0 Votes
weisnh asked, FanFan-MSFT commented

Running PowerShell Startup (Logon) Scripts Using GPO

Hi there,

There are two user accounts: one is Administrator; the other is a normal user.

  1. AD Domain: Windows Server 2019 with GPO <Running PowerShell Logon Scripts>

  2. Client: Windows 10: (A) Use Administrator to log in to the AD domain: the GPO works well and adds the registry key to HKLM; (B) Use the normal user to log in to the AD domain: something goes wrong with the GPO and it fails to add the registry key to HKLM.

The (B) situation: I copied the PowerShell script to the Windows 10 client and ran it, and got the error message:

New-Item : Access to the registry key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\OneDrive' is denied.
At C:\Users\alanb\Desktop\Handling_OneDrive_REG.ps1:47 char:58
+ ... HKLM:\Software\Policies\Microsoft" | New-Item -Name "OneDrive" -Force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (HKEY_LOCAL_MACH...rosoft\OneDrive:String) [New-Item], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.NewItemCommand

New-ItemProperty : Cannot find path 'HKLM:\Software\Policies\Microsoft\OneDrive' because it does not exist.
At C:\Users\alanb\Desktop\Handling_OneDrive_REG.ps1:50 char:5
+ New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\OneDriv ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (HKLM:\Software...rosoft\OneDrive:String) [New-ItemProperty], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.NewItemPropertyCommand

New-ItemProperty : Cannot find path 'HKLM:\Software\Policies\Microsoft\OneDrive' because it does not exist.
At C:\Users\alanb\Desktop\Handling_OneDrive_REG.ps1:51 char:5
+ New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\OneDriv ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (HKLM:\Software...rosoft\OneDrive:String) [New-ItemProperty], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.NewItemPropertyCommand

New-ItemProperty : Cannot find path 'HKLM:\Software\Policies\Microsoft\OneDrive' because it does not exist.
At C:\Users\alanb\Desktop\Handling_OneDrive_REG.ps1:52 char:5
+ New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\OneDriv ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (HKLM:\Software...rosoft\OneDrive:String) [New-ItemProperty], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.NewItemPropertyCommand

I also set up some settings as follows:

  1. The NTFS “Read & Execute” permission for the Domain Computers group on the ps1 file.

  2. Set up Computer Configuration -> Administrative Templates -> System -> Group Policy section. Enabled the “Configure Logon Script Delay” policy and specified a delay in minutes before starting the logon scripts (sufficient to complete initialization and load all necessary services) --> 1-2 minutes.

  3. The security settings for running the PowerShell script are configured via the “Turn On Script Execution” policy (in the GPO Computer Configuration section -> Administrative Templates -> Windows Components -> Windows PowerShell) --> Allow all scripts (unrestricted).

Thanks



Tags: windows-server-powershell, windows-group-policy

Hi,
Running a script at startup for a computer-based policy sometimes requires administrative permission. You can achieve this only by setting up the script in a different way. Please check my blog: https://suddhaman.blogspot.com/2020/08/dns-server-ip-address-change-in-client.html

0 Votes
0 Votes
AndreasBaumgarten answered, weisnh commented

It looks like the "normal user" does not have access to the registry key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\OneDrive'.
Maybe it's worth a try to allow the user access to the registry key.

Maybe this is helpful.

Regards

Andreas Baumgarten

(Please don't forget to Accept as answer if the reply is helpful)


Hi Andreas Baumgarten,

Thanks for your information. I posted another related question at https://docs.microsoft.com/en-us/answers/questions/114314/regarding-group-policy-with-powershell.html.

If I use a GPO with PowerShell to do some job, the execution account will be the System account; I realize that the account should have permission to do this.

0 Votes

1 Vote
RichMatheisen-8856 answered, weisnh commented

Shouldn't you be using a registry-based policy setting to do this instead of logon scripts? Logon scripts run in the context of the user, and users shouldn't be altering policy settings.

See one of these:
  - Set-GPPrefRegistryValue
  - Set-GPRegistryValue
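The registry-based policy route this answer recommends, as an added example that is not part of the thread: the OneDrive value is written into the GPO's Computer Configuration with Set-GPRegistryValue, so the client applies it as SYSTEM during policy refresh and no user ever needs write access to HKLM. The GPO name, the URL value, the OU distinguished name and the availability of the GroupPolicy module (RSAT or a domain controller) are assumptions; the value name SharePointOnPremFrontDoorUrl comes from the thread.

```powershell
# Added example (not from the thread): set the OneDrive policy value through a
# registry-based GPO setting instead of a logon script that writes to HKLM.
#Requires -Modules GroupPolicy
$ErrorActionPreference = 'Stop'

$GpoName = 'OneDrive Policy'                              # assumed GPO name
$Key     = 'HKLM\Software\Policies\Microsoft\OneDrive'   # no 'HKLM:' drive syntax for the GP cmdlets
$Values  = @{
    # Value name from the thread; the URL itself is a constructed placeholder.
    SharePointOnPremFrontDoorUrl = 'https://sharepoint.example.invalid'
}

# Create the GPO if it does not exist yet.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}

foreach ($name in $Values.Keys) {
    # Stored under Computer Configuration (HKLM key), so the client-side
    # registry extension writes it as SYSTEM at refresh time.
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $name `
        -Type String -Value $Values[$name] | Out-Null
}

# Verify what the GPO now carries before linking it anywhere.
Get-GPRegistryValue -Name $GpoName -Key $Key |
    Select-Object ValueName, Type, Value

# Link to the target OU (assumed DN), then on a client run "gpupdate /force"
# and check: Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\OneDrive'
# New-GPLink -Name $GpoName -Target 'OU=Workstations,DC=example,DC=com'
```

Because the setting is a policy (not a preference), the client also re-applies it on every refresh, which a one-shot script does not do.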


Hi

I posted another, extended question at https://docs.microsoft.com/en-us/answers/questions/114314/regarding-group-policy-with-powershell.html.

I tried to use the following command along with the GPO:

New-ItemProperty -Path $_HKLM -Name SharePointOnPremFrontDoorUrl -Value $_SharePointOnPremFrontDoorUrl -PropertyType String -Force

The new registry entry can be added. :(

0 Votes

0 Votes
FanFan-MSFT answered, FanFan-MSFT commented

Hi,
From what you mentioned above, the error was caused by permissions.
Alternatively, you can consider running the script from a scheduled task, and you can assign the account through the scheduled task GPO as follows; then when the task runs, it will run as SYSTEM:
[image: 8141.png]
You can also select whether to run it once or not, as your requirement:
[image: 8142.png]

Best Regards,
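The scheduled-task approach from this answer, as an added example that is not part of the thread: this is the local equivalent of the task the GPO preference creates, registered with Register-ScheduledTask to run the script as SYSTEM at startup and, as in the answer's "run once" option, started immediately. The task name and the script location are assumptions. Since the task runs as SYSTEM, the example first refuses to register if the script file is writable by standard users, because such a file would hand SYSTEM to whoever can edit it.

```powershell
# Added example (not from the thread): register the HKLM-writing script as a
# scheduled task running as SYSTEM, the local counterpart of the GPO preference.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$TaskName   = 'Handling_OneDrive_REG'                                       # assumed
$ScriptPath = 'C:\ProgramData\OneDriveConfig\Handling_OneDrive_REG.ps1'    # assumed location

# The script will run as SYSTEM, so its ACL must not grant write access to
# non-administrators. Check before registering anything.
$acl  = Get-Acl -LiteralPath $ScriptPath
$weak = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -match '^(BUILTIN\\Users|Everyone|NT AUTHORITY\\Authenticated Users)$' -and
    (($_.FileSystemRights -band [Security.AccessControl.FileSystemRights]::Write) -ne 0)
}
if ($weak) {
    throw "Refusing to register: $ScriptPath is writable by $($weak.IdentityReference -join ', ')"
}

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -File `"$ScriptPath`""
$trigger   = New-ScheduledTaskTrigger -AtStartup
# SYSTEM principal: no password stored, full rights on HKLM.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
# Bound the run time so a hung script cannot sit as SYSTEM indefinitely.
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 5) -StartWhenAvailable

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# "Run once" now, then read back the outcome (LastTaskResult 0 = success).
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 10
Get-ScheduledTaskInfo -TaskName $TaskName | Select-Object LastRunTime, LastTaskResult
Get-ItemProperty -LiteralPath 'HKLM:\Software\Policies\Microsoft\OneDrive'
```

A non-zero LastTaskResult, or a missing key in the final Get-ItemProperty, means the script itself failed; its errors are then in the Task Scheduler history rather than in the interactive console shown in the question.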




Hi,
 
Just checking in to see if the information provided was helpful.
Please let us know if you would like further assistance.
 
Best Regards,

0 Votes

Hi,
If you want to end this thread, and the answer was helpful for you, you can "Accept as answer" to help other community members find the helpful reply quickly.
If you have a better method to solve it, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.
If there is anything else we can do for you, please feel free to post here.
Best Regards,

0 Votes