Windows: Launching a PowerShell script from a GPO

Created: 1-06-19

Updated: 8-17-21

A task I’m often asked to do is launching a PowerShell script on all desktops and servers in a domain. I’ve been doing this for years, so the topic seemed worth a short article.

Create a GPO and place it in your root or OU folder; I’ll leave this up to you.

I prefer doing it on computer startup instead of per user. Below is the path:

Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup / Shutdown)

Now select the Startup policy and navigate to the PowerShell Scripts tab.

Note: you should have placed your script in the scripts folder inside of the sysvol folder on your domain controller.

Add the PowerShell script you want to push via GPO.

Note: make sure you set the permissions of Domain Computers on the PowerShell script and ensure it has the Read & Execute permission assigned.

After the PowerShell script has been added to the Startup Policy, click on the Edit button.

Add in this parameter:

-Noninteractive -ExecutionPolicy Bypass -Noprofile -file %~dp0powershellscript.ps1

Take note of this command:

%~dp0

This simply tells the parameters to look in the Sysvol folder when the script is launched from the client.

Lastly, you need to set a logon script delay of a few minutes for the script to be applied on startup. This is accomplished by navigating to this location in the GPO:

Computer Configuration -> Administrative Templates -> System -> Group Policy

Find the policy labeled:

Configure Logon Script Delay

Set the policy to “Enabled” and specify 2-3 minutes and then click on apply and close the GPO.

Then all you need to do is a GPO update for the OU in the GPOM, or manually from each desktop you want this to be applied to.
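
A computer startup script runs under the Local System account on every machine the GPO applies to, so the permissions note above is worth checking in both directions: Domain Computers can read and execute the script, and nobody unexpected can modify it. The following is an added example, not part of the original article; the script path is a placeholder and the list of trusted writers is an assumption to adjust for your domain.

```powershell
# Added example: audit the ACL on a GPO startup script stored in SYSVOL.
# The default path is a placeholder; the trusted-writer list is an assumption.
param(
    [string]$ScriptPath = '\\example.local\SYSVOL\example.local\scripts\powershellscript.ps1',
    [string[]]$TrustedWriters = @(
        'NT AUTHORITY\SYSTEM',
        'BUILTIN\Administrators',
        'CREATOR OWNER',
        '*\Domain Admins',
        '*\Enterprise Admins'
    )
)

$rx = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
# Rights that let a principal change the script or its ACL (read bits excluded).
$write = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership'

# Only Allow entries grant access; Deny entries are ignored in this check.
$allow = (Get-Acl -LiteralPath $ScriptPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' }

# 1. Domain Computers must hold Read & Execute, as the article requires.
$computersOk = [bool]($allow | Where-Object {
    $_.IdentityReference.Value -like '*\Domain Computers' -and
    ($_.FileSystemRights -band $rx) -eq $rx
})

# 2. Any write-capable entry for a principal outside the trusted list is a finding.
$unexpected = $allow | Where-Object {
    $id = $_.IdentityReference.Value
    ($_.FileSystemRights -band $write) -ne 0 -and
    -not ($TrustedWriters | Where-Object { $id -like $_ })
}

[pscustomobject]@{
    Script                = $ScriptPath
    DomainComputersCanRun = $computersOk
    UnexpectedWriters     = @($unexpected | ForEach-Object { $_.IdentityReference.Value })
}
```

A healthy result shows DomainComputersCanRun as True and an empty UnexpectedWriters list.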