Using group policy to run a powershell script on logon doesn't seem to work

    Question

  • I'm trying to run the following script:

    echo "Hello, World!"
    echo "Hello, World!" >> ~/Desktop/helloWorld

    as a test to determine if the setting actually works under:

    User Configuration > Windows Settings > Scripts (Logon/Logoff) > Logon

    I would expect the script to start a PowerShell instance and write "Hello, World!" to it, then create a file on the desktop of the user with the group policy set. I don't see either of those things happening though. Is this just because scripts are run before a user's home directory is initialized, or is it because the script isn't actually being run at all?

    To be clear, I have set it to allow scripts to be run; and when I manually run the script, it behaves as I expect.


    J. Duke Rogers Communicore Technologies & Triangle Forensics

    Monday, June 20, 2016 9:29 PM

All replies

  • Hi Rogers,

    Thanks for your post.

    To assign a logon script for a user:

    1. Create a folder and share it with those users who need it applied
    2. Copy the script to the shared folder
    3. Add the script to the logon script setting with a UNC path

    Here is an article below about how to assign user logon script for your reference.

    Assign user logon script

    https://technet.microsoft.com/en-us/library/cc770908(v=ws.11).aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, June 21, 2016 1:58 AM
    Moderator
  • I have the GPO set up like you've shown and the script is in an accessible location. I can manually navigate to the script under the user over the network and run it. 

    In addition, I have checked the GP Results Wizard, which says the policy is applying properly with no issues. 

    Despite all of this, the script does not appear to be running automatically on logon. 


    J. Duke Rogers Communicore Technologies & Triangle Forensics

    Tuesday, June 21, 2016 1:15 PM
  • Hi Rogers,

    First, I suggest you run gpupdate /force, then log off and log on again.

    If the policy still does not work, I suggest you run GPresult /h C:\gpresult.html and post it to us for further research.

    Best Regards,

    Jay



    Wednesday, June 22, 2016 1:33 AM
    Moderator
  • I'm not sure how you want me to post it for you but you can download the html generated from here: https://gist.github.com/anonymous/912d3a087ec0317625b60f07100e42bf

    J. Duke Rogers Communicore Technologies & Triangle Forensics

    Wednesday, June 22, 2016 1:38 PM
  • Hi Rogers,

    The file should look like below.

    Best Regards,

    Jay



    Thursday, June 23, 2016 2:16 AM
    Moderator
  • I linked the html for that. I can take a screenshot of it too but I can't post it here because it's longer than the limit imposed by the forum.

    J. Duke Rogers Communicore Technologies & Triangle Forensics

    Thursday, June 23, 2016 1:22 PM
  • Hi Rogers,

    If so, I suggest you split it in two or three, then post it.

    Thank you.

    Best Regards,

    Jay



    Monday, June 27, 2016 1:10 AM
    Moderator
  • Here's a stitched together screenshot


    J. Duke Rogers Communicore Technologies & Triangle Forensics

    Monday, June 27, 2016 2:59 PM
  • Hi Rogers,

    I did not see any information about logon script setting in the screenshot which you provided.

    The script setting in gpresult should be like below:

    In my opinion, this may be because you did not configure it in the proper way.

    Would you tell us the GPO name for the logon script? Has it been denied?

    Or has the path of the PowerShell file been blocked by a software restriction policy?

    Best Regards,

    Jay



    Tuesday, June 28, 2016 5:37 AM
    Moderator
  • The GPO is "Powershell Font Test" (the first one) and one of the other settings it applies (which is applying) is the "Allow Script Execution" setting. The software restrictions and path restrictions are not blocking execution or location, especially since I can run the script manually from the same location as is set in the GPO. 

    J. Duke Rogers Communicore Technologies & Triangle Forensics

    Tuesday, June 28, 2016 7:37 PM
  • Hi Rogers,

    If so, I think you need to check whether the computer has applied any GPOs which have configured Loopback mode for the computer.

    The path of the loopback mode setting:

    Computer Configuration\Administrative Templates\System\Group Policy\Configure user group policy loopback processing mode

    Best Regards,

    Jay



    Wednesday, June 29, 2016 5:41 AM
    Moderator
  • We do have Loopback Mode set, however we do need it to be set.

    J. Duke Rogers Communicore Technologies & Triangle Forensics

    Thursday, June 30, 2016 2:26 PM
  • Hi Rogers,

    The Loopback processing setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this policy. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user policy based on the computer that is being used.

    So, the user configuration not applying is expected behavior.

    For more information about Loopback processing, you could refer to the article below.

    Loopback Processing Mode

    https://technet.microsoft.com/en-us/library/cc978513.aspx

    Best Regards,

    Jay



    • Proposed as answer by Jay Gu (Moderator) Monday, July 4, 2016 5:12 AM
    • Marked as answer by Jay Gu (Moderator) Wednesday, July 6, 2016 8:33 AM
    • Unmarked as answer by jdroger2 Wednesday, July 6, 2016 1:46 PM
    Friday, July 1, 2016 1:31 AM
    Moderator
  • We have the Loopback Processing set to Replace and we will switch it to Merge to see if that works for us. If it doesn't work, is there a way to make Loopback Processing Mode and the GPO we're using work nicely together?

    J. Duke Rogers Communicore Technologies & Triangle Forensics

    Tuesday, July 5, 2016 1:12 PM
  • Hi Rogers,

    In my opinion, it will work when you enable Loopback Processing and set it to Merge, because in Merge mode, the user policies normally applied to the user are combined. If the policy settings conflict, the user policies in the computer's Group Policy objects take precedence over the user's normal policies.

    Best Regards,

    Jay



    Wednesday, July 6, 2016 12:44 AM
    Moderator
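
Added example, not part of the original thread: the loopback discussion above turns on which mode the client actually received and whether the logon script was ever registered for the user. This read-only PowerShell check, run as the affected user on the affected computer, reports both; the registry locations are where the Group Policy client records these settings and are not quoted from the thread.

```powershell
# Read-only diagnostic; changes nothing on the machine.

# 1. Loopback processing mode delivered by computer policy.
#    UserPolicyMode: 1 = Merge, 2 = Replace, value absent = not configured.
$sysKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$mode = (Get-ItemProperty -Path $sysKey -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
$modeName = switch ($mode) {
    1       { 'Merge' }
    2       { 'Replace' }
    default { 'Not configured' }
}
"Loopback processing mode: $modeName"

# 2. Logon scripts that Group Policy registered for the current user.
#    One subkey per GPO, one subkey per script beneath it.
$logonKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon'
if (-not (Test-Path -Path $logonKey)) {
    'No GPO logon scripts are registered for this user.'
} else {
    Get-ChildItem -Path $logonKey | ForEach-Object {
        $gpo = Get-ItemProperty -Path $_.PSPath
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            $script = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                GPO         = $gpo.DisplayName   # friendly name of the source GPO
                FileSysPath = $gpo.FileSysPath   # SYSVOL location of that GPO
                Script      = $script.Script     # path as entered in the policy
                Parameters  = $script.Parameters
            }
        }
    } | Format-Table -AutoSize -Wrap
}
```

If the mode reads Replace and the script's GPO is missing from the second list, the user-side GPO was replaced by the computer's user policy and the script was never scheduled to run.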
  • Hi Rogers,

    Has it worked after changing the Loopback processing mode to Merge?

    If the problem has been resolved, please mark a helpful reply as answer as it would be helpful to anyone who encounters a similar issue.

    Thank you.

    Best Regards,

    Jay



    Thursday, July 7, 2016 6:23 AM
    Moderator
  • We have set all instances of loopback processing mode to merge and the issue is still occurring.


    J. Duke Rogers Communicore Technologies & Triangle Forensics

    Monday, July 25, 2016 2:25 PM
  • Hi Rogers,

    I suggest you disable the loopback mode temporarily.

    And enable it after the script has been applied.

    Best Regards,

    Jay



    Tuesday, July 26, 2016 2:40 AM
    Moderator