How to Schedule a GPO to Fire Off within certain time blocks

Jan
24
2011

Thanks to GPanswers.com member Bart for the meat of this tip !

You might have a situation where you want GPOs to apply to a collection of computers – but only within certain time blocks.

Sure, you could manually link and unlink the GPO when the proper times come. But you’re too busy for that.

Instead, use PowerShell, and automate the task!

First things first. Make sure the policy refresh interval on the workstations is set small enough to apply the activated GPO settings during the times you want. Normally, computers update every 90 – 120 minutes. To use this tip, you might want to tighten up the refresh interval – just for this collection (like a Training room OU or Kiosk OU or something.) I wouldn’t recommend you do this for your whole population. Do this using the policy settings located at “Computer Configuration | Administrative Templates | System | Group Policy | Group Policy refresh interval for computers.”

Where this came in handy was to activate and deactivate additional (outgoing) firewall rules – specifically for a classroom setup for specific classes.

To use, simply set up a scheduled task to LINK and UNLINK the GPOs as needed.

To Enable:
Powershell -importsystemmodules -command “& {set-gplink -name ‘GPO_Computer_Classroom Outgoing Firewall’ -target ‘ou=classroom,ou=computer management,dc=yourdomain,dc=local’ -linkenabled YES}”

To Disable:
Powershell -importsystemmodules -command “& {set-gplink -name ‘GPO_Computer_Classroom Outgoing Firewall’ -target ‘ou=classroom,ou=computer management,dc=yourdomain,dc=local’ -linkenabled NO}”

PS: For more information, the PowerShell Cmdlets for managing GPO’s come with Windows 7 and W2k8-R2. For an overview of all GPO Cmdlets have a look at the TechNet site: http://technet.microsoft.com/en-us/library/ee461027.aspx