Don't allow Powershell to run interactively, still run .ps1 with Task Scheduler

    Question

  • Hello,

    I need to disable PowerShell from running interactively for student AD accounts. I also need a PowerShell script to run on student computers via Task Scheduler/GPO.

    I can get both of these to work, but can they be configured together?

    If I use GP Preferences to 'Don't run specified Windows applications' and prevent PowerShell from opening as User configuration... what are the options to still run my script (stored locally on the user device) via Task Scheduler?

    Using a service account with the ability to 'Run whether user is logged in or not' would achieve this, but it is no longer available.

    This PowerShell script writes to a SQL server. The task needs network credentials, I presume.

    Thank you for any advice!

    Tuesday, May 2, 2017 5:13 PM

Answers

  • I got around this by compiling the .ps1 scripts into an exe. No more need for PowerShell to run.

    Thank you

    • Marked as answer by CreedCor Thursday, May 4, 2017 5:40 PM
    Thursday, May 4, 2017 5:40 PM

All replies

  • Can you use AppLocker? What Windows version are you running? If you can use AppLocker, you could simply block the running of %windir%\system32\WindowsPowerShell\v1.0\powershell.exe for a certain Active Directory group and get the results you need.

    Also, if your GPO isn't targeted at the user account you're using for your scheduled task, your preferences won't matter as they never got applied at all. What you should be looking at is the User Rights Assignment section: give this network account (the one that's used for running the task) the correct permissions to run scheduled tasks on the targeted computers, that'll be Logon as a batch job.

    Tuesday, May 2, 2017 5:24 PM
  • Hi Narcoticoo,

    Thank you for your time!

    I am not sure I follow everything you posted. Basically, I need to prevent users in a particular OU from running PowerShell interactively, which I can do with AppLocker or GP Preference - that is fine.

    I also need to run a Scheduled Task on their machines, which starts a PowerShell script. I need that task to run as a user that a) can run PowerShell, b) has access to network resources and c) is not logged into their computer.

    That is the part I am hung up on.

    I could not find the 'User Rights Assignment section'.

    Can this be done?

    Thank you!!

    Tuesday, May 2, 2017 8:42 PM
  • Hi,

    To my knowledge, we cannot disable the console and still run scripts, because the scripts run within the PowerShell console; it is like trying to run a .bat/.cmd file after disabling CMD.exe.

    The thread below discussed a similar requirement:

    Disable interative powershell console but allow scripts

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/7b6c646f-0afe-49cb-b5f9-9d5bf555c771/disable-interative-powershell-console-but-allow-scripts?forum=winserverpowershell

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, May 3, 2017 12:41 AM
    Moderator
  • Sure that can be done. I'd create a computer GPO object targeted at the computers in the OU that:

    • Has AppLocker enabled so that powershell.exe is blocked from running for standard users (Everyone group) and allowed to run for this particular user account you're using for your task. AppLocker configuration can be found under Computer Settings -> Windows Settings -> Security Settings -> Application Control Policies -> AppLocker -> Executable Rules
    • Has user rights assignments configured so that Logon as a batch job is allowed for that particular user account. This configuration can be found under Computer Settings -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment ...be careful though: if you have multiple GPOs that are also targeted at these computers and have this setting configured, the one with the highest precedence will win, and these settings are not cumulative, so if there are other accounts or groups configured in other GPOs, you'll need to add those as well to your new customized GPO. This has been discussed here: https://social.technet.microsoft.com/Forums/windowsserver/en-US/5f1721bc-54a9-4f77-9f1a-e3864345f92d/will-multiple-gpos-in-which-user-right-assignment-is-configured-with-different-users-for-same

    And of course you'll need the user account for running the task, I'd create a standard user account which has the privileges in the resources you're referring to.

    Wednesday, May 3, 2017 3:09 AM
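    The design Narcoticoo describes (powershell.exe denied for students, allowed for one task account, that account holding Logon as a batch job, the task registered with stored credentials) can be checked on a target PC with the script below. It is an added example, not code from either poster; the domain EXAMPLE, the accounts svc-studentsql and student01, the task name and the script path are placeholders.

```powershell
# Added example, not from the thread. Run elevated on a student PC after the GPO has applied.
# Placeholders: EXAMPLE domain, EXAMPLE\svc-studentsql (task account), EXAMPLE\student01, C:\Scripts\Report.ps1
$PowerShellExe = "$env:windir\System32\WindowsPowerShell\v1.0\powershell.exe"
$TaskAccount   = 'EXAMPLE\svc-studentsql'
$StudentUser   = 'EXAMPLE\student01'

# 1. Effective AppLocker policy: powershell.exe should be Denied for a student and Allowed
#    for the task account. Test-AppLockerPolicy evaluates the rules for the named user
#    without launching anything.
$policy = Get-AppLockerPolicy -Effective -Xml
foreach ($u in @($StudentUser, $TaskAccount)) {
    $result = Test-AppLockerPolicy -XmlPolicy $policy -Path $PowerShellExe -User $u
    '{0,-28} {1}' -f $u, $result.PolicyDecision
}

# 2. "Log on as a batch job" (SeBatchLogonRight): a task that runs while its account is not
#    logged on needs it. secedit exports the effective local policy, where the right is
#    listed as SIDs prefixed with '*'. Remember: the GPO with highest precedence wins,
#    so the exported line shows what actually applied.
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$batchLine = Select-String -Path $cfg -Pattern '^SeBatchLogonRight' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue
$taskSid = (New-Object System.Security.Principal.NTAccount($TaskAccount)).
    Translate([System.Security.Principal.SecurityIdentifier]).Value
if ($batchLine -and $batchLine.Line -match [regex]::Escape($taskSid)) {
    "Batch logon right granted to $TaskAccount"
} else {
    "WARNING: $TaskAccount lacks SeBatchLogonRight; the task will fail to start"
}

# 3. Register the task under the dedicated account with a stored password, so it runs
#    whether or not a student is logged on and keeps network credentials for the SQL write.
#    -RunLevel Limited keeps it at standard-user privilege; only AppLocker's allow rule for
#    this account lets powershell.exe start.
$cred    = Get-Credential -UserName $TaskAccount -Message 'Task account password'
$action  = New-ScheduledTaskAction -Execute $PowerShellExe `
    -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Report.ps1'
$trigger = New-ScheduledTaskTrigger -Daily -At '07:00'
Register-ScheduledTask -TaskName 'StudentSqlReport' -Action $action -Trigger $trigger `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password -RunLevel Limited
```

    Step 1 printing Denied for the student and Allowed for the task account confirms the two AppLocker rules are in effect; a Denied for the task account means the allow rule is missing or outranked.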
  • In all of my research, this cannot be done. Not because of disabling powershell, but because the Scheduled Task will not work under any user account that is not logged into the system, unless it has access to only local resources.

    I obviously need access to network resources, and Microsoft have taken this ability away instead of fixing their vulnerability.

    Thursday, May 4, 2017 4:02 PM
  • I got around this by compiling the .ps1 scripts into an exe. No more need for PowerShell to run.

    Thank you

    • Marked as answer by CreedCor Thursday, May 4, 2017 5:40 PM
    Thursday, May 4, 2017 5:40 PM
  • Like I said, you'd need a standard user account to accomplish this. I don't see how running an .exe differs, unless you've hardcoded your credentials into it.
    Friday, May 5, 2017 3:33 AM