Monday, January 15, 2007



I was looking at Darren Mar-Elia's (MVP Group Policy) tool that makes it possible to update a REMOTE computer's Group Policy settings using the command line (almost like the good "old" GPUPDATE, just on speed). You can get more info and download the tool here.
I thought it might be an idea to "wrap" the tool into a simple GUI application that should make it possible to select an Organizational Unit (OU) in a domain and run the RGPREFRESH for each computer object in the OU. I know you can use a FOR command, DSQUERY and other stuff, but "normal" admins etc. might not find this easy to do.
That made me start working on a "quick-and-dirty" HTA application which should let the user select an OU and then run the RGPREFRESH command with some checkboxes for the available switches... BUT, after a short time I decided to make the application more FLEXIBLE so the user can type ANY command that should be executed for a given number of computers (selected from an OU).
The tool can now be combined with most command line utilities, e.g. the wonderful PSEXEC from Sysinternals.

The FlexCommand HTA application
So, let's take a look at the tool in its current state (version 1.0).

As you can see above, the GUI is pretty simple. First we should select an Organizational Unit (must be done before the application can be executed):

After selecting a given OU (hopefully one with computer objects in it) there are 2 checkboxes that can be selected.
A. Also handle computers in sub-Organizational Units?
With this checkbox selected we use "SUBTREE" in the LDAP query behind the scenes, so all computer objects in the underlying OUs will be handled too!
B. Only run command if the computer is alive (WMI)?
With this checkbox selected we check to see if the remote computer is alive - by using a WMI PING (that unfortunately can be a bit slow when a remote computer is not responding - but still faster than commands that just wait to "timeout") - before actually executing a command against the remote computer.

Then we need to type in the command; the example below is a simple PING command. It's IMPORTANT to understand that the computer names from the selected OU (or OUs) will be inserted in place of the "{C}" signature, which MUST be entered before the application can be executed.

In some cases it will be necessary to specify a FULL PATH to the command line utility that must be run - remember to use the "quote signs" on each side of the file path.

Using the PING example above, the result is the following in my test domain, and this command is repeated for each computer (that is alive in the selected OU and Sub-OUs):

The tool can be downloaded here!

Future versions
Well, I haven't thought this through 100% yet (and I know the tool is not perfect yet) but I have thought about making the following changes whenever I have time:
1. Logging - write a logfile that shows the commands that were executed
2. Reporting - give a report at the end about number of successfully executed commands etc.
3. Testmode - checkbox where you can make a "what if" execution before running "the real thing"
4. Selection between a- or synchronous execution of commands
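
The loop described above (OU query, optional sub-OUs, optional WMI ping, "{C}" substitution), together with the logging, reporting and "what if" ideas from this list, sketched in PowerShell as an added example. This is not FlexCommand's own code; the parameter names, the sample OU distinguished name and the log path are assumptions made for illustration.

```powershell
# Added example (not FlexCommand's own code). Parameter names, the sample OU DN
# and the log path are assumptions made for illustration.
param(
    [string]$OuDn     = 'OU=Workstations,DC=example,DC=test',  # constructed sample DN
    [string]$Template = 'ping -n 1 {C}',                       # {C} = computer name
    [string]$LogFile  = "$env:TEMP\flexcommand-example.log",
    [switch]$SubTree,     # checkbox A: also handle computers in sub-OUs
    [switch]$OnlyAlive,   # checkbox B: WMI ping before running the command
    [switch]$DryRun       # "what if" mode: log the command, do not execute it
)

if (-not $Template.Contains('{C}')) { throw 'The command must contain {C}.' }

# LDAP query for computer objects under the selected OU.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$OuDn"
$searcher.Filter      = '(objectCategory=computer)'
$searcher.SearchScope = if ($SubTree) { 'Subtree' } else { 'OneLevel' }
$searcher.PageSize    = 500
[void]$searcher.PropertiesToLoad.Add('name')

$ran = 0; $failed = 0; $skipped = 0
foreach ($result in $searcher.FindAll()) {
    $name = [string]$result.Properties['name'][0]

    # The name is pasted into a cmd.exe command line, so accept only letters,
    # digits and hyphens (a deliberately conservative rule) and skip the rest.
    if ($name -notmatch '^[A-Za-z0-9][A-Za-z0-9-]{0,62}$') { $skipped++; continue }

    if ($OnlyAlive) {
        # Win32_PingStatus: StatusCode 0 means the host replied.
        $ping = Get-CimInstance Win32_PingStatus -Filter "Address='$name' AND Timeout=1000"
        if ($ping.StatusCode -ne 0) { $skipped++; continue }
    }

    $cmd = $Template.Replace('{C}', $name)
    if ($DryRun) {
        $exit = 'not run'
    } else {
        $p = Start-Process $env:ComSpec -ArgumentList "/s /c `"$cmd`"" -Wait -NoNewWindow -PassThru
        $exit = $p.ExitCode
        if ($exit -eq 0) { $ran++ } else { $failed++ }
    }
    # One log line per computer: time, operator, command, result.
    Add-Content -Path $LogFile -Value ("{0:s}`t{1}`t{2}`t{3}" -f (Get-Date), $env:USERNAME, $cmd, $exit)
}
"Succeeded: $ran  Failed: $failed  Skipped: $skipped  Log: $LogFile"
```

Running it with -DryRun first writes the exact command lines to the log without executing them, so the target list can be reviewed before the real run.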
I hope you will enjoy this "as-is" tool - it's FREE for you to USE and MODIFY (one cool thing about HTA applications).
All comments and ideas are very welcome - just send me an email for info at heidelbergit dot dk!

Best regards
Jakob H. Heidelberg


Clark Peterson said...

A very nice VB scripting and HTML wrapper! Although it lacks the ability to choose objects within the OU, that would be no problem for us. We're using Desktop Authority, which allows selecting any AD object and evaluating the script for it based on defined criteria. Thank you, Jakob!

tringener said...

I found a link to this program in an article on the Windows Security website. When I attempt to run it on a Windows 2008 domain controller the box for choosing an OU does not appear.

Is this tool compatible with Windows 2008 server?

Jakob H. Heidelberg said...

Hi Tringener,

Sorry, it was created before WS2008. As soon as I can, I'll post a new version (if possible).

Thanx for the update!

JRV said...

HTAs don't work on WS2008 with UAC enabled. Open an elevated command prompt and type START FLEXCOMMAND.HTA and it will work.

cusford said...

I can't download it for some reason. Is there another download link?

Jakob H. Heidelberg said...

Link is down - check this out:

Best regards and happy scripting

Eirik Andreassen said...

Windows 2008 problem:
defaultNC = GetObject("LDAP://RootDSE").Get("DefaultNamingContext")


set RootDSE = GetObject("LDAP://RootDSE")
defaultNC = RootDSE.Get("DefaultNamingContext")

Hans Vellekoop said...

How should I enter the gpupdate command? The command now is
"gpupdate:{C} /Force" (without quotes) but doesn't work.
Does anyone have any ideas? Love the functionality, so I want it working :-)

Hans Vellekoop said...

I'm trying to push domain policy with this command in the tool:
gpupdate:{C} /Force
Doesn't work... Does anyone have ideas? Would love it if this is going to work...

Jakob H. Heidelberg said...

Hi Hans

You should combine FlexCommand with the PSEXEC Tool from Sysinternals to do that.

Something like:
PSEXEC \\{C} gpupdate.exe