SOLVED

User Logon Scripts Headache


Hello,

 

I'm hardening a workstation in a workgroup environment, which means I have to rely on MDT, LGPO.exe and PowerShell scripts to achieve my goals - in an automated way of course.

 

Sadly LGPO.exe supports neither scripts nor Group Policy Preferences. I have to use logon scripts, which wasn't hard on old OSes - just drop them into the appropriate "C:\Windows\System32\GroupPolicy\Scripts" subfolders on the target computer.

 

In Windows 10 this is a different story - you also need to add an ini file to those folders, as well as create registry keys - for machine scripts, stuff under "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts" and "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Scripts".

 

While it works for machine scripts, it fails for user scripts - I have tried with the "HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts" and "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\[SID]" registry hives without success - the error is "incorrect function" (the same I had for computer scripts until I configured all required registry keys).

ProcMon detects some more updated keys when manually adding logon scripts using gpedit.msc, however those seem to be created automatically by those above.

 

Did anyone manage to successfully add user logon/logoff scripts to a workstation preconfigured with LGPO? Could it be some kind of permissions issue instead?

 

Thanks

8 Replies

@Alban1999 - I just spent a little time looking into this - nobody's ever asked about startup/logon scripts for local policy before. First: I didn't see any registry writes when I configured scripts. Second: my quick attempt to configure a PowerShell script didn't do what I expected, but a *.cmd batch file did. It might be (have to dig deeper to verify) that this old part of policy hasn't been updated to handle PowerShell. Might need to explicitly invoke powershell.exe from a batch file or something.

Sorry, but I can't spend any more time on it right now.

best response confirmed by Alban1999 (Iron Contributor)
Solution

@Aaron Margosis 

 

Hello, I have been able to solve this issue. I was missing the CSE GUID information in the GPT.ini file, more precisely the CSE GUIDs related to scripts:

 

gPCUserExtensionNames=[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]

 

By copying a gpt.ini file filled with those entries to my target computer, along with creating the appropriate registry keys, my user logon/logoff PowerShell scripts are now executed without issues.

I didn't have to do that for machine startup/shutdown PowerShell scripts though, no idea why so far.

 

Also, I can confirm with Procmon that new registry hives/keys are indeed created when configuring scripts, I'm not sure why you do not see this. My target is an LTSC 2016 operating system just in case.

 

If you are not able to provide support for scripts with LGPO.exe right now, at least please try to document this:

 

- For machine scripts, copy the shutdown and/or startup folders to the target, as well as a prefilled psscripts.ini to C:\Windows\System32\GroupPolicy\Machine\Scripts. Then create the appropriate registry keys under:

"HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts" and "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Scripts".

 

- For user scripts, copy the logon and/or logoff folders to the target, as well as a prefilled psscripts.ini to C:\Windows\System32\GroupPolicy\User\Scripts and a prefilled GPT.ini file to C:\Windows\System32\GroupPolicy.

Then create appropriate registry keys under:

"HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts" and "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\[SID]"

(HKLM hive for the second registry hive is not an error).

 

Regards,
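A PowerShell check, added here and not part of any post in this thread, that verifies the three pieces the accepted answer lists for local-policy user scripts: the Scripts CSE GUID in GPT.ini, the script entries in User\Scripts\psscripts.ini, and the per-user registry key. It assumes psscripts.ini uses the usual `NCmdLine=` / `NParameters=` layout under `[Logon]` and `[Logoff]` sections; the paths and GUID are the ones quoted in the thread.

```powershell
# Added verification script (not from the thread). Reports why a local-policy
# user logon/logoff script might not run, without changing anything.
# Assumption: psscripts.ini lines look like "0CmdLine=logon.ps1" / "0Parameters=".
$GpRoot      = Join-Path $env:SystemRoot 'System32\GroupPolicy'
$ScriptsCse  = '{42B5FAAE-6536-11D2-AE5A-0000F87571E3}'   # Scripts CSE from the thread
$UserScripts = Join-Path $GpRoot 'User\Scripts'
$HkcuScripts = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts'

function Test-UserScriptsCse {
    # True when GPT.ini has a gPCUserExtensionNames line that references the Scripts CSE.
    $gpt = Join-Path $GpRoot 'GPT.ini'
    if (-not (Test-Path $gpt)) { return $false }
    $line = Get-Content $gpt | Where-Object { $_ -match '^gPCUserExtensionNames=' }
    return [bool]($line -and ($line -match [regex]::Escape($ScriptsCse)))
}

function Get-PsScriptsIniEntries {
    # Parses psscripts.ini and returns one object per script entry, with a flag
    # telling whether the referenced file is actually present on disk.
    param([string]$IniPath = (Join-Path $UserScripts 'psscripts.ini'))
    if (-not (Test-Path $IniPath)) { return @() }
    $section = ''
    foreach ($raw in Get-Content $IniPath) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -match '^(\d+)CmdLine=(.*)$') {
            $cmd = $Matches[2]
            # CmdLine may be a bare file name (relative to Logon\ or Logoff\) or a full path.
            $full = if ([System.IO.Path]::IsPathRooted($cmd)) { $cmd }
                    else { Join-Path (Join-Path $UserScripts $section) $cmd }
            [pscustomobject]@{
                Phase  = $section
                Index  = [int]$Matches[1]
                Script = $cmd
                Exists = Test-Path $full
            }
        }
    }
}

Write-Host ("GPT.ini references Scripts CSE for user scripts : {0}" -f (Test-UserScriptsCse))
Write-Host ("HKCU Group Policy\Scripts key present          : {0}" -f (Test-Path $HkcuScripts))
Get-PsScriptsIniEntries | Format-Table -AutoSize
```

Run it as the user whose logon script is failing, since the HKCU check is per user; a `False` on the first line is the symptom the accepted answer describes.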

@Alban1999 - news you might find welcome is that the next set of Policy Analyzer and LGPO tools will include support for client side extensions. "LGPO /g path" will identify the machine and user CSEs referenced in the backup.xml files and register them. Policy Analyzer will also capture CSEs into the .PolicyRules files. (And LGPO /p file.PolicyRules will let you use Policy Analyzer files - with CSE references - to configure local policy.)

 

No movement on startup/logon scripts, though.

@Aaron Margosis 

 

Hello, that's good news - so basically, I won't have to mess with the GPT.ini file in the future, even for user scripts? Your last line is a bit confusing.

 

From what I understand, I still need to manage the "copy script to target" + "create appropriate registry keys" steps, however I won't need to update gpt.ini file anymore, as scripts CSE will be already included within.

 

Please let me know if I'm not mistaken.

That's correct:

* "LGPO.exe /b" will parse gpt.ini for you and pick up the Scripts machine CSE.

* When Policy Analyzer imports a GPO backup, it will pick up the CSEs referenced in the backup.xml file(s) and incorporate them into the resulting .PolicyRules file.

* "LGPO.exe /g path" will inspect backup.xml file(s) and register machine and user CSEs that it finds.

* "LGPO.exe /p path\lgpo.PolicyRules" will apply all policy settings in the PolicyRules file, including registering machine/user CSEs.

@Aaron Margosis 

 

Great news Aaron! Could you tell me when this updated LGPO.exe will be available? I'm eager to test it with this improved feature.

 

Also, I promise I won't use scripts anymore the day LGPO.exe supports Group Policy Preferences - one of the top user requests I'm sure.

 

Regards and thanks again for all the help

@Alban1999 

 

I strongly feel you, as I spent a lot of time trying to automate the installation of a startup script on Windows 10 and Windows 7 using the Machine folder, and it was a disappointing experience. Since, as you mentioned, LGPO.exe does not handle startup scripts at the moment, I had to use a .reg file and manually edit the GPT.ini file to point to the correct script.

 

As it was getting way overkill for the initial task (regulating fan speed at startup, depending on whether some hardware is present or not), I ended up creating a Scheduled Task launching the PowerShell script at startup. It works great, and it literally takes 2 lines of PowerShell and an XML Task file to import it on a new machine.

 

@Aaron Margosis That's great news that a new version of LGPO is on the way :) If you need testers for it, do not hesitate to let me know, I would be happy to provide feedback :)

@Harvester Thanks for your reply, indeed a script and a scheduled task is a way to do this - however I'm working on a hardened (DoD level) workstation, so I was not able to do that. Cheers!
