Group Policy lets you run various script files at computer startup/shutdown or during user logon/logoff. You can use GPOs not only to run classic batch files (.bat, .cmd, .vbs) on domain computers, but also to execute PowerShell scripts (.ps1) during Startup/Shutdown/Logon/Logoff.
In modern operating systems (Windows 10 / Windows Server 2016), you can configure logon/startup PowerShell scripts directly from the domain GPO editor.
Before Windows 7 and Windows Server 2008 R2, it was impossible to run a PowerShell file directly from a GPO (you had to call the .ps1 file from a .bat batch file as a parameter of the powershell.exe executable).
Open the domain policy management console, GPMC.msc (Group Policy Management), create a new policy and link it to the Active Directory container (OU) that holds the target users or computers (you can use filtering for more precise policy targeting). Switch the policy to Edit mode.
Select the GPO section in which to run the PowerShell script, depending on when you want your PS1 script to execute:
- If you want to run a PS script when a user logs on to (or off from) a computer (to configure the user's environment settings or programs, for example), go to the GPO section: User Configuration -> Policies -> Windows Settings -> Scripts (Logon / Logoff);
- If you want to run the PowerShell script at computer startup (to disable outdated protocols, configure computer security settings, etc.) or before computer shutdown, go to the GPO section with the computer settings: Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup / Shutdown).
Configuring PowerShell Startup Scripts with Group Policy
Suppose we need to run the PowerShell script at computer startup. Select the Startup policy and go to the PowerShell Scripts tab in the next window.
Now you need to copy the file with your PowerShell script to the domain controller. Click the Show Files button and drag the file with the PowerShell script (.ps1 extension) into the File Explorer window that opens (the console automatically opens the Machine\Scripts\Startup folder of your policy under \\yourdomainname\SysVol\yourdomainname\Policies\ on the nearest AD domain controller).
Since we are configuring a Startup PowerShell script, you need to check that the Domain Computers group has the NTFS "Read & Execute" permission on the .ps1 file (or check the permissions on the whole Machine\Scripts\Startup folder).
Now click Add and add the copied .ps1 script file to the list of scripts to be run by the PowerShell policy.
If you run several PowerShell scripts through a GPO, you can control the order in which they execute using the Up/Down buttons.
To run PowerShell scripts correctly during computer startup, you need to configure the delay before the scripts launch using the policy in the Computer Configuration -> Administrative Templates -> System -> Group Policy section. Enable the "Configure Logon Script Delay" policy and specify a delay in minutes before the logon scripts start (enough to complete initialization and load all required services). Setting 1-2 minutes here is usually sufficient.
By default, Windows security settings do not allow running PowerShell scripts. The current value of the PowerShell script execution policy setting can be obtained with the Get-ExecutionPolicy cmdlet. If the policy is not configured, the command returns Restricted (all scripts are blocked). The security settings for running PowerShell scripts can be configured via the "Turn On Script Execution" policy (in the GPO section Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell). Possible policy values:
- Allow only signed scripts (AllSigned) – you can run only signed PowerShell scripts; this is the best option from a security perspective;
- Allow local scripts and remote signed scripts (RemoteSigned) – you can run any local scripts and signed remote scripts;
- Allow all scripts (Unrestricted) – the most insecure option, because it allows any PowerShell script to execute.
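Two things are worth verifying before the policy is linked: that Domain Computers can actually read and execute the script in SYSVOL, and, if you go with AllSigned, that the script carries a valid Authenticode signature. The following PowerShell is an added example (not code from the original article): it lists every .ps1 in a GPO's Startup folder and reports both checks; the domain name and GPO GUID are placeholders you must replace.

```powershell
# Added example, not from the original article.
# $Domain and $GpoGuid are placeholders: replace them with your own values.
param(
    [string]$Domain  = 'yourdomainname',
    [string]$GpoGuid = '{00000000-0000-0000-0000-000000000000}'
)

$startupDir = "\\$Domain\SysVol\$Domain\Policies\$GpoGuid\Machine\Scripts\Startup"
$required   = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Test-StartupScriptAccess {
    param([string]$Path)
    # The computer account runs Startup scripts, so Domain Computers needs
    # Read & Execute. Authenticated Users (the SYSVOL default) also covers
    # computer accounts, so either Allow rule is accepted here.
    $acl = Get-Acl -Path $Path
    $match = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.IdentityReference.Value -like '*\Domain Computers' -or
         $_.IdentityReference.Value -like '*\Authenticated Users') -and
        (($_.FileSystemRights -band $required) -eq $required)
    }
    return [bool]$match
}

Get-ChildItem -Path $startupDir -Filter *.ps1 | ForEach-Object {
    # Status 'Valid' is what AllSigned requires; 'NotSigned' or
    # 'UnknownError' (untrusted signer) would block the script at boot.
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        Script          = $_.Name
        ComputersCanRun = Test-StartupScriptAccess -Path $_.FullName
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
    }
} | Format-Table -AutoSize
```

Run it from a machine that can reach SYSVOL; a row with ComputersCanRun = False or SignatureStatus other than Valid explains a script that silently does nothing at startup.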
If none of the PowerShell script execution policy settings suits you, you can run PowerShell scripts in Bypass mode (scripts are not blocked and no warnings appear).
To do this, the PowerShell script must be run from the Startup -> Scripts section. In this section, you can configure a .ps1 script to run by creating a regular Startup batch file entry that runs the powershell.exe executable. Specify:
- Script Name: powershell.exe
- Script Parameters: -NonInteractive -ExecutionPolicy Bypass -NoProfile -File %~dp0MyPSScript.ps1
When the script is launched on the client, the %~dp0 term is automatically expanded to the UNC path of the script directory in SYSVOL.
As you can see, in this case you have allowed untrusted PowerShell scripts to run by specifying the Bypass value of the ExecutionPolicy parameter.