Windows OS Hub
  • Windows Server
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Group Policies
  • Windows Clients
    • Windows 10
    • Windows 8
    • Windows 7
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
  • PowerShell
  • Exchange
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Group Policies
  • Windows Clients
    • Windows 10
    • Windows 8
    • Windows 7
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
  • PowerShell
  • Exchange

 Windows OS Hub / Group Policies / Running PowerShell Startup (Logon) Scripts Using GPO

July 19, 2019 Group PoliciesPowerShell

Running PowerShell Startup (Logon) Scripts Using GPO

Group Policy allows you to run various script files at a computer startup/shutdown or during user logon/logout. You can use GPOs not only to run classic batch files on a domain computers (.bat, .cmd, .vbs), but also to execute PowerShell scripts (.ps1) during Startup/Shutdown/Logon/Logoff.

In modern operating systems (Windows 10 / Windows Server 2016), you can configure the logon/startup PowerShell scripts directly from the domain GPO editor.

Before Windows 7 and Windows Server 2008 R2, it was impossible to directly run PowerShell files from a GPO (it was necessary to call the .ps1 file from .bat batch file as a parameter of the powershell.exe executable).

Run the domain policy management console – GPMC.msc (Group Policy Management), create a new policy and link it to the desired Active Directory container (OU) with users or computers (you can use WMI GPO filters for fine policy targeting). Switch to policy Edit mode.

You must select a GPO section to run the PowerShell script, depending on when you want to execute your PS1 script:

  • If you want to run a PS script when a user logon (logoff) to a computer (to configure user’s environment settings, programs, for example: you want to automatically generate an Outlook signature based on the AD user properties, adjust screensaver or Start layout settings), you need to go to the GPO section: User Configuration -> Policies -> Windows Settings -> Scripts (Logon / Logoff);
  • If you want to run the PowerShell script at a computer startup (to disable outdated protocols: NetBIOS and LLMNR, SMBv1, configure computer security settings, etc.) or before the computer shutdown, you need to go to the GPO section with the computer settings: Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup / Shutdown).

Configuring PowerShell Startup Scripts with Group Policy

Suppose, we have to run the PowerShell script at a computer startup. Select the Startup policy, and go to the PowerShell Scripts tab in the next window.

running PowerShell Scripts from GPO

Now you need to copy the file with your PowerShell script to the domain controller. Click the Show Files button and drag the file with the PowerShell script (ps1 extension) into the opened File Explorer window (the console will automatically open the folder \\yourdomainname\SysVol\yourdomainname\Policies\{Your_GPO_GUID }\Machine\Scripts\Startup of your policy in the SysVol on the nearest AD domain controller).

placing powershell script to Sysvol

Since we configure the Startup PowerShell script, you need to check the NTFS “Read&Execute” permissions for the Domain Computers group in the ps1 file permissions (or check the permissions on the entire Machine\Scripts\Startup folder).

powershell script ntfs execute permissions for domain computers

Now click Add and add the copied .PS1 script file to the list of scripts to be run by the PowerShell policy.

configure PowerShell Startup Script with GPO

If you run multiple PowerShell scripts through a GPO, you can control the order in which the scripts are executed using the Up/Down buttons.

To correctly run PowerShell scripts during computer startup, you need to configure the delay time before scripts launch using the policy in the Computer Configuration -> Administrative Templates -> System -> Group Policy section. Enable the “Configure Logon Script Delay” policy and specify a delay in minutes before starting the logon scripts (sufficient to complete the initialization and load all necessary services). It is usually enough to set up here for 1-2 minutes.

Logon Script Delay policy

By default, Windows security settings do not allow running PowerShell scripts. The current value of the PowerShell script execution policy setting can be obtained using the Get-ExecutionPolicy cmdlet. If the policy is not configured, the command will return Restricted (any scripts are blocked). The security settings for running the PowerShell script can be configured via the “Turn On Script Execution” policy (in the GPO Computer Configuration section -> Administrative Templates -> Windows Components -> Windows PowerShell). Possible policy values:

  • Allow only signed scripts (AllSigned) – you can run only signed PowerShell scripts (“How to digitally sign a PowerShell script?”) — this is the best option from a security perspective;
  • Allow local scripts and remote signed scripts (RemoteSigned) – you can run any local and signed remote scripts;
  • Allow all scripts (unrestricted) – the most insecure option, because allows executing any PowerShell scripts.

powershell script execution policy

If not one of the setting of the PowerShell scripts execution policy is suitable for you, you can run PowerShell scripts in the Bypass mode (scripts are not blocked, warnings do not appear).

To do this, the PowerShell script must be run from the Startup -> Scripts section. In this section, you can configure ps1 script to run by creating the usual Startup batch file that runs the powershell.exe executable file (similar to the script described in the article). Specify:

  • Script Name: %windir%\System32\WindowsPowerShell\v1.0\powershell.exe
  • Script Parameters: -Noninteractive -ExecutionPolicy Bypass –Noprofile -file %~dp0MyPSScript.ps1

run powershell.exe with args via group policy

The term  %~dp0 when launched on the client is automatically converted to the UNC path to the script directory on SYSVOL.

As you can see, in this case you allowed running untrusted PoSh scripts by specifying Bypass parameter of the ExecutionPolicy.

7 comments
5
Facebook Twitter Google + Pinterest
previous post
VMWare: Virtual Machine Disks Consolidation is Needed
next post
SSL Error: This Site Can’t Provide a Secure Connection in Chrome, Opera & Chromium

Related Reading

How to Sign a PowerShell Script (PS1) with...

February 25, 2021

Configuring PowerShell Script Execution Policy

February 18, 2021

Configuring Proxy Settings on Windows Using Group Policy...

February 17, 2021

Updating Group Policy Settings on Windows Domain Computers

February 16, 2021

How to Find Inactive Computers and Users in...

January 29, 2021

7 comments

Ric March 7, 2018 - 4:20 pm

How would you specify -NoProfile in your first GPO example?

Reply
David October 8, 2019 - 5:57 pm

Script runs fine locally with elevated powershell, however, in testing by \\ to sysvol I am getting an access is not allow and permissiondenied on the registry key. Full error message below:
Set-ItemProperty : Requested registry access is not allowed.
At \\ts-dc02\SYSVOL\thirdsecurity.com\Policies\{16088BE5-A9DA-4A1C-A4A2-9B52C8B9714D}\Machine\Scripts\Startup\DisableNB
NS.ps1:2 char:34
+ … |foreach { Set-ItemProperty -Path “$regkey\$($_.pschildname)” -Name …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (HKEY_LOCAL_MACH…7-d2d2f7c2680f}:String) [Set-ItemProperty], Securit
yException
+ FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.SetItemPropertyCommand

Reply
alvin February 14, 2020 - 4:42 pm

Hello regarding the section on “Configure Logon Script Delay”. I think you really wanted to “Specify startup policy processing wait time” as you are setup up a Start up Script not a logon script. You want the the network stack to fully load before attempt to run the startup scripts.

Reply
alvin February 14, 2020 - 5:57 pm

Thanks for your post it pointed me in the right direction

Reply
Gabriel Luiz August 13, 2020 - 7:57 pm

I could do an article explaining step by step more using user configuration.
It was not well explained how to do this process.

Reply
Jason Gallas October 14, 2020 - 5:48 pm

Please do! I am trying to get the logon script to work and it’s not working.

Reply
Deleting user profiles via powershell at shutdown via GPO November 2, 2020 - 3:21 pm

[…] end up just running a bat file to run the ps file, as it's easier, but you can also do it this way Running PowerShell Startup (Logon) Scripts Using GPO | Windows OS Hub Better way is to sign your scripts […]

Reply

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange
  • Windows 10
  • Windows 8
  • Windows 7
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2008 R2
  • PowerShell
  • VMWare
  • MS Office

Recent Posts

  • Accessing USB Flash Drive from VMWare ESXi

    February 26, 2021
  • How to Sign a PowerShell Script (PS1) with a Code Signing Certificate?

    February 25, 2021
  • Change the Default Port Number (TCP/1433) for a MS SQL Server Instance

    February 24, 2021
  • How to Shadow (Remote Control) a User’s RDP session on RDS Windows Server 2016/2019?

    February 22, 2021
  • Configuring PowerShell Script Execution Policy

    February 18, 2021
  • Configuring Proxy Settings on Windows Using Group Policy Preferences

    February 17, 2021
  • Updating Group Policy Settings on Windows Domain Computers

    February 16, 2021
  • Managing Administrative Shares (Admin$, IPC$, C$, D$) in Windows 10

    February 11, 2021
  • Packet Monitor (PktMon) – Built-in Packet Sniffer in Windows 10

    February 10, 2021
  • Fixing “Winload.efi is Missing or Contains Errors” in Windows 10

    February 5, 2021

Follow us

woshub.com
  • Facebook
  • Twitter
  • RSS
Popular Posts
  • How to Configure Google Chrome Using Group Policy ADMX Templates?
  • Updating List of Trusted Root Certificates in Windows 10/8.1/7
  • Allow RDP Access to Domain Controller for Non-admin Users
  • Backup/Restore and Export Local Group Policy Settings to Another Computer
  • How to Show/Hide All User Accounts from Login Screen in Windows 10?
  • Reset Local Group Policy Settings in Windows
  • How to Block USB Drives in Windows using Group Policy?
Footer Logo

@2014 - 2018 - Windows OS Hub. All about operating systems for sysadmins


Back To Top