Group Policy - Running batch script with an administrative command line

Hi All

I am trying to run a batch script via Group Policy that does the following

  1. net stop wuauserv
  2. rename c:\windows\SoftwareDistribution softwaredistribution.xxx
  3. net start wuauserv

Steps 1 and 3 work fine but on Step 2 I get an Access Denied message when the policy is executed. The same happens when I run the batch file manually.

When I manually run the batch file, with an elevated command line, it works.

Is there a way I could execute an elevated command line through the GPO?

Thanks

Ivan

August 19th, 2013 8:24am

You can do this if you use a startup script, which executes as SYSTEM.

However, what is the purpose of this script?

Bill

August 19th, 2013 10:38am

Hi Bill

The purpose of the script is described in the steps. I have a ton of machines with corrupt Windows updates and want to rename the C:\Windows\SoftwareDistribution folder. I am looking for a way to automate this through a GPO.

Ivan


August 19th, 2013 10:45am

In general you cannot rename or alter system folders in Group Policy.  Many of these are protected.

This is a one-time fix.  Just do it remotely.  Use PowerShell and run the commands:

$computer='MyPC'
# Service object bound to the remote machine, so Stop-/Start-Service act on it there
$wu=Get-Service wuauserv -ComputerName $computer
Stop-Service -InputObject $wu -Force
# -NewName takes only the new folder name, not a second full path
Rename-Item \\$computer\c$\windows\SoftwareDistribution -NewName SoftwareDistribution.XXX
Start-Service -InputObject $wu

You can get computer names from a file or from AD.

Group Policy is not a good way to do this.

I recommend checking what you are doing.  This is almost never needed on a large number of machines.  It is more likely that something in your network is not configured properly.

August 19th, 2013 11:08am

Thanks for your reply

It is a new network the company I work for started to look after!

August 19th, 2013 11:10am

How does that change things?  Why would that cause you to have to delete all WU history?
August 19th, 2013 11:24am

Because the update log on most of the machines I have checked indicated that the updates that have been downloaded thus far have been corrupt....pointing it to a new WSUS server did not resolve the problem. I did some research and found that to be a solution.
August 19th, 2013 11:26am

What in the log says the updates are corrupt and that WSUS cannot recover them?

In any case remotely renaming the folder should not be attempted via GP.

I suspect it is the crypto key that is corrupt.

Try using the script I posted on one system and be sure it fixes the issue.  Deleting the folder has a pretty big impact so you don't want to do it arbitrarily.

Try the script first.  If it works you can unleash it on batches of machines safely.

August 19th, 2013 11:31am

Thanks for your comments, it is appreciated.

August 19th, 2013 11:33am

To be more specific - there is no way to elevate GP scripts.  They run in the context of the SYSTEM or of the user.  Elements that have access to alter the system are supported by services that assist in managing the machine.  You can see these things in the RSOP report.  There is no GP thing to manage WSUS.  GP can manage what it has a tool to use to manage the item.  It has no specific access to protected system components.

Running remotely as an administrator you will have more access to the system folders than much of Group Policy has. Just write and test your script against one machine.  Be sure to do rigorous error logging so you can analyze what is failing.  A bad disk or malware can subvert what you are trying to do. 

The ability to rename the folder may require a restart of the system after disabling the services.  This can be needed because the service may lock a file when it starts and the service will not release the file because it has thrown an exception.  To fix this disable the service, restart the system and then rename the folder.  You can restart the service after the rename.

How you approach and design this maintenance is what Admin is all about.  You will have to design this to work around your normal operations.  None of us can show you how to do this as it is beyond the scope of this forum.  We can answer specific scripting "how-to" questions.

August 19th, 2013 11:55am
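The following is an added example, not code posted in this thread, that turns Bill's one-machine snippet above into the batch-of-machines version with the error logging he recommends. It assumes Windows PowerShell (where Get-Service still has -ComputerName), a file computers.txt with one hostname per line, and an account that is a local administrator on each target; the file and log names are placeholders.

```powershell
# Added example (not from the thread): batch version of the remote rename approach.
# Assumes computers.txt (one hostname per line) and an account that is a local
# admin on each target, so the admin share \\PC\c$ is reachable.
param(
    [string]$ComputerList = '.\computers.txt',
    [string]$LogFile      = '.\SoftwareDistribution-rename.log'
)

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Write-Host $line
    Add-Content -Path $LogFile -Value $line
}

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'

foreach ($computer in (Get-Content $ComputerList | Where-Object { $_.Trim() })) {
    $computer = $computer.Trim()
    $share = "\\$computer\c$\Windows\SoftwareDistribution"
    $svc = $null
    try {
        if (-not (Test-Path $share)) {
            Write-Log "$computer : admin share or folder not reachable, skipping"
            continue
        }
        # Service object bound to the remote machine; Stop/Start act there.
        $svc = Get-Service -Name wuauserv -ComputerName $computer -ErrorAction Stop
        Stop-Service -InputObject $svc -Force -ErrorAction Stop
        # Wait until the SCM reports Stopped; until then the folder stays locked.
        $svc.WaitForStatus('Stopped', (New-TimeSpan -Seconds 60))
        Write-Log "$computer : wuauserv stopped"

        # Rename-Item takes a bare new name, not a second full path.
        Rename-Item -Path $share -NewName "SoftwareDistribution.$stamp" -ErrorAction Stop
        Write-Log "$computer : folder renamed to SoftwareDistribution.$stamp"
    }
    catch {
        # Typical causes: access denied, a file still locked by the service
        # (the restart case Bill describes), or host offline. Log it and leave
        # the machine for manual follow-up instead of forcing a reboot here.
        Write-Log "$computer : FAILED - $($_.Exception.Message)"
    }
    finally {
        # Never leave a machine with Windows Update stopped, even after a failure.
        if ($svc) {
            try { Start-Service -InputObject $svc -ErrorAction Stop; Write-Log "$computer : wuauserv started" }
            catch { Write-Log "$computer : could not restart wuauserv - $($_.Exception.Message)" }
        }
    }
}
```

Run it against a single test machine first and read the log; a host that fails on the rename step is the one that needs the disable-service, restart, rename sequence described above.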

Here is an article that may be of some use.  It is an advanced scripting article but does discuss many of the issues that you will have to deal with when running a very large (network-wide) update.  It may also be a good bootstrap into learning how to script.

http://blogs.technet.com/b/heyscriptingguy/archive/2013/08/19/powershell-workflow-for-mere-mortals-part-1.as

August 19th, 2013 11:59am