in the Group Policy Management Editor go to Computer Configuration > Policies > Administrative Templates > System > Logon > Run these programs at user logon, and add the path (on the local computer) to the script to be run when any user logs in. Powershell scripts need to be called from a .vbs script like this in order to prevent window popup:
Dim objShell Dim cmd Set objShell = CreateObject("Wscript.Shell") cmd = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nologo -noProfile -NonInteractive -ExecutionPolicy bypass -File c:\mypowershellscript.ps1" objShell.Run cmd,0
As for distributing the scripts, that’s a work in progress… GPP?
Logon scripts have long been used to configure users’ desktop environments, adding network drive mappings and desktop shortcuts etc. But there are some tasks that require administrative privileges and can’t be executed as part of a logon script if users don’t have administrative access to their PCs. In this Ask the Admin, I’ll show you how to configure a Group Policy Object (GPO) to run a startup script with administrative privileges.
Computer Startup Scripts vs. Logon Scripts
Startup scripts run just before the boot process gets to the logon screen, and in the context of the local computer account, which has local administrative privileges. Startup scripts can be stored in the GPO itself, removing the need to configure a network share.
Configure a Computer Startup Script
Log on to a Windows Server 2012 R2 domain controller (DC) with a domain administrator account and follow the instructions below.
Create a new Group Policy Object in Active Directory:
- Open Server Manager using the icon on the desktop taskbar or from the Start screen.
- In the Tools menu, select Group Policy Management.
- In the Group Policy Management Console (GPMC), expand your Active Directory (AD) forest, domain and click the Group Policy Objects container.
- Right-click the Group Policy Objects container and select Newfrom the menu.
- In the New GPO dialog box, give the new Group Policy Object (GPO) a name and press OK.
- Now right-click the new GPO in the right pane and select Edit from the menu.
Add the startup script settings to the GPO:
- In the left pane of the Group Policy Management Editor window, expand Computer Configuration, Policies and click Scripts.
- In the right pane, double-click Startup.
- On the Scripts tab of the Startup Properties dialog, click Show Files. Copy the file(s) you want to run to this location.
- Once the script you want to run has been added to the GPO, click Add on the Scripts tab.
- Click Browse in the Add a Scriptdialog and select the file using the file browser. Additionally in the Add a Script dialog, you can optionally specify parameters to configure how the script runs. Click OK to continue.
You can additional scripts and set the order in which they run by using the Up and Down buttons. Additionally, PowerShell scripts can be added on a separate tab and set to run before or after scripts specified on the first tab.
- Complete the configuration by clicking OK in the Startup Properties window.
- Close the Group Policy Management Editor window.
Finally, link the GPO to an OU, domain, forest or site:
- Back in GPMC, decide where you want to link the new GPO. Right click the desired OU, domain, site or forest in the left pane and select Link an Existing GPO from the menu.
- In the Select GPO dialog, select the GPO you just created and click OK.
The startup script will now run on computers that have the GPO applied. For more information on using the Group Policy Management Console and linking GPOs, see Working with Group Policy on Petri.
To work with Immediate Scheduled Tasks, you must join your endpoints to your Active Directory (AD) domain. You will also need Remote Server Administration Tools (RSAT) installed on your workstation (please do not do this on your Domain Controller).
After fulfilling these prerequisites, you will need to open up your Group Policy Management Console (GPMC). Navigate to the location in your AD forest that contains the systems to which you would like to apply this Immediate Scheduled Task. Then right-click and select “Create a GPO in this domain, and Link it here.” When prompted, assign a descriptive name to this GPO:
Once you have created that GPO and linked it to your selected organizational unit (OU) or root domain, right-click it and select Edit.
This will bring up your Group Policy Object for which we will set this policy’s conditions. With this policy open, we should navigate to the following location:
Computer Configuration -> Preferences -> Control Panel Settings -> Scheduled Tasks
On the right-hand side, you will have a blank area in the Scheduled Tasks pane. You should either right-click in the blank area or right-click on the Scheduled Tasks tree item on the left-hand side. Next, we will then select:
New -> Immediate Task (At least Windows 7)
Once you have selected the Immediate Task (At least Windows 7), a New Taskpane prompts us to configure our task. These settings include a Name, Description, Account to run from, Run with highest privileges checkbox, and the Configure For: drop-down menu. First, we will need to give your new task a Name and Description(recommended).
Next, let’s go to the bottom and select “Windows 7, Windows Server 2008R2” in the Configure For: drop-down list. This will make sure this task will work on Windows 7 and higher systems (Windows 7’s Task Scheduler has significantly changed since Windows XP). Additionally, we will need to make sure that we select the Run with highest privileges checkbox.
Next, we will select the Change User or Group… button. For this example, I am going to use the built-in NT Authority/System account on the local machine that will run this Immediate Task. You can, and the recommended approach is to use a separate account that has this right/authorization on your endpoint systems since the SYSTEM account has what I like to call “god” permissions. To select this account, simply type out SYSTEM in the “Enter the object name to select:” pane and click OK.
We will now move on to the Actions tab on the New Task (At least Windows 7) Properties pane. We will make sure that the following pane has these values:
- Action = “Start a program”
- Program/Script = C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
- Add Arguments (optional) = -ExecutionPolicy Bypass -command “& C:\Path\To\Script.ps1”
We will keep the Start a program action and include the path to the Windows PowerShell executable in the Program/Script field. The Add Arguments (Optional) we will include a few things here that will make sure that our script runs. The first is the -ExecutionPolicy Bypass string. This will ensure your PowerShell execution policy doesn’t prevent your script from running.
The second piece here is the -command “& C:\Path\To\Script.ps1” string. We are using the Command parameter to run our actual script. The “&” symbol inside the quotes ensures that our script runs and does not simply open or just load into memory. Your Add Arguments (Optional) field should look like the string above with all the hyphens and spaces.
Next, we will move to the Common tab and select the Apply once and do not reapply option since we want our Immediate Task to apply only once and not continually (unless you would like that).
Close out of all open windows in the GPMC. The next time your systems reboot, your Immediate Task will run. In my example, I am referencing a location on the individual endpoint systems, but you could also use a network share like \\networkshare01\scripts\scripts.ps1 in the -command “&” string.
If the desired script does not reside on the local system, we can add another setting to our Group Policy Object that can copy the intended script to our local machines. To do this, Edit our existingImmediate Task Group Policy Object and navigate to:
Computer Configuration -> Preferences -> Windows Settings -> Files
Right-click in the Files pane and select New -> File. We will first select Create in the Action drop-down menu. Then we will select our Source file (either on a network share or our local machine), and then for the Destination File, we will either type in or select the file path:
If we look at one of our workstations, we can see that the system copies the file to the C:\Path\To\Script.ps1location.
I have added the following code inside my C:\Path\To\Script.ps1 file so that I can see if it works as expected:
New–Item –Path C:\Path\To\ –ItemType File –Name log.log
Add–Content –Path C:\Path\To\log.log –Value “$(Get-Date) – C:\Path\To\Script.ps1 has run as an Immediate Scheduled Task”
With this code, I should see the creation of a C:\Path\To\log.log file created with some simple text.
Additionally, if you are working with Windows 10, you can see that your Immediate Task ran by looking at the Event Viewer under Applications and Services Logs -> Windows PowerShell
With Immediate Scheduled Tasks you can run scripts on your endpoints quickly and resolve any configuration issues to help both yourself and your end users.