Logon scripts have been part of IT since the Stone Age it seems. Eventually we were also given logoff scripts for users as well as startup and shutdown scripts for computers. In the past these scripts were often written in VBScript. But now that we have PowerShell, we have another option.

Jeffery Hicks

Jeffery Hicks is a multi-year Microsoft MVP in Windows PowerShell, Microsoft Certified Professional and an IT veteran with 25 years of experience specializing in automation. He works today as an author, trainer and consultant.

Even though I am going to show you how to set up a Group Policy to run a PowerShell script, I encourage you to think about what you really need to accomplish. Many people still use logon scripts, for example, to do things that can now be done as a Group Policy preference such as mapped drives and printers. In fact Group Policy has come so far since the days of Windows 2000 that many organizations don’t really need a logon script. But if you think you do, the only things you should do in the script are those things for which there is no Group Policy setting. In other words, the exceptions.

Requirements ^

Now before you get to excited realize that your clients must be running at least Windows 7 or Windows Server 2008 R2. And while not a requirement, I’m going to encourage you to be running at least PowerShell 3.0. Remember that logon scripts run under the credential of the current user and it only makes sense that your logon script perform tasks specific to the user. Computer scripts should run under the system context which should give you more leeway. One area you might need to test is if your computer script, e.g. startup or shutdown, needs to access network resources. Credentials may be an issue.

I also encourage you to test your scripts interactively first to verify it works. Because the script runs in the background and invisible to the user, I also suggest testing your script as a background job. If it runs as a background job the odds are it will run as a Group Policy script.

Finally, I want to point out that Group Policy scripts will always run, regardless of your local script execution policy. Even if your execution policy is restricted Group Policy scripts will still run using a Bypass policy. The assumption is that if you have setup a Group Policy to run a script, you know what the script will do and are taking adequate steps to protect it.

Creating the policy ^

Let’s create a policy. In the screenshot below you can see I have the Group Policy Management console open. I’ve created an empty GPO called PowerShell Scripts and linked it to the MyTest organizational unit.

Group Policy Management Console

Group Policy Management Console

Edit the policy and navigate in the User node to the location shown below.

Logon - Logoff scripts

Logon / Logoff scripts

Double-Click on the type of script you want to create. I’m going to create a logon script which will give you in the next screenshot.

PowerShell scripts require at least Windows 7 or Windows Server 2008 R2

PowerShell scripts require at least Windows 7 or Windows Server 2008 R2

I’ve highlighted the fact that scripts need at least Windows 7 or Windows Server 2008 R2. Because it is possible you may have other types of scripts to run as well, you can control when PowerShell scripts are run in the drop down box as seen below.

Control when PowerShell scripts are run ^

For my test I’m going to run PowerShell scripts last. Now I need to add a script. The best approach is to click the Show Files button which will open an Explorer window for the GPO. Open another window with your script folder. Then simply drag and drop the file or files to the GPO as I do in the next screenshot.

Add PowerShell script to GPO

Add PowerShell script to GPO

The files in the Logon folder will replicate and should be pretty secure. Once the file is copied I can go back to the Logon Properties dialog and click the Add button. I find it easiest to browse.

Browse logon scripts ^

This opens up the browse window again. Select the script and click open. If your script requires parameters, you can insert them as well. If all goes well you should end up with the following screenshot.

Logon properties

Logon properties

At this point the policy is complete. If you want to create a computer startup or shutdown script you would follow a similar process except under the Computer node.

Summary ^

Using PowerShell scripts through Group Policy opens up some tremendous possibilities primarily because you can do so much with a short script. Keep your scripts simple, test thoroughly and enjoy the benefits. In a future article I will share some sample PowerShell scripts that might make good candidates for Group Policy.

Win the monthly 4sysops member prize for IT pros

Share
1+

Related Posts

28 Comments
  1. Andrew 3 years ago

    I would like a script to update computer description field with: serial/machine type/model and last logged in user.

    I have this setup with vbs, but would like to migrate this to PS, can you help?

    0

  2. Author
    Jeffery Hicks 3 years ago

    The PowerShell part is pretty easy:

    $cs = Get-WmiObject win32_computersystem
    $bios = Get-WmiObject win32_bios
    $text = "{0}/{1}/{2}/{3}\{4}" -f $bios.serialnumber,$cs.Manufacturer,$cs.Model,$env:userdomain,$env:USERNAME
    Set-ADComputer -Identity $env:computername -Description $text

    However, in order for this to work as part of a user logon script, the user must have write access to the description property on the computer object.

    1+

    • This also requires the user to have RSAT tools installed (or at least the activedirectory module installed).

      Further it doesn't autoload on older versions.
      You should utilize ADSI instead in the powershell script:

      $ComputerName = $env:Computername
      $CurrentUser = $Env:Username
      $ComputerModel = Get-WMIObject -Class Win32_computersystem | select -expand Model
      $ComputerSerialNumber = Get-WMIObject -Class Win32_BIOS | select -expand SerialNumber
      $ComputerDescription = "User: $($CurrentUser) "+"/ "+"Hostname: $($ComputerName) "+"/ "+"Model: $($ComputerModel) "+"/ "+"Serialnumber: $($ComputerSerialNumber)"

      $Searcher = New-Object DirectoryServices.DirectorySearcher
      $Searcher.Filter = "(&(objectCategory=computer)(anr=$($ComputerName)))"
      $Searcher.SearchRoot = 'LDAP://DC=Domain,DC=Local'
      $GetProperties = $Searcher.FindAll()
      $EditDescription = $GetProperties | select -expand path
      [ADSI]$Editor = "$EditDescription"
      $Editor.description = "$ComputerDescription"
      $Editor.setInfo()

      0

  3. manas 3 years ago

    Hi, Is there any way to get the powershell script to run on Windows 2003 servers provided the 2003 servers do not have powershell installed ?

    0

  4. Michael Pietroforte 3 years ago

    mamas, you can install PowerShell 2.0 on Windows Server 2003 SP2. Check this out.

    0

  5. eric 3 years ago

    Set-ADComputer -Identity $env:computername -Description $text
    requires that the AD module be installed on client machines. This seems overkill, is there a way to do this with the default powerhshell capability that is present on windows 7 machines.

    0

    • Yes:
      $ComputerName = $env:Computername
      $CurrentUser = $Env:Username
      $ComputerModel = Get-WMIObject -Class Win32_computersystem | select -expand Model
      $ComputerSerialNumber = Get-WMIObject -Class Win32_BIOS | select -expand SerialNumber
      $ComputerDescription = "User: $($CurrentUser) "+"/ "+"Hostname: $($ComputerName) "+"/ "+"Model: $($ComputerModel) "+"/ "+"Serialnumber: $($ComputerSerialNumber)"

      $Searcher = New-Object DirectoryServices.DirectorySearcher
      $Searcher.Filter = "(&(objectCategory=computer)(anr=$($ComputerName)))"
      $Searcher.SearchRoot = 'LDAP://DC=Domain,DC=Local'
      $GetProperties = $Searcher.FindAll()
      $EditDescription = $GetProperties | select -expand path
      [ADSI]$Editor = "$EditDescription"
      $Editor.description = "$ComputerDescription"
      $Editor.setInfo()

      0

  6. Author

    Eric,
    The comments are starting to get away from the original article, but yes, it would be a bit much to assume a user would have the AD cmdlets installed. The other option would be to use the "raw" ADSI classes to achieve the same result. Or you could run a simple batch file and use the dsmod.exe command line tool. But this is well beyond the scope of what can be discussed in a comment.

    0

  7. Nick 3 years ago

    Hey Jeff, I am using this method to run a powershell script at logon. Everything seems to be working well, but for some reason, it seems that the script is being run twice. for the sake of simplicity, I just take a powershell script that only consists of "notepad.exe" and set that to run at logon. I log out then log back on, and I get two notepad windows popping up. Any ideas on what could be causing this?

    0

  8. Author

    Nick, I'm assuming that if you run the script manually you get the desired result. The first thing that comes to mind is that your policy is being applied twice. I would do an RSoP analysis on the computer and user and see what is being applied. I'd also look to see if loopback processing is enabled.

    0

  9. John Jensen 2 years ago

    Jeffery - I have set up three PS scripts (one startup script for computer policy, one logon, the same script as logoff with a parameter. I have applied it an OU that contains only three machines, for initial testing. gpupdate /force on all three. gpresult shows all three have the policy. Two of the machines do run the scripts; the third does not (this is after a couple of weeks of testing, by the way). The third machine runs the scripts just fine by hand, but not by GPO.

    I note in your example that you put the scripts into the default scripts directory. I can't do that as I only manage a sub-OU of the whole Active Directory domain (I am a faculty-level admin). I put in the full path to the scripts and all three machines can see it - as I said, the problem machine can run them as well if done by hand.

    I haven't found anything the problem machine's logs that would show what the problem is. I am just about stumped. Have you any thoughts?

    jj

    0

  10. John Jensen 2 years ago

    PS - when I try to subscribe to posts or comments, it displays XML in a browser window - doesn't subscribe me.

    jj

    0

  11. Author

    This sounds more like a GPO problem than a PowerShell one. Are the scripts in a single GPO or separate?

    0

  12. Paul T. Ireland 2 years ago

    Is it possible to create a GPO that will run a powershell script only once by adding it to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce?

    0

  13. Author
    Jeff Hicks 2 years ago

    I don't see why not. You can create a registry group policy preference to add it. Of course whether it will actually run will depend on what it is that you are trying to do. But that is a separate question.

    0

  14. Paul T Ireland 2 years ago

    I'm basically trying to disable the Microsoft Telemetry callbacks through a GPO that turns off the Windows Customer Experience Improvement Program and Application Telemetry:

    Computer Config à Policies à Admin Templates à System à Internet Communication Management à Internet Communications Settings à Turn off Windows Customer Experience Improvement Program

    and

    Computer Config à Policies à Windows Components à Application Compatibility à Turn off Application Telemetry

    and run a script once that will uninstall the updates that turn these things on and disabling the Diagnostic Tracking Service.

     

    Set-Service -Name DiagTrack -StartupType Disabled

    wusa /uninstall /kb:3068708 /quiet /norestart

    wusa /uninstall /kb:3022345 /quiet /norestart

    wusa /uninstall /kb:3075249 /quiet /norestart

    wusa /uninstall /kb:3080149 /quiet /norestart

    So my dilemma is do I call the PowerShell script from a regular batch file and add the batch file to the runonce part of the registry?  Or do I try to run the PowerShell script directly?  Also, I’m not sure if I’ll have to set the execution policy from within the script to make sure it runs right and will it run as the system account or do I have to make it a local admin account?

    I found an interesting blog post here about running PowerShell scripts from batch files…

    http://blog.danskingdom.com/allow-others-to-run-your-powershell-scripts-from-a-batch-file-they-will-love-you-for-it

    I would love your recommendations on how to pull this off, and any suggestions you can offer if I have forgotten anything that would make telemetry calls back to Microsoft.
     

    0

  15. Paul T Ireland 2 years ago

    Apologies.  All of the à symbols are supposed to be --> 

    0

  16. Author
    Jeffery-Hicks 2 years ago

    Any PowerShell script you run through a startup/shutdown etc GPO will run under a bypass execution policy. So even if the computer has a restricted execution policy it would run. This is by design with the understanding that if you are doing this, you know what you are doing. But, I don't think this would apply to a script run from the RunOnce key. If you wanted to use that key, I'd put the commands in a batch file and run the batch file. That way if you need to modify the script you can without having to modify the GPO.

    I don't have anything to add about Microsoft telemetry. What I would say, is that if you are considering using GroupPolicy, you can configure the  DiagTrack service with a GPO. Then all your script needs to do is uninstall the hotfixes and at this point you can use a simple batch file since you're no longer using any PowerShell commands.

    0

  17. Marco Schlegel 2 years ago

    Hi Jeff

    Great article and I've seen you mentioned "One area you might need to test is if your computer script, e.g. startup or shutdown, needs to access network resources. Credentials may be an issue."

    Can you explain a bit more in detail what you meant?

    Because we have a strange issue with such a logon script. We deploy our Intranet site with this script:

    $IE = New-Object -com internetexplorer.application;

     $IE.visible = $true;

     start-sleep -s 15

     $IE.navigate("http://intranet");

     

    It's working fine, the IE11 is launching in the default browser, but all the SMB links we have on our Intranet site are not click able. We get an error in IE11 "cannot find file:///correct_path.file.pdf  make sure the path or internet address is correct"

    More strange is, wehn we close the IE instance and run the same PS script again, all links are working. So it happens only with the first IE instance the PS script is starting during the Logon GPO. We also tested with a very long delay of 90 seconds to make sure the script is running after all Windows drives are mapped, but without success, the result is the same. All users have this drive mapped persistent by GPO. Could it be that the PS script is starting the IE with another token as the user itself gets during logon.

    Any suggestions?

    Thank you very much

     

    0

  18. aftab 2 years ago

    Hi there,

     

    i want to create a powershell script to uninstall windows 10 apps as soon as user logs on, though i tried to create WDS image while removing all the apps but as soon as user logs in they come back, either tell me a way to remove them permanently so its not available to new users or a powershell script solution will do for me.

     

    appreciate your help and kind work you are doing for us

     

    thanks and regards

    Aftab

    0

    • Bryan 1 year ago

      aftab,

      I have been working on developing a windows 10 GPO for my company. After much research I was able to find this and put it into a PS script.

      Get-AppxProvisionedPackage -Online |
      Where-Object DisplayName -In $Packages |
      Remove-ProvisionedAppxPackage -Online |
      Out-Null

      $Packages is a list of all the windows packages that I want to remove and is assigned before the code above.

      I'm still working on getting this and another (that removes the already installed apps for the users that have logged in already) to run in a GPO.

      I hope this helps.

      -Bryan

      0

  19. sam 2 years ago

    Is it possible to call the PowerShell script from a local directory? The file will be on every computer.

    0

    • Santiago 1 year ago

      Hello Sam,

       

      Have you found any solution Sam?

       

      Tks for your reply 🙂

      0

  20. Santiago 1 year ago

    Hello,

     

    Is there any way to run a local .cmd file placed locally on a client computer (Win 7) and make it run on user logon script by GPO?

    I would like to configure the user GPO logon section to point to that local .cmd file for everyone of my domain.

    "C:\locamsi\soft1\Installer.cmd"

    Thank you for your help

    0

  21. Sharavana 1 year ago

    Hi All,

    I have power-shell script to delete the data with in the %APPDATA%Microsoft\signature. so that signature tool will stamp the signature. i have created GPO policy using below script for  logon.

    # This script will delete the local signatures for the logged on user from the default folder location
    $user = $env:APPDATA
    Remove-Item $user\Microsoft\Signatures\* -Recurse -Force

    group policy is reaching to client machine but still existing signature are their.

    can anyone help me on this task.

    Thanks always

    0

  22. Akshay Awasthi 1 year ago

    Great article. Kudos!!

    Although I have a problem of a different sort. I have a powershell script (on windows server 2008 R2)which runs successfully from console,but when I run it from task scheduler , it does not enter the script and task completes with a status of 0x1   in task scheduler .I know it is an issue of rights/security but the account running the script is an administrator. Screenshots are attached.I have read so many articles online but nothing helps.

    Also , the sad part is..I have another task which I scheduled a few months back with the same configuration and same account with same privileges and that works perfectly fine.

    It would be great if you could help me troubleshoot this.

    2+

  23. Attar 9 months ago

    Greetings

    I'm trying to run the below scripts from a Windows 10 login script, but never succeed. Can you please help me with the way I should configure the ps1/ bat file?

    With thanks

    Get-AppxPackage -allusers *BingSports* | Remove-AppxPackage
    Get-AppxPackage -allusers *BingNews* | Remove-AppxPackage
    Get-AppxPackage -allusers *XboxApp* | Remove-AppxPackage

    0

Leave a reply

Your email address will not be published. Required fields are marked *

*

CONTACT US

Please ask IT administration questions in the forum. Any other messages are welcome.

Sending
© 4sysops 2006 - 2017

Log in with your credentials

or    

Forgot your details?

Create Account