Posted on February 2, 2018 · Posted in Group Policies, Powershell

Running PowerShell Startup Scripts Using GPO

Many administrators use the Group Policy feature for running startup / logoff scripts to perform various tasks. In addition to conventional BAT, CMD, VBS, etc. scripts, you can also run PowerShell scripts using GPO. Let's see how to configure it.

If all domain clients are running Windows 7 / Windows Server 2008 R2 or higher, there is a separate native GPO module to run PowerShell scripts.

To do it, create a new policy in the GPMC.msc console (Group Policy Management) and link it to the necessary container with users or computers. Switch to Edit mode and go to one of the following sections (depending on when your PowerShell script has to run: at OS startup/shutdown or at user logon/logoff).

  • Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup / Shutdown)
  • User Configuration -> Policies -> Windows Settings -> Scripts (Logon / Logoff)

Suppose we have to run a script at startup. Select the Startup policy and go to the PowerShell Scripts tab in the next window.


To copy a script file, click Show Files and drag a file containing the PowerShell script (with the .PS1 extension) into the window that opens. (This is the Scripts\Startup folder of the corresponding policy, located in the Sysvol directory on the domain controller.)

Now click Add and add the copied .PS1 script file to the list of scripts to be run by the policy.


In fact, that’s all. Just restart your computer and check the results of the script execution.

Note. PowerShell scripts that are run using GPO will work regardless of the current PowerShell script execution policy settings, whether defined by the Set-ExecutionPolicy command or by the corresponding policy. It does not matter whether the script is signed: it will run in Bypass mode.

If there are earlier client versions in the domain (that nevertheless have PowerShell installed), you can run a .PS1 script on them using a typical Startup script that runs powershell.exe (like in the scenario described in this article):

%windir%\System32\WindowsPowerShell\v1.0\powershell.exe

With the parameters

-Noninteractive -ExecutionPolicy Bypass -Noprofile -file %~dp0SomePSScript.ps1


As you can see, in this case you are forced to allow the execution of untrusted scripts by specifying the Bypass value for the ExecutionPolicy parameter.
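Because both methods run the script without any signature check, it is worth reviewing which .PS1 files sit in the policy script folders and who can change them. The following is an added example, not part of the original article: the function name Get-GpoScriptAudit, the default SYSVOL path and the list of expected writers are assumptions, and the demo at the end runs against a constructed folder tree.

```powershell
# Added example (not from the original article): inventory the .ps1 files that
# Group Policy will run. They execute in Bypass mode whether or not they are
# signed, so signature status and write access are worth reviewing.
function Get-GpoScriptAudit {
    param(
        # Assumption: default SYSVOL layout of the current user's domain.
        [string]$PoliciesPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
    )
    # Rights that let a principal change or replace a script file.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    # Assumption: principals expected to hold write access; adjust to your domain.
    $expected = '(^|\\)(SYSTEM|Administrators|Domain Admins|Enterprise Admins|CREATOR OWNER)$'

    Get-ChildItem -Path $PoliciesPath -Recurse -Filter *.ps1 -File |
        Where-Object { $_.FullName -match '\\(Machine|User)\\Scripts\\(Startup|Shutdown|Logon|Logoff)\\' } |
        ForEach-Object {
            $file = $_
            $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
            # Allow ACEs granting write-type rights to anyone outside the expected list.
            $writers = (Get-Acl -Path $file.FullName).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -band $writeMask) -and
                $_.IdentityReference.Value -notmatch $expected
            } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
            [pscustomobject]@{
                Script          = $file.FullName
                SignatureStatus = $sig.Status   # e.g. NotSigned, Valid, HashMismatch
                Signer          = $sig.SignerCertificate.Subject
                SHA256          = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
                LastWriteTime   = $file.LastWriteTime
                ExtraWriters    = $writers -join '; '
            }
        }
}

# Offline demo on a constructed tree that mimics one policy folder (placeholder GUID).
$root = Join-Path $env:TEMP 'GpoAuditDemo'
$dir  = Join-Path $root '{00000000-0000-0000-0000-000000000000}\Machine\Scripts\Startup'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path (Join-Path $dir 'SomePSScript.ps1') -Value 'Write-Output "demo"'
Get-GpoScriptAudit -PoliciesPath $root | Format-List
```

Called without -PoliciesPath on a domain-joined machine, the function reads the domain's own Policies folder; comparing the SHA256 and LastWriteTime values between runs shows when a script has changed.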
