How to scan Windows computers with the LsPush scanning agent in a group policy

Lansweeper includes several scanning methods to scan the assets in your network. You can scan the Linux, Unix, Mac and Windows computers, VMware servers and other devices in your network without installing any Lansweeper software on the machines you're scanning. For Windows computers, however, you can optionally perform your scans with a scanning agent. Lansweeper's scanning agent is called LsPush. One of the ways it can be run is using a group policy.

LsPush is a small executable that, when run on a Windows computer, scans the computer locally. LsPush cannot and does not need to be installed on the computer you're scanning. The LsPush executable must simply be executed on the computer whenever you want to scan the machine. The LsPush scan results can be sent directly to your Lansweeper server for automatic processing or stored in a file, which can be imported into your Lansweeper installation later on. There are many ways to run LsPush on your machines. Basically any process that can run the LsPush executable, preferably with a parameter, can trigger LsPush scans of your machines. LsPush scans can be fully automated for instance by integrating the scanning agent into logon scripts, group policies or scheduled tasks.

This article explains how to scan Windows computers with the LsPush agent in a group policy and have the scan results automatically sent back to your Lansweeper server. This scanning approach allows you to scan your domain computers as soon as users log into them.

This article only explains how to scan Windows computers with the LsPush scanning agent in a group policy, so domain computers are scanned as soon as users log into them. There are many other methods to run LsPush on one or more machines in your network. In a workgroup environment, LsPush can be deployed with a scheduled task for instance. A list of other ways to run LsPush can be found in this knowledge base article.


To scan Windows computers with the LsPush scanning agent in a group policy, do the following:

  1. On the machine hosting your Lansweeper installation, browse to the folder below and copy the LsPush executable contained within.
    Program Files (x86)\Lansweeper\Client
    When you update your Lansweeper installation, the latest version of the LsPush executable is automatically added to the Client folder on your Lansweeper server. Make sure to use the latest LsPush executable to scan your machines, as scanning with old agents can cause incomplete data to be returned. If you have just updated Lansweeper and are scanning with LsPush in a logon script, group policy or scheduled task, copy the up-to-date LsPush to any folder referenced by your script, policy or task.
  2. On one of the domain controllers in your domain, paste the LsPush executable into the folder below.
    SYSVOL or netlogon on domain controller
  3. For testing purposes, open Command Prompt on a computer you want to scan and run the command below, replacing LansweeperServer with the name of your Lansweeper scanning server, i.e. a server hosting the Lansweeper Server service. This command triggers a local scan of the computer and sends the scan results directly to your Lansweeper server for import. After half a minute or so, you also receive visual feedback in a popup window indicating whether the connection to the Lansweeper server succeeded. This test is just to confirm our command works prior to implementing it in a group policy.
    "%logonserver%\netlogon\LsPush.exe" LansweeperServer /showresult
    By default, LsPush traffic is sent to port 9524 on your Lansweeper server. If the test above does not succeed, make sure incoming traffic over port 9524 is allowed in your Lansweeper server's firewall settings.
  4. Open Notepad and copy/paste the script below, replacing LansweeperServer with the name or IP address of the Lansweeper scanning server you want to send the LsPush data to. The 0 at the end of the script makes the script run asynchronously, so users don't have to wait for the LsPush scan to finish to be able to log into their computers.
    Set WshShell = CreateObject("Wscript.Shell")
    ' Launch LsPush in a hidden window (0) without waiting for the scan to finish
    WshShell.Run "%logonserver%\netlogon\LsPush.exe LansweeperServer",0
  5. From the File menu, select Save As... and save the file with a name ending in the .vbs extension.
  6. On one of the domain controllers in your domain, open your Start menu and select Run.
  7. In the input box, type gpmc.msc and hit OK. This opens the Group Policy Management Console (GPMC).
  8. Under your domain, right-click Group Policy Objects, select New and give your policy a name. After hitting OK, a new policy object appears in the list of group policies.
  9. Right-click your newly created group policy and select Edit.
  10. In the resulting popup, navigate to:
    User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)
  11. In the right pane, right-click Logon and select Properties.
  12. Hit the Show Files... button and, in the folder that's opened, copy and paste the .vbs script you created earlier.
  13. Back in the Logon Properties window, hit Add..., then Browse... and select your .vbs script in the resulting popup. Hit Open afterwards and OK twice to close all popups.
  14. Apply your group policy to your domain computers by right-clicking your domain name or a specific OU, selecting Link an Existing GPO... and choosing your newly created policy from the resulting popup.
    It may take several hours for your group policy to fully apply and become active on your domain computers. You can run gpupdate /force in Command Prompt on computers to force their group policies to apply.
  15. Once your group policy has become active and a user has logged into a computer to be scanned, perform a search for the name of the computer in the web console search bar, which takes you to the machine's Lansweeper webpage. The Scan time tab of the machine's asset page should also indicate an LsPush scan has taken place. If the search bar finds no asset for the scanned computer, the LsPush scan may have failed for any of the following reasons: you've reached your Lansweeper license's asset limit, your Lansweeper database is full, the Windows computer is excluded from scanning.
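
Because the executable in netlogon runs at every user logon, it is worth confirming that the deployed copy is byte-identical to the one shipped in the Lansweeper Client folder and that the server port is reachable. The PowerShell script below is an added example, not Lansweeper's own code. It assumes it is run where both paths are readable (for instance on the Lansweeper server by a domain user); the parameter defaults and the function name Get-AgentInfo are illustrative.

```powershell
# Added example, not Lansweeper code. Items marked ASSUMPTION are not from the article.
param(
    # Server copy of the agent (folder from step 1; ASSUMPTION: default install drive).
    [string]$Source = (Join-Path ${env:ProgramFiles(x86)} 'Lansweeper\Client\LsPush.exe'),
    # Copy that the logon script runs (path from steps 3 and 4).
    [string]$Deployed = "$($env:LOGONSERVER)\netlogon\LsPush.exe",
    [string]$LansweeperServer = 'LansweeperServer',  # placeholder name used in the article
    [int]$Port = 9524                                # default LsPush port (step 3)
)

# Collect version, SHA-256 and Authenticode details for one copy of the agent.
function Get-AgentInfo([string]$Path) {
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path      = $Path
        Version   = $item.VersionInfo.FileVersion
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

$src = Get-AgentInfo $Source
$dep = Get-AgentInfo $Deployed
$problems = @()

# A stale or altered netlogon copy shows up as a hash difference (see the note in step 1).
if ($dep.SHA256 -ne $src.SHA256) {
    $problems += "netlogon copy differs from server copy (deployed $($dep.Version), server $($src.Version))"
}
# HashMismatch means the file content changed after it was signed.
# ASSUMPTION: the binary carries a signature; NotSigned is reported but not treated as a failure.
if ($dep.SigStatus -eq 'HashMismatch') {
    $problems += "deployed copy was modified after signing"
}
# Same connectivity the /showresult test in step 3 depends on.
# Most meaningful when run from a client machine rather than the server itself.
$tcp = Test-NetConnection -ComputerName $LansweeperServer -Port $Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    $problems += "TCP port $Port on $LansweeperServer is not reachable"
}

$src, $dep | Format-List
if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'LsPush deployment checks passed.'
```

Rerun the check after every Lansweeper update, since the update replaces the executable in the Client folder but not the copy referenced by the group policy.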