Logon Script restrictions for PowerShell?

    Question

  • Hi,

    when using a PowerShell script as a User Logon Script, it's not possible to list mapped network drives with this code:

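    # DriveType = 4 selects network (mapped) drives
    $wmifoo = Get-WMIObject -query "Select * From Win32_LogicalDisk Where DriveType = 4"
    foreach ($foo in $wmifoo) {
        # $(...) is needed to expand a property inside a double-quoted string
        echo "found: $($foo.DeviceID)"
    }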

    ...but when running the script through the PowerShell console, the code works as expected.

    Is this a known limitation or do I need to change some security setting for this to work?

    Thanks

    - fraenki


    • Edited by fraenki Tuesday, June 21, 2016 8:26 PM
    Tuesday, June 21, 2016 3:45 PM

Answers

  • Sometimes the cause may be that the GPO is not applied at all for some reason.
    So first, please check whether the group policy is applied on the clients successfully; you could run gpresult /h to view the result.

    It turns out that the issue was related to the user's group membership. The user was a member of the group "Power Users", but not a member of the group "Users" (or any other group).

    According to an article from Microsoft, the group "Power Users" has "no default user rights", while the group "Users" has rights to "perform common tasks, such as running applications, using local and network printers".

    The solution was to add my user(s) to the group "Users". This immediately solved the issue and allowed User Logon Scripts to perform all required tasks.

    Regards

    - fraenki

    • Marked as answer by fraenki Wednesday, June 29, 2016 7:58 AM
    Wednesday, June 29, 2016 7:57 AM
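
A diagnostic for the condition described in the answer above, as an added example that is not code from the thread: it records whether the logon token carries the built-in "Users" and "Power Users" groups and which mapped drives the session can see. The function name `Test-LogonScriptContext` and the log path are assumptions; it targets Windows PowerShell, where `Get-WmiObject` is available.

```powershell
# Added example (not from the original thread). Run it as, or from, the user
# logon script; output goes to a file because logon scripts have no console.
function Test-LogonScriptContext {
    param(
        # Hypothetical log location; adjust to your environment.
        [string]$LogPath = (Join-Path $env:TEMP 'logonscript-diag.log')
    )

    # Well-known SIDs instead of names, so the check also works on localized Windows.
    $wellKnown = [ordered]@{
        'BUILTIN\Users'       = 'S-1-5-32-545'
        'BUILTIN\Power Users' = 'S-1-5-32-547'
    }

    # Groups present in the access token the script is actually running with.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($identity.Groups | ForEach-Object { $_.Value })

    $lines = @("$(Get-Date -Format s) user=$($identity.Name)")
    foreach ($name in $wellKnown.Keys) {
        $present = $tokenSids -contains $wellKnown[$name]
        $lines  += "group '$name' in token: $present"
    }
    if ($tokenSids -notcontains $wellKnown['BUILTIN\Users']) {
        $lines += "WARNING: token lacks BUILTIN\Users (the condition reported in the answer)"
    }

    # Same WMI query as in the question; failures are logged instead of lost.
    try {
        $query  = "Select * From Win32_LogicalDisk Where DriveType = 4"
        $drives = @(Get-WmiObject -Query $query -ErrorAction Stop)
        if ($drives.Count -eq 0) {
            $lines += 'mapped drives: none visible to this session'
        }
        foreach ($d in $drives) {
            $lines += "mapped drive: $($d.DeviceID) -> $($d.ProviderName)"
        }
    } catch {
        $lines += "WMI query failed: $($_.Exception.Message)"
    }

    $lines | Out-File -FilePath $LogPath -Append -Encoding UTF8
    return $lines
}

Test-LogonScriptContext
```

Comparing the log written at logon with the output of the same function in an interactive console shows whether the two sessions differ in token groups or only in drive visibility.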

All replies

  • Hi fraenki,
    Sometimes the cause may be that the GPO is not applied at all for some reason.
    So first, please check whether the group policy is applied on the clients successfully; you could run gpresult /h to view the result.
    Regards,
    Wendy

    Wednesday, June 22, 2016 3:09 AM
    Moderator