Prof. Powershell

Start Me Up: Scripting a Logon with PowerShell

I advise against it. But if you must use a logon script to authenticate, here's how to get it done with PowerShell.

In my PowerShell training classes or at conferences I inevitably face the question about using PowerShell for logon scripts. You could extend this question to logoff scripts, as well as computer startup and shutdown scripts. My first question back is, why are you still using logon scripts? There is so much that can be done now with Group Policy settings and preferences that we used to script. Your logon script (or logoff, etc.) should be used to handle those tasks and settings that can't be done with Group Policy. And even then, you need to ask if PowerShell is the best tool for the job.

One important thing to remember is scope: Once your PowerShell script ends, any variables, PSDrives or the like cease to exist. So if your logon script is mapping drives, you can't use New-PSDrive and the techniques you would use like a simple NET USE or the VBScript COM objects don't require PowerShell. I suppose some things are easier to script in PowerShell, such as logging. I also know some admins use logon scripts as management tools to gather user or computer information and I can see where PowerShell might make those tasks easier. So how do you use a PowerShell script as a logon script?

The first way, which shouldn't require much in the way of requirements other than PowerShell 2.0, is to wrap your PowerShell command or script inside a batch file:

@echo off
powershell -nologo -file \\chi-fp01\logs\pslogon.ps1 -windowstyle hidden -noprofile -executionpolicy bypass

I would recommend not loading any PowerShell user profiles. Your logon script should be short and self-contained. There be script execution policy issues but since I'm creating the command and know what I'm running, I can explicitly set this PowerShell command to bypass the execution policy. Of course be sure to test your script in an interactive PowerShell session with standard user credentials. When finished create a standard group policy setting for logon script as shown in Figure 1.

A legacy logon script running PowerShell

Figure 1. A legacy logon script running PowerShell. (Click image to view larger version.)


A legacy logon script running PowerShell

Figure 2. A PowerShell logon script setting. (Click image to view larger version.)

This approach should work for just about any domain. But, if you happen to have at least one 2008 R2 domain controller and Window 7 desktops (or Windows Server 2008 R2 for computer scripts), you can use a "native" approach.

Notice the PowerShell Scripts tab in Fig. 1? Add your PowerShell script to the GPO. If your script takes parameters you can add those as well. If you have legacy scripts and PowerShell in the same GPO, be sure to configure the priority (see Fig. 2).

So there you have it in a nutshell. It is not difficult to set up PowerShell logon script. All I ask is that you think about what PowerShell brings to the party and if this is the right tool for the job.

The execution policy will automatically be set to Bypass on the assumption that if you are creating the GPO you know what you are doing with the script.

About the Author

Jeffery Hicks is an IT veteran with over 25 years of experience, much of it spent as an IT infrastructure consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He is a multi-year recipient of the Microsoft MVP Award in Windows PowerShell. He works today as an independent author, trainer and consultant. Jeff has written for numerous online sites and print publications, is a contributing editor at, and a frequent speaker at technology conferences and user groups.

comments powered by Disqus
Most   Popular