Creating the GPO to Deploy the Script

Applies To: Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

This topic describes the steps involved in configuring a PowerShell script that creates a remote access connection. Note that this step is not specific to remote access and is like configuring any other PowerShell script. The example illustrates configuring the script to run at logon time. Group Policy also enables you to run scripts at user logoff, and at computer startup and shutdown.

To configure a PowerShell script as a logon script

  1. Share the PowerShell script and its associated data XML file on a network share that can be accessed and read by all users that are assigned the script. In this example, the files are placed in a network share called \\\scripts. Read and Execute permissions are granted to the Authenticated Users group.

  2. Open Group Policy Management Console (GPMC), and then use it to find and edit the GPO that you want to modify. Create a new GPO if required. The example in the following figure shows a GPO named “VPN Connection Policy Object.” Ensure that the GPO is linked to either the domain or another container that contains the user accounts that you want to run the script.

  3. In Group Policy Management Editor, in the navigation pane, expand User Configuration, expand Policies, expand Windows Settings, and then click Scripts (Logon/Logoff).

  4. In the details pane, right-click Logon, and then click Properties.

  5. On the Logon Properties dialog box, on the Scripts tab, click Add.

  6. In the Add a Script dialog box, in the Script Name text box, type:


    In the Script Parameters text box, type the following command, substituting the appropriate network path to your copy of the files.

    -noninteractive -command \\\scripts\Create-Conn.ps1 \\\scripts\VPNSettings.xml


    Even though the input above might wrap to more than one line when displayed here, enter it as a single line.

  7. When you have entered the paths, click **OK** twice to save your settings.


After this GPO is updated on a computer, the configured PowerShell script runs every time a domain user logs on to that computer.


When editing a GPO on a computer that is running Windows 7 or Windows Server 2008 R2, there is a PowerShell Scripts tab on which you can directly specify a script name and parameters without having to identify the powershell.exe program. However, this option works only on client computers that are running Windows 7 or Windows Server 2008 R2. This guide uses the more general Scripts tab to be compatible with computers that are running earlier versions of Windows.
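Because the script on the share runs at logon for every user the GPO applies to, anyone who can modify Create-Conn.ps1, VPNSettings.xml, or the folder that holds them controls what those users run. The following check is an added example, not part of the original topic; the server name `SERVER`, the trusted-writer list, and the function name `Get-WritableAce` are assumptions to adapt to your environment.

```powershell
# Added example: list principals, other than trusted administrators, that can
# modify the logon script, its data file, or the folder that holds them.
# Get-Acl reads NTFS permissions only; review share-level permissions separately.
$ScriptShare    = '\\SERVER\scripts'      # placeholder: path to your script share
$Files          = 'Create-Conn.ps1', 'VPNSettings.xml'
$TrustedWriters = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'   # assumption

# Rights that allow changing content, replacing a file, or rewriting its ACL.
# 0x50000000 adds the raw GENERIC_WRITE and GENERIC_ALL bits that can appear
# on inherit-only entries of a folder.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights](
    'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
) -bor 0x50000000

function Get-WritableAce {
    param([string]$Path)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow')                  { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        if ($TrustedWriters -contains $who)                      { continue }
        # Anything that reaches this point is a write-capable grant to a
        # principal outside the trusted list.
        New-Object PSObject -Property @{
            Path      = $Path
            Identity  = $who
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Check the folder as well as the files: write access to the folder is enough
# to replace the script.
$targets  = @($ScriptShare) + ($Files | ForEach-Object { Join-Path $ScriptShare $_ })
$findings = @($targets | ForEach-Object { Get-WritableAce -Path $_ })

if ($findings.Count -eq 0) {
    Write-Output 'OK: only trusted principals can modify the logon script files.'
} else {
    $findings | Format-Table Identity, Rights, Inherited, Path -AutoSize
}
```

With the permissions described in step 1, Authenticated Users holds only Read and Execute and does not appear in the output; any row naming a broad group such as Authenticated Users, Everyone, or Domain Users should be corrected before the GPO is linked.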
