Computer Startup Script via GPO Not Executing

    Question

  • Good afternoon, all.

    I have a nice PowerShell script that I've written that will determine whether or not to install the SCOM agent on a server based on group membership. The script works great - when I'm logged in and run interactively.

    I've created a group policy to execute the script on startup (not login) and applied it to our servers OU (lab environment).
    I've applied Domain Computers to the policy Security Filtering.
    I've ensured that the Domain Computers group has access to the script.
    Yes, I've placed the script in the PowerShell tab in the GPO. :) (voice of experience....)

    Upon rebooting targeted servers, the script does not execute. 
    I've executed gpupdate /force and gpupdate /sync.
    Running RSOP shows that the policy has been applied to the machines I am testing on. However, there are no executions in their history. 
    The script logs to event logs several times during execution for information and error control, so I should see entries there whether the script tasks themselves are successful or not, but no luck. 

    I'm at a loss. I've looked all about the Google and see many instances of this same problem with no real answers or resolution.

    Any input would be greatly appreciated!

    John

    Wednesday, October 19, 2016 7:41 PM

Answers

  • Hey RandomJohn,

    This may not be an optimum solution, but perhaps try using a regular batch script to in turn call your PowerShell one by using the following line:

    @echo off
    
    powershell.exe -ExecutionPolicy ByPass -Command "& {& '\\YOURSERVER\sharedFolder\script.ps1'}"
    
    exit

    Where YOURSERVER is the name of the server/computer with the script on, sharedFolder is a shared folder with read access for Everyone or Authenticated Users, and script.ps1 is your PowerShell script.

    I had to do this when deploying Firefox across a network.

    Hope this helps!



    Rory Fewell

    (CCNA, MOS)

    Windows Server 2012 and Networking Fundamentals Apprentice

    Visit my site!

    View me on GitHub!


    Wednesday, October 19, 2016 8:33 PM
  • Also, I tested this on a different server that started having the same issues.

    It would only work if I put "cmd.exe /c " at the start of the commands called from the script. If this doesn't work, could you post the batch file you're using?

    EDIT:

    I've just been dealing with this for a Firefox deployment on another server for the past 2 hours. I figured out a few things:

    First off, the "-ExecutionPolicy Bypass" bit is definitely necessary, I think, as when I removed it, the scripts stopped working.

    Secondly, remove any environment variables that may cause problems (or completely strip them out for testing purposes). My scripts were using %logonserver% and stuff - when I changed this to the actual computer's name, the scripts started working.

    I would like to say as well - a good way to debug your script at least from what I have found, is to put "echo "x" | Out-File C:\debugging\debug.log" (where x is a number) at various stages in the script so I could tell where it was failing. I put one of these lines at the very start to see if the script was even being called at all, and then past that I put it every so often within statements. Perhaps try this with yours?

    I hope this helps, because this script problem had me preoccupied for the past 2 hours scratching my head.


    Rory Fewell



    Thursday, October 20, 2016 9:52 AM
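
The breadcrumb technique described in the reply above, as an added example that is not part of the original thread. It also records the account, the execution policy at each scope and whether LOGONSERVER is defined, the points the posters disagree on. The folder C:\debugging comes from the reply; the `Write-Breadcrumb` function and the log file name are assumptions made for this sketch.

```powershell
# Added example: breadcrumb logging for a GPO startup script.
# Write-Breadcrumb and the log file name are hypothetical; C:\debugging is from the thread.
$LogDir  = 'C:\debugging'
$LogFile = Join-Path $LogDir ('startup-{0}.log' -f $env:COMPUTERNAME)

function Write-Breadcrumb {
    param(
        [Parameter(Mandatory = $true)][string]$Stage,
        [string]$Detail = ''
    )
    # Create the folder on first use; writing fails if it does not exist.
    if (-not (Test-Path -LiteralPath $LogDir)) {
        New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    }
    # Append (not overwrite) so every stage reached stays in the log.
    $line = '{0:o} [{1}] {2}' -f (Get-Date), $Stage, $Detail
    Add-Content -LiteralPath $LogFile -Value $line -Encoding UTF8
}

# First line of the script: proves it was launched at all.
Write-Breadcrumb -Stage 'start' -Detail "script=$PSCommandPath"

# Which account is the script actually running as?
$identity = [Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Breadcrumb -Stage 'identity' -Detail $identity

# Execution policy at every scope, as seen by this process.
$policies = Get-ExecutionPolicy -List |
    ForEach-Object { '{0}={1}' -f $_.Scope, $_.ExecutionPolicy }
Write-Breadcrumb -Stage 'execpolicy' -Detail ($policies -join '; ')

# The reply's scripts depended on %logonserver%; record whether it exists here.
$logonServer = if ($env:LOGONSERVER) { $env:LOGONSERVER } else { '<not set>' }
Write-Breadcrumb -Stage 'env' -Detail "LOGONSERVER=$logonServer"

try {
    Write-Breadcrumb -Stage 'work' -Detail 'begin'
    # The script's real work goes here (placeholder for this sketch).
    Write-Breadcrumb -Stage 'work' -Detail 'done'
}
catch {
    # Record the failure before re-throwing so the last stage is visible.
    Write-Breadcrumb -Stage 'error' -Detail $_.Exception.Message
    throw
}
```

An empty or missing log file after a reboot means the script was never launched; a log that stops partway shows the last stage reached.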
  • I checked RSOP and saw it was picking up the policy, but no results showed until I changed the stuff I said I changed. (Also you're most likely right on the execution policy part - didn't think of that)

    Is your script definitely not running at all? Have you checked by doing the echo pipe to Out-File at the start of the script to test?


    Rory Fewell


    Thursday, October 20, 2016 7:40 PM
  • At least that means the script should be okay...

    Have you tested running a plain batch script on Startup? Not like the one from earlier, perhaps a test one with just something like 'mkdir C:\test' to see if it makes a folder or something at all.


    Rory Fewell


    Tuesday, October 25, 2016 7:10 PM

All replies

  • Hey RandomJohn,

    I've found that my startup scripts only work if they're in the same folder that the policy looks in originally - if you go on the PowerShell scripts tab again and press Show Files..., can you make sure you placed the PowerShell scripts inside that folder, and then add them from there?

    Hope this helps!


    Rory Fewell


    Wednesday, October 19, 2016 8:01 PM
  • Rory,

    Thanks for the response.

    I did select the same directory. Just to be sure, I copied the path from Show Files and then removed then re-added to the scripts list. 

    Path is \\lab2.tst\SysVol\lab2.tst\Policies\{BE3C29A0-BAAA-41B4-BA00-367D1261CD27}\Machine\Scripts\Startup

    Same result.

    Also, looking in the logs on the target server, I can see that the GPO is picking up the policy and I can see my policy name. Just doesn't want to run it.


    • Edited by RandomJohn Wednesday, October 19, 2016 8:30 PM
    Wednesday, October 19, 2016 8:26 PM
  • Rory,

    As expected, same result. This would imply that the issue is running powershell whereas I think the problem is execution in general.

    Also, setting execution policy isn't needed. Scripts that run as GPOs run under the local system account, which has no execution policy restrictions.

    As a side note, not long ago I configured a policy in our production domain with the same sort of start up settings for our SCCM agent and it worked fine. I'm going to test a new policy in that domain to determine if the issue is my GPO skillz or if it is a problem with the test lab.

    Wednesday, October 19, 2016 8:56 PM
  • See, that's what I thought about the execution policy thing as well, but it simply would not run the script without it on our domains.

    Good luck on the testing, let us know how it goes when you're done. :)


    Rory Fewell


    Wednesday, October 19, 2016 9:09 PM
  • Just for kicks, I tried the set execution policy option. Same result. :/
    Wednesday, October 19, 2016 9:35 PM
  • Does the batch file work if you execute it manually? Just checking...


    Rory Fewell


    Wednesday, October 19, 2016 10:02 PM
  • Rory,

    I think this is an issue with my test environment.  I created the same GPO with the same script in one of my production environments and it ran perfectly. I'd still like to get to the bottom of it, but at least I know it isn't an issue with the script or the GPO creation process.

    Also, I wonder if your requirement for set-executionpolicy isn't a byproduct of running it from a batch file?

    For your FF deployment, is it an issue with the script not executing properly or with not at all? Run RSOP from the command line and you should see your policy in the return. Also, you can look at the GPO editor when it comes up and see if there has been a run time associated with the policy/script.

    cheers!

    Thursday, October 20, 2016 7:24 PM
  • Rory,

    In my production environment in a test OU, it works great. Just that test domain is having issues, so I know my process is sound. :) 

    As for knowing it runs, when it does, it logs half a dozen items in the event log, tracking its progress. Between the lack of that in the test domain as well as the null value on last run time, it's pretty clear it isn't doing its thing.

    Tuesday, October 25, 2016 6:40 PM