Running PowerShell Startup (Logon) Script Using GPO | Ranjan.info

Windows Group Policy allows you to run script files at computer startup/shutdown or during user logon/logoff. You can use GPOs not only to run classic logon scripts (.bat, .cmd, .vbs) on domain computers, but also to execute PowerShell scripts (.ps1) at startup/shutdown/logon/logoff.

In modern versions of Windows, you can run logon/logoff PowerShell scripts directly from the GPO editor (previously you had to call the powershell.exe executable from a .bat batch file, passing the .ps1 file as a parameter).

Run the Domain Group Policy Management Console (GPMC.msc), create a new policy (GPO), and link it to the target Active Directory container (OU) with the users or computers (you can use a WMI GPO filter for fine-grained policy targeting). Then switch to policy editing mode.

Depending on when you want your PS1 script to execute, select the GPO section in which to configure the PowerShell script:

  • If you want to run a PS script when a user logs on to (or off from) a computer (to configure the user's environment settings or programs: for example, to automatically generate an Outlook signature based on AD user properties, or to customize screensaver or Start screen settings), go to the GPO section User Configuration -> Policies -> Windows Settings -> Scripts (Logon/Logoff);
  • If you want to run PowerShell scripts at computer startup (to disable legacy protocols such as NetBIOS, LLMNR and SMBv1, configure computer security settings, etc.) or before the computer shuts down, go to the computer section of the GPO: Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup/Shutdown).

How to run PowerShell script on Windows startup with Group Policy?

Suppose we need to run a PowerShell script at computer startup. Select the Startup policy and go to the PowerShell Scripts tab.

Running a PowerShell script from a GPO

Now you need to copy your PowerShell script file to the domain controller. Copy the .ps1 file to the Netlogon directory on the domain controller (for example, \\woshub.com\netlogon).

Since we are configuring a startup PowerShell script, make sure the NTFS permissions of the .ps1 file grant Read and Execute to the Domain Computers and/or Authenticated Users group.

Copy your GPO startup PowerShell script file to the Netlogon folder on the domain controller

Now click Add and specify the UNC path to your .ps1 script file in Netlogon.
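As an added example of what the script placed in Netlogon might look like (this is not the article's own code): a startup script that performs the hardening tasks mentioned earlier, disabling LLMNR, NetBIOS over TCP/IP and the SMBv1 server protocol, and logs every step to a local file. The log path and the registry key are assumptions; the script runs as SYSTEM at boot, so nothing here prompts or needs a user session.

```powershell
# Added example startup script (not from the article): hardening tasks with a local log.
# Assumed log location; adjust to your environment.
$LogFile = "$env:ProgramData\StartupScript.log"

function Write-Log {
    param([string]$Message)
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
}

Write-Log "Startup script started on $env:COMPUTERNAME as $env:USERNAME"

try {
    # 1. Disable LLMNR (multicast name resolution) through the DNS client policy key.
    $dnsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    if (-not (Test-Path $dnsKey)) { New-Item -Path $dnsKey -Force | Out-Null }
    Set-ItemProperty -Path $dnsKey -Name 'EnableMulticast' -Value 0 -Type DWord
    Write-Log 'LLMNR disabled (EnableMulticast=0)'

    # 2. Disable NetBIOS over TCP/IP on every IP-enabled adapter.
    #    SetTcpipNetbios: 0 = use DHCP setting, 1 = enable, 2 = disable.
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $result = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = 2 }
            Write-Log ("NetBIOS disabled on '{0}' (return code {1})" -f $_.Description, $result.ReturnValue)
        }

    # 3. Disable the SMBv1 server protocol (Windows 8.1 / Server 2012 R2 and newer).
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Log 'SMBv1 server protocol disabled'
    }
    else {
        Write-Log 'SMBv1 server protocol already disabled'
    }
}
catch {
    # A startup script that throws leaves the machine half-configured with no
    # visible error, so record the failure and return a non-zero exit code.
    Write-Log "ERROR: $($_.Exception.Message)"
    exit 1
}

Write-Log 'Startup script finished'
```

Because every change is written to the log with a timestamp, you can confirm on any client that the script actually ran after the reboot, rather than relying only on the GPO result.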

If you run multiple PowerShell scripts through a GPO, you can control the order in which the scripts are executed using the Up and Down buttons.

In order for PowerShell scripts to run correctly at computer startup, configure the delay before the script is launched using the Configure Logon Script Delay policy in the Computer Configuration -> Administrative Templates -> System -> Group Policy section. Enable it and specify a delay in minutes (enough to complete initialization and load all required services) before the policy and logon scripts start. Usually 1 or 2 minutes is enough here.

Logon script delay policy

If your PowerShell script uses Windows networking, you will also need the Specify startup policy processing wait time option (Computer Configuration -> Policies -> Administrative Templates -> System -> Group Policy). You can start with 60 seconds here. After you enable this policy, the computer will wait up to 60 seconds for network availability notifications before running your startup script. This is usually enough time to initialize the Windows networking stack.

GPO parameter: Specify startup policy processing wait time

On Windows Server 2012 R2 and Windows 8.1 and newer, PowerShell scripts in GPOs are run in Bypass mode from the NetLogon directory. This means that the PowerShell script execution policy settings are ignored. If you want to run scripts from a different shared folder, or if you still have Windows 7 or Windows Server 2008 R2 clients on your network, you need to configure the PowerShell script execution policy.

By default, Windows security settings do not allow running PowerShell scripts. The current value of the PowerShell script execution policy can be obtained using the Get-ExecutionPolicy cmdlet. If the policy is not configured, the command returns Restricted (all scripts are blocked). The security settings for running PowerShell scripts can be configured via the Turn on Script Execution policy (in the GPO section Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell). Possible policy values:

  • Allow only signed scripts (AllSigned) – you can only run signed PowerShell scripts (see "How to digitally sign a PowerShell script?"); this is the best option from the security point of view;
  • Allow local scripts and remote signed scripts (RemoteSigned) – you can run any local script and signed remote scripts;
  • Allow all scripts (Unrestricted) – the most insecure option, as it allows any PowerShell script to run.
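As an added example (not code from the article) of operating with the AllSigned option, the following signs a script with a code-signing certificate from the signer's personal store and then verifies the signature the way a client would before the script is published to Netlogon. The script path, the certificate selection and the timestamp server URL are assumptions to adapt to your environment.

```powershell
# Added example: sign a logon script and verify it, so it runs under AllSigned.
$ScriptPath = '\\woshub.com\netlogon\MyPSScript.ps1'   # assumed location

# Show the policy in effect at each scope; the first non-Undefined scope wins.
Get-ExecutionPolicy -List

# Pick a valid code-signing certificate from the signer's personal store
# (issued by your internal CA, so domain computers already trust it).
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Select-Object -First 1
if (-not $cert) { throw 'No valid code-signing certificate found in Cert:\CurrentUser\My' }

# Sign the script. The timestamp keeps the signature valid after the certificate expires.
# Timestamp server URL is an assumption; use the one your CA recommends.
$sig = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com'
if ($sig.Status -ne 'Valid') {
    throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)"
}

# Verify as a client would. Any edit to the file after signing turns Status into
# 'HashMismatch', and an AllSigned client will then refuse to run it.
$check = Get-AuthenticodeSignature -FilePath $ScriptPath
"{0}: {1} (signed by {2})" -f $ScriptPath, $check.Status, $check.SignerCertificate.Subject
```

Re-run the last two lines whenever the file in Netlogon changes: a script that has been modified after signing is exactly the case AllSigned is meant to block, and the verification tells you that before clients start failing silently.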

PowerShell script execution policy

If none of the PowerShell script execution policy settings are suitable for you, you can run PowerShell scripts in Bypass mode (scripts are not blocked, and no warnings appear).

To do this, run the PowerShell script from the Scripts tab of the Startup policy (rather than the PowerShell Scripts tab). On this tab you run your PS1 script by calling the powershell.exe executable, similar to the batch-file approach mentioned above:

  • Script Name: %windir%\System32\WindowsPowerShell\v1.0\powershell.exe
  • Script Parameters: -Noninteractive -ExecutionPolicy Bypass -Noprofile -file %~dp0MyPSScript.ps1

Run powershell.exe with arguments via Group Policy

%~dp0 is a batch variable that is automatically expanded to the UNC path of the directory the script is run from (in this case, NETLOGON).

In this case, however, the Bypass parameter allows any (even untrusted) PowerShell script to run.

Reboot your computer to update the GPO settings and check that your PowerShell scripts run after Windows boots.

Run Windows PowerShell script on user logon/logoff

Let’s see how to run a PowerShell script automatically when a user logs in (or logs out) to Windows.

If you need to run the script not at computer startup but after a user has logged into Windows (for each user on the computer), you need to link the GPO to the Active Directory OU containing the users. In this case, the PowerShell script is configured in the User Configuration section of your GPO.

If you want the policy to apply to all users of a specific computer, you need to enable the Configure user Group Policy loopback processing mode parameter (Computer Configuration -> Administrative Templates -> System -> Group Policy) in a policy linked to the OU containing the computer. If you do not enable loopback processing, the parameters in the User Configuration section will not be applied to the user. For more details, see the post Group Policy Not Apply to User or Computer.

In this example, I’ll use a simple PowerShell script that writes the user’s login time to a text log file.

  1. Copy your PowerShell script file to the \\woshub.com\NETLOGON\ folder on the Active Directory domain controller;
  2. Go to User Configuration -> Policies -> Windows Settings -> Scripts -> Logon;
  3. Go to the PowerShell Scripts tab and add your PS1 script file (e.g., use the UNC path \\woshub.com\NETLOGON\UserLog.ps1);
  4. Re-login the user on the target computer;
  5. Your PowerShell script will automatically launch via GPO when the user logs in;
  6. You can verify that the user logon script was executed successfully by event ID 5018 in the Microsoft-Windows-GroupPolicy/Operational log in Event Viewer:
    Completed Logon script for woshub\jsmith in 11 seconds.

    GPO logon script execution event in Event Viewer
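The article mentions a simple script that writes the user's login time to a text log but does not show it. The following is an added example (not the article's own UserLog.ps1): it appends one record per logon to a per-user CSV on a share and also records whether the script is running with an elevated token, which makes the UAC behaviour described later on this page visible in the log. The second part is an administrator-side check that queries the event ID 5018 records the verification step refers to. The share path and the fallback log location are assumptions.

```powershell
# Added example logon script (not the article's file). Assumed share; users need Modify
# rights on it so each user can append to their own file.
$LogShare = '\\woshub.com\netlogon\logs'
$LogFile  = Join-Path $LogShare "$env:USERNAME.log"

# Is this script running with an elevated (administrator) token? Under UAC a plain
# GPO logon script for an admin user reports False here, which is why changes that
# need elevation fail silently.
$principal  = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
$isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

$record = [PSCustomObject]@{
    Time     = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    User     = "$env:USERDOMAIN\$env:USERNAME"
    Computer = $env:COMPUTERNAME
    Elevated = $isElevated
}

try {
    $record | Export-Csv -Path $LogFile -Append -NoTypeInformation -Encoding UTF8
}
catch {
    # Logon scripts fail invisibly from the user's point of view; keep the evidence
    # in a local file (assumed location) rather than losing it.
    $fallback = Join-Path $env:LOCALAPPDATA 'UserLog-error.log'
    Add-Content -Path $fallback -Value ("{0} could not write {1}: {2}" -f $record.Time, $LogFile, $_.Exception.Message)
}

# ---- Administrator-side check, run separately on the client ----------------------
# Event 5018 in the Group Policy Operational log is the "Completed Logon script" record
# quoted above. This returns the completions from the last N hours.
function Get-LogonScriptCompletionEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        Id        = 5018
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}
```

If Get-LogonScriptCompletionEvents returns nothing for a user who has logged on, the script never completed on that client; compare with the per-user CSV to tell a script that did not start from one that started but could not reach the share.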

If you do not want the user to be able to access their desktop until the script finishes, enable the GPO parameter Run logon scripts synchronously (Computer Configuration -> Administrative Templates -> System -> Logon). In this case, the Explorer.exe process will not start until all policies and logon scripts have completed (this increases user logon time!).

Note that the script is run with the current user permissions. If the user has administrative privileges on the computer and User Account Control (UAC) settings are enabled, a PowerShell script cannot make changes that require elevated privileges.

To run PowerShell logon scripts with elevated user permissions, you can use a Task Scheduler task.

  1. Create a new Task Scheduler task under User Configuration -> Preferences -> Control Panel Settings -> Scheduled Tasks;
  2. On the General tab, specify that the task is started on behalf of the current user %LogonDomain%\%LogonUser% and enable the Run with highest privileges option;
  3. On the Triggers tab, specify that the task should be started At log on;
  4. Specify the path to your PowerShell script file on the Actions tab:

Action: Start a program
Program/script: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
Add arguments (optional): -ExecutionPolicy Bypass -command "& \\woshub.com\Netlogon\Your_PS_Script.ps1"

Learn more about configuring Windows Scheduler tasks via GPO.

Such a PowerShell script will run as administrator (if the domain user is added to the local administrators group).

Some logon scripts need to run only once for each user, on their first logon to the computer (setting up the work environment, copying folders or configuration files, creating shortcuts, etc.). Here is a simple trick that allows you to run a script only once using a GPO.
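One common way to get run-once behaviour from a logon script, given here as an added illustration rather than the specific trick the article goes on to describe: the script records a marker under HKCU (which is per-user) named after the computer, so the one-time work still happens on the first logon to each new machine. The registry key and the copied file paths are assumptions.

```powershell
# Added example: run the one-time part of a logon script only on first logon
# per user and computer. Key name and file paths are assumptions.
$MarkerKey  = 'HKCU:\Software\Woshub\LogonScripts'
$MarkerName = "FirstLogonDone_$env:COMPUTERNAME"

function Test-FirstLogon {
    # $true if the one-time work has not been recorded for this user on this computer.
    if (-not (Test-Path $MarkerKey)) { return $true }
    $null -eq (Get-ItemProperty -Path $MarkerKey -Name $MarkerName -ErrorAction SilentlyContinue)
}

function Set-FirstLogonDone {
    if (-not (Test-Path $MarkerKey)) { New-Item -Path $MarkerKey -Force | Out-Null }
    # Store the completion time; useful when investigating "why did it run again?"
    Set-ItemProperty -Path $MarkerKey -Name $MarkerName -Value (Get-Date -Format 'o')
}

if (Test-FirstLogon) {
    # One-time work goes here, e.g. seed a per-user configuration file.
    $dest = Join-Path $env:APPDATA 'MyApp'
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Copy-Item -Path '\\woshub.com\netlogon\profile\settings.ini' `
              -Destination (Join-Path $dest 'settings.ini') -Force

    # Write the marker only after the work succeeded: if Copy-Item throws
    # (share unreachable), the script will retry at the next logon.
    Set-FirstLogonDone
}
```

Keeping the marker in HKCU rather than in HKLM means it travels with the user's profile and needs no elevated rights to write, which matters because, as noted above, a GPO logon script runs with the user's own permissions.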
