User Logon Scripts Headache
- Dec 18, 2019
Hello, I have been able to solve this issue. I was missing CSE GUID information from the GPT.ini file, more precisely the CSE GUID related to scripts:
gPCUserExtensionNames=[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]
By copying a gpt.ini file filled with those entries into my target computer, along with creating appropriate registry keys, my user logon/logoff PowerShell scripts are now executed without issues.
I didn't have to do that for machine startup/shutdown PowerShell scripts tho, no idea why so far.
Also, I can confirm with Procmon new registry hives/keys are indeed created when configuring scripts, I'm not sure why you do not see this. My target is an LTSC 2016 operating system just in case.
If you are not able to provide support for scripts with LGPO.exe right now, at least please try to document this:
- For machine scripts, copy shutdown and/or startup folders to target, as well as a prefilled psscripts.ini to C:\Windows\System32\GroupPolicy\Machine\Scripts. Then create appropriate registry keys under:
"HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts" and "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Scripts".
- For user scripts, copy logon and/or logoff folders to target, as well as a prefilled psscripts.ini to C:\Windows\System32\GroupPolicy\User\Scripts and a prefilled GPT.ini file to C:\Windows\System32\GroupPolicy.
Then create appropriate registry keys under:
"HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts" and "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\[SID]"
(HKLM hive for the second registry hive is not an error).
Regards,
Alban1999 - I just spent a little time looking into this - nobody's ever asked about startup/logon scripts for local policy before. First: I didn't see any registry writes when I configured scripts. Second: my quick attempt to configure a PowerShell script didn't do what I expected, but a *.cmd batch file did. It might be (have to dig deeper to verify) that this old part of policy hasn't been updated to handle PowerShell. Might need to explicitly invoke powershell.exe from a batch file or something.
Sorry, but I can't spend any more time on it right now.
- Aaron Margosis, Jan 09, 2020, Iron Contributor
Alban1999 - news you might find welcome is that the next set of Policy Analyzer and LGPO tools will include support for client side extensions. "LGPO /g path" will identify the machine and user CSEs referenced in the backup.xml files and register them. Policy Analyzer will also capture CSEs into the .PolicyRules files. (And LGPO /p file.PolicyRules will let you use Policy Analyzer files - with CSE references - to configure local policy.)
No movement on startup/logon scripts, though.
- Alban1999, Jan 15, 2020, Iron Contributor
Hello, that's good news - so basically, I won't have to mess with GPT.ini file in the future, even for user scripts? Your last line is a bit confusing.
From what I understand, I still need to manage the "copy script to target" + "create appropriate registry keys" steps, however I won't need to update gpt.ini file anymore, as scripts CSE will be already included within.
Please let me know if I'm not mistaken.
- Aaron Margosis, Jan 15, 2020, Iron Contributor
That's correct:
* "LGPO.exe /b" will parse gpt.ini for you and pick up the Scripts machine CSE.
* When Policy Analyzer imports a GPO backup, it will pick up the CSEs referenced in the backup.xml file(s) and incorporate them into the resulting .PolicyRules file.
* "LGPO.exe /g path" will inspect backup.xml file(s) and register machine and user CSEs that it finds.
* "LGPO.exe /p path\lgpo.PolicyRules" will apply all policy settings in the PolicyRules file, including registering machine/user CSEs.
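The GPT.ini requirement discussed in this thread can be checked before or after deployment. The following is an added example, not part of the original posts and not LGPO's own code: it parses the extension-name lines of a GPT.ini and reports whether the scripts GUID pair quoted in the thread is registered for user and machine policy. The function names and the sample GPT.ini content (including the placeholder 1111.../2222... GUIDs) are constructed for illustration.

```powershell
# Added example: check whether GPT.ini registers a CSE pair for User / Machine policy.
# The scripts GUID pair is the one quoted in the thread; everything else is constructed.
$ScriptsPair = '{42B5FAAE-6536-11D2-AE5A-0000F87571E3}', '{40B6664F-4972-11D1-A7CA-0000F87571E3}'

function Get-GptExtensionPairs {
    param([string[]]$Lines, [string]$Key)
    # Value format: [{CSE}{tool}][{CSE}{tool}{tool}]...  The first GUID in each [...] group is the CSE.
    $line = $Lines | Where-Object { $_ -match "^\s*$Key\s*=" } | Select-Object -First 1
    if (-not $line) { return }                      # key absent: no extensions registered
    $value = ($line -split '=', 2)[1]
    foreach ($group in [regex]::Matches($value, '\[([^\]]*)\]')) {
        $guids = @([regex]::Matches($group.Groups[1].Value, '\{[0-9A-Fa-f-]{36}\}') |
                   ForEach-Object { $_.Value.ToUpperInvariant() })
        if ($guids.Count -gt 0) {
            [pscustomobject]@{ Cse = $guids[0]; Tools = @($guids | Select-Object -Skip 1) }
        }
    }
}

function Test-GptCsePair {
    param([string[]]$Lines, [string]$Key, [string[]]$Pair)
    $pairs = @(Get-GptExtensionPairs -Lines $Lines -Key $Key)
    # -eq and -contains are case-insensitive for strings, so GUID casing does not matter.
    [bool]($pairs | Where-Object { $_.Cse -eq $Pair[0] -and $_.Tools -contains $Pair[1] })
}

# Constructed sample: the user line carries the scripts pair, the machine line does not.
$sample = @'
[General]
gPCMachineExtensionNames=[{11111111-1111-1111-1111-111111111111}{22222222-2222-2222-2222-222222222222}]
gPCUserExtensionNames=[{11111111-1111-1111-1111-111111111111}{22222222-2222-2222-2222-222222222222}][{42b5faae-6536-11d2-ae5a-0000f87571e3}{40b6664f-4972-11d1-a7ca-0000f87571e3}]
Version=65537
'@ -split '\r?\n'

# On a real target, replace $sample with:
#   Get-Content C:\Windows\System32\GroupPolicy\GPT.ini
foreach ($key in 'gPCUserExtensionNames', 'gPCMachineExtensionNames') {
    [pscustomobject]@{
        Key                  = $key
        ScriptsCseRegistered = Test-GptCsePair -Lines $sample -Key $key -Pair $ScriptsPair
    }
}
```

Run against a baseline image, the same check also surfaces a scripts CSE registration that nobody intended, which is worth reviewing together with the Scripts folders named earlier in the thread.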