Windows Group Policy allows you to run various script files at a computer startup/shutdown or during user logon/logoff. You can use GPOs not only to run classic batch logon scripts on domain computers (.bat, .cmd, .vbs), but also to execute PowerShell scripts (.ps1) during Startup/Shutdown/Logon/Logoff. (adsbygoogle = window.adsbygoogle []).push();

PowerShell GPMC scripts

In modern versions of Windows, you can directly run logon/logoff PowerShell scripts from a GPO editor (previously it was necessary to call the .ps1 file from the .bat batch file as a parameter of the powershell.exe executable).

If you run multiple PowerShell scripts through a GPO, you can control the order in which the scripts are executed using the Up/Down buttons.(adsbygoogle = window.adsbygoogle []).push();

On Windows Server 2012R2 and Windows 8.1 and newer, PowerShell scripts in GPO are run from the NetLogon directory in the Bypass mode. This means that PowerShell Script Execution Policy settings are ignored. If you want to run a script from a different shared folder, or if you still have Windows 7 or Windows Server 2008R2 clients on your network, you need to configure the PowerShell script execution policy.

If not one of the settings of the PowerShell scripts execution policy is suitable for you, you can run PowerShell scripts in the Bypass mode (scripts are not blocked, and warnings do not appear).

To do this, run the PowerShell script from the Startup -> Scripts section. In this section, you can run your PS1 script by calling the powershell.exe executable (similar to the script described in the article). Set:

Action: Start a programProgram/Script: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exeAdd Arguments (optional): -ExecutionPolicy Bypass -command "& \\woshub.com\Netlogon\Your_PS_Script.ps1"

Some logon scripts need to be run for each user only once at the first login to the computer (initialization of the working environment, copying folders or configuration files, creating shortcuts, etc.). Here is a simple trick that allows you to run a script only once using GPO.

This topic describes how to install and use scripts on a domain controller. If you want information about script use for the local computer, see Working with startup, shutdown, logon, and logoff scripts using the Local Group Policy Editor.

You can use Windows PowerShell scripts, or author scripts in any other language supported by the client computer. Windows Script Host (WSH) supported languages and command files are also used, including VBScript and Jscript.

Startup Scripts for : Lists all the scripts that currently are assigned to the selected GPO. If you assign multiple scripts, the scripts are processed in the order that you specify. To move a script up in the list, click it, and then click Up. To move a script down in the list, click it, and then click Down.

Startup scripts that run asynchronously will not be visible. Enabling the Run Startup Scripts Visible Group Policy setting has no effect when you are running startup scripts asynchronously.

Shutdown Scripts for : Lists all the scripts that are currently assigned to the selected Group Policy object (GPO). If you assign multiple scripts, the scripts are processed in the order that you specify. To move a script up in the list, click it, and then click Up. To move a script down in the list, click it, and then click Down.

Logon Scripts for : Lists all the scripts that currently are assigned to the selected Group Policy object (GPO). If you assign multiple scripts, the scripts are processed in the order that you specify. To move a script up in the list, click it, and then click Up. To move a script down in the list, click it, and then click Down.

Logoff Scripts for : Lists all the scripts that currently are assigned to the selected Group Policy object (GPO). If you assign multiple scripts, the scripts are processed in the order that you specify. To move a script up in the list, click it, and then click Up. To move a script down in the list, click it, and then click Down.

Enabling the script block logging PowerShell policy will store all PowerShell script input into the Microsoft-Windows-PowerShell/Operational event log. This will log various code blocks as PowerShell runs them including commands and scripts. This policy also does not log the output of the PowerShell that was run.

The tool actually needs to run elevated, because otherwise it is not allowed to do the changes it needs to do. This is usually the case when you run the tool on the machine locally and do changes specific to that machine. In that case you need to elevate the console before you run the command. This can be done directly from powershell using:

In my last 2 blog post I covered the creation of group policy objects for distributing certificates to all computers in a domain and enable Network Level Authentication on them plus also covered how to create and use WMI filters to specify which machines a Group Policy Object should apply to. On this blog post I will cover how to do this with Windows 2008 R2 built in PowerShell Module and some external ones from SDM Software. The GPO that we will be creating is to disable RDP on none Vista, Windows 7 and Windows 2008 hosts since following the other blog posts these do not support NLA on their Remote Desktop Service. We will use PowerShell on a Windows 2008 R2 Domain Controller. Since we are going to use external scripts we would first start modifying the execution policy this is done by running the Set-ExecutionPolicy command to allow local scripts to execute without the need of being signed. PS C:\Windows\system32> Set-ExecutionPolicy remotesignedExecution Policy ChangeThe execution policy helps protect you from scripts that you do not trust. Changing the execution policy might exposeyou to the security risks described in the about_Execution_Policies help topic. Do you want to change the executionpolicy?[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): yPS C:\Windows\system32>

As stated by the command this could be a potential security risk so do remember to re-run the command at the en with the execution policy of Restricted. Before we start creating group policy objects and linking them we should create a WMI Filter that we will attach to the policy. I took the liberty to write one based on another one I saw in the Microsoft Scripting Repository that will create a series of base filters for you when ran in a Domain Controller running Windows 2008 or Windows 2008 R2. You can download the script from my GitHub account at _scripts/blob/master/create-wmifilters.ps1 the script will make the necessary changes to the registry to allow modification of attributes locally on the box thus allowing us to add the filters. The script is ran from a PoweShell Window providing the path like any other PowerShell script:

There is no way to use the in-the-box Group Policy PowerShell cmdlets to create WMI Filters. For that, there is a Group Policy WMI filter cmdlet module available. I downloaded the module and placed it in my scripts folder, c:\webster. There was an issue for me and I had to change one line in the module.

One way to address these and other PowerShell scripting challenges is to use a portal tool. Although these offerings vary in scope, they generally serve a similar purpose: apply a PowerShell front end to scripts to make them available to users who are not PowerShell experts. Such tools also commonly handle all the required permissions. WebJEA is an attractive offering because of its features and the fact that it is free, but there are several other PowerShell automation tools organizations can investigate to see if one is a better choice.

PowerShell Universal is more than a tool to build a GUI for PowerShell scripts. PowerShell Universal has rich features and offers advanced capabilities, such as rate limiters and token-based authentication.

PowerShell Universal takes its front-end capabilities a step further by integrating with standard HTTP requests and supporting custom responses. Additionally, PowerShell Universal can convert PowerShell scripts into desktop applications that run on a local machine.

System Frontier dynamically generates a web front end for PowerShell scripts. The tool provides granular control over permissions and maintains a detailed activity log that helps with audits and compliance tasks.

A feature unique to System Frontier is it works with a variety of scripting languages, not just PowerShell. This enables an IT team to bring PowerShell, Python and other scripts together in a single repository and generate web front ends for all of them.

Runbooks are essentially a collection of automated steps that can be initiated by an event or by an authorized user. For example, an organization might set up a runbook to automate adding a new user to Active Directory or to restart a Windows service. Rundeck uses Windows Remote Management to run scripts on remote machines.

WebJEA is a free tool that creates web forms for PowerShell scripts. It can give users the rights to run specific scripts. WebJEA enables adjustment of the settings so users only see the scripts they have permission to run.

WebJEA requires a domain-joined server running Windows Server 2016 or higher and PowerShell 5.1. The server needs sufficient memory and CPU resources to process PowerShell scripts, but the amount of hardware resources required varies widely based on the workload.

Hi Lain,Thank you for your reply!As I stated above, this script needs to run every time one particular user logs in. Not every user and not the computer itself.I tried to find a Group Policy community here but I cannot find one. Honestly, I'm not sure exactly where the problem lies. The script can be executed from the command line but nothing happens if GPO is expected to run the script.The only thing I have found so far in searching is that it's recommended to use the full path to powershell.exe in your command line. I'm attempting to do this now but I am having issues remoting into the affected client to check the result. I will look at Event Viewer as you suggested above.Thank you,Rob 2ff7e9595c