Automate your IT with the Task Scheduler

In this tutorial we are going to take a look at how you can use the Task Scheduler to run your automation scripts and make your life easier. This means you can spend more time watching cat videos, and less time doing repetitive tasks every day. That’s important!

For me, I have a server called INSASC01. It’s a Windows Server that’s only purpose is to run our script automations. Every day, I need to log into the server and run two commands that will sync the scripts on the server with GitHub.com. The command looks like this:

git reset --hard
git pull

This will make sure that the scripts on the local server are in sync with updates that have been pushed to GitHub.com from our developers. Well, I’d much rather be watching a cat video than logging in and running these two commands… so let’s automate it!

As a bonus, how about we make it run once a minute so those scripts stay….. really up to date…. Overkill you say? Well, probably true.

What you need to make this work

There are a couple things we need to set up before this can be set up to run without any interaction on my end:

  • Write a script to sync with GitHub.com
  • Create a service account and a service account group
  • Create a GPO that allows the service account group members to run as a batch job
  • Create the scheduled task

Write a script to sync with GitHub.com

For this all I needed to do was download git-scm for windows and run the initial git clone of my repo so provide my user credentials. This step is kind of unrelated to you and very specific for my scenario.

But essentially I can now run two commands to make sure that my local folder matches what is uploaded to GitHub.com

git reset --hard
git pull
Local Vs Github.com
Local Vs Github.com

When I make changes and push them to GitHub.com, the command above will make sure that my local server has the same scripts as those hosted at GitHub.com.

I wrote a very simple batch (*.bat) script that will CD into the script directory then run those two commands:

Image 8
auto-git-pull.bat

Now when I run that script it will make sure that my scripts are all up to date no matter what the state of the local script repo:

Gitpull
Git pull script

Create a service account and a service account group

Before we can schedule this task, we should create a service account with limited permissions inside of our domain. We could use our user account, but this is generally a bad practice because…

  • You’re account was locked out
  • Your password expired
  • Your account was disabled
  • Your account was deleted
  • Your account lost the “log on as a batch job” user right

All of these scenarios will cause the scheduled task to fail. We could create an MSA (Managed Service Account), but for simplicities sake we are going to use an old fashioned AD user account.

If you’re doing this in a live / production network then you should consider reading up on the Top 10 Active Directory Service Accounts Best Practices in 2020.

I’m going to open the Active Directory Users and Computers console on my Domain Controller by clicking Tools > Active Directory Users and Computers in Server Manager:

Image 10
Starting the Active Directory Users and Computers Console

I created a zPowershell user and Service Accounts security group as shown below:

Image 9
Active Directory zPowershell user and Service Accounts group

I added the zPowershell user to the Service Accounts security group then I set that to its primary group. I removed the Domain User membership since the account won’t need that. I also configured the user so it cannot change its own password.

Service Accounts 1
Active Directory Service Account User

Create a GPO that allows the service account group members to run as a batch job

Now we need to configure our target computers to allow zPowershell to log in as a batch job. This permission is required if I want to run my scheduled task whether or not the user is logged in.

To accomplish this, I am going to open the Group Policy Management console on my Domain Controller by clicking Tools > Group Policy Management in Server Manager:

Image 11
Start the Group Policy Management Console

I’m going to create a GPO and link it to the OU where my domain computers are located. Im calling my GPO Service Account Rights and Restrictions:

Image 12
Service Account GPO Perimssions

Inside the GPO I am going to configure the following settings:

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment

  • Deny log on locally: Service Accounts
  • Deny log on through remote desktop services: Service Accounts
  • Log on as a batch job: Service Accounts

Screenshot below:

Image 14
Service Account GPO settings

Setting up service accounts can probably be a tutorial all on its own – so consider doing your own research into this to make sure you lock it down appropriately.

Create the scheduled task

I want to run my scripts from my INSASC01 script server, so I am going to switch over there. The important thing is that it is joined to the domain and will have access to the GPOs and the service account we just created.

To launch the Task Scheduler, simply click the Windows button and search “Task Scheduler”:

Image 15
Start the Task Scheduler

I like to create a new folder for my company so that my custom tasks are organized for other admins who come in behind me. So I just need to right-click on Task Scheduler Library and select New Folder

Image 16
Create a new folder in the Task Scheduler

I named this folder “Server Academy Tasks”. Inside of the folder I created a new Task

Image 17
Create a Basic Task in Windows Task Scheduler

On the general tab we need to configure a few settings.

  1. Enter a name for your task (this can’t be changed later)
  2. Change the user account to your AD account that is a member of the Service Accounts security group (mine is zPowershell)
  3. Select Run whether user is logged on or not
Image 18
Configure new task

Go to the Triggers tab and complete the following steps as shown below:

  1. Click New to make a new Trigger
  2. Check Repeat task every Set your repeat schedule (I am using 1 minute)
  3. Change for a duration of to Indefinitely
  4. Check Stop task if it runs longer than and set your desired time (my script takes a few seconds so I am using 30 seconds).
  5. Click OK.
Image 19
Configure Scheduled Task Triggers

Go to the Actions tab and complete the steps below:

  1. Click New
  2. Add your desired script under Program/script
  3. Click OK
Image 21
Create a new Action in the Task Scheduler

Now go to the Settings tab and do the following:

  1. Check the second checkbox so the task will run ASAP if it missed a schedule
  2. Check the Stop the task if it takes longer than and set it to your desired time. Since my script only takes a few seconds, I am setting it to 1 minute
  3. Click OK
Image 23
Configure the Task Scheduler Settings

Click OK again to save the new task. Now you will be prompted to enter the password for the user account you configured for the scheduled task:

Image 24
Configure your Scheduled Task user password

Now I have the new Scheduled Task created and it will keep my local repo in sync with GitHub.com!

Image 25
Scheduled Task

If I go to my script directory and delete all the scripts then my scheduled task will fix this within 1 minute!

Try one of our IT labs

Want to try one of our online IT labs? Enter your email below and we will send you an Active Directory IT lab!

Table of Contents
    Add a header to begin generating the table of contents
    Blogpostctadesktop

    Free trial to boost your IT skills

    Practice on REAL servers, learn from our video lessons, interact with the Server Academy community!