Running PowerShell Startup (Logon) Scripts Using GPO

Question

Running PowerShell Startup (Logon) Scripts Using GPO

Will 616

Hi there,

There are two user accounts, one is Administrator; another is normal user.

AD Domain: Windows Server 2019 with GPO <Running PowerShell Logon Scripts>
Client: Windows 10: (A) Use Administrator to login the AD Domain: GPO works well and add registry to HKLM; (B) Use normal User to login the AD Domain: GPO something went wrong and failed to add registry to HKLM.

The (B) situation: I copy the PowerShell to Windows 10 Client and perform the script, I got the error message:

New-Item : Access to the registry key
'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\OneDrive' is denied.
At C:\Users\alanb\Desktop\Handling_OneDrive_REG.ps1:47 char:58

... HKLM:\Software\Policies\Microsoft" | New-Item -Name "OneDrive" -Force

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CategoryInfo : PermissionDenied: (HKEY_LOCAL_MACH...rosoft\OneDrive:S
tring) [New-Item], UnauthorizedAccessException

FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShel
l.Commands.NewItemCommand

New-ItemProperty : Cannot find path 'HKLM:\Software\Policies\Microsoft\OneDrive'
because it does not exist.
At C:\Users\alanb\Desktop\Handling_OneDrive_REG.ps1:50 char:5

New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\OneDriv ...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CategoryInfo : ObjectNotFound: (HKLM:\Software...rosoft\OneDrive:Str
ing) [New-ItemProperty], ItemNotFoundException

FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.NewItemProp
ertyCommand

New-ItemProperty : Cannot find path 'HKLM:\Software\Policies\Microsoft\OneDrive'
because it does not exist.
At C:\Users\alanb\Desktop\Handling_OneDrive_REG.ps1:51 char:5

New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\OneDriv ...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CategoryInfo : ObjectNotFound: (HKLM:\Software...rosoft\OneDrive:Str
ing) [New-ItemProperty], ItemNotFoundException

FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.NewItemProp
ertyCommand

New-ItemProperty : Cannot find path 'HKLM:\Software\Policies\Microsoft\OneDrive'
because it does not exist.
At C:\Users\alanb\Desktop\Handling_OneDrive_REG.ps1:52 char:5

New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\OneDriv ...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CategoryInfo : ObjectNotFound: (HKLM:\Software...rosoft\OneDrive:Str
ing) [New-ItemProperty], ItemNotFoundException

FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.NewItemProp
ertyCommand

I also setup some settings as the following:

the NTFS “Read & Execute” permissions for the Domain Computers group in the ps1 file permissions
setup Computer Configuration -> Administrative Templates -> System -> Group Policy section. Enable the “Configure Logon Script Delay” policy and specify a delay in minutes before starting the logon scripts (sufficient to complete the initialization and load all necessary services). --> 1-2 minutes.
The security settings for running the PowerShell script can be configured via the “Turn On Script Execution” policy (in the GPO Computer Configuration section -> Administrative Templates -> Windows Components -> Windows PowerShell) --> Allow all scripts (unrestricted)

Thanks

Suddhaman 1 Reputation point

2020-08-16T07:27:10.287+00:00

Hi,
Runnin script in the startup for computer base policy, sometimes require administrative permission. You can achieve only by setting the script in a different way. Please check my blog : https://suddhaman.blogspot.com/2020/08/dns-server-ip-address-change-in-client.html

3 answers

Your answer

Suddhaman 1 Reputation point

2020-08-16T07:27:10.287+00:00

Hi,
Runnin script in the startup for computer base policy, sometimes require administrative permission. You can achieve only by setting the script in a different way. Please check my blog : https://suddhaman.blogspot.com/2020/08/dns-server-ip-address-change-in-client.html

Answer 1

Rich Matheisen 47,901

Shouldn't you be using a registry-based policy setting to do this instead of logon scripts? Logon scripts run in the context of the user, and users shouldn't be altering policy settings.

See one of these:
Set-GPPrefRegistryValue
Set-GPRegistryValue

Will 616 Reputation points

2020-10-02T07:02:11.957+00:00

Hi

I post another extend question at https://learn.microsoft.com/en-us/answers/questions/114314/regarding-group-policy-with-powershell.html.

I tried to use the following command along with GPO:

New-ItemProperty -Path $_HKLM -Name SharePointOnPremFrontDoorUrl -Value $_SharePointOnPremFrontDoorUrl -PropertyType String -Force

the new Registry can be added. :(

Answer 2

Anonymous

Hi,
From what you mentioned above, the error was caused by the permission.
Or you can considered to run the script by the schedule task ,and you can assign permission through the schedule task GPO as following,then when the task was running , it will run as system:

You can also select run it once or not as your requirement :

Best Regards,

Anonymous

2020-08-17T01:40:06.187+00:00

Hi,

Just checking in to see if the information provided was helpful.
Please let us know if you would like further assistance.

Best Regards,
Anonymous

2020-08-19T00:50:21.737+00:00
Will 616 Reputation points

2020-10-02T07:02:54.577+00:00

Hi Fan Fan,

I post another problem related this topic at https://learn.microsoft.com/en-us/answers/questions/114314/regarding-group-policy-with-powershell.html
Anonymous

2020-10-05T05:53:34.15+00:00

Hi，
If you want to end this thread, and the answer was helpful for you, you can "Accept as answer" to help other community members find the helpful reply quickly.
If you have a better method to solve it, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.
If there is anything else we can do for you, please feel free to post here.
Best Regards,

Answer 3

Andreas Baumgarten 123.4K MVP Volunteer Moderator

It looks like the "normal user" does not have access to the Registry key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\OneDrive'
Maybe it's worth a try to allow the user the access to the Registry key.

Maybe this is helpful.

Regards

Andreas Baumgarten

(Please don't forget to Accept as answer if the reply is helpful)

Will 616 Reputation points

2020-10-02T06:58:51.973+00:00

Hi Andreas Baumgarten,

Thanks your information. I post another related question at https://learn.microsoft.com/en-us/answers/questions/114314/regarding-group-policy-with-powershell.html.

If I used GPO with PowerShell to do some job, the Execution account will be System account, I am realize that the account should have permission to do this.

Share via

Running PowerShell Startup (Logon) Scripts Using GPO

3 answers

Your answer