TEC 2010 USA Alumni
Watchman
Debater
Fanboy
Helper
Instigator
Participant

PowerShell Group Policy Scripts

Mon 08 Feb 2010

LIKED BY
1
PEOPLE

Recently I was adding some finishing touches to a chapter I worked up for Jeremy Moskowitz on PowerShell and Group Policy. Some comments had been raised about running PowerShell scripts as logon and logoff scripts and script execution policy. Leaving aside the merits of using PowerShell for a logon or logoff script (that's another article) I discovered something that I'm honestly still not sure about. Confused?

Let's start at the beginning. First off, you need a version of the Group Policy management console running on Windows Server 2008 R2. (I don't have an older 2008 server handy to see if that version works too). When you go to create a user logon script in a GPO, you'll see the setting you've seen since Windows 2000 where you can specify a script path and parameters. Originally I thought this was the only way you could run a PowerShell script. The script path had to be a PowerShell.exe command and any script executed would have followed the execution policy on the client. If the client was configured as Restricted, then your script wouldn't run.

What I failed to notice, or perhaps I was using the wrong GPMC is that there is also a PowerShell script tab.

PowerShell Logon Script

This setting only applies to Windows 7 and Windows Server 2008 R2 clients. But now I can add a PowerShell script just as I used to with batch files and VBScript. I can store the PowerShell script with the GPO or put it on a network share. Naturally if you choose the latter make sure your security is solid. If I have a mix of legacy and PowerShell scripts in the same GPO, I can also control whether or not the PowerShell scripts should first or last.

But now for the intriguing part.

Normally script execution is controlled by the execution policy on the local machine. This can be configured using Set-ExecutionPolicy or even better via a GPO. If you try to run a PowerShell script in the legacy script setting of the GPO, essentially running PowerShell.exe and the path to your script, then the exectuion policy is in force. However....when you run a PowerShell script GPO, exeuction policy is ignored.

Let me repeat that.

When you run a GPO with a PowerShell logon, logoff, startup or shutdown script, the script is executed regardless of the execution policy. Even if you are pushing a policy of Restricted through a GPO, the PowerShell logon script will execute., Without getting into the nitty gritty, in essence Group Policy processing launches the script with a temporary execution policy of bypass.

The reasoning, as I imagine it, is that your GPO infrastructure should be secure enough that is you specify a PowerShell script you know what it is and expect it to run. I can kinda buy that. But what bothers me is that if I'm using an AllSigned execution policy, not only does this add a small layer of security, it also lets me know if a script has been modified since I signed it. I don't want a corrupted PowerShell script to run that might have some unexpected result on the client or a script that has been modified (intentionally or otherwise) by someone else.

But maybe that's just me.

The good news is that you can now use PowerShell as a scripting engine with Group Policy. You can also be guaranteed (maybe a good thing) that your script will run regardless of the local execution policy.

Tagged with:

2008 gpmc gpo logon policy powershell r2 script security

Replies

Neat. I just tested a test PoSH script that takes a snapshot of services and exports them into a csv, I used it as a startup script so it all happened in the backgroup, as oppose to the usual CMD splash you would see with the old batch file or VB script approach. My personal take is that I like the fact that I can overwrite the local restriction policy as the GPO admin to run PoSH script as startups, shutdown, logon and logoff scripts. I am curious as to how would a startup script (etc) overwrite a local script of yours or its last write date when you have a 'all signed' policy in place. I can see where a GPO pushed script can potentially overwrite some other tasks you may have setup internally local to your box, but thats just domain policy overwriting a local policy...or in other words group policy setting the preferences for general users.

by Rick on Tue 09 Feb 2010

I'm not sure I understand what you mean by "overwriting a local script." or "overwrite some other tasks". A script run through a GPO is really no different than running it manually except that the GPO-delivered PowerShell script isn't affected by any execution policy. Can you give me a more specific example?

Or are you saying "overwrite" when you really mean "override"? Those are two separate concepts.

by JeffHicks on Wed 10 Feb 2010

Hi Jeff,

I was trying to understand what you said regarding the Group Policy making a temporary bypass of execution policy, you said that "I don't want a corrupted PowerShell script to run that might have some unexpected result on the client or a script that has been modified (intentionally or otherwise) by someone else."

How would a PoSH script having been pushed via GP irrespective of the local execution policy set on your machine potentially affect a local script ? Also, how does it affect your ability to know that your local scripts have not or have been modified since you signed it.

Forgive me if I am misunderstanding this, but my initial thought of this was the GP making a temporary bypass of local execution policy would do just that i.e process what's in the script. And yes that may entail overriding something locally driven by a script of yours.

Thanks,

by Rick on Thu 11 Feb 2010

Hi Jeff,

Forgive me if I am misunderstanding this, but my initial thought of this was the GP making a temporary bypass of local execution policy would do just that i.e process what's in the script.

Thanks,