Forum Discussion

Alban1999's avatar
Alban1999
Iron Contributor
Nov 26, 2019
Solved

User Logon Scripts Headache

Hello,   I'm hardening a workstation in a workgroup environment, which means I have to rely on MDT, LGPO.exe and PowerShell scripts to achieve my goals - in an automated way of course.   Sadly LG...
  • Alban1999's avatar
    Alban1999
    Dec 18, 2019

    Aaron Margosis 

     

    Hello, I have been able to solve this issue. I was missing CSE GUID information from the GPT.ini file, more precisely CSE GUID related to scripts :

     

    gPCUserExtensionNames=[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]

     

    By copying a gpt.ini file filled with those entries into my target computer, along with creating appropriate registry keys, my user logon/logoff Powershell scripts are now executed without issues.

    I didn't have to do that for machine startup/shutdown PowerShell scripts tho, no idea why so far.

     

    Also, I can confirm with Procmon new registry hives/keys are indeed created when configuring scripts, I'm not sure why you do not see this. My target is a LTSC 2016 operating system just in case.

     

    If you are not able to provide support for scripts with LGPO.exe right now, at least please try to document this :

     

    - For machine scripts, copy shutdown and/or startup folders to target, as well as a prefilled pssscripts.ini to C:\Windows\System32\GroupPolicy\Machine\Scripts. Then create appropriate registry keys under:

    "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts" and "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Scripts".

     

    - For user scripts, copy logon and/or logoff folders to target, as well as a prefilled pssscripts.ini to C:\Windows\System32\GroupPolicy\User\Scripts and prefilled GPT.ini file to C:\Windows\System32\GroupPolicy.

    Then create appropriate registry keys under:

    "HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts" and "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\[SID]"

    (HKLM hive for the second registry hive is not an error).

     

    Regards,

Harvester's avatar
Harvester
Brass Contributor
Mar 28, 2020

Alban1999 

 

I strongly feel you, as I spent a lot of time trying to automate the installation of a startup script on Windows 10 and Windows 7 using the Machine folder, and it was a disappointing experience, and since, as you mentioned, LGPO.exe does not handle startup script at the moment, I had to use a .reg file and manually edit the GPT.ini file to point to the correct script.

 

As it was getting way overkill for the initial task (regulate fans speed at startup, depending on some hardware presence or not), I ended up creating a Scheduled Task launching the PowerShell script at startup. It works great, and it literally takes 2 lines of PowerShell and a XML Task file to import it on a new machine.

 

Aaron Margosis That's great news that a new version of LGPO is on the way 🙂 If you need testers for it, do not hesitate to let me know, would be happy to provide a feedback 🙂

  • Alban1999's avatar
    Alban1999
    Iron Contributor
    Aug 03, 2020

    Harvester Thanks for your reply, indeed a script and a scheduled task is a way to do this - however I'm working on a hardened (DoD level) workstation, so I was not able to do that. Cheers !

Resources