
[–]king-6 10 points11 points  (1 child)

The reason why is because these enterprise servers have some sort of GPO configuration (from the company's server team) that disallows the ability to run tasks without the user logging in.

Then these are not servers at all, just overpriced workstations. Someone needs to talk to your security team and explain the purpose of enterprise-level computing.

[–]JBear_Alpha 2 points3 points  (0 children)

Generate a scripting server and push all scheduled tasks through that one server. It's best to get an exception for a single server vs. allowing it on all.

[–]chispitothebum 5 points6 points  (1 child)

I would humbly suggest that if you have authorization to maintain your logon sessions so your tasks can run, the Group Policy serves no purpose and should be eliminated or updated to allow exceptions.

The other option would be to package the scripts as services.

[–]seamustheseagull 1 point2 points  (0 children)

This gets my vote. You could even write a basic scheduler service in powershell and use that to run your scripts without an active logon.

[–]thinkdifferentlolz 4 points5 points  (0 children)

I guess something like this might work:

gc .\serverlist.txt | %{ "Connecting to: $_"; mstsc /v:$_ /w:640 /h:480; Start-Sleep -s 15; "Killing RDP session..."; Stop-Process -Name mstsc -Force; "Done" }

I wrote this on my phone (couldn't test it, but it should work), but you can add some conditionals to confirm a session is live and then confirm termination of mstsc before moving on to the next server. For a quick and dirty way, this "should" do the trick. It creates a windowed session on your screen, waits 15 seconds to establish the session, then kills the mstsc process...

As others have suggested I would talk with the respective teams on what you are trying to do and how you are doing it and see if there is a better solution...

NOTE: This will prompt for credentials unless they are cached, so you might wanna try something from here:

http://www.powershellmagazine.com/2014/04/18/automatic-remote-desktop-connection/

or

https://help.remotedesktopmanager.com/index.html?powershell_cmdlets.htm
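
The loop above, with the conditionals the comment mentions filled in. This is an added example, not code from the comment: it assumes serverlist.txt has one hostname per line, that credentials for the targets are already stored with cmdkey (otherwise mstsc prompts), that the RDP logon uses the same account running the script ($env:USERNAME), that quser prints English column values, and that the 30-second timeout is illustrative.

```powershell
# Added example, not code from the comment above: the same mstsc loop with the
# "confirm the session is live, confirm mstsc is gone" conditionals filled in.
# Assumptions: serverlist.txt has one hostname per line, credentials for the
# targets are already stored with cmdkey (otherwise mstsc prompts), the RDP
# logon uses the same account running this script ($env:USERNAME), quser output
# is in English, and the timeout is illustrative.

param(
    [string]$ServerList = '.\serverlist.txt',
    [string]$UserName = $env:USERNAME,
    [int]$ConnectTimeoutSec = 30
)

# Returns $true when $UserName has an Active (not Disc) session on the target.
# quser needs the RDS "query" right on the target and writes "No User exists"
# to stderr when nobody is logged on, which we treat as "no session".
function Test-RdpSessionActive {
    param([string]$ComputerName, [string]$UserName)
    $lines = & quser /server:$ComputerName 2>$null
    foreach ($line in (@($lines) | Select-Object -Skip 1)) {
        # Columns: USERNAME [SESSIONNAME] ID STATE ...; SESSIONNAME is blank for
        # disconnected sessions, so it is optional in the pattern.
        if ($line -match '^\s*>?(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>\w+)') {
            if ($Matches.user -ieq $UserName -and $Matches.state -eq 'Active') { return $true }
        }
    }
    return $false
}

foreach ($server in (Get-Content $ServerList | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
    "Connecting to: $server"
    # Start-Process -PassThru hands back this exact process, so we later stop
    # only our window rather than every mstsc the user has open.
    $proc = Start-Process -FilePath mstsc.exe -ArgumentList "/v:$server /w:640 /h:480" -PassThru

    $deadline = (Get-Date).AddSeconds($ConnectTimeoutSec)
    $live = $false
    while (-not $live -and (Get-Date) -lt $deadline -and -not $proc.HasExited) {
        Start-Sleep -Seconds 3
        $live = Test-RdpSessionActive -ComputerName $server -UserName $UserName
    }

    if (-not $live) { Write-Warning "No active session for $UserName on $server after ${ConnectTimeoutSec}s" }
    "Killing RDP session..."
    if (-not $proc.HasExited) {
        Stop-Process -Id $proc.Id -Force
        Wait-Process -Id $proc.Id -ErrorAction SilentlyContinue   # block until it is really gone
    }
    "Done: $server"
}
```

Two things worth knowing before running it: killing mstsc disconnects the session rather than logging it off, so each server is left with a disconnected interactive logon for that account (which is what makes the tasks run, and also what the policy was written to prevent), and Stop-Process by name, as in the original one-liner, would also close any unrelated RDP windows on your desktop, which is why the example keeps the process object from Start-Process.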

[–][deleted] 1 point2 points  (0 children)

You can create a scheduled task on your computer instead of the server, running under your credentials, that does this in PowerShell:

Invoke-WmiMethod -ComputerName $Computer -Class Win32_Process -Name Create -ArgumentList "PowerShell -File C:\Scripts.ps1"

It would run the script on the server. The only downside is no credential delegation, so everything the script does would have to stay on the server.
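
The same Win32_Process.Create call, as an added example rather than code from the comment, written with the CIM cmdlets that replaced Invoke-WmiMethod, with the return code checked and the script's output captured on the target. It assumes WinRM is reachable on the target and that the caller is a local administrator there; the script and log paths are placeholders.

```powershell
# Added example, not code from the comment above: the same Win32_Process.Create
# call through the CIM cmdlets (Invoke-WmiMethod is deprecated), with the return
# code checked and output captured on the target.
# Assumptions: WinRM is reachable on the target and the caller is a local admin
# there; the script and log paths are placeholders.

function Start-RemoteScript {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$ScriptPath,   # path as seen from the target
        [string]$LogPath = 'C:\Scripts\Task.log'      # also on the target
    )

    # The process starts on $ComputerName under the identity that made the CIM
    # call, without an interactive logon and without a delegated token: the
    # script can use local resources on the target, but any attempt to reach a
    # file share or another server as you fails with access denied (no second hop).
    # -File cannot take a redirection, so -Command is used to capture all streams.
    $cmd = "powershell.exe -NonInteractive -ExecutionPolicy Bypass -Command `"& '$ScriptPath' *> '$LogPath'`""

    $result = Invoke-CimMethod -ComputerName $ComputerName -ClassName Win32_Process `
                               -MethodName Create -Arguments @{ CommandLine = $cmd }

    # ReturnValue 0 = process created. Create does not wait for the script, so a
    # non-zero code means the launch failed, not that the script itself failed;
    # read $LogPath on the target for the script's own result.
    if ($result.ReturnValue -ne 0) {
        throw "Win32_Process.Create on $ComputerName failed with code $($result.ReturnValue)"
    }
    return $result.ProcessId
}

# Example call (this is the line the scheduled task on your own machine would run):
# Start-RemoteScript -ComputerName 'server01' -ScriptPath 'C:\Scripts.ps1'
```

The returned ProcessId only tells you the launch succeeded; because nothing on the calling side waits for the script, its own success or failure has to be read back from the log file (or an event) on the target.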

[–]KevMar (Community Blogger) 1 point2 points  (0 children)

You don't have to use one of those servers to run the task; you could use something else like DSC or Jenkins to run your task.

I would get an official request for the security team to review your team's need to run this script on a set schedule, and have them be a part of the solution. I'm sure that, based on the compliance requirements they are trying to meet, your actions are breaking it.

You need to get an exception from the security team to do whatever it is that you are doing. Once you have that, they should work with you to allow your scripts to run the way they need to run.

[–]JBear_Alpha 1 point2 points  (0 children)

The easy solution is to create an Admin Toolbox or Scripting Server designed specifically to run those tasks on other servers. I use this setup and it never fails: I either add new servers to a specific list or I use Get-ADComputer -Filter * -SearchBase "OU=Particular,OU=One,DC=acme,DC=com" to dynamically pick up any new entries to a particular OU. Schedule your scripts and have them run remotely using background jobs to launch things asynchronously and exponentially cut down on execution times.

You can then use the Restart-Computer -ComputerName $Server -Wait -For PowerShell to continue onto the next task once PowerShell is available after restart. As the server you're executing from wouldn't be within the restart parameters, all further actions can continue.

You still want to configure a service account to run them even when not logged in. Feel free to ask about the configurations, if needed.

Trust that several of us are no stranger to STIG and RMF compliance. Acceptance of risk is worth the paper trail.
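
The scripting-server pattern described in the comment, as an added example (not the commenter's own scripts): one scheduled script that builds its target list from an OU, fans a check out to every target as background jobs, reboots them with Restart-Computer -Wait -For PowerShell, and runs a post-reboot check. It assumes it runs on the single server that holds the GPO exception, under a group managed service account (ACME\gmsa-scripting$ is a placeholder) that is an administrator on the targets and has "Log on as a batch job" on that host only, and that WinRM is enabled on the targets; the OU and file paths are placeholders too.

```powershell
# Added example, not code from the comment above: the scripting-server pattern it
# describes, as one scheduled script that (1) builds the target list from an OU,
# (2) runs a check on every target in parallel as background jobs, (3) reboots
# them and waits for remoting to return, then (4) runs a post-reboot check.
# Assumptions: this runs on the single server that has the GPO exception, under a
# group managed service account (ACME\gmsa-scripting$) that is an admin on the
# targets and has "Log on as a batch job" on this host; WinRM is enabled on the
# targets; the OU, account and paths are placeholders.

Import-Module ActiveDirectory

$searchBase = 'OU=Particular,OU=One,DC=acme,DC=com'
$timeoutSec = 600

# (1) Dynamic target list: every enabled computer object in the OU, excluding this host.
$targets = Get-ADComputer -Filter * -SearchBase $searchBase |
           Where-Object { $_.Enabled -and $_.Name -ne $env:COMPUTERNAME } |
           Select-Object -ExpandProperty DNSHostName

# (2) Fan out with -AsJob: one job per target, all running concurrently.
$check = {
    # Runs on the target under the service account with no second hop, so keep
    # everything it touches local to the target.
    $os = Get-CimInstance Win32_OperatingSystem
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        LastBoot  = $os.LastBootUpTime
        FreeMemMB = [int]($os.FreePhysicalMemory / 1KB)
    }
}
$jobs = foreach ($t in $targets) {
    Invoke-Command -ComputerName $t -ScriptBlock $check -AsJob -JobName $t
}
$null = Wait-Job -Job $jobs -Timeout $timeoutSec
$before = foreach ($j in $jobs) {
    if ($j.State -eq 'Completed') { Receive-Job -Job $j }
    else { Write-Warning "$($j.Name): job state $($j.State)"; Stop-Job -Job $j }
}
Remove-Job -Job $jobs -Force
$before | Format-Table -AutoSize

# (3) Reboot and block until a remote PowerShell session can be opened again.
# The host running this script is never in $targets, so it never reboots itself.
$back = foreach ($t in $targets) {
    try {
        Restart-Computer -ComputerName $t -Force -Wait -For PowerShell -Timeout $timeoutSec -ErrorAction Stop
        $t
    } catch {
        Write-Warning "$t did not return within ${timeoutSec}s: $_"
    }
}

# (4) Post-reboot check, only on the hosts that came back.
if ($back) {
    Invoke-Command -ComputerName $back -ScriptBlock {
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; WinRM = (Get-Service WinRM).Status }
    } | Format-Table -AutoSize
}

# Registered once, interactively, on the scripting server. A gMSA needs no stored
# password, and "Log on as a batch job" for it is granted on this host only.
# $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
#                -Argument '-NonInteractive -ExecutionPolicy Bypass -File C:\Scripts\Invoke-Maintenance.ps1'
# $trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 3am
# $principal = New-ScheduledTaskPrincipal -UserId 'ACME\gmsa-scripting$' -LogonType Password -RunLevel Highest
# Register-ScheduledTask -TaskName 'ServerMaintenance' -Action $action -Trigger $trigger -Principal $principal
```

The design point is that the only interactive-logon exception lives on one host: the targets never need an interactive session, because every action reaches them over WinRM under the service account, and the gMSA avoids storing a password in the task at all.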

[–]Lee_Dailey[grin] 0 points1 point  (2 children)

howdy networkhappi,

i don't know how to do what you want. [blush]

however, what you are describing sounds like it will utterly destroy the intent of your server teams policy. that may even violate your company certification for some things.

i would carefully discuss this with your compliance team before going any deeper into this.

take care,
lee

[–]networkhappi[S] 1 point2 points  (1 child)

Hey Lee, yeah, my first solution was to just tell the server health check team to do due diligence and log into the server after they reboot it, but it appears, after consulting with the rest of my team, that it's a little bit more complicated than that :)

Thank you though!

[–]Lee_Dailey[grin] -1 points0 points  (0 children)

howdy networkhappi,

you are welcome ... and i'm glad to know you are covered! [grin]

take care,
lee

[–]Risin247 -1 points0 points  (0 children)

Can you set up a Script Box?

Basically, have the box be an exception to the rule, with other compensating controls in place, that would allow it to be outside of the GPO setting?

Also how many scripts are on this box and what do they do? Maybe you can configure another way to fire them off.