Logon scripts have been part of IT since the Stone Age it seems. Eventually we were also given logoff scripts for users as well as startup and shutdown scripts for computers. In the past these scripts were often written in VBScript. But now that we have PowerShell, we have another option.

Jeffery Hicks

Jeffery Hicks is a multi-year Microsoft MVP in Windows PowerShell, Microsoft Certified Professional and an IT veteran with 25 years of experience specializing in automation. He works today as an author, trainer and consultant.

Even though I am going to show you how to set up a Group Policy to run a PowerShell script, I encourage you to think about what you really need to accomplish. Many people still use logon scripts, for example, to do things that can now be done as a Group Policy preference such as mapped drives and printers. In fact Group Policy has come so far since the days of Windows 2000 that many organizations don’t really need a logon script. But if you think you do, the only things you should do in the script are those things for which there is no Group Policy setting. In other words, the exceptions.

Requirements

Now before you get too excited, realize that your clients must be running at least Windows 7 or Windows Server 2008 R2. And while not a requirement, I’m going to encourage you to be running at least PowerShell 3.0. Remember that logon scripts run under the credential of the current user, so it only makes sense that your logon script performs tasks specific to the user. Computer scripts should run under the system context, which should give you more leeway. One area you might need to test is whether your computer script, e.g. startup or shutdown, needs to access network resources. Credentials may be an issue.

I also encourage you to test your scripts interactively first to verify they work. Because the script runs in the background and is invisible to the user, I also suggest testing your script as a background job. If it runs as a background job, the odds are it will run as a Group Policy script.
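The background-job test suggested above can be scripted. This is an added example, not code from the original article; `C:\Scripts\Logon.ps1` is a hypothetical path and the 60-second limit is an arbitrary assumption.

```powershell
# Added example: run a candidate logon script as a background job and report
# anything that would otherwise fail silently when Group Policy runs it.
# $ScriptPath is a hypothetical location; point it at your own script.
$ScriptPath = 'C:\Scripts\Logon.ps1'

# The job runs non-interactively under the current user's credentials,
# which is the same context a logon script gets.
$job = Start-Job -FilePath $ScriptPath

# Wait-Job returns nothing on timeout. A script that blocks (for example on a
# prompt) would stall here just as it would stall at logon.
$finished = $job | Wait-Job -Timeout 60
if (-not $finished) {
    Write-Warning "Script still running after 60 seconds (state: $($job.State))."
    $job | Stop-Job
}

# Collect output and errors from the job without writing them to the host.
$output = $job | Receive-Job -ErrorAction SilentlyContinue -ErrorVariable jobErrors

# Summarize the run as one object so it can be logged or compared between tests.
[pscustomobject]@{
    Script   = $ScriptPath
    State    = $job.State
    HadError = ($jobErrors.Count -gt 0) -or ($job.State -eq 'Failed')
    Errors   = @($jobErrors | ForEach-Object { $_.ToString() })
    Output   = $output
}

$job | Remove-Job -Force
```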

Finally, I want to point out that Group Policy scripts will always run, regardless of your local script execution policy. Even if your execution policy is Restricted, Group Policy scripts will still run using a Bypass policy. The assumption is that if you have set up a Group Policy to run a script, you know what the script will do and are taking adequate steps to protect it.

Creating the policy

Let’s create a policy. In the screenshot below you can see I have the Group Policy Management console open. I’ve created an empty GPO called PowerShell Scripts and linked it to the MyTest organizational unit.

Group Policy Management Console


Edit the policy and navigate in the User node to the location shown below.


Logon / Logoff scripts

Double-click on the type of script you want to create. I’m going to create a logon script, which brings up the dialog in the next screenshot.

PowerShell scripts require at least Windows 7 or Windows Server 2008 R2


I’ve highlighted the fact that scripts need at least Windows 7 or Windows Server 2008 R2. Because it is possible you may have other types of scripts to run as well, you can control when PowerShell scripts are run in the drop-down box as seen below.

Control when PowerShell scripts are run

For my test I’m going to run PowerShell scripts last. Now I need to add a script. The best approach is to click the Show Files button which will open an Explorer window for the GPO. Open another window with your script folder. Then simply drag and drop the file or files to the GPO as I do in the next screenshot.

Add PowerShell script to GPO


The files in the Logon folder will replicate and should be pretty secure. Once the file is copied I can go back to the Logon Properties dialog and click the Add button. I find it easiest to browse.

Browse logon scripts

This opens up the browse window again. Select the script and click Open. If your script requires parameters, you can insert them as well. If all goes well you should end up with the following screenshot.

Logon properties


At this point the policy is complete. If you want to create a computer startup or shutdown script you would follow a similar process except under the Computer node.
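Because Group Policy scripts run under a Bypass execution policy, write access to the GPO's script folder is what protects them. The check below is an added example, not part of the original article: it lists allow entries that grant write-type rights to principals outside an expected set. The UNC path, the `EXAMPLE` domain name and the expected-principal list are placeholders and assumptions to adapt to your environment.

```powershell
# Added example: find unexpected principals that can change GPO-deployed scripts.
# Placeholder path: the folder that the "Show Files" button opens for the GPO.
$ScriptsRoot = '\\example.test\SYSVOL\example.test\Policies\{GPO-GUID-PLACEHOLDER}\User\Scripts\Logon'

# Assumption: principals that are allowed to modify the scripts in this domain.
$Expected = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'CREATOR OWNER',
    'EXAMPLE\Domain Admins',
    'EXAMPLE\Enterprise Admins'
)

# Specific rights that let a principal alter, replace or re-permission a file.
$specific = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
# Generic rights bits (GENERIC_WRITE 0x40000000, GENERIC_ALL 0x10000000) that
# can appear on inherit-only entries and are not covered by the named flags.
$generic = 0x50000000

# Check the folder itself as well: write access there allows swapping the file.
$items = @(Get-Item -LiteralPath $ScriptsRoot) +
         @(Get-ChildItem -LiteralPath $ScriptsRoot -Recurse)

foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    foreach ($ace in $acl.Access) {
        $rights   = [int]$ace.FileSystemRights
        $canWrite = (($rights -band $specific) -ne 0) -or (($rights -band $generic) -ne 0)
        $identity = $ace.IdentityReference.Value

        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and ($Expected -notcontains $identity)) {
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $identity
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}
```

No output means every write-capable entry belongs to a principal in `$Expected`.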

Summary

Using PowerShell scripts through Group Policy opens up some tremendous possibilities primarily because you can do so much with a short script. Keep your scripts simple, test thoroughly and enjoy the benefits. In a future article I will share some sample PowerShell scripts that might make good candidates for Group Policy.

35 Comments
  1. archana 6 months ago

    Hi,
    Is there any program in PowerShell which can be used to calculate the Group Policy impact on PC boot time?

    0

    • Luc Fullenwarth 6 months ago

      @archana
      Such a tool does not exist and will probably never exist, even with AI.
      However, you can try to simulate the impact in a test environment.

      0

  2. DANIEL 5 months ago

    Hello
    Can I create a script in PowerShell so that as soon as an admin user logs on, the script runs and automatically deletes itself so it does not run anymore?

    0

  3. iyad omry 4 months ago

    I got access denied from the host side but if I access the script via the share and run it as administrator it's working, notice that my user is a member of machine administrator.

     

    0


© 4sysops 2006 - 2019
