Cannot start Powershell script via GP

    Question

  • Hi all)

    I have a PowerShell script that is configured for Computer objects and it works well.

    But I need to run a PowerShell script for specific users. So I configured PowerShell as a startup script in the GPO. The GPO applies fine because I see it in gpresult, but the script doesn't work.

    My script is only one string that copies a shortcut to the user desktop. This string works well if I launch it from PowerShell as the user (not administrator). But if I launch this script from Group Policy I get a message about a security warning. I configured "Do not preserve zone information in file attachments" (User Configuration/Administrative Templates/Windows Components/Attachment Manager). Execution policy is totally Unrestricted.

    And if I run this script and, after I see the security warning, press "Run once", it works well.

    Please help.

    • Edited by Dissonance Friday, February 06, 2015 12:00 PM
    Friday, February 06, 2015 11:57 AM

Answers

  • Well. I sorted it out!

    After I changed my script so that the ps1 file is copied to drive C and then cmd launches it from the C drive, it works well.

    Pause happens because of other policies.

    • Marked as answer by Dissonance Thursday, February 12, 2015 8:45 AM
    Thursday, February 12, 2015 8:45 AM

All replies

  • > But I need to run Power shell script for specific users. So I configured
    > powershell as startup script in GPO. GPO applies good because I see it
    > in gpresult but script doesn't work.
     
    startup scripts don't run for users, they run for computers only :)
     
    > administrator). But If I launch this script from group policy I got
    > message about security warning.
     
    Which message exactly?
     
     

    Martin

    Want to read a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Friday, February 06, 2015 1:10 PM
  • Sorry, I meant I configured a Logon script, not startup.

    The warning asks whether you are sure you trust this script: run once, do not run.

    I found on the Internet that it's because the restriction policy is set to Unrestricted and we need the Bypass policy. From GPO we can only set it to Unrestricted. I made a test and tried a bat file instead of ps. It worked, but I need PowerShell.

    Saturday, February 07, 2015 12:22 PM
  • > Unrestricted. I made a test and tried a bat file instead of ps. It
    > worked, but I need PowerShell.
     
    Run your PS from a cmd file and append "-executionpolicy bypass". Run
    this cmd as a logon script.
     

    Martin

    Monday, February 09, 2015 9:28 AM
  • Hi.

    I tried as you said. It's unsuccessful. Group Policy applied (gpresult shows). But PS script was not executed.

    I tried to launch it manually. The result is on the screenshot.

    Wednesday, February 11, 2015 9:21 AM
  • > I tried to launch it manually. The result is on the screenshot.
     
    Seems this file has an alternate data stream with a zone identifier of
    "Internet" :) Sysinternals "streams" or Explorer "properties" to clean it.
     

    Martin

    Wednesday, February 11, 2015 12:40 PM
  • I made a batch file that copies it to the local drive and the script works well. But it doesn't work from GPO((
    Wednesday, February 11, 2015 4:17 PM
  • Hi,

    >>I made a batch file that copies it to the local drive and the script works well. But it doesn't work from GPO((

    Based on the description, please try to enable the following policy setting and choose the option Allow all scripts to see if it helps:

    Computer Configuration\Administrative Templates\Windows Components\Windows PowerShell\Turn On Script Execution

    If the issue persists, please try to use the PowerShell command Unblock-File to explicitly unblock the file to see if it helps.

    Regarding the Unblock-File command, the following article can be used as a reference.

    Unblock-File

    https://technet.microsoft.com/en-us/library/hh849924.aspx

    In addition, if the issue persists, in order to get more assistance, we can also try to ask for suggestions in the following PowerShell forum.

    Windows PowerShell

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverpowershell

    Best regards,

    Frank Shen



    Thursday, February 12, 2015 2:56 AM
    Moderator
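
The replies above point at two separate causes for the "Run once / Do not run" prompt: a Zone.Identifier alternate data stream on the file, and the script being started from a network path under the Unrestricted policy. The following is an added example, not code from the thread, that reports both for a given script together with the effective execution policy; the function name `Get-ScriptTrustInfo`, the script path and the log file name are assumptions.

```powershell
# Added example (not from the thread). Reports why a script may trigger the
# "Run once / Do not run" prompt. Function name and paths are placeholders.
function Get-ScriptTrustInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Under Unrestricted, PowerShell warns before running scripts that are not
    # from the Local intranet zone. A UNC path is zone-mapped by Windows, so it
    # can prompt even when the file carries no Zone.Identifier stream.
    $isUnc = ([System.Uri]$item.FullName).IsUnc

    # Mark of the Web: NTFS alternate data stream "Zone.Identifier" holding a
    # line such as "ZoneId=3" (3 = Internet). Unblock-File removes this stream.
    $zoneId = $null
    $stream = Get-Item -LiteralPath $item.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if ($stream) {
        $line = Get-Content -LiteralPath $item.FullName -Stream 'Zone.Identifier' |
            Where-Object { $_ -match '^ZoneId=\d+' } | Select-Object -First 1
        if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
    }

    [pscustomobject]@{
        Path              = $item.FullName
        IsUncPath         = $isUnc
        HasZoneIdentifier = [bool]$stream
        ZoneId            = $zoneId
        EffectivePolicy   = Get-ExecutionPolicy
        PolicyByScope     = (Get-ExecutionPolicy -List |
            ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join '; '
        Signature         = (Get-AuthenticodeSignature -FilePath $item.FullName).Status
    }
}

# Run as the affected user: once against the share copy, once against the
# local copy, and compare IsUncPath / ZoneId between the two results.
$info = Get-ScriptTrustInfo -Path 'C:\Scripts\CopyShortcut.ps1'   # placeholder path
$info | Format-List

# Append the result to a log so a run started by Group Policy can be checked later.
$info | Out-String | Add-Content -Path (Join-Path $env:TEMP 'logon-script-trust.log')
```

A result with `IsUncPath = True` and no `ZoneId` indicates the prompt comes from the network location rather than from a downloaded-file mark, which matches the fix of copying the script to the local drive before running it.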
  • When you create the GPO, under:
    Computer Configuration > Policies > Windows settings > Scripts > Startup > PowerShell Scripts
    Click Show Files and copy your script there. Then, click Add and add the script to the list. You do not have to change the execution policy as the GPO will override that.

    You may wish to add logging to the script to see if it's actually being executed. For example, just have the script write out some message to a file.
    Thursday, August 13, 2015 7:47 PM