Many administrators use Group Policy feature of running startup / logoff scripts to perform different tasks. In addition to conventional BAT, CMD, VBS, etc. scripts, you can run PowerShell scripts using GPO as well. Let’s see how to configure it.
If all domain clients are running Windows 7 / Windows Server 2008 R2 or higher, there is a separate native GPO module to run PowerShell scripts.
To do it, create a new policy in GPMC.msc Console (Group Policy Management) and link it to the necessary container with users or computers. Switch to the Edit mode and go to one of the sections (depending on when your PowerShell script has to be run: at the OS startup/shutdown or at user logon/logoff).
- Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup / Shutdown)
- User Configuration -> Policies -> Windows Settings -> Scripts (Logon / Logoff)
Suppose, we have to run a script at startup. Select the Startup policy, and go to the PowerShell Scripts tab in the next window.
To copy a script file, click Show Files and drag a file containing the PowerShell script (with the extension .PS1) into the next window. (It is Scripts\Startup folder of the corresponding policy located in Sysvol directory on the domain controller.)
Now click Add and add the copied .PS1 script file to the list of scripts to be run by the policy.
In fact, that’s all. Just restart your computer and check the results of the script execution.
If there are earlier client versions in the domain (having PowerShell, however), you can run a .PS1 script on them using a typical Startup script that runs powershell.exe (like in the scenario described in this article):
%windir%\System32\WindowsPowerShell\v1.0\powershell.exe
With the parameters
-Noninteractive -ExecutionPolicy Bypass –Noprofile -file %~dp0SomePSScript.ps1
As you can see, in this case you are forced to allow the execution of untrusted scripts by specifying Bypass parameter of the ExecutionPolicy.
1 comment
How would you specify -NoProfile in your first GPO example?