C:\GaulTech>

How to run PowerShell scripts using Group Policy

PowerShell offers a wide range of commands to accomplish many different tasks on Windows workstations and servers. You can download applications from online repositories, query information from an Active Directory server, schedule tasks to have them run routinely in the background at certain times, or make use of a number of other useful PowerShell modules. There may come a time when you'd want to run these commands on all workstations in an Active Directory domain, but physically or even remotely accessing each workstation one at a time to run these PowerShell commands would be an inefficient and tedious task.

The use of Group Policy Objects (GPOs) is the best solution to this problem. Group Policy allows these PowerShell scripts to run on workstations or servers across the entire domain, or only on computers arranged in select organizational units, depending on how Active Directory has been structured. This article outlines the steps needed to use scheduled tasks in Group Policy to run a PowerShell script immediately, so that each computer to which this GPO applies runs the PowerShell script once it has updated its Group Policy configuration from the domain controller. This procedure has been tested and confirmed as working on all modern versions of Windows workstations and servers at the time of writing, including Windows 10 and Windows 11.

Step 1: Create PowerShell script & save it to a shared directory

Before a scheduled task can be configured using Group Policy, the PowerShell script file will first need to be created. What this PowerShell script accomplishes will be entirely dependent upon your needs. For the purpose of this article, we'll be creating a PowerShell script called Create-Folder.ps1 as an example. This PowerShell file will contain the following syntax that'll create a folder named "GaulTech" on the C: drive of the computer once this PowerShell script has been run via the GPO that'll be created in the steps to follow.

New-Item -Path "C:\" -Name "GaulTech" -ItemType "directory"

Once this file has been created, it then needs to be saved to a shared directory on a computer within the local LAN. All other computers that would need to run this file via the GPO will need to have access to this shared directory over the network. You'll want to make sure this directory is secure by ensuring that write access is not allowed to unauthorized users. Catastrophic results could occur if someone with malicious intent were to be able to edit the contents of the PowerShell script file that you've created. The following security permissions are recommended for this directory.

  • Administrators: Full Control
  • SYSTEM: Full Control
  • Users: Read Only

In the steps to follow, the SYSTEM account will be used to authenticate and run this PowerShell script via an immediate scheduled task configured by Group Policy. If you require the PowerShell script to contain sensitive information, you may want to remove the read-only permissions assigned to the Users group shown above and consider configuring the shared directory as a hidden share by placing a dollar sign at the end of the share name.
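The permissions above can be applied and checked from PowerShell on the file server. The following is an added example, not the article's own code; it assumes the folder D:\GPOScripts, the share name "Share" from the article, and that it is run as an administrator on the server. Note that when the SYSTEM account on a client reads the share, it authenticates as the computer account, which is an Authenticated User and therefore a member of the server's local Users group; if you remove the Users read permission as suggested above, grant Read to Domain Computers instead so the clients can still fetch the script.

```powershell
# Added example: create the script share with the recommended NTFS permissions
# (Administrators: Full Control, SYSTEM: Full Control, Users: Read Only) and
# verify that nothing else can write to it. Assumed paths/names, not from the article.
$Folder    = 'D:\GPOScripts'
$ShareName = 'Share'

New-Item -Path $Folder -ItemType Directory -Force | Out-Null

# Replace inherited NTFS permissions with the explicit list recommended above.
$acl = Get-Acl -Path $Folder
$acl.SetAccessRuleProtection($true, $false)          # stop inheriting from the parent
foreach ($rule in @($acl.Access)) { $null = $acl.RemoveAccessRule($rule) }
$inherit = 'ContainerInherit, ObjectInherit'          # apply to files and subfolders too
$rules = @(
    New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl',    $inherit, 'None', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',    'FullControl',    $inherit, 'None', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Users',          'ReadAndExecute', $inherit, 'None', 'Allow')
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $Folder -AclObject $acl

# Share permissions stay read-only; the NTFS ACL above is what actually restricts access.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Folder -ReadAccess 'Everyone' | Out-Null
}

# Verification: fail if any principal other than Administrators/SYSTEM holds a Write bit,
# since an editable script here would run as SYSTEM on every targeted computer.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write
$writers = (Get-Acl -Path $Folder).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $writeMask) -ne 0) -and
    ($_.IdentityReference.Value -notin @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'))
}
if ($writers) {
    throw "Unexpected write access on ${Folder}: $($writers.IdentityReference.Value -join ', ')"
}
Write-Host "\\$env:COMPUTERNAME\$ShareName is locked down as recommended."
```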

Step 2: Create a scheduled task in the domain using Group Policy

A GPO or Group Policy Object now needs to be created in the domain to reference this file in an immediate scheduled task. This will need to be set up from a domain controller on the network using the Group Policy Management console. It's best that a new GPO be created for these tasks for easier management. Do not edit an already existing GPO, such as the Default Domain Policy, to include the scheduled tasks as part of that policy.

Follow the steps below to create the Group Policy Object:

  • On a domain controller, open the Group Policy Management console located under Administrative Tools.
  • Expand the domain tree in the left navigation and right click Group Policy Objects. Then select New in the context menu.
  • Give the GPO a distinctive name and leave the source starter GPO set to none.
  • Right click the newly created GPO in the list and select Edit.
  • In the left navigation, expand Computer Configuration -> Preferences -> Control Panel Settings -> Scheduled Tasks
  • Right click Scheduled Tasks and select New -> Immediate Task (At least Windows 7.)
Fig.1 - Creating a new immediate scheduled task using Group Policy.

You should now be at a window requesting the creation of a new immediate scheduled task. The General and Actions tabs are where the configuration will take place to set up the task to run automatically on the domain joined computers. The General tab has four important configuration steps shown below.

  • Assign a distinctive name for this task in the Name field.
  • Click the button that says Change User or Group and enter SYSTEM in the object name selection field. Then click OK.
  • Check the box labeled Run with highest privileges.
  • Set the task to be configured for Windows 7, Windows Server 2008 R2 or whichever option shows the latest version of Windows at the current time. This field is located at the bottom of the General tab.
Fig.2 - The New Task window with the applicable fields highlighted.

Once the above steps are complete, you can proceed onto the Actions tab. This is where we'll reference the PowerShell script at the shared location to run as part of this scheduled task. Click the button that says New and keep Start a program as the selected item in the Action field. Here we'll first reference the file path to where the PowerShell executable is located locally on the computer that'll be running the immediate scheduled task. Paste the following string into the field labeled Program/script.

C:\WINDOWS\SYSTEM32\WindowsPowerShell\v1.0\powershell.exe

The next code snippet below will need to be placed in the Add arguments field. The arguments in the string below will contain two parameters. The first will set the PowerShell execution policy to Bypass. This will ensure that the PowerShell script you're running will not be limited by an execution policy that may prevent it from running. The second parameter references the network path to where you have your PowerShell script file saved on the network. In this section, you'll need to modify the syntax to include the UNC path to where your PowerShell script file is located and shared from on your local LAN.

-ExecutionPolicy Bypass -command "& \\GTSRV1\Share\Create-Folder.ps1"
Fig.3 - Setting the Program/Script & Arguments fields.

Step 3: Assign the GPO to the domain or OU and test the results

With the GPO successfully created, it now needs to be assigned to the domain root or a specific organizational unit, depending on whether you want the PowerShell script to run automatically on all computers or only on select workstations and servers. Keep in mind that the configurations made using Group Policy Management are nested under the Computer Configuration section, meaning that if you want this PowerShell script to only run on certain computers, then it's the computer objects that need to be located in the OU where you'll be assigning this GPO. Applying the GPO to an organizational unit that contains only user accounts will not yield any results.

  • With the Group Policy Management console still open, right click the domain root or the organizational unit where you'd like to apply this policy and select Link an Existing GPO.
  • Select the new GPO that was just created from the list of Group Policy objects and then click the OK button to assign the policy.
Fig.4 - Assigning the newly created GPO to the domain/OU.

Once this policy is assigned, the computers in the domain should then run the scheduled task immediately the next time they check in with a domain controller to update their Group Policy configurations, a process that'll take about two to three hours before being applied on all computers within the domain or organizational unit that you've selected. From our example PowerShell file created in step 1, we could then check to see if the GaulTech folder has appeared successfully on the C: drive on one of the computers that would've been set to run the immediate scheduled task configured within Group Policy.
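Rather than checking one computer at a time, the outcome can be verified across every computer in the linked OU. This is an added example, not the article's own code; it assumes an admin workstation with the ActiveDirectory RSAT module, WinRM enabled on the clients, the placeholder OU distinguished name below replaced with yours, and the Create-Folder.ps1 script from step 1.

```powershell
# Added example: report which computers in the linked OU have run the Step 1 script
# (folder C:\GaulTech present) and which still have the immediate task pending.
# The OU DN is a placeholder; replace it with the OU the GPO was linked to.
Import-Module ActiveDirectory
$OU          = 'OU=Workstations,DC=example,DC=local'   # placeholder, not from the article
$ExpectedDir = 'C:\GaulTech'
$Refresh     = $false   # set to $true to run gpupdate /force on each client instead of waiting hours

# The GPO is computer-side, so only computer objects under the OU matter.
$computers = Get-ADComputer -SearchBase $OU -Filter { Enabled -eq $true } |
             Select-Object -ExpandProperty Name
if (-not $computers) {
    throw "No computer objects found under $OU; link the GPO where the computer objects are."
}

$results = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    param($Dir, $DoRefresh)
    if ($DoRefresh) { gpupdate /force /target:computer | Out-Null }
    # Immediate tasks are deleted once they have run; one still listed has not run yet.
    $pending = Get-ScheduledTask -ErrorAction SilentlyContinue |
               Where-Object { $_.Actions.Arguments -like '*Create-Folder.ps1*' }
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        FolderSeen  = Test-Path -Path $Dir -PathType Container
        PendingTask = ($pending.TaskName -join ',')
    }
} -ArgumentList $ExpectedDir, $Refresh

$results | Sort-Object Computer | Format-Table Computer, FolderSeen, PendingTask -AutoSize

# Computers that returned nothing were offline or not reachable over WinRM.
$missing = $computers | Where-Object { $_ -notin $results.Computer }
foreach ($name in $missing) { Write-Warning "No result from $name (offline or WinRM unavailable)" }
```

A computer that reports FolderSeen as False with no pending task has already refreshed policy but did not create the folder; the usual causes are the client not being able to read the share as its computer account or the task being defined in a GPO that is not linked to the OU containing that computer object.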