Group Policy allows you to run various script files at a computer startup/shutdown or during user logon/logout. You can use GPOs not only to run classic batch files on a domain computers (.bat, .cmd, .vbs), but also to execute PowerShell scripts (.ps1) during Startup/Shutdown/Logon/Logoff.
In modern operating systems (Windows 10 / Windows Server 2016), you can configure the logon/startup PowerShell scripts directly from the domain GPO editor.
Run the domain policy management console – GPMC.msc (Group Policy Management), create a new policy and link it to the desired Active Directory container (OU) with users or computers (you can use WMI GPO filters for fine policy targeting). Switch to policy Edit mode.
You must select a GPO section to run the PowerShell script, depending on when you want to execute your PS1 script:
- If you want to run a PS script when a user logon (logoff) to a computer (to configure user’s environment settings, programs, for example: you want to automatically generate an Outlook signature based on the AD user properties, adjust screensaver or Start layout settings), you need to go to the GPO section: User Configuration -> Policies -> Windows Settings -> Scripts (Logon / Logoff);
- If you want to run the PowerShell script at a computer startup (to disable outdated protocols: NetBIOS and LLMNR, SMBv1, configure computer security settings, etc.) or before the computer shutdown, you need to go to the GPO section with the computer settings: Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup / Shutdown).
Configuring PowerShell Startup Scripts with Group Policy
Suppose, we have to run the PowerShell script at a computer startup. Select the Startup policy, and go to the PowerShell Scripts tab in the next window.
Now you need to copy the file with your PowerShell script to the domain controller. Click the Show Files button and drag the file with the PowerShell script (ps1 extension) into the opened File Explorer window (the console will automatically open the folder \\yourdomainname\SysVol\yourdomainname\Policies\{Your_GPO_GUID }\Machine\Scripts\Startup of your policy in the SysVol on the nearest AD domain controller).
Since we configure the Startup PowerShell script, you need to check the NTFS “Read&Execute” permissions for the Domain Computers group in the ps1 file permissions (or check the permissions on the entire Machine\Scripts\Startup folder).
Now click Add and add the copied .PS1 script file to the list of scripts to be run by the PowerShell policy.
If you run multiple PowerShell scripts through a GPO, you can control the order in which the scripts are executed using the Up/Down buttons.
To correctly run PowerShell scripts during computer startup, you need to configure the delay time before scripts launch using the policy in the Computer Configuration -> Administrative Templates -> System -> Group Policy section. Enable the “Configure Logon Script Delay” policy and specify a delay in minutes before starting the logon scripts (sufficient to complete the initialization and load all necessary services). It is usually enough to set up here for 1-2 minutes.
By default, Windows security settings do not allow running PowerShell scripts. The current value of the PowerShell script execution policy setting can be obtained using the Get-ExecutionPolicy cmdlet. If the policy is not configured, the command will return Restricted (any scripts are blocked). The security settings for running the PowerShell script can be configured via the “Turn On Script Execution” policy (in the GPO Computer Configuration section -> Administrative Templates -> Windows Components -> Windows PowerShell). Possible policy values:
- Allow only signed scripts (AllSigned) – you can run only signed PowerShell scripts (“How to digitally sign a PowerShell script?”) — this is the best option from a security perspective;
- Allow local scripts and remote signed scripts (RemoteSigned) – you can run any local and signed remote scripts;
- Allow all scripts (unrestricted) – the most insecure option, because allows executing any PowerShell scripts.
If not one of the setting of the PowerShell scripts execution policy is suitable for you, you can run PowerShell scripts in the Bypass mode (scripts are not blocked, warnings do not appear).
To do this, the PowerShell script must be run from the Startup -> Scripts section. In this section, you can configure ps1 script to run by creating the usual Startup batch file that runs the powershell.exe executable file (similar to the script described in the article). Specify:
- Script Name:
%windir%\System32\WindowsPowerShell\v1.0\powershell.exe - Script Parameters:
-Noninteractive -ExecutionPolicy Bypass –Noprofile -file %~dp0MyPSScript.ps1
%~dp0 when launched on the client is automatically converted to the UNC path to the script directory on SYSVOL.As you can see, in this case you allowed running untrusted PoSh scripts by specifying Bypass parameter of the ExecutionPolicy.
2 comments
How would you specify -NoProfile in your first GPO example?
Script runs fine locally with elevated powershell, however, in testing by \\ to sysvol I am getting an access is not allow and permissiondenied on the registry key. Full error message below:
Set-ItemProperty : Requested registry access is not allowed.
At \\ts-dc02\SYSVOL\thirdsecurity.com\Policies\{16088BE5-A9DA-4A1C-A4A2-9B52C8B9714D}\Machine\Scripts\Startup\DisableNB
NS.ps1:2 char:34
+ … |foreach { Set-ItemProperty -Path “$regkey\$($_.pschildname)” -Name …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (HKEY_LOCAL_MACH…7-d2d2f7c2680f}:String) [Set-ItemProperty], Securit
yException
+ FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.SetItemPropertyCommand