
Deploy a Scheduled Task (via GPO) to run a script as the logged on user

Background

Occasionally, a colleague would ask if it's possible to run a script on a Windows endpoint or VDI/RDSH desktop when a user is connecting to or disconnecting from the virtual session, or on desktop unlock, which occurs when roaming your virtual session from one endpoint to another.

Normally, the answer is easy - use Imprivata OneSign's Extension Objects, a feature readily available in most of our clients' environments. This is especially true with our healthcare clients, but other industries have not adopted it on a wide scale (yet).

Scheduled Tasks and GPO

The workaround - Scheduled Tasks deployed via GPO. This will give us the functionality we need for a subset of events available to Extension Objects:
Look familiar?

To set up the scheduled task for the logged on user, it's important to note that the task is set up in the GPO's User Configuration section (User Configuration > Preferences > Control Panel Settings > Scheduled Tasks).

Note that:
1. The user account running the task is %LogonDomain%\%LogonUser% 
2. Run only when user is logged on is enabled.
3. The Hidden check box should normally be enabled.

Another GOTCHA is that the "Run in logged-on user's security context (user policy option)" check box must not be enabled. If this check box is enabled, GPO will not be able to create the Task.
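To test the script and its triggers on a single machine before linking the GPO, the same settings can be registered locally with the ScheduledTasks module; this is an added example, not part of the original post. The task name and script path are placeholders, and the two triggers chosen (remote connect and session unlock) are an assumption based on the events mentioned in the Background section.

```powershell
# Added example: local equivalent of the GPO task item, for the current user.
$taskName   = 'Example-OnSessionEvent'     # placeholder task name
$scriptPath = 'C:\Scripts\OnUnlock.ps1'    # placeholder script path
$user       = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

if (-not (Test-Path -LiteralPath $scriptPath -PathType Leaf)) {
    throw "Script not found: $scriptPath"
}

# Action: run the script with no profile and no visible window.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -WindowStyle Hidden -File `"$scriptPath`""

# Principal: the logged-on user with an interactive token, which is what
# "Run only when user is logged on" means. No elevation is requested.
$principal = New-ScheduledTaskPrincipal -UserId $user -LogonType Interactive -RunLevel Limited

# Settings: the Hidden check box.
$settings = New-ScheduledTaskSettingsSet -Hidden

# New-ScheduledTaskTrigger has no session-state option, so the trigger objects
# are built from the CIM class. Values follow TASK_SESSION_STATE_CHANGE_TYPE.
$stateChange = @{ RemoteConnect = 3; RemoteDisconnect = 4; SessionLock = 7; SessionUnlock = 8 }
$class = Get-CimClass -Namespace 'Root/Microsoft/Windows/TaskScheduler' `
    -ClassName 'MSFT_TaskSessionStateChangeTrigger'
$triggers = foreach ($name in 'RemoteConnect', 'SessionUnlock') {
    New-CimInstance -CimClass $class -ClientOnly -Property @{
        Enabled     = $true
        StateChange = $stateChange[$name]
        UserId      = $user              # fire only for this user's session
    }
}

Register-ScheduledTask -TaskName $taskName -Action $action -Principal $principal `
    -Settings $settings -Trigger $triggers | Out-Null

# Read the task back and show the values that should match the GPO item.
$task = Get-ScheduledTask -TaskName $taskName
[pscustomobject]@{
    RunAs     = $task.Principal.UserId
    LogonType = $task.Principal.LogonType
    RunLevel  = $task.Principal.RunLevel
    Hidden    = $task.Settings.Hidden
    Triggers  = @($task.Triggers).Count
}
```

Remove the test task afterwards with `Unregister-ScheduledTask -TaskName 'Example-OnSessionEvent' -Confirm:$false` so it does not run alongside the GPO-deployed one.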

A Side Note

An alternative approach to the triggers would be to attach the task to a specific event that's reported in the target system's event log.






