In this tutorial, I will show you how to run a PowerShell script at user logon using Group Policy (GPO) in an Active Directory environment.
Before you begin, here are some considerations when running scripts at logon:
- The script runs in the user's context, with the user's rights only: you won't be able to install software or change machine-wide settings if the user is not an administrator of the computer.
- Scripts do not run immediately at logon. Since Windows 8.1 / Server 2012 R2, logon scripts are delayed by 5 minutes by default (adjustable or disabled with the "Configure Logon Script Delay" policy under Computer Configuration / Policies / Administrative Templates / System / Group Policy), so a network drive mapped by the script may appear only some minutes after the desktop.
In this tutorial I will use a deliberately simple script: it only writes an entry to the Windows event log, which you can then find in Event Viewer.
Before deploying a PowerShell script by Group Policy, make sure it works with local tests first (run it as a standard, non-admin user, since that is how it will run at logon). Then, before deploying it on a large scale, test the group policy itself on a test OU.
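As an added illustration (not the tutorial's own file, which the page does not reproduce), here is what such a logon script can look like. The event source name "GPO Logon Script" and the event ID 1000 are assumptions. The source has to be registered once per computer by an administrator, because the logon script itself runs as the (usually non-admin) logging-on user, who may write to the Application log but cannot create sources.

```powershell
# ScriptPSOnLogin.ps1 - added example of a GPO logon script (not the tutorial's file).
# Writes one Application-log entry per logon. The event source name and ID are
# assumptions. New-EventLog needs admin rights, so register the source once per
# machine from an elevated prompt (or a computer startup script), NOT from here:
#   New-EventLog -LogName Application -Source 'GPO Logon Script'
$Source  = 'GPO Logon Script'
$LogName = 'Application'
$EventId = 1000

# Gather a few facts about the session; useful when reading the log later.
$message = @(
    'Logon script executed.'
    "User:     $env:USERDOMAIN\$env:USERNAME"
    "Computer: $env:COMPUTERNAME"
    "Session:  $([System.Diagnostics.Process]::GetCurrentProcess().SessionId)"
    "Script:   $PSCommandPath"
    "Time:     $(Get-Date -Format o)"
) -join [Environment]::NewLine

try {
    Write-EventLog -LogName $LogName -Source $Source -EventId $EventId -EntryType Information -Message $message -ErrorAction Stop
}
catch {
    # If the source was never registered (or the log is not writable), keep a
    # trace in the user's profile so tests still show whether the script ran.
    $fallback = Join-Path $env:LOCALAPPDATA 'GPOLogonScript.log'
    "$(Get-Date -Format o) Write-EventLog failed: $($_.Exception.Message)" |
        Out-File -FilePath $fallback -Append -Encoding utf8
}
```

Run it once from a normal (non-elevated) PowerShell session as the test user before putting it in a GPO: if the entry shows up in the Application log, the script will behave the same way at logon.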
Run a PowerShell script at logon via Group Policy
Before creating the group policy, copy the script to the server on which you will edit it (a domain controller, or a management server with the Group Policy Management console).
From the Group Policy Management console, right-click Group Policy Objects and click New.
Name the group policy and click OK to create it.
The GPO is created; right-click it and click Edit.
Go to User Configuration / Policies / Windows Settings / Scripts (Logon/Logoff) and double-click Logon to open its properties.
Go to the PowerShell Scripts tab and click Show Files.
A File Explorer window opens on the GPO's own logon scripts folder in SYSVOL (\\<domain>\SYSVOL\<domain>\Policies\{GPO GUID}\User\Scripts\Logon): copy the PowerShell script into it. Keeping the script there means it is replicated to every domain controller and is readable by users but writable only by those allowed to edit the GPO.
Close the File Explorer window, return to the Properties window and click Add.
In the Add a Script window, click Browse.
Select the PowerShell script file and click Open.
The script is now selected; click OK.
The PowerShell script is now configured as a logon script. You can add several scripts by repeating the operation, but I prefer one GPO per script: it is easier to maintain over time, and to stop a script temporarily you only have to disable (or unlink) its group policy.
Click Apply, then OK.
Now close the Group Policy Editor.
The GPO is ready.
Now the GPO needs to be linked to the desired location in the Active Directory tree. For the moment it only exists in the Group Policy Objects container, the "library" of all GPOs, and applies to nobody.
Right-click the desired location (domain or OU) and click Link an Existing GPO.
Here I link the GPO to the Users OU so that the script applies to all users in that OU. Because this is a User Configuration setting, the link must target an OU containing the user accounts, not the computers (unless you also enable loopback processing).
In the list, select the GPO and click OK.
Test Group Policy and PowerShell Script Execution
To test, log on to a client as a user located in the linked OU; here the user Iron MAN (iron.man).
Once the session is open, wait for the logon script delay if the client applies one (5 minutes by default on Windows 8.1 / Server 2012 R2 and later), then open Event Viewer: the entry created by the PowerShell script appears in the log the script writes to.
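To check the result from the command line rather than by screenshot, the following commands (added here, not part of the original tutorial) can be run in the test user's session. They assume a GPO named "Logon Script" and the event source "GPO Logon Script"; both names are assumptions, adjust them to yours.

```powershell
# Added example (not from the tutorial): client-side checks after logging on as
# the test user. Assumptions: GPO name 'Logon Script', event source 'GPO Logon Script'.
$GpoName = 'Logon Script'
$Source  = 'GPO Logon Script'

# 1. Is the GPO applied to this user? gpresult lists applied and filtered GPOs.
#    (gpupdate only refreshes policy; the logon script itself runs at the next logon.)
gpupdate /target:user /force | Out-Null
$report = gpresult /scope user /r
if ($report -match [regex]::Escape($GpoName)) {
    "GPO '$GpoName' is listed in the user's resultant set of policy."
} else {
    "GPO '$GpoName' NOT found: check the link, security filtering and the OU of the user."
}

# 2. Did the script write its event? Newest first.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = $Source } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 3. If nothing shows up, look at Group Policy's own operational log, which records
#    when logon scripts are started and completed; that tells you whether the
#    default 5-minute delay simply has not elapsed yet, or the script never ran.
Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'script' } |
    Select-Object TimeCreated, Id, Message
```

If step 1 passes but step 2 stays empty after the delay, the usual causes are the event source not being registered on that client or the script failing in the user's context; a per-user fallback log file, as in the sample script above, makes the second case visible.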
Now you know how to run a PowerShell script at logon using Group Policy.
With experience, here are some additional tips:
- Sign PowerShell scripts. A signature does not stop someone from editing a script, but it lets the client detect the alteration and refuse to run it, provided the check is actually enforced: either the execution policy requires signatures (AllSigned) and the signing certificate's chain is trusted on the clients, or the script is checked explicitly with Get-AuthenticodeSignature before being run.
- Host scripts on an internal GitLab instance and call them remotely (explained below).
With PowerShell it is possible to run a script downloaded over HTTPS at logon. This is where GitLab comes in: hosting the scripts there gives centralised management and versioning, and an updated script is picked up at the next logon without waiting for SYSVOL replication between domain controllers. The price is that the GitLab instance becomes a code-execution path into every user session: anyone who can push to that snippet or branch runs code as each user at logon, so restrict write access (protected branch, snippet owner), and keep in mind that HTTPS only protects the download in transit; it says nothing about who changed the file.
Here's how to do it. First retrieve the URL of the PowerShell script in raw format (GitLab's "raw" view of the snippet or repository file).
Create a PowerShell script for the Group Policy with the following single line (3072 is the value of Tls12: it forces TLS 1.2 in Windows PowerShell 5.1, which may otherwise offer only older protocols):
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://git.uri/-/snippets/xx/raw/main/ScriptPSOnLogin.ps1'))
A variant that also sets the execution policy to Bypass for the process exists, but it is less secure: iex of a string is never subject to the execution policy, so Bypass gains nothing here and only disables the policy for any script files the downloaded code itself launches:
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://git.uri/-/snippets/xx/raw/main/ScriptPSOnLogin.ps1'))
Hosting the scripts on GitLab does not prevent you from signing them, but the one-liners above never check the signature: Invoke-Expression runs whatever string it is given. To benefit from signing, the script must be saved to a file and verified before execution, either by the client's execution policy (AllSigned, which checks every script file) or explicitly with Get-AuthenticodeSignature.
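The following is an added example, not the tutorial's one-liner: it fetches the script from the same kind of raw URL but runs it only after checking that the file carries a valid Authenticode signature made by the expected certificate. The URL is the tutorial's placeholder; the thumbprint (all zeros) is an assumption to be replaced with that of your own code-signing certificate.

```powershell
# Added example (not the tutorial's one-liner). Fetch the remote script, then run it
# only after verifying its Authenticode signature AND the signer.
# Assumptions: the URL is the tutorial's placeholder; $ExpectedThumbprint is the
# thumbprint of YOUR code-signing certificate (all zeros here).
$ScriptUrl          = 'https://git.uri/-/snippets/xx/raw/main/ScriptPSOnLogin.ps1'
$ExpectedThumbprint = '0000000000000000000000000000000000000000'

# Windows PowerShell 5.1 may still negotiate TLS 1.0 by default; the tutorial's
# '-bor 3072' is exactly this: 3072 is the value of Tls12.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# Download to a file rather than a string: Get-AuthenticodeSignature works on files,
# and iex of a downloaded string never checks a signature, so the signature block at
# the end of the script would be pure decoration.
$tmp = Join-Path $env:TEMP ('logon-{0}.ps1' -f [guid]::NewGuid())
try {
    Invoke-WebRequest -Uri $ScriptUrl -OutFile $tmp -UseBasicParsing -ErrorAction Stop

    $sig = Get-AuthenticodeSignature -FilePath $tmp
    if ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch (edited after signing), UnknownError (untrusted chain) ...
        throw "Signature status is '$($sig.Status)'; refusing to run $ScriptUrl"
    }
    if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
        # A valid signature from the wrong signer is still wrong: anyone holding another
        # trusted code-signing certificate (or write access to the snippet) must not get
        # code execution in every user session at logon.
        throw "Script signed by unexpected certificate $($sig.SignerCertificate.Thumbprint)"
    }

    # Verified: run the file. The execution policy still applies to this call, which is
    # what you want (with AllSigned the signature would be checked a second time).
    & $tmp
}
catch {
    # Do not fall back to the unverified content; just record why nothing ran.
    Write-Warning "Remote logon script not executed: $($_.Exception.Message)"
}
finally {
    Remove-Item -Path $tmp -Force -ErrorAction SilentlyContinue
}
```

Sign the file before pushing it to GitLab with Set-AuthenticodeSignature and a code-signing certificate from your internal CA, whose chain the clients must trust, and make sure Git does not rewrite line endings on the way (a CRLF/LF conversion changes the file hash and turns the status into HashMismatch). Pinning the signer's thumbprint is what turns "signed by someone trusted" into "signed by us".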