0

I would like to remotely activate a logon script to computers (Win10 and 11) not connected to a domain.

I can already remotely deploy software/script/files as admin, for example: I can deploy a logon.bat in C:\WINDOWS\System32\GroupPolicy\User\Scripts\Logon or C:\Windows\System32\Repl\Import\Scripts or run commands/install sw.

I know that there is a local group policy to do so, and also that it is possible to set a logon script at user level in the profile tab of a user (users/group snap-in).

The thing that I can't find is a command/registry setting that can enable and specify what script to run without using the GUI.

Kintaro

2 Answers

1

I would use a scheduled task for this. Under the triggers specify At Logon, and Any User. This way you get total control over the script name, location, type of script, etc. Just be sure to place the script in a location that non-admins cannot make changes to, or else call the script using a powershell command line like this with powershell.exe as the program to run, and arguments something like

-Command "& {if ((Get-FileHash c:\myscript.ps1).Hash -eq 'sdf83uf23f288vf0939r23') {& powershell.exe -File c:\myscript.ps1}}"

Does it matter to you whose context the command runs under? SYSTEM, as that user, etc?

James63
  • It needs to be run as the user, so I think I don't need to send admin credentials. So, do you think that there's no way to activate "logon script local policy" without the GUI? I have local admin rights over those machines. – Kintaro Jan 16 '23 at 09:37
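
The scheduled-task approach from the answer above, as an added PowerShell example (not code from either poster): it refuses to register if non-admins hold write-type rights on the script or its folder, then pins the script's SHA-256 into an At Logon task that runs as whoever logs on. The script path, the task name and the use of the Users group SID as the task principal are assumptions.

```powershell
# Added example. Run elevated. $ScriptPath and $TaskName are assumed values.
$ScriptPath = 'C:\Program Files\LogonScripts\logon.ps1'
$TaskName   = 'PinnedLogonScript'

# Only SYSTEM, Administrators and TrustedInstaller may hold write-type rights.
$trustedSids = 'S-1-5-18', 'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
$writeRights = 'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeBits   = [int][System.Security.AccessControl.FileSystemRights]$writeRights

# Check the script and its folder; a writable folder lets the file be swapped.
foreach ($item in $ScriptPath, (Split-Path -Path $ScriptPath -Parent)) {
    $risky = (Get-Acl -LiteralPath $item).Access | Where-Object {
        $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $writeBits) -ne 0) -and
        $sid -notin $trustedSids
    }
    if ($risky) {
        throw "Non-admin write access on '$item': $($risky.IdentityReference -join ', ')"
    }
}

# Pin the SHA-256 of the reviewed script inside the task definition itself.
$hash  = (Get-FileHash -LiteralPath $ScriptPath -Algorithm SHA256).Hash
$check = "& { if ((Get-FileHash -LiteralPath '$ScriptPath').Hash -eq '$hash') " +
         "{ & '$ScriptPath' } else { exit 1 } }"
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -Command `"$check`""

# At logon of any user; the Users group SID (S-1-5-32-545) as principal makes
# the task run in the context of whoever logs on, without stored credentials.
$trigger   = New-ScheduledTaskTrigger -AtLogOn
$principal = New-ScheduledTaskPrincipal -GroupId 'S-1-5-32-545' -RunLevel Limited
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Force
```

Because the expected hash is stored in the task definition, updating the script means re-running this registration from an elevated session. The machine's PowerShell execution policy still applies to the script when the task runs.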
0

To do it, there are two files to be edited, and then launch gpupdate so the registry gets updated too.

For Startup/Shutdown: script.ini in C:\Windows\System32\GroupPolicy\Machine\Scripts
For Logon/Logoff: script.ini in C:\Windows\System32\GroupPolicy\User\Scripts
You need to add, for example:

[Logon]
0CmdLine=first_logon_scritp.bat
0Parameters=
1CmdLine=second_logon_script.bat
1Parameters=

In this case, as it is a logon script, the file has to be deployed in:

C:\Windows\System32\GroupPolicy\User\Scripts\

The second file is:

GPT.ini in C:\Windows\System32\GroupPolicy. You need to add:

gPCUserExtensionNames=[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}]

After that, run gpupdate to update the registry.

Sources:

https://simplecodesoftware.com/articles/how-to-set-up-group-policy-scripts-programmatically

https://social.technet.microsoft.com/Forums/windowsserver/en-US/0a68a605-3f3f-4c0a-a402-f549e25b9cba/assign-a-local-logon-script-using-group-policy?forum=winserverGP

Kintaro