GP logon script with PowerShell

  • Question

  • We have a Windows Server 2012 domain and would like to create a GP logon script with PowerShell.

    So if you execute the .ps1 file, the specified logon script settings (including parameters) would be applied automatically in the GP.

    Any idea of such command line?


    Tuesday, January 29, 2013 5:02 PM

Answers

  • Thanks for the tips!

    May not be the easiest solution, but it works:

    I created a backup of the GPO, set up fully in the graphical interface, and I've copied the ps1 file into the same folder.

    #Start
    #Create GPO
    $gponame = "Program_AutoStart"
    Write-Host ""
    $ou = Read-Host "What is your Organisational Unit name?"
    Write-Host ""
    $enforce = Read-Host "Do you want enforce Group Policy link? (Yes/No)"
    
    $dc1 = $env:userdnsdomain
    $dc1length = $env:userdnsdomain.Length
    $dc1s = $env:userdnsdomain.Split(".")
    $dc1count = $dc1s[$dc1s.Count-1].Length+1
    $dc1max = $dc1length-$dc1count
    $dc1 = $dc1.Substring(0,$dc1max)
    
    $dc2 = $env:userdnsdomain.Split(".")
    $dc2 = $dc2[$dc2.Count-1]
    Write-Host ""
    Write-Host -Object "Create a new Group Policy Object..."
    
    #replace GPO settings
    ##backup.xml file
    $backupFilePath = ".\backup\{2F708EB2-F154-4739-8F6D-1F16C954649C}\Backup.xml"
    $content = Get-Content -path $backupFilePath
    $content | foreach { $_.Replace("mydomainname","$env:userdnsdomain") } | Set-Content $backupFilePath
    $content = Get-Content -path $backupFilePath
    $content | foreach { $_.Replace("mycomputername","$env:COMPUTERNAME") } | Set-Content $backupFilePath
    $content = Get-Content -path $backupFilePath
    $content | foreach { $_.Replace("mynetbiosname","$env:userdomain") } | Set-Content $backupFilePath
    
    ##bkupinfo.xml file
    $bkupinfoFilePath = ".\backup\{2F708EB2-F154-4739-8F6D-1F16C954649C}\bkupinfo.xml"
    $content = Get-Content -path $bkupinfoFilePath
    $content | foreach { $_.Replace("mydomainname","$env:userdnsdomain") } | Set-Content $bkupinfoFilePath
    $content = Get-Content -path $bkupinfoFilePath
    $content | foreach { $_.Replace("mycomputername","$env:COMPUTERNAME") } | Set-Content $bkupinfoFilePath
    $content = Get-Content -path $bkupinfoFilePath
    $content | foreach { $_.Replace("mynetbiosname","$env:userdomain") } | Set-Content $bkupinfoFilePath
    
    ##gpreport.xml file
    $gpreportFilePath = ".\backup\{2F708EB2-F154-4739-8F6D-1F16C954649C}\gpreport.xml"
    #$share must hold the share name; it is not set anywhere in this script
    $programexe = "$env:logonserver\$share\My_Program\program.exe"
    $content = Get-Content -path $gpreportFilePath
    $content | foreach { $_.Replace("mycommand","$programexe") } | Set-Content $gpreportFilePath
    Write-Host ""
    $parameters = Read-Host "Add your parameters"
    $content = Get-Content -path $gpreportFilePath
    $content | foreach { $_.Replace("myparameters","$parameters") } | Set-Content $gpreportFilePath
    
    ##scripts.ini file
    $gpreportFilePath = ".\backup\{2F708EB2-F154-4739-8F6D-1F16C954649C}\DomainSysvol\GPO\User\Scripts\scripts.ini"
    $content = Get-Content -path $gpreportFilePath
    $content | foreach { $_.Replace("mycommand","$programexe") } | Set-Content $gpreportFilePath
    $content = Get-Content -path $gpreportFilePath
    $content | foreach { $_.Replace("myparameters","$parameters") } | Set-Content $gpreportFilePath
    
    #Import GPO and link
    Write-Host ""
    Write-Host -Object "Import Group Policy settings..."
    Import-GPO -BackupGpoName "$gponame" -TargetName "$gponame" -Path ".\backup" -CreateIfNeeded
    New-GPLink -Name "$gponame" -target "ou=$ou,dc=$dc1,dc=$dc2" -Enforced $enforce -LinkEnabled Yes
    
    #Replace undo
    ##backup.xml file
    $content = Get-Content -path $backupFilePath
    $content | foreach { $_.Replace("$env:userdnsdomain","mydomainname") } | Set-Content $backupFilePath
    $content = Get-Content -path $backupFilePath
    $content | foreach { $_.Replace("$env:COMPUTERNAME","mycomputername") } | Set-Content $backupFilePath
    $content = Get-Content -path $backupFilePath
    $content | foreach { $_.Replace("$env:userdomain","mynetbiosname") } | Set-Content $backupFilePath
    
    ##bkupinfo.xml file
    $content = Get-Content -path $bkupinfoFilePath
    $content | foreach { $_.Replace("$env:userdnsdomain","mydomainname") } | Set-Content $bkupinfoFilePath
    $content = Get-Content -path $bkupinfoFilePath
    $content | foreach { $_.Replace("$env:COMPUTERNAME","mycomputername") } | Set-Content $bkupinfoFilePath
    $content = Get-Content -path $bkupinfoFilePath
    $content | foreach { $_.Replace("$env:userdomain","mynetbiosname") } | Set-Content $bkupinfoFilePath
    
    ##gpreport.xml file
    #Point back at gpreport.xml ($gpreportFilePath was reused for scripts.ini above)
    $gpreportFilePath = ".\backup\{2F708EB2-F154-4739-8F6D-1F16C954649C}\gpreport.xml"
    $content = Get-Content -path $gpreportFilePath
    $content | foreach { $_.Replace("$programexe","mycommand") } | Set-Content $gpreportFilePath
    $content = Get-Content -path $gpreportFilePath
    $content | foreach { $_.Replace("$parameters","myparameters") } | Set-Content $gpreportFilePath
    
    ##scripts.ini file
    $scriptsIniFilePath = ".\backup\{2F708EB2-F154-4739-8F6D-1F16C954649C}\DomainSysvol\GPO\User\Scripts\scripts.ini"
    $content = Get-Content -path $scriptsIniFilePath
    $content | foreach { $_.Replace("$programexe","mycommand") } | Set-Content $scriptsIniFilePath
    $content = Get-Content -path $scriptsIniFilePath
    $content | foreach { $_.Replace("$parameters","myparameters") } | Set-Content $scriptsIniFilePath
    
    #End


    • Marked as answer by GPeti07 Thursday, January 31, 2013 9:40 AM
    • Edited by GPeti07 Thursday, January 31, 2013 3:49 PM
    Thursday, January 31, 2013 9:39 AM

All replies

  • Tuesday, January 29, 2013 5:18 PM
  • Yes, but via PowerShell command line
    Tuesday, January 29, 2013 5:39 PM
  • Any reason why you don't want to do it in GPMC?
    Tuesday, January 29, 2013 6:11 PM
  • Would like to make the process easier for those who don't prefer or don't know the graphical interface.

    This is what I have so far:

    #Create and link a new GPO
    $gponame = "Program_AutoStart"
    Write-Host ""
    Write-Host -Object "Create a new Group Policy Object..."
    Write-Host ""
    $ou = Read-Host "What is your Organisational Unit name?"
    Write-Host ""
    $enforce = Read-Host "Do you want enforce Group Policy link? (Yes/No)"
    $dc1 = "$env:userdomain"
    $dc2 = "$env:userdnsdomain"
    $dc2 = $dc2.Replace("$env:userdomain.", "")
    New-GPO -Name "$gponame" | New-GPLink -target "ou=$ou,dc=$dc1,dc=$dc2" -Enforced $enforce -LinkEnabled Yes
    Tuesday, January 29, 2013 6:52 PM
  • According to this documentation, the Group Policy Cmdlets are used for:

      • - Maintain GPOs: GPO creation, removal, backup, reporting, and import.
      • - Associate GPOs with Active Directory Directory Services (AD DS) containers: Group Policy link creation, update, and removal.
      • - Set inheritance and permissions on AD DS organizational units (OUs) and domains.
      • - Configure registry-based policy settings and Group Policy Preferences Registry settings.

    AFAIK logon/logoff/startup/shutdown scripts are not registry-based policy settings, therefore if I'm correct, you cannot use Group Policy Cmdlets to configure those scripts for computers or users.

    The closest registry key I found for that is HKCU\Software\Microsoft\Windows\CurrentVersion\Run but this is not a logon script.

    GPMC is the only tool I know that can do everything you want (legitimately) to a GPO, and I personally don't find it any harder to learn that than coming up with a script like this.
    • Edited by Pan Zhang Wednesday, February 20, 2013 7:47 AM
    Tuesday, January 29, 2013 7:26 PM
  •  
    > So if you execute the .ps1 file, the specified logon script settings
    > (including parameters) would be applied automatically in the GP.
     
    A logon script is just a pair of lines in scripts.ini in the GPO sysvol
    directory (machine\scripts or user\scripts).
     
    Easiest way (as there is no "official" method to do so): Create a GPO
    template that contains all you need including an empty script. For
    production, create a copy of that GPO (backup template gpo, create new
    gpo, import from backup), then modify scripts.ini according to your
    needs and create appropriate links and ACLs.
     
    Or get in touch with SDM Software - they automated almost everything in
     
    This is NOT a simple one liner :-D
     
    regards, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
    Tuesday, January 29, 2013 7:58 PM
  • You won't be able to accomplish it using the standard PowerShell group policy cmdlets.

    The way to inject logon/shutdown script though is by modifying "scripts.ini" file located on the Sysvol.

    E.g. for any given GPO check these files:

    • \\domain\SYSVOL\domain\Policies\{GPO_GUID}\User\Scripts\scripts.ini   (user configuration scripts)
    • \\domain\SYSVOL\domain\Policies\{GPO_GUID}\Machine\Scripts\scripts.ini   (computer configuration scripts)

    Normally its content will look like (2 lines for every single script - one for script's path and another for parameters):

    [Startup]
    0CmdLine=\\domain\SYSVOL\domain\scripts\script.bat
    0Parameters=
    1CmdLine=\\domain\SYSVOL\domain\scripts\script2.bat
    1Parameters=
    2CmdLine=\\domain\SYSVOL\domain\scripts\script3.bat
    2Parameters=

    So just modify scripts.ini files according to your needs & it should work.

    Best regards, Michael.

    Thursday, June 12, 2014 12:11 PM
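
A read-only audit of the scripts.ini layout described above, as an added example that is not part of the original thread: it parses the numbered CmdLine/Parameters pairs and classifies where each command lives, since anyone who can write to a referenced path controls what runs at logon or startup. The function name, the `corp.example` domain and the sample entries are constructed for illustration.

```powershell
# Added example: parse scripts.ini text into one object per script entry.
function ConvertFrom-ScriptsIni {
    param([string[]]$Line)

    $section = $null
    $entries = [ordered]@{}              # key "Section|Index" -> entry object
    foreach ($raw in $Line) {
        $text = $raw.Trim()
        if ($text -match '^\[(.+)\]$') {
            $section = $Matches[1]       # e.g. Logon, Logoff, Startup, Shutdown
        }
        elseif ($section -and $text -match '^(\d+)(CmdLine|Parameters)=(.*)$') {
            $key = "$section|$($Matches[1])"
            if (-not $entries.Contains($key)) {
                $entries[$key] = [pscustomobject]@{
                    Section = $section; Index = [int]$Matches[1]
                    CmdLine = $null;    Parameters = $null
                }
            }
            $entries[$key].($Matches[2]) = $Matches[3]
        }
    }
    $entries.Values
}

# Constructed sample input; in a real GPO this text comes from
# \\domain\SYSVOL\domain\Policies\{GPO_GUID}\User\Scripts\scripts.ini
$sample = @'
[Logon]
0CmdLine=\\corp.example\SYSVOL\corp.example\scripts\map-drives.bat
0Parameters=
1CmdLine=\\fileserver01\Public\My_Program\program.exe
1Parameters=/silent
2CmdLine=cleanup.cmd
2Parameters=
'@ -split "`r?`n"

# Assumption: scripts are expected to live under the domain SYSVOL only.
$trustedRoot = '\\corp.example\SYSVOL\'

ConvertFrom-ScriptsIni -Line $sample | ForEach-Object {
    $cmd = [string]$_.CmdLine
    $location =
        if ($cmd.StartsWith($trustedRoot, [StringComparison]::OrdinalIgnoreCase)) { 'Sysvol' }
        elseif ($cmd -notmatch '^(\\\\|[A-Za-z]:\\)') { 'GpoRelative' }  # bare name: GPO's own Scripts folder
        else { 'Other' }                                                 # review ACLs on this path
    $_ | Add-Member -NotePropertyName Location -NotePropertyValue $location -PassThru
} | Format-Table Section, Index, CmdLine, Parameters, Location -AutoSize
```

Entries reported as `Other` point outside SYSVOL, so the write permissions on that share or folder deserve the same scrutiny as the GPO itself.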