Windows – How to automate creation of GPO shutdown script

Tags: chef, group-policy, windows

I'm managing Windows VMs in AWS ASGs that are not attached to a domain. I want to run a script at shutdown (not logoff) to remove these nodes from Chef, and I want to create/register the scripts using Chef. I have the removal script ready, it's getting them to run at shutdown that I cannot find an implementation for.

I can do it manually via gpedit.msc Local Computer Policy -> Computer Configuration -> Windows Settings -> Scripts (Start/Shutdown) -> Shutdown. This places the scripts in C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Shutdown. Unfortunately:

  • It looks like the scripts directories are only created when gpedit.msc is first run, and it's unclear if creating them manually is valid
  • Just placing scripts there does not on its own seem to register them – they don't show up in gpedit.msc
  • Placing the script and running gpupdate /force (as suggested here) also doesn't cause it to show up in gpedit, though gpupdate did suggest a reboot may be required to apply some changes – that's not an option as a reboot in an ASG may cause instance termination and replacement

I'm aware of a possible use of Task Scheduler to run a script at shutdown, but (from my research at least) it seems that the key difference is that a task scheduler shutdown script only has as much time to run as the system takes to shutdown, whereas a GPO shutdown script will postpone shutdown until it finishes.

So, the question is: is there a way, via Chef (i.e. via PowerShell, DSC, or batch script) to register a GPO shutdown script on a machine not attached to AD without rebooting?

Best Answer

Try using this LGPO utility. You should be able to use the GUI to config the shutdown script on a pilot machine, back it up with LGPO, and then use LGPO to import it onto newly built systems.

https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/
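The LGPO workflow from the answer, as an added PowerShell example that is not part of the original answer or of the LGPO tool's documentation: back up the pilot machine's local GPO, import it on a freshly built node (the step a Chef `powershell_script` resource would run), and then verify that the shutdown script really is registered rather than just sitting in the Scripts folder. The LGPO.exe path, the backup root and the script name are assumptions; the only LGPO switches used are `/b` (back up local policy to a directory) and `/g` (import a GPO backup directory). The verification reads the `[Shutdown]` section of scripts.ini (batch/exe scripts) and psscripts.ini (PowerShell scripts) under `System32\GroupPolicy\Machine\Scripts`, which is where gpedit.msc records the script list, and treats the Group Policy state key in the registry as a secondary, best-effort check.

```powershell
# Added example (not from the original question or answer). Assumes LGPO.exe was
# downloaded to C:\Tools\LGPO\LGPO.exe (hypothetical path) and that the Chef
# removal script is named RemoveFromChef.ps1 (hypothetical name).
$LgpoExe    = 'C:\Tools\LGPO\LGPO.exe'
$ScriptName = 'RemoveFromChef.ps1'
$ScriptsDir = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Scripts'

function Invoke-Lgpo {
    param([string[]]$Arguments)
    if (-not (Test-Path $LgpoExe)) { throw "LGPO.exe not found at $LgpoExe" }
    $p = Start-Process -FilePath $LgpoExe -ArgumentList $Arguments -Wait -NoNewWindow -PassThru
    if ($p.ExitCode -ne 0) {
        throw "LGPO.exe $($Arguments -join ' ') failed with exit code $($p.ExitCode)"
    }
}

# Step 1 (pilot machine): configure the shutdown script once in gpedit.msc, then
# back up the whole local GPO. LGPO writes a {GUID} folder under $BackupRoot;
# that folder is what gets copied to new nodes.
function Backup-LocalGpo {
    param([string]$BackupRoot)
    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
    Invoke-Lgpo -Arguments @('/b', "`"$BackupRoot`"")
    $backup = Get-ChildItem -Path $BackupRoot -Directory |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]+\}$' } |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $backup) { throw "LGPO.exe /b produced no backup folder under $BackupRoot" }
    return $backup.FullName
}

# Step 2 (new node, e.g. from a Chef powershell_script resource): import the
# backup, then refresh computer policy so the Scripts extension processes it.
function Import-LocalGpo {
    param([string]$BackupDir)
    if (-not (Test-Path (Join-Path $BackupDir 'backup.xml'))) {
        throw "$BackupDir does not look like an LGPO/GPMC backup (no backup.xml)"
    }
    Invoke-Lgpo -Arguments @('/g', "`"$BackupDir`"")
    & gpupdate.exe /target:computer /force | Out-Null
}

# Step 3: confirm the script is registered. Dropping a file into the Shutdown
# folder is not enough (the question's second bullet); it must be listed in
# scripts.ini or psscripts.ini, which use the form:
#   [Shutdown]
#   0CmdLine=RemoveFromChef.ps1
#   0Parameters=
function Test-ShutdownScriptRegistered {
    param([string]$Name)
    $found = $false
    foreach ($ini in @('scripts.ini', 'psscripts.ini')) {
        $path = Join-Path $ScriptsDir $ini
        if (-not (Test-Path $path)) { continue }
        $inShutdown = $false
        foreach ($line in (Get-Content -Path $path)) {      # files are UTF-16 with BOM; Get-Content detects it
            if ($line -match '^\[(.+)\]$') { $inShutdown = ($Matches[1] -eq 'Shutdown'); continue }
            if ($inShutdown -and $line -match '^\d+CmdLine=(.+)$' -and $Matches[1] -like "*$Name") {
                $found = $true
            }
        }
    }
    # Secondary check (assumption: this is where the Scripts CSE records the
    # resolved script list after a policy refresh). Its absence is a warning, not
    # a failure, because the ini entry alone is what gpedit.msc displays.
    $state = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown'
    if ($found -and -not (Test-Path $state)) {
        Write-Warning "Script listed in ini but no state under $state yet; re-run gpupdate and check again."
    }
    return $found
}

# Usage:
#   Pilot:    $dir = Backup-LocalGpo -BackupRoot 'C:\LGPO-Backup'   # copy $dir to your Chef file store
#   New node: Import-LocalGpo -BackupDir 'C:\chef\lgpo\{GUID-FROM-PILOT}'
#             if (-not (Test-ShutdownScriptRegistered -Name $ScriptName)) { throw 'shutdown script not registered' }
```

Two practical points for the Chef side: make the `powershell_script` resource idempotent with `not_if { Test-ShutdownScriptRegistered ... }` logic (or a `guard_interpreter :powershell_script`) so the import does not run on every converge, and keep the script file itself at the path recorded in the ini (the backup carries it, so a relative `0CmdLine=` entry resolves inside the Shutdown folder). Nothing here requires a reboot; if the verification fails right after import, the first thing to inspect is the ini file, not the scripts folder.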