Forum Discussion
User Logon Scripts Headache
Hello,
I'm hardening a workstation in a workgroup environment, which means I have to rely on MDT, LGPO.exe and PowerShell scripts to achieve my goals - in an automated way of course.
Sadly LGPO.exe does not support scripts, nor Group Policy Preferences. I have to use logon scripts, which wasn't hard on old OSes - just drop them to the appropriate "C:\Windows\System32\GroupPolicy\Scripts" subfolders on the target computer.
In Windows 10 this is a different story - you also need to add an ini file to those folders, as well as create registry keys - for machine scripts, stuff under "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts" and "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Scripts".
While it works for machine scripts, it fails for user scripts - I have tried with "HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts" and "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\[SID]" registry hives without success - the error is "incorrect function" (the same I had for computer scripts until I configured all required registry keys).
ProcMon detects some more updated keys when manually adding login scripts using gpedit.msc, however those seem to be created automatically by those above.
Did anyone manage to successfully add user logon/logoff scripts to a workstation preconfigured with LGPO? Could it be some kind of permissions issue instead?
Thanks
8 Replies
- HarvesterBrass Contributor
I strongly feel you, as I spent a lot of time trying to automate the installation of a startup script on Windows 10 and Windows 7 using the Machine folder, and it was a disappointing experience. Since, as you mentioned, LGPO.exe does not handle startup scripts at the moment, I had to use a .reg file and manually edit the GPT.ini file to point to the correct script.
As it was getting way overkill for the initial task (regulate fan speed at startup, depending on some hardware presence or not), I ended up creating a Scheduled Task launching the PowerShell script at startup. It works great, and it literally takes 2 lines of PowerShell and an XML Task file to import it on a new machine.
Aaron Margosis That's great news that a new version of LGPO is on the way 🙂 If you need testers for it, do not hesitate to let me know, I would be happy to provide feedback 🙂
- Aaron Margosis Iron Contributor
Alban1999 - I just spent a little time looking into this - nobody's ever asked about startup/logon scripts for local policy before. First: I didn't see any registry writes when I configured scripts. Second: my quick attempt to configure a PowerShell script didn't do what I expected, but a *.cmd batch file did. It might be (have to dig deeper to verify) that this old part of policy hasn't been updated to handle PowerShell. Might need to explicitly invoke powershell.exe from a batch file or something.
Sorry, but I can't spend any more time on it right now.
- Alban1999 Iron Contributor
Hello, I have been able to solve this issue. I was missing CSE GUID information from the GPT.ini file, more precisely the CSE GUID related to scripts:
gPCUserExtensionNames=[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]
By copying a gpt.ini file filled with those entries into my target computer, along with creating appropriate registry keys, my user logon/logoff PowerShell scripts are now executed without issues.
I didn't have to do that for machine startup/shutdown PowerShell scripts though, no idea why so far.
Also, I can confirm with Procmon that new registry hives/keys are indeed created when configuring scripts, I'm not sure why you do not see this. My target is an LTSC 2016 operating system just in case.
If you are not able to provide support for scripts with LGPO.exe right now, at least please try to document this:
- For machine scripts, copy shutdown and/or startup folders to target, as well as a prefilled psscripts.ini to C:\Windows\System32\GroupPolicy\Machine\Scripts. Then create appropriate registry keys under "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts" and "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Scripts".
- For user scripts, copy logon and/or logoff folders to target, as well as a prefilled psscripts.ini to C:\Windows\System32\GroupPolicy\User\Scripts and a prefilled GPT.ini file to C:\Windows\System32\GroupPolicy. Then create appropriate registry keys under "HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts" and "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\[SID]" (HKLM hive for the second registry hive is not an error).
Regards,
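The GPT.ini fix described in the post above, as an added example that is not part of the original thread: a check-and-merge helper that confirms the quoted scripts pair is listed in gPCUserExtensionNames and adds it without dropping other extension groups. The function name, the all-zero placeholder pair and the sample file are constructed for illustration, and keeping the groups sorted by their leading CSE GUID is an assumption about how the policy editor writes the list.

```powershell
# Added example. The GUID pair is the one quoted in the post above; the helper name,
# the placeholder all-zero pair and the sample file are constructed for illustration.
$ScriptsPair = '[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]'

function Set-UserScriptsCse {
    param(
        [Parameter(Mandatory)] [string] $GptIniPath,
        [switch] $CheckOnly                      # report only, never write
    )
    $key   = 'gPCUserExtensionNames'
    $lines = @(Get-Content -LiteralPath $GptIniPath)
    $idx   = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match "^\s*$key\s*=") { $idx = $i; break }
    }
    # Split the current value into its [{CSE}{tool}] groups.
    $groups = @()
    if ($idx -ge 0) {
        $value  = ($lines[$idx] -split '=', 2)[1]
        $groups = @([regex]::Matches($value, '\[[^\]]*\]') | ForEach-Object { $_.Value })
    }
    # -contains is case-insensitive for strings, which suits GUID text.
    $present = $groups -contains $ScriptsPair
    $changed = $false
    if (-not $present -and -not $CheckOnly) {
        # Keep the other groups; sort by leading CSE GUID (assumed editor ordering).
        $merged  = @($groups + $ScriptsPair | Sort-Object -Unique)
        $newLine = "$key=" + ($merged -join '')
        if ($idx -ge 0) { $lines[$idx] = $newLine } else { $lines += $newLine }
        Set-Content -LiteralPath $GptIniPath -Value $lines -Encoding Ascii
        $changed = $true
    }
    [pscustomobject]@{ HadPair = $present; Changed = $changed; Groups = $groups.Count }
}

# Constructed sample GPT.ini written to a temp folder, so nothing under System32 is touched.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'GPT-sample.ini'
Set-Content -LiteralPath $sample -Encoding Ascii -Value @(
    '[General]'
    'gPCUserExtensionNames=[{00000000-0000-0000-0000-000000000001}{00000000-0000-0000-0000-000000000002}]'
    'Version=65536'
)
Set-UserScriptsCse -GptIniPath $sample -CheckOnly   # audit only
Set-UserScriptsCse -GptIniPath $sample              # apply the merge
Set-UserScriptsCse -GptIniPath $sample              # re-run to confirm idempotence
Get-Content -LiteralPath $sample
```

The helper only edits the extension list; it does not touch the Version line, psscripts.ini or the registry keys listed in the post.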
- Aaron Margosis Iron Contributor
Alban1999 - news you might find welcome is that the next set of Policy Analyzer and LGPO tools will include support for client side extensions. "LGPO /g path" will identify the machine and user CSEs referenced in the backup.xml files and register them. Policy Analyzer will also capture CSEs into the .PolicyRules files. (And LGPO /p file.PolicyRules will let you use Policy Analyzer files - with CSE references - to configure local policy.)
No movement on startup/logon scripts, though.