Cannot start Powershell script via GP

    Question

  • Hi all)

    I have a PowerShell script that is configured for Computer objects and it works well.

    But I need to run a PowerShell script for specific users. So I configured PowerShell as a startup script in the GPO. The GPO applies fine because I see it in gpresult, but the script doesn't work.

    My script is only one string that copies a shortcut to the user's desktop. This string works well if I launch it from the user's PowerShell (not administrator). But if I launch this script from Group Policy I get a message about a security warning. I configured "Do not preserve zone information in file attachments". Execution policy is totally Unrestricted.

    And if I run this script and, after I see the security warning, I press "Run once", it works well.

    Please help.

    • Edited by Dissonance Friday, February 6, 2015 12:00 PM
    Friday, February 6, 2015 11:57 AM

Answers

  • Well. I sorted it out!

    After I changed my script so that the ps1 file is copied to drive C and then cmd launches it from the C drive, it works well.

    Pause happens because of other policies.

    • Marked as answer by Dissonance Thursday, February 12, 2015 8:45 AM
    Thursday, February 12, 2015 8:45 AM

All replies

  • > But I need to run a PowerShell script for specific users. So I configured
    > PowerShell as a startup script in the GPO. The GPO applies fine because I see it
    > in gpresult, but the script doesn't work.
     
    Startup scripts don't run for users, they run for computers only :)
     
    > administrator). But if I launch this script from Group Policy I get
    > a message about a security warning.
     
    Which message exactly?
     
     

    Martin

    How about reading a GOOD book on GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Friday, February 6, 2015 1:10 PM
  • Sorry, I meant I configured a logon script, not startup.

    The warning asks whether you are sure you trust this script: run once, do not run.

    I found on the Internet that it's because the restriction policy is set to Unrestricted and we need the Bypass policy. From GPO we can only set it to Unrestricted. I made a test and tried a bat file instead of ps. It worked, but I need PowerShell.

    Saturday, February 7, 2015 12:22 PM
  • > Unrestricted. I made a test and tried a bat file instead of ps. It
    > worked, but I need PowerShell.
     
    Run your PS from a cmd file and append "-executionpolicy bypass". Run
    this cmd as a logon script.
     

    Martin

    Monday, February 9, 2015 9:28 AM
  • Hi.

    I tried as you said. It's unsuccessful. Group Policy applied (gpresult shows). But PS script was not executed.

    I tried to launch it manually. The result is on the screenshot.

    Wednesday, February 11, 2015 9:21 AM
  • > I tried to launch it manually. The result is on the screenshot.
     
    Seems this file has an alternate data stream with a zone identifier of
    "Internet" :) Sysinternals "streams" or Explorer "properties" to clean it.
     

    Martin

    Wednesday, February 11, 2015 12:40 PM
  • I made a batch file that copies it to the local drive and the script works well. But it doesn't work from GPO((
    Wednesday, February 11, 2015 4:17 PM
  • Hi,

    >>I made a batch file that copies it to the local drive and the script works well. But it doesn't work from GPO((

    Based on the description, please try to enable the following policy setting and choose the option Allow all scripts to see if it helps:

    Computer Configuration\Administrative Templates\Windows Components\Windows PowerShell\Turn On Script Execution

    If the issue persists, please try to use the PowerShell command Unblock-File to explicitly unblock the file to see if it helps.

    Regarding the Unblock-File command, the following article can be used as a reference.

    Unblock-File

    https://technet.microsoft.com/en-us/library/hh849924.aspx

    In addition, if the issue persists, in order to get more assistance, we can also try to ask for suggestions in the following PowerShell forum.

    Windows PowerShell

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverpowershell

    Best regards,

    Frank Shen



    Thursday, February 12, 2015 2:56 AM
    Moderator
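
An added example, not part of any reply in this thread: a PowerShell function that reports which script files in a folder carry the Zone.Identifier alternate data stream mentioned above and which zone it records, so the mark can be reviewed before Unblock-File is used. The function name `Get-ScriptZone` and the folder `C:\Scripts` are assumptions made for illustration.

```powershell
# Added example (not from the thread). Requires PowerShell 3.0+ and NTFS.
# Lists script files and the zone recorded in their Zone.Identifier
# alternate data stream, if one exists.
function Get-ScriptZone {
    param(
        [Parameter(Mandatory = $true)]
        [string] $Path   # folder to inspect (hypothetical; supplied by the caller)
    )

    # URL security zone numbers as written into the ZoneId= line of the stream.
    $zoneNames = @{
        0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
        3 = 'Internet';      4 = 'Restricted sites'
    }

    Get-ChildItem -Path $Path -Recurse -File -Include *.ps1, *.cmd, *.bat |
        ForEach-Object {
            $zoneId = $null
            # Get-Item -Stream raises an error when the stream is absent; silence that case.
            $ads = Get-Item -LiteralPath $_.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
            if ($ads) {
                $text = Get-Content -LiteralPath $_.FullName -Stream 'Zone.Identifier' -Raw
                if ($text -match 'ZoneId\s*=\s*(\d+)') { $zoneId = [int]$Matches[1] }
            }
            [pscustomobject]@{
                Path     = $_.FullName
                Marked   = [bool]$ads
                ZoneId   = $zoneId
                ZoneName = if ($null -ne $zoneId) { $zoneNames[$zoneId] } else { $null }
            }
        }
}

# Report first, then clear the mark only on files whose content has been reviewed.
# C:\Scripts is a placeholder path, not one taken from the thread.
if (Test-Path -LiteralPath 'C:\Scripts') {
    $report = Get-ScriptZone -Path 'C:\Scripts'
    $report | Format-Table -AutoSize
    $report | Where-Object { $_.Marked } |
        ForEach-Object { Unblock-File -LiteralPath $_.Path }
}
```
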
  • When you create the GPO, under:
    Computer Configuration > Policies > Windows settings > Scripts > Startup > PowerShell Scripts
    Click Show Files and copy your script there. Then, click Add and add the script to the list. You do not have to change the execution policy as the GPO will override that.

    You may wish to add logging to the script to see if it's actually being executed. For example, just have the script write out some message to a file.
    Thursday, August 13, 2015 7:47 PM
  • This actually does not help, as the block-file command is needed to unblock this script to run. But this cannot be done from the GPO end, so copying and running locally seems to be the feasible option. This is the case with the Windows 2016 Core version too.


    PREM RANA


    Monday, June 25, 2018 11:06 AM