Automate your IT with the Task Scheduler

Paul Hill

October 19, 2020 • 7 min read


    In this tutorial we are going to take a look at how you can use the Task Scheduler to run your automation scripts and make your life easier. This means you can spend more time watching cat videos, and less time doing repetitive tasks every day. That’s important!

    I have a server called INSASC01. It’s a Windows Server whose only purpose is to run our script automations. Every day, I need to log into the server and run two commands that will sync the scripts on the server with GitHub.com. The commands look like this:

    git reset --hard
    git pull

    This will make sure that the scripts on the local server are in sync with updates that have been pushed to GitHub.com from our developers. Well, I’d much rather be watching a cat video than logging in and running these two commands… so let’s automate it!

    As a bonus, how about we make it run once a minute so those scripts stay... really up to date. Overkill, you say? Well, probably true.

    What you need to make this work

    There are a couple of things we need to set up before this can run without any interaction on my end:

    • Write a script to sync with GitHub.com
    • Create a service account and a service account group
    • Create a GPO that allows the service account group members to run as a batch job
    • Create the scheduled task

    Write a script to sync with GitHub.com

    For this, all I needed to do was download git-scm for Windows and run the initial git clone of my repo to provide my user credentials. This step is specific to my scenario, so yours will probably look different.

    But essentially I can now run two commands to make sure that my local folder matches what is uploaded to GitHub.com:

    git reset --hard
    git pull

    [Screenshot: Local vs. GitHub.com]

    When I make changes and push them to GitHub.com, the command above will make sure that my local server has the same scripts as those hosted at GitHub.com.

    I wrote a very simple batch (*.bat) script that will CD into the script directory then run those two commands:

    [Screenshot: auto-git-pull.bat]

    Now when I run that script it will make sure that my scripts are all up to date no matter what the state of the local script repo:

    [Screenshot: Git pull script]

    Create a service account and a service account group

    Before we can schedule this task, we should create a service account with limited permissions inside of our domain. We could use our own user account, but this is generally a bad practice because the task then depends on that account, and any of the following can happen to it:

    • Your account was locked out
    • Your password expired
    • Your account was disabled
    • Your account was deleted
    • Your account lost the “log on as a batch job” user right

    All of these scenarios will cause the scheduled task to fail. We could create an MSA (Managed Service Account), but for simplicity’s sake we are going to use an old-fashioned AD user account.

    If you’re doing this in a live / production network then you should consider reading up on the Top 10 Active Directory Service Accounts Best Practices in 2020.

    I’m going to open the Active Directory Users and Computers console on my Domain Controller by clicking Tools > Active Directory Users and Computers in Server Manager:

    [Screenshot: Starting the Active Directory Users and Computers Console]

    I created a zPowershell user and Service Accounts security group as shown below:

    [Screenshot: Active Directory zPowershell user and Service Accounts group]

    I added the zPowershell user to the Service Accounts security group, then I set that as its primary group. I removed the Domain Users membership since the account won’t need that. I also configured the user so it cannot change its own password.

    [Screenshot: Active Directory Service Account User]

    Create a GPO that allows the service account group members to run as a batch job

    Now we need to configure our target computers to allow zPowershell to log in as a batch job. This permission is required if I want to run my scheduled task whether or not the user is logged in.

    To accomplish this, I am going to open the Group Policy Management console on my Domain Controller by clicking Tools > Group Policy Management in Server Manager:

    [Screenshot: Start the Group Policy Management Console]

    I’m going to create a GPO and link it to the OU where my domain computers are located. I’m calling my GPO Service Account Rights and Restrictions:

    [Screenshot: Service Account GPO Permissions]

    Inside the GPO I am going to configure the following settings:

    Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment

    • Deny log on locally: Service Accounts
    • Deny log on through Remote Desktop Services: Service Accounts
    • Log on as a batch job: Service Accounts

    Screenshot below:

    [Screenshot: Service Account GPO settings]

    Setting up service accounts can probably be a tutorial all on its own – so consider doing your own research into this to make sure you lock it down appropriately.
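
    One way to confirm that the three user rights above actually reached a target computer (an added example, not part of the original tutorial). It assumes a placeholder domain name EXAMPLE and an elevated PowerShell session on the target:

```powershell
# Added example: confirm the GPO's three user rights reached this machine.
# Run elevated on the target server after a policy refresh (gpupdate /force).
# ASSUMPTION: 'EXAMPLE' is a placeholder for your domain's NetBIOS name.
$group = 'EXAMPLE\Service Accounts'

# Privilege constants behind the three settings configured in the GPO.
$expected = [ordered]@{
    SeBatchLogonRight                 = 'Log on as a batch job'
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
}

# secedit writes domain principals as *<SID>, so resolve the group to its SID.
$sid = ([System.Security.Principal.NTAccount]$group).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights section of the effective local security policy.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /areas USER_RIGHTS /cfg $inf | Out-Null
$lines = Get-Content -Path $inf
Remove-Item -Path $inf

$report = foreach ($right in $expected.Keys) {
    $members = @()
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    if ($line) {
        # Right-hand side is a comma-separated list of *SID or account names.
        $members = @(($line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') })
    }
    [pscustomobject]@{
        Right    = $right
        Setting  = $expected[$right]
        Assigned = ($members -contains $sid) -or ($members -contains $group)
    }
}
$report | Format-Table -AutoSize

# Fail loudly if any right is missing, e.g. when used as a deployment check.
if ($report.Assigned -contains $false) {
    throw "GPO not fully applied for '$group'; check the link and run gpresult /r"
}
```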

    Create the scheduled task

    I want to run my scripts from my INSASC01 script server, so I am going to switch over there. The important thing is that it is joined to the domain and will have access to the GPOs and the service account we just created.

    To launch the Task Scheduler, simply click the Windows button and search “Task Scheduler”:

    [Screenshot: Start the Task Scheduler]

    I like to create a new folder for my company so that my custom tasks are organized for other admins who come in behind me. So I just need to right-click on Task Scheduler Library and select New Folder:

    [Screenshot: Create a new folder in the Task Scheduler]

    I named this folder “Server Academy Tasks”. Inside of the folder I created a new Task:

    [Screenshot: Create a Basic Task in Windows Task Scheduler]

    On the general tab we need to configure a few settings.

    1. Enter a name for your task (this can’t be changed later)
    2. Change the user account to your AD account that is a member of the Service Accounts security group (mine is zPowershell)
    3. Select Run whether user is logged on or not

    [Screenshot: Configure new task]

    Go to the Triggers tab and complete the following steps as shown below:

    1. Click New to make a new Trigger
    2. Check Repeat task every and set your repeat schedule (I am using 1 minute)
    3. Change for a duration of to Indefinitely
    4. Check Stop task if it runs longer than and set your desired time (my script takes a few seconds so I am using 30 seconds).
    5. Click OK.

    [Screenshot: Configure Scheduled Task Triggers]

    Go to the Actions tab and complete the steps below:

    1. Click New
    2. Add your desired script under Program/script
    3. Click OK

    [Screenshot: Create a new Action in the Task Scheduler]

    Now go to the Settings tab and do the following:

    1. Check the second checkbox so the task will run ASAP if it missed a schedule
    2. Check the Stop the task if it takes longer than and set it to your desired time. Since my script only takes a few seconds, I am setting it to 1 minute
    3. Click OK

    [Screenshot: Configure the Task Scheduler Settings]

    Click OK again to save the new task. Now you will be prompted to enter the password for the user account you configured for the scheduled task:

    [Screenshot: Configure your Scheduled Task user password]

    Now I have the new Scheduled Task created and it will keep my local repo in sync with GitHub.com!

    [Screenshot: Scheduled Task]

    If I go to my script directory and delete all the scripts then my scheduled task will fix this within 1 minute!
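
    The same task can be registered from PowerShell instead of the GUI, which makes it repeatable and reviewable. This is an added example, not part of the original tutorial; the domain name EXAMPLE, the script path and the task name are placeholders, and it sets only the Settings-tab time limit, not the per-trigger one:

```powershell
# Added example: the General, Triggers, Actions and Settings tabs as a script.
# Run elevated on the script server.
# ASSUMPTIONS: 'EXAMPLE', the script path and the task name are placeholders.
$scriptPath = 'C:\Scripts\auto-git-pull.bat'
$taskName   = 'Auto Git Pull'
$taskPath   = '\Server Academy Tasks\'

# Prompt for the service account password instead of hard-coding it.
$cred = Get-Credential -UserName 'EXAMPLE\zPowershell' -Message 'Service account password'

# Actions tab: the program/script to run.
$action = New-ScheduledTaskAction -Execute $scriptPath

# Triggers tab: start now and repeat every minute. On Windows Server 2016 and
# later, leaving out -RepetitionDuration repeats indefinitely.
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
    -RepetitionInterval (New-TimeSpan -Minutes 1)

# Settings tab: run as soon as possible after a missed start, stop after 1 minute.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 1)

# General tab: passing -User and -Password stores the credential, which is the
# GUI's "Run whether user is logged on or not". Limited = no highest privileges.
$task = Register-ScheduledTask -TaskName $taskName -TaskPath $taskPath `
    -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -RunLevel Limited

# Run once on demand, then report how the task was registered and how it ended.
Start-ScheduledTask -TaskName $taskName -TaskPath $taskPath
Start-Sleep -Seconds 10
$info = Get-ScheduledTaskInfo -TaskName $taskName -TaskPath $taskPath
[pscustomobject]@{
    Task           = $task.TaskPath + $task.TaskName
    RunsAs         = $task.Principal.UserId
    LogonType      = $task.Principal.LogonType    # expect Password
    LastRunTime    = $info.LastRunTime
    LastTaskResult = $info.LastTaskResult         # 0 means the script exited cleanly
}
```

    If registration fails with a logon error, the account is most likely missing the “Log on as a batch job” right on this server.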
