July 19, 2019 | Group Policies, PowerShell

Running PowerShell Startup (Logon) Scripts Using GPO

Group Policy allows you to run script files at computer startup/shutdown or at user logon/logoff. You can use GPOs not only to run classic script files on domain computers (.bat, .cmd, .vbs), but also to execute PowerShell scripts (.ps1) during Startup/Shutdown/Logon/Logoff.

In modern operating systems (Windows 10 / Windows Server 2016), you can configure the logon/startup PowerShell scripts directly from the domain GPO editor.

Before Windows 7 and Windows Server 2008 R2, it was impossible to directly run PowerShell files from a GPO (it was necessary to call the .ps1 file from .bat batch file as a parameter of the powershell.exe executable).

Run the domain policy management console – GPMC.msc (Group Policy Management), create a new policy and link it to the desired Active Directory container (OU) with users or computers (you can use WMI GPO filters for fine policy targeting). Switch to policy Edit mode.

You must select a GPO section to run the PowerShell script, depending on when you want to execute your PS1 script:

  • If you want to run a PS script when a user logs on to (or logs off from) a computer (to configure the user’s environment settings or programs, for example, to automatically generate an Outlook signature based on the AD user properties, or to adjust screensaver or Start layout settings), you need to go to the GPO section: User Configuration -> Policies -> Windows Settings -> Scripts (Logon / Logoff);
  • If you want to run the PowerShell script at a computer startup (to disable outdated protocols: NetBIOS and LLMNR, SMBv1, configure computer security settings, etc.) or before the computer shutdown, you need to go to the GPO section with the computer settings: Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup / Shutdown).

Configuring PowerShell Startup Scripts with Group Policy

Suppose we need to run a PowerShell script at computer startup. Select the Startup policy and go to the PowerShell Scripts tab in the window that opens.

running PowerShell Scripts from GPO

Now you need to copy the file with your PowerShell script to the domain controller. Click the Show Files button and drag the PowerShell script file (ps1 extension) into the File Explorer window that opens (the console automatically opens your policy's folder \\yourdomainname\SysVol\yourdomainname\Policies\{Your_GPO_GUID}\Machine\Scripts\Startup in SysVol on the nearest AD domain controller).

placing powershell script to Sysvol

Since we are configuring a Startup PowerShell script, check that the Domain Computers group has the NTFS “Read & Execute” permission on the ps1 file (or check the permissions on the entire Machine\Scripts\Startup folder).

powershell script ntfs execute permissions for domain computers
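The permission check above can be scripted. The following is an added example, not code from the original article: it reports whether computer accounts can read and execute each item in the script folder, and also flags any principal outside an assumed trusted baseline that can modify the scripts. The function name, the `$TrustedWriters` baseline and the temporary demo folder are assumptions made for illustration.

```powershell
# Added example (not from the original article). Startup scripts run as SYSTEM,
# so a principal that can modify the script can run code as SYSTEM on every target.
function Get-StartupScriptAclFinding {
    param(
        [Parameter(Mandatory)] [string] $Path,   # the script folder, not a single file
        # Assumed baseline of principals allowed to hold write access.
        [string[]] $TrustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
            'CREATOR OWNER', 'Domain Admins', 'Enterprise Admins'),
        # Computer accounts are also members of Authenticated Users.
        [string[]] $Readers = @('Domain Computers', 'Authenticated Users')
    )
    # Write-type rights plus the GENERIC_ALL / GENERIC_WRITE bits (0x50000000).
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') -bor 0x50000000
    $readExec = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute

    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        $allow = @((Get-Acl -LiteralPath $item.FullName).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' })
        foreach ($rule in $allow) {
            $id = $rule.IdentityReference.Value
            $trusted = $TrustedWriters | Where-Object { $id -eq $_ -or $id -like "*\$_" }
            if (([int]$rule.FileSystemRights -band $writeMask) -and -not $trusted) {
                [pscustomobject]@{ Path = $item.FullName; Issue = 'UntrustedWriter'
                                   Identity = $id; Rights = $rule.FileSystemRights }
            }
        }
        $canRead = $allow | Where-Object {
            $id = $_.IdentityReference.Value
            ($Readers | Where-Object { $id -like "*\$_" }) -and
            (([int]$_.FileSystemRights -band $readExec) -eq $readExec)
        }
        if (-not $canRead) {
            [pscustomobject]@{ Path = $item.FullName; Issue = 'ComputersCannotReadExecute'
                               Identity = ($Readers -join ', '); Rights = $null }
        }
    }
}

# Constructed demo: a throwaway folder stands in for ...\Machine\Scripts\Startup.
$demo = Join-Path $env:TEMP 'gpo-startup-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'MyPSScript.ps1') -Value 'Write-Output "startup"'
Get-StartupScriptAclFinding -Path $demo | Format-Table -AutoSize
```

To audit a real policy, pass the Machine\Scripts\Startup folder of that GPO in SysVol as `-Path`.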

Now click Add and add the copied .PS1 script file to the list of scripts to be run by the PowerShell policy.

configure PowerShell Startup Script with GPO

If you run multiple PowerShell scripts through a GPO, you can control the order in which the scripts are executed using the Up/Down buttons.

To correctly run PowerShell scripts during computer startup, you need to configure the delay time before scripts launch using the policy in the Computer Configuration -> Administrative Templates -> System -> Group Policy section. Enable the “Configure Logon Script Delay” policy and specify a delay in minutes before starting the logon scripts (sufficient to complete the initialization and load all necessary services). A delay of 1-2 minutes is usually enough.

Logon Script Delay policy

By default, Windows security settings do not allow running PowerShell scripts. The current value of the PowerShell script execution policy setting can be obtained using the Get-ExecutionPolicy cmdlet. If the policy is not configured, the command will return Restricted (any scripts are blocked). The security settings for running the PowerShell script can be configured via the “Turn On Script Execution” policy (in the GPO Computer Configuration section -> Administrative Templates -> Windows Components -> Windows PowerShell). Possible policy values:

  • Allow only signed scripts (AllSigned) – you can run only signed PowerShell scripts (“How to digitally sign a PowerShell script?”) — this is the best option from a security perspective;
  • Allow local scripts and remote signed scripts (RemoteSigned) – you can run any local and signed remote scripts;
  • Allow all scripts (Unrestricted) – the most insecure option, because it allows executing any PowerShell script.

powershell script execution policy
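Before switching the policy to AllSigned, it helps to confirm which scope currently decides the execution policy and whether every script in the GPO folder carries a valid signature. The following is an added example, not code from the original article; the function names and the temporary demo folder are assumptions.

```powershell
# Added example (not from the original article).
# Scopes are listed in precedence order; the "Turn On Script Execution" policy
# under Computer Configuration shows up as the MachinePolicy scope.
function Get-EffectiveExecutionPolicyScope {
    Get-ExecutionPolicy -List |
        Where-Object { $_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1
}

# Signature inventory for every .ps1 under a folder.
function Get-ScriptSigningReport {
    param([Parameter(Mandatory)] [string] $Path)
    Get-ChildItem -LiteralPath $Path -Filter *.ps1 -File -Recurse -Force | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Script         = $_.Name
            Status         = $sig.Status   # Valid, NotSigned, HashMismatch, ...
            Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            # AllSigned needs a Valid signature; the signer must also be a
            # trusted publisher, otherwise PowerShell prompts before running.
            ValidSignature = ($sig.Status -eq 'Valid')
            Sha256         = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

# Constructed demo: an unsigned script in a throwaway folder.
$demo = Join-Path $env:TEMP 'gpo-signing-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'MyPSScript.ps1') -Value 'Write-Output "startup"'

Get-EffectiveExecutionPolicyScope
Get-ScriptSigningReport -Path $demo | Format-List
```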

If none of the PowerShell script execution policy settings suits you, you can run PowerShell scripts in the Bypass mode (scripts are not blocked, warnings do not appear).

To do this, the PowerShell script must be run from the Startup -> Scripts section (the Scripts tab rather than the PowerShell Scripts tab). In this section, you can configure the ps1 script to run in the same way as a usual Startup batch file, with powershell.exe as the executable (similar to the script described in the article). Specify:

  • Script Name: %windir%\System32\WindowsPowerShell\v1.0\powershell.exe
  • Script Parameters: -Noninteractive -ExecutionPolicy Bypass -Noprofile -file %~dp0MyPSScript.ps1

run powershell.exe with args via group policy

When launched on the client, the term %~dp0 is automatically converted to the UNC path of the script directory on SYSVOL.

As you can see, in this case you allow untrusted PowerShell scripts to run by specifying the Bypass value for the ExecutionPolicy parameter.
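Because a Bypass entry like the one above overrides whatever the “Turn On Script Execution” policy sets, it is worth being able to list every GPO script entry that does so. The following is an added example, not code from the original article: it parses the scripts.ini file in which Group Policy stores the entries of the Scripts tab (under Machine\Scripts or User\Scripts of the policy folder in SysVol) and reports entries that launch with Bypass or Unrestricted. The function name and the sample file content are constructed for illustration.

```powershell
# Added example (not from the original article).
function Get-GpoScriptEntry {
    param([Parameter(Mandatory)] [AllowEmptyString()] [string[]] $Line)
    $section = $null
    $entries = [ordered]@{}
    foreach ($l in $Line) {
        if ($l -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($section -and $l -match '^\s*(\d+)(CmdLine|Parameters)=(.*)$') {
            $key = "$section/$($Matches[1])"
            if (-not $entries.Contains($key)) {
                $entries[$key] = [ordered]@{ Section = $section; Index = [int]$Matches[1]
                                             CmdLine = ''; Parameters = '' }
            }
            $entries[$key][$Matches[2]] = $Matches[3]
        }
    }
    foreach ($e in $entries.Values) {
        # Matches -ExecutionPolicy and its abbreviations (-ex, -ep), with '-', '/'
        # or an en dash as the parameter prefix.
        $m = [regex]::Match("$($e.CmdLine) $($e.Parameters)",
            '(?i)[-/\u2013]e[a-z]*\s+(bypass|unrestricted)\b')
        [pscustomobject]@{
            Section        = $e.Section
            Index          = $e.Index
            CmdLine        = $e.CmdLine
            Parameters     = $e.Parameters
            PolicyOverride = if ($m.Success) { $m.Groups[1].Value } else { $null }
        }
    }
}

# Constructed sample of a scripts.ini file (not taken from a real GPO).
$sample = @'
[Startup]
0CmdLine=%windir%\System32\WindowsPowerShell\v1.0\powershell.exe
0Parameters=-Noninteractive -ExecutionPolicy Bypass -Noprofile -file %~dp0MyPSScript.ps1
1CmdLine=inventory.cmd
1Parameters=
[Shutdown]
0CmdLine=powershell.exe
0Parameters=-ep AllSigned -File cleanup.ps1
'@ -split "`r?`n"

Get-GpoScriptEntry -Line $sample | Where-Object PolicyOverride | Format-List
```

Against a real domain, feed the function the output of `Get-Content` for each scripts.ini found with `Get-ChildItem -Recurse -Force` under the Policies folder in SysVol (the files are hidden, hence `-Force`).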

8 comments

Ric March 7, 2018 - 4:20 pm

How would you specify -NoProfile in your first GPO example?

MrMattiPants May 4, 2021 - 9:10 pm

Fashionably late as always.
Regardless, you could simply create a .BAT Script, with the following Commands, to accompany your PowerShell Script.

@echo off
%windir%\System32\WindowsPowerShell\v1.0\powershell.exe -Noninteractive -ExecutionPolicy Bypass -Noprofile -file %~dp0MyPSScript.ps1
exit

David October 8, 2019 - 5:57 pm

Script runs fine locally with elevated PowerShell; however, in testing by \\ to sysvol I am getting an "access is not allowed" and "permission denied" on the registry key. Full error message below:
Set-ItemProperty : Requested registry access is not allowed.
At \\ts-dc02\SYSVOL\thirdsecurity.com\Policies\{16088BE5-A9DA-4A1C-A4A2-9B52C8B9714D}\Machine\Scripts\Startup\DisableNB
NS.ps1:2 char:34
+ … |foreach { Set-ItemProperty -Path “$regkey\$($_.pschildname)” -Name …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (HKEY_LOCAL_MACH…7-d2d2f7c2680f}:String) [Set-ItemProperty], Securit
yException
+ FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.SetItemPropertyCommand

alvin February 14, 2020 - 4:42 pm

Hello, regarding the section on “Configure Logon Script Delay”: I think you really wanted “Specify startup policy processing wait time”, as you are setting up a startup script, not a logon script. You want the network stack to fully load before attempting to run the startup scripts.

alvin February 14, 2020 - 5:57 pm

Thanks for your post it pointed me in the right direction

Gabriel Luiz August 13, 2020 - 7:57 pm

I could do an article explaining step by step more using user configuration.
It was not well explained how to do this process.

Jason Gallas October 14, 2020 - 5:48 pm

Please do! I am trying to get the logon script to work and it’s not working.

Deleting user profiles via powershell at shutdown via GPO November 2, 2020 - 3:21 pm

[…] end up just running a bat file to run the ps file, as it's easier, but you can also do it this way Running PowerShell Startup (Logon) Scripts Using GPO | Windows OS Hub Better way is to sign your scripts […]
