Edit Local Group Policy With PowerShell Scripting

Group Policy allows you to run script files at computer startup/shutdown or during user logon/logoff. You can use GPOs not only to run classic batch and VBScript files (.bat, .cmd, .vbs) on domain computers, but also to execute PowerShell scripts (.ps1) at Startup/Shutdown/Logon/Logoff.

Apr 26, 2012: Hi, I want to set values of Local Group Policy (Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections -> Limit number of connections) by PowerShell. But I can't find any cmdlet on the Internet. So I come here for some help. Any help is fine.

Last week I dropped in on a class Jeremy Moskowitz was teaching on Group Policy to talk a little PowerShell. I was demonstrating the Get-GPO cmdlet and talking about the object you get back and how you can use it to filter and create reports.

Editing Group Policy via PowerShell? It's a prebuilt 'automated helpdesk' script that is menu driven with tools like automated defrag. I would think it is easier to edit a GPO in the UI rather than in PowerShell? Applying in PowerShell maybe, but editing?

In modern operating systems (Windows 10 / Windows Server 2016), you can configure the logon/startup PowerShell scripts directly from the domain GPO editor.

Before Windows 7 and Windows Server 2008 R2, a GPO could not run a .ps1 file directly: you had to call the .ps1 file from a .bat batch file as a parameter of the powershell.exe executable.

Run the domain policy management console, GPMC.msc (Group Policy Management), create a new policy and link it to the Active Directory container (OU) that holds the target users or computers (you can use WMI filters for finer targeting). Right-click the policy and select Edit.

Choose the GPO section depending on when you want your PS1 script to run:

  • To run a PowerShell script when a user logs on to (or off from) a computer (to configure the user environment: for example, generate an Outlook signature from the user's AD attributes, or adjust screensaver or Start layout settings), go to User Configuration -> Policies -> Windows Settings -> Scripts (Logon / Logoff);
  • To run a PowerShell script at computer startup (to disable outdated protocols such as NetBIOS, LLMNR and SMBv1, configure computer security settings, etc.) or before shutdown, go to the computer section: Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup / Shutdown).
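Here is an added example of the kind of Computer Startup script the second bullet describes (it is not code from the original article). A startup script runs as SYSTEM with no console, so it writes a transcript to a fixed log folder instead of relying on output; the log path, and the decision to turn off LLMNR, NetBIOS over TCP/IP and SMBv1, are assumptions for the example. The SMB cmdlets require Windows 8 / Server 2012 or later; test on a pilot OU before linking the GPO broadly, since removing SMBv1 breaks clients that still depend on it.

```powershell
# Startup script: disable legacy name-resolution and file-sharing protocols.
# Runs as SYSTEM from a GPO, so everything is logged to a transcript (assumed path).
$LogDir = 'C:\ProgramData\GpoStartupScripts'
New-Item -Path $LogDir -ItemType Directory -Force | Out-Null
Start-Transcript -Path (Join-Path $LogDir 'Harden-LegacyProtocols.log') -Append

try {
    # 1. LLMNR: same registry value the "Turn off multicast name resolution" policy writes.
    $dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    New-Item -Path $dnsPolicy -Force | Out-Null
    Set-ItemProperty -Path $dnsPolicy -Name 'EnableMulticast' -Value 0 -Type DWord
    Write-Output 'LLMNR disabled'

    # 2. NetBIOS over TCP/IP on every interface (NetbiosOptions: 0 = from DHCP, 1 = on, 2 = off).
    $ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    Get-ChildItem -Path $ifRoot | Where-Object { $_.PSChildName -like 'Tcpip_*' } | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -Value 2 -Type DWord
    }
    Write-Output 'NetBIOS over TCP/IP disabled on all interfaces'

    # 3. SMBv1: turn off the server-side protocol now, and remove the optional feature
    #    (the removal completes on the next reboot).
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    $smb1 = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -ErrorAction SilentlyContinue
    if ($smb1 -and $smb1.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null
    }
    Write-Output 'SMBv1 disabled'
}
catch {
    # A non-zero exit code shows up in the Group Policy operational log (event 1130 and friends).
    Write-Output "Startup script failed: $($_.Exception.Message)"
    exit 1
}
finally {
    Stop-Transcript
}
```

Because the script runs before any user logs on, the transcript is the only place you will see what happened; check it on a test machine once before trusting the GPO in production.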


Configuring PowerShell Startup Scripts with Group Policy

Suppose we have to run the PowerShell script at computer startup. Select the Startup policy and go to the PowerShell Scripts tab in the window that opens.

Now you need to copy your PowerShell script into the policy folder in SYSVOL. Click the Show Files button and drag the script file (.ps1 extension) into the File Explorer window that opens (the console automatically opens the policy's folder \\yourdomainname\SysVol\yourdomainname\Policies\{Your_GPO_GUID}\Machine\Scripts\Startup on the nearest AD domain controller).

Since we are configuring a Startup PowerShell script, check that the Domain Computers group (or Authenticated Users, which is granted read access on SYSVOL by default) has the NTFS "Read & Execute" permission on the .ps1 file (or on the entire Machine\Scripts\Startup folder). Startup scripts run as SYSTEM and access SYSVOL using the computer account, so a user-only ACL will silently break them.

Now click Add and add the copied .PS1 script file to the list of scripts to be run by the PowerShell policy.

If you run multiple PowerShell scripts through one GPO, you can control the order in which they execute using the Up/Down buttons.
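The same copy-and-check steps can be scripted from an administrator workstation. The following is an added example, not code from the original article; it assumes the GroupPolicy RSAT module is installed, that the workstation is domain-joined (so $env:USERDNSDOMAIN is set), and that the GPO name and local script path shown are placeholders for your own. It locates the policy's SYSVOL folder from the GPO GUID, copies the script there, and then checks the two permissions that matter: domain computers must be able to read the file, and nobody outside the admin groups may write to it, because a writable SYSVOL startup script is code execution as SYSTEM on every computer the GPO applies to.

```powershell
Import-Module GroupPolicy

# Assumed names: replace with your own GPO and script.
$GpoName    = 'Startup-Harden-Legacy-Protocols'
$Domain     = $env:USERDNSDOMAIN
$ScriptPath = 'C:\Scripts\Harden-LegacyProtocols.ps1'

# 1. Each policy lives under SYSVOL\<domain>\Policies\{<GPO GUID>}; Get-GPO gives us the GUID.
$gpo        = Get-GPO -Name $GpoName
$startupDir = "\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id)}\Machine\Scripts\Startup"
New-Item -Path $startupDir -ItemType Directory -Force | Out-Null

# 2. Copy the script. SYSVOL replicates to every DC, so clients pick it up from their nearest one.
Copy-Item -Path $ScriptPath -Destination $startupDir -Force
$deployed = Join-Path $startupDir (Split-Path $ScriptPath -Leaf)

# 3. Read & Execute for the computers: startup scripts authenticate as the computer account.
$rx  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$acl = Get-Acl -Path $deployed
$readers = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -match 'Authenticated Users|Domain Computers' -and
    (($_.FileSystemRights -band $rx) -eq $rx)
}
if (-not $readers) {
    throw "No Read & Execute ACE for Authenticated Users / Domain Computers on $deployed"
}

# 4. Write access must stay with the administrative principals only.
$w = [System.Security.AccessControl.FileSystemRights]::Write
$writers = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $w) -ne 0) -and
    $_.IdentityReference -notmatch 'Domain Admins|Enterprise Admins|Group Policy Creator Owners|Administrators|SYSTEM|CREATOR OWNER'
}
if ($writers) {
    Write-Warning "Unexpected write access on ${deployed}: $($writers.IdentityReference -join ', ')"
}

# 5. Once the script is added in the GPO editor, the run order is recorded in psscripts.ini
#    (a hidden file one level up, in Machine\Scripts). Print it to confirm the order.
$ini = Join-Path (Split-Path $startupDir -Parent) 'psscripts.ini'
if (Test-Path -Path $ini) { Get-Content -Path $ini }
```

Step 5 only shows something after you have clicked Add in the GPO editor; the copy alone does not register the script with the policy.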

Startup scripts start while services and the network are still initializing, so a script that needs the network (for example, one that reads a file from a share) can fail if it runs too early. Two policies under Computer Configuration -> Administrative Templates -> System control this: "Always wait for the network at computer startup and logon" (in the Logon folder) makes the Group Policy client wait for the network before running startup scripts, and "Specify startup policy processing wait time" (in the Group Policy folder) sets how long it waits. The "Configure Logon Script Delay" policy in the same Group Policy folder applies to user logon scripts, not to startup scripts: on Windows 8.1 / Windows Server 2012 R2 and later, logon scripts are delayed by 5 minutes by default, and this policy lets you set a different delay in minutes (1-2 minutes is usually enough for the desktop and services to come up) or disable the delay altogether.

By default, Windows client operating systems do not allow running PowerShell scripts: the current execution policy, shown by the Get-ExecutionPolicy cmdlet, is Restricted when nothing has been configured (all script files are blocked; Windows Server 2012 R2 and later default to RemoteSigned instead). The execution policy can be set for the whole domain through the "Turn On Script Execution" policy (Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell). Possible policy values:

  • Allow only signed scripts (AllSigned) – only PowerShell scripts with a valid Authenticode signature from a trusted publisher run (see "How to digitally sign a PowerShell script?"); this is the best option from a security perspective;
  • Allow local scripts and remote signed scripts (RemoteSigned) – any local script runs, while scripts downloaded from the Internet (those carrying the Zone.Identifier mark of the web) must be signed;
  • Allow all scripts (Unrestricted) – the least secure option, because any PowerShell script runs (downloaded scripts only trigger a confirmation prompt).
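Before switching the domain to AllSigned it is worth checking, on a client, which execution-policy scope is actually winning and whether the deployed startup script would pass the signature check. The function below is an added example (not from the original article); the script path passed to it is a placeholder. It reads the effective policy, the per-scope list, the registry values that the "Turn On Script Execution" policy writes, and the Authenticode status of the file.

```powershell
function Get-ScriptPolicyReport {
    param([Parameter(Mandatory)][string]$ScriptPath)

    # Scopes are evaluated top-down: MachinePolicy (this GPO), UserPolicy, Process,
    # CurrentUser, LocalMachine. The first scope that is not Undefined wins.
    $scopes    = Get-ExecutionPolicy -List
    $effective = Get-ExecutionPolicy

    # The GPO stores its setting here: EnableScripts = 1 and ExecutionPolicy = the chosen mode.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $gpoValues = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # Authenticode check. Status values of interest:
    #   Valid        - signed by a certificate that chains to a trusted root
    #   NotSigned    - no signature block at all
    #   HashMismatch - signed, but the file was modified afterwards (tampering in SYSVOL)
    $sig = Get-AuthenticodeSignature -FilePath $ScriptPath

    [pscustomobject]@{
        EffectivePolicy        = $effective
        MachinePolicy          = ($scopes | Where-Object Scope -eq 'MachinePolicy').ExecutionPolicy
        GpoEnableScripts       = $gpoValues.EnableScripts
        GpoExecutionPolicy     = $gpoValues.ExecutionPolicy
        SignatureStatus        = $sig.Status
        Signer                 = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # AllSigned needs a Valid signature; a non-interactive startup script additionally
        # needs the signer in Trusted Publishers, otherwise the "trust this publisher?" prompt
        # cannot be answered and the script fails.
        WouldRunUnderAllSigned = ($sig.Status -eq 'Valid')
    }
}

# Assumed path; point it at the script you intend to deploy.
Get-ScriptPolicyReport -ScriptPath 'C:\Scripts\Harden-LegacyProtocols.ps1'
```

A HashMismatch on a script that you know you signed is the result to treat as an incident rather than a deployment bug: it means the copy in SYSVOL no longer matches what was signed.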

If none of the execution policy settings above suits you, you can run PowerShell scripts in Bypass mode (nothing is blocked and no warnings appear).

To do this, configure the script from the Startup -> Scripts tab (not the PowerShell Scripts tab). There you can launch the .ps1 file from an ordinary Startup entry that runs the powershell.exe executable (the same approach that was required before Windows 7, described above). Specify:

  • Script Name: %windir%\System32\WindowsPowerShell\v1.0\powershell.exe
  • Script Parameters: -NonInteractive -ExecutionPolicy Bypass -NoProfile -File %~dp0MyPSScript.ps1


When the entry runs on the client, %~dp0 expands to the directory the script is launched from, i.e. the UNC path of the policy's Startup folder in SYSVOL, so the .ps1 file is found wherever the nearest domain controller is.

As you can see, in this case you have allowed an unsigned PowerShell script to run by passing -ExecutionPolicy Bypass. Keep in mind that the execution policy is not a security boundary: Bypass affects only this powershell.exe process and does not change the machine-wide setting, but it also means the only thing standing between a modified file in SYSVOL and SYSTEM-level execution on every client is the NTFS permissions on that folder. Audit who can write to it.
