken a two month sabbatical so maybe I’m just bored and should start looking for a job :joy:

If you’d like, post a screenshot of the Files entry properties and I’ll be happy to check your syntax. But I’m not sure how much more help I can be otherwise.