Share via

Running PowerShell Startup (Logon) Scripts Using GPO

Will 616 Reputation points
2020-08-13T16:55:37.807+00:00

Hi there,

There are two user accounts, one is Administrator; another is normal user.

  1. AD Domain: Windows Server 2019 with GPO <Running PowerShell Logon Scripts>
  2. Client: Windows 10: (A) Use Administrator to login the AD Domain: GPO works well and add registry to HKLM; (B) Use normal User to login the AD Domain: GPO something went wrong and failed to add registry to HKLM.

The (B) situation: I copy the PowerShell to Windows 10 Client and perform the script, I got the error message:

New-Item : Access to the registry key
'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\OneDrive' is denied.
At C:\Users\alanb\Desktop\Handling_OneDrive_REG.ps1:47 char:58

  • ... HKLM:\Software\Policies\Microsoft" | New-Item -Name "OneDrive" -Force
  • ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  • CategoryInfo : PermissionDenied: (HKEY_LOCAL_MACH...rosoft\OneDrive:S
    tring) [New-Item], UnauthorizedAccessException
  • FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShel
    l.Commands.NewItemCommand

New-ItemProperty : Cannot find path 'HKLM:\Software\Policies\Microsoft\OneDrive'
because it does not exist.
At C:\Users\alanb\Desktop\Handling_OneDrive_REG.ps1:50 char:5

  • New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\OneDriv ...
  • ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  • CategoryInfo : ObjectNotFound: (HKLM:\Software...rosoft\OneDrive:Str
    ing) [New-ItemProperty], ItemNotFoundException
  • FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.NewItemProp
    ertyCommand

New-ItemProperty : Cannot find path 'HKLM:\Software\Policies\Microsoft\OneDrive'
because it does not exist.
At C:\Users\alanb\Desktop\Handling_OneDrive_REG.ps1:51 char:5

  • New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\OneDriv ...
  • ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  • CategoryInfo : ObjectNotFound: (HKLM:\Software...rosoft\OneDrive:Str
    ing) [New-ItemProperty], ItemNotFoundException
  • FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.NewItemProp
    ertyCommand

New-ItemProperty : Cannot find path 'HKLM:\Software\Policies\Microsoft\OneDrive'
because it does not exist.
At C:\Users\alanb\Desktop\Handling_OneDrive_REG.ps1:52 char:5

  • New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\OneDriv ...
  • ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  • CategoryInfo : ObjectNotFound: (HKLM:\Software...rosoft\OneDrive:Str
    ing) [New-ItemProperty], ItemNotFoundException
  • FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.NewItemProp
    ertyCommand

I also setup some settings as the following:

  1. the NTFS “Read & Execute” permissions for the Domain Computers group in the ps1 file permissions
  2. setup Computer Configuration -> Administrative Templates -> System -> Group Policy section. Enable the “Configure Logon Script Delay” policy and specify a delay in minutes before starting the logon scripts (sufficient to complete the initialization and load all necessary services). --> 1-2 minutes.
  3. The security settings for running the PowerShell script can be configured via the “Turn On Script Execution” policy (in the GPO Computer Configuration section -> Administrative Templates -> Windows Components -> Windows PowerShell) --> Allow all scripts (unrestricted)

Thanks

Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
5,816 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,629 questions

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Rich Matheisen 47,596 Reputation points
    2020-08-13T19:10:11.343+00:00

    Shouldn't you be using a registry-based policy setting to do this instead of logon scripts? Logon scripts run in the context of the user, and users shouldn't be altering policy settings.

    See one of these:
    Set-GPPrefRegistryValue
    Set-GPRegistryValue

    1 person found this answer helpful.
  2. Fan Fan 15,361 Reputation points Microsoft Vendor
    2020-08-14T00:42:23.65+00:00

    Hi,
    From what you mentioned above, the error was caused by the permission.
    Or you can considered to run the script by the schedule task ,and you can assign permission through the schedule task GPO as following,then when the task was running , it will run as system:
    17592-8141.png
    You can also select run it once or not as your requirement :
    17546-8142.png

    Best Regards,

    1 person found this answer helpful.
  3. Andreas Baumgarten 117.9K Reputation points MVP
    2020-08-13T17:33:08.517+00:00

    It looks like the "normal user" does not have access to the Registry key 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\OneDrive'
    Maybe it's worth a try to allow the user the access to the Registry key.

    Maybe this is helpful.

    Regards

    Andreas Baumgarten

    (Please don't forget to Accept as answer if the reply is helpful)

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.