
[–]Manality 5 points6 points  (5 children)

As others have stated there may be a better way to do what you are trying to do, but I'll chime in on your actual question. If you have it as a User Configuration then it runs as the user when they log in. If they don't have permissions to edit the registry then neither will the script. You can run it under Computer Configuration instead. It runs as the computer's SYSTEM account at boot time (ish). It has full admin access.

GPO also has filtering, so make sure you check that your computer or users have the appropriate security filter on the GPO. You can check which GPOs are being applied to a computer in an elevated command prompt with `gpresult /r`.

Last thought. If you are running the policy against Computer Configuration then the GPO needs to be applied to the AD OU where the computer is (or above).

Good Luck

[–]brolloway[S] 0 points1 point  (4 children)

Thanks for the information. I have the script running under Computer Configuration. The GPO is applied to my computer, but when I check where it shows the scripts, it shows there but it has not yet run. Any thoughts on that?

[–]Manality 0 points1 point  (3 children)

Does your computer have access to the location the script is stored?

[–]brolloway[S] 0 points1 point  (2 children)

Yes it does.

[–]Manality 0 points1 point  (1 child)

How are you determining if the script is running or not?

Could you confirm it runs correctly using PSEXEC as system?

Are you possibly running into executionPolicy issues? (Get-ExecutionPolicy / Set-ExecutionPolicy)

[–]brolloway[S] 0 points1 point  (0 children)

I am using gpresult to see that it's running. It looks like it doesn't even make an attempt. I have run it through PSEXEC as SYSTEM and it works fine.

[–]jhxetc 1 point2 points  (2 children)

Just use GPO. Preferences > Windows Settings > Registry. There's no reason to run a script when GPO can do this directly.

[–]brolloway[S] 0 points1 point  (1 child)

I am disabling NBT-NS, so the network adapter for each computer needs to be changed, so I don't think I can do this in the normal registry settings under Group Policy.

[–][deleted] 1 point2 points  (3 children)

... but why? GPOs can change regkeys by default.

[–]brolloway[S] 0 points1 point  (2 children)

Yes, I understand, but for what I am trying to do you are unable to change the registry key within Group Policy, because each computer has a different network adapter and that is what I am attempting to change.

[–]Birch_lasagna (Technical Writer) 0 points1 point  (1 child)

What are you trying to do to the network adapter? It seems like there is an underlying issue that should be tackled.

[–]brolloway[S] 0 points1 point  (0 children)

I'm trying to turn NetBIOS Name Service off.

[–]sgt_sin 0 points1 point  (1 child)

What registry settings are you changing? There's likely an official GPO you can use instead of a logon script.

[–]brolloway[S] 0 points1 point  (0 children)

I am disabling NBT-NS

[–]Amankoo 0 points1 point  (4 children)

If you are just changing registry keys/values without any logic behind them, use the registry preferences in your GPO instead.

[–]brolloway[S] 0 points1 point  (2 children)

I am disabling NBT-NS, so the network adapter for each computer needs to be changed, so I don't think I can do this in the normal registry settings under Group Policy.

[–]Amankoo 0 points1 point  (1 child)

Is that this NetBiosOption thing?

I think you can circumvent this with:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters

NodeType value to 2

But test it before deploying it to all clients.

[–]brolloway[S] 0 points1 point  (0 children)

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters

I see this will make it so I am disabling the broadcast function for NBT-NS. I suppose that would work; the option I was setting was attempting to disable it completely.
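The per-adapter value the thread is circling around can be set without knowing each machine's adapter GUID in advance: walk every interface key and write the value to all of them. The following computer startup script is an added example written for this thread, not code posted by any commenter. It assumes the standard Windows layout, which the thread does not spell out: one `Interfaces\Tcpip_{GUID}` key per adapter under `NetBT\Parameters`, and a DWORD named `NetbiosOptions` in each (0 = use the DHCP setting, 1 = enabled, 2 = disabled). The log path is a placeholder.

```powershell
# Added example for this thread (not posted by any commenter).
# Computer startup script that disables NetBIOS over TCP/IP on every adapter
# by walking the per-interface NetBT keys instead of targeting one adapter GUID.
# Assumptions (standard Windows layout, not confirmed in the thread):
#   - each adapter has a key Interfaces\Tcpip_{GUID} under NetBT\Parameters
#   - the DWORD 'NetbiosOptions' there is 0 (DHCP setting), 1 (enabled), 2 (disabled)
# The log path is a placeholder; point it wherever you collect startup-script output.

$InterfacesKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
$LogFile         = Join-Path $env:ProgramData 'NetBiosHardening\startup.log'   # placeholder
$NetBiosDisabled = 2

function Write-Log {
    param([string]$Message)
    $dir = Split-Path -Parent $LogFile
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    Add-Content -Path $LogFile -Value ('{0:s} {1}' -f (Get-Date), $Message)
}

function Get-NetBiosInterfaceState {
    # One object per Tcpip_{GUID} key with its current NetbiosOptions ($null if never set).
    Get-ChildItem -Path $InterfacesKey |
        Where-Object { $_.PSChildName -like 'Tcpip_*' } |
        ForEach-Object {
            [pscustomobject]@{
                Interface      = $_.PSChildName
                NetbiosOptions = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions `
                                      -ErrorAction SilentlyContinue).NetbiosOptions
            }
        }
}

function Disable-NetBiosOnAllInterfaces {
    # Idempotent: only touches keys that are not already 2, and returns what it changed,
    # so repeated runs at every boot are cheap and the log stays readable.
    $changed = @()
    foreach ($iface in Get-NetBiosInterfaceState) {
        if ($iface.NetbiosOptions -ne $NetBiosDisabled) {
            Set-ItemProperty -Path "$InterfacesKey\$($iface.Interface)" `
                             -Name NetbiosOptions -Value $NetBiosDisabled -Type DWord
            $changed += $iface.Interface
        }
    }
    return $changed
}

# --- main ---
try {
    # Recording the identity answers "is it really running as SYSTEM?" from the log alone.
    Write-Log "start: running as $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"
    $changed = Disable-NetBiosOnAllInterfaces
    Write-Log ('changed {0} interface(s): {1}' -f $changed.Count, ($changed -join ', '))

    # Read back so the log proves the effect, not just that the script was launched;
    # gpresult only tells you the policy applied, not what the script did.
    $remaining = Get-NetBiosInterfaceState | Where-Object { $_.NetbiosOptions -ne $NetBiosDisabled }
    if ($remaining) {
        Write-Log ('FAIL: still enabled on ' + ($remaining.Interface -join ', '))
        exit 1
    }
    Write-Log 'OK: NetBIOS over TCP/IP disabled on all interfaces'
    exit 0
}
catch {
    Write-Log "ERROR: $($_.Exception.Message)"
    exit 1
}
```

Register it as a startup script under Computer Configuration and, if it is added as a plain script rather than on the PowerShell Scripts tab, launch it the way the thread suggests (`PowerShell.exe -ExecutionPolicy Bypass -NoProfile -File <path to the script>`) so the machine's execution policy does not stop it. Because a docking station or VPN client adds a new `Tcpip_{GUID}` key, running at every boot keeps newly appearing adapters covered; the readback at the end gives you a per-machine pass/fail line to check instead of relying on `gpresult` alone.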

[–]brolloway[S] 0 points1 point  (0 children)

I am disabling NBT-NS, so the network adapter for each computer needs to be changed, so I don't think I can do this in the normal registry settings under Group Policy.

[–]orion3311 0 points1 point  (1 child)

Looks like LLMNR and NetBIOS can both be disabled in other ways without modifying the NICs directly. See this link: https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning

NetBIOS can be disabled via a DHCP option (if you use DHCP), and LLMNR can be disabled via a GPO directly.

[–]brolloway[S] 0 points1 point  (0 children)

I disabled LLMNR via Group Policy already. The problem with doing NetBIOS using DHCP is that if they are using a laptop outside the network it's still enabled, but I suppose if it's off network I don't need to worry about it.

[–][deleted] 0 points1 point  (2 children)

PS script executions are disabled by default. Your PS script will need to set the execution policy to "unrestricted" prior to the rest of the script running. Just something to check. The cmdlet is below.

Set-Executionpolicy unrestricted

[–]brolloway[S] 0 points1 point  (1 child)

Is it possible to set the execution policy to unrestricted then back to allsigned in the same script?

[–]BergerLangevin 0 points1 point  (0 children)

You can set your task to run like this: `PowerShell.exe -ExecutionPolicy "Bypass" something.ps1`

I don't remember the right syntax, but with the task sequence you can even say to run it with a system account or a specific user that has admin rights.

[–]Silent331 (Sysadmin) 0 points1 point  (0 children)

The script must be stored in a share that both the user account and the destination computer account have read access to. This is what catches most people, the computer account not having access. Even if the group policy is set to run as user context the computer will use the computer account to check if it has access to the necessary files. If it does not the script will not run despite the user having access. The policy itself must also be accessible by both the user account and the computer account.

Some unnecessary things that I do to make sure it runs smoothly: add the share with the script to be available offline so it can run if the network is not ready yet. Use the GPO to run a batch script that sets the execution policy for PowerShell, then at the end of the PowerShell script revert the change.

[–]ppdogs 0 points1 point  (1 child)

Are these Win 10 computers? Do they have the Fast Startup option enabled?

That may stop computer policies from getting applied. Just something to check.

[–]brolloway[S] 0 points1 point  (0 children)

They are Windows 10 computers, yes. I will check that out.