PowerShell script will not run at logon

  • Question

  • I have created a PowerShell script to stop a service at logon for specific user accounts. The script is distributed via group policy (User Config > Policies > Windows Settings > Scripts > Logon). The script is located in a file location that all users have read and write access to, the script has been signed, the execution policy is such that it will allow signed scripts, I have added the appropriate users to the scope, and I have added Authenticated Users (read) to delegation. Every time I do a gpupdate and gpresult I get the error "Access Denied (Security Filtering)" for this policy.

    The policy is on a 2012 server and it is going to a Windows 7 Professional client.

    The policy is linked to the domain.

    I am not sure what is causing the access denied error, but would greatly appreciate some help.

    Monday, September 12, 2016 12:40 PM

Answers

  • Hi,

    you need to give the Domain-Computers group read permission on the GPO. Otherwise, they can't read it. Microsoft changed the system so that a user on logon asks his computer to retrieve the policy. This means, if the computer account doesn't have read permissions on GPO and folder, it cannot do this.

    Cheers,
    Fred

    PS: Other than that, stopping services usually requires local admin and elevation. This will only work the way you do this when the users in question have admin privileges and UAC is disabled (bad idea).

    You could propagate a scheduled task with logon trigger - that would do the trick if set up correctly.


    There's no place like 127.0.0.1


    Monday, September 12, 2016 12:53 PM
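The following is an added example (not part of the thread, not Fred's or the asker's code) that checks and repairs the three things the answer above turns on, from an admin PowerShell session on the 2012 server with the GroupPolicy (GPMC/RSAT) module installed. The GPO name and UNC script path are placeholders. Since MS16-072 (June 2016) the client retrieves user-side policy in the computer account's security context, so a User Configuration GPO that only Authenticated Users can read fails with "Access Denied (Security Filtering)" when that group was removed or never granted; the script grants Domain Computers Read if no computer-readable trustee is present, confirms the Authenticode signature the AllSigned policy will check, and flags the world-writable script location mentioned in the question.

```powershell
#Requires -Modules GroupPolicy
# Added example, not from the original thread. Assumes GPMC/RSAT on Windows Server 2012
# and an account allowed to change the GPO's delegation. Both values below are hypothetical.
param(
    [string]$GpoName    = 'Stop Service At Logon',                 # hypothetical GPO name
    [string]$ScriptPath = '\\corp.example\NETLOGON\Stop-Svc.ps1'   # hypothetical script path
)

Import-Module GroupPolicy

# 1. Who can read the GPO?  After MS16-072 the computer account needs Read even on a
#    User Configuration GPO; "Access Denied (Security Filtering)" in gpresult is the symptom.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
$readers    = Get-GPPermission -Name $GpoName -All |
              Where-Object { $readLevels -contains [string]$_.Permission }

$computerReadable = $readers | Where-Object {
    $_.Trustee.Name -in 'Authenticated Users', 'Domain Computers'
}

if (-not $computerReadable) {
    Write-Warning "No computer-readable trustee on '$GpoName'; granting Domain Computers Read."
    # Set-GPPermission writes the ACE to both the AD object and the SYSVOL folder.
    Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group `
                     -PermissionLevel GpoRead | Out-Null
}

# 2. Will an AllSigned execution policy accept the script?  Status must be 'Valid',
#    which also requires the signing cert to chain to a root the Windows 7 client trusts.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status for '$ScriptPath' is '$($sig.Status)'; AllSigned will refuse it."
}

# 3. A logon script every user can modify lets any user replace what runs at logon.
#    Signing only helps if every client enforces AllSigned; restrict write access instead.
$acl = Get-Acl -Path $ScriptPath
$acl.Access |
    Where-Object {
        $_.IdentityReference -match 'Everyone|Authenticated Users|Domain Users' -and
        $_.FileSystemRights  -match 'Write|Modify|FullControl'
    } |
    ForEach-Object {
        Write-Warning "$($_.IdentityReference) has $($_.FileSystemRights) on the logon script."
    }

# Final state of the delegation tab, for the record.
Get-GPPermission -Name $GpoName -All |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission -AutoSize
```

Run it, then `gpupdate /force` on the client and re-check `gpresult /h report.html`: the policy should now list under "Applied GPOs". Note that granting Read alone does not make the GPO apply to the computers; only the users in the security filter still get GpoApply. The check in step 3 is a separate matter from the error but follows from the question's description of the share permissions.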

All replies

  • Hi FWN,

    I hope I understood correctly:

    you mean this GPO should have the following "Security Delegation":

    any user group with access rights + all computers in the domain (of these users)???

    It is very strange. That is not a GPO for "Computer Configuration", but for "User Configuration". Why should the users' computers have access to this policy?

    Any Microsoft article?

    Best regards

    Birdal

    Friday, February 8, 2019 8:11 AM