Integrating scripts into Group Policy

Preprogrammed

Controlling Group Policy Settings

In addition to the scripts themselves, Group Policy contains various settings that control and regulate how scripts are executed. Explanations and help are available directly in each setting. The following policy paths play a role:

  • Computer Configuration | Policies | Administrative Templates | System | Scripts
  • Computer Configuration | Policies | Administrative Templates | System | Logon
  • Computer Configuration | Policies | Administrative Templates | System | Group Policy
  • User Configuration | Policies | Administrative Templates | System | Scripts
  • User Configuration | Policies | Administrative Templates | System | Logon

Group Policy Loopback Processing

If you use remote desktop session hosts together with Group Policy, you can store the servers in a separate OU and then enable group policies with the desired settings for that OU. Such a scenario is useful not only for Remote Desktop Services but also for multiple computers.

For policies used with Remote Desktop Services or multiple machines, you can enable loopback processing mode in a Group Policy. In this mode, Group Policy also applies the policy's user settings when the user account is not stored in the OU where the policy is defined; what counts instead is the server or computer account the user logs on to. This means that you can define user settings for remote desktop servers that are only applied when users log on to the remote desktop servers, not when they log on to their local computers.

You can find this setting under Computer Configuration | Policies | Administrative Templates | System | Group Policy. Under Configure user Group Policy loopback processing mode, click on Enabled. Then, you can choose between Replace and Merge modes. If you select Replace, the policy overwrites settings already set by other policies in the same place. Merge applies both the user's normal policies and the user settings in the Remote Desktop Server policy. If there are conflicts, the Remote Desktop Server policy wins (Figure 3).

Figure 3: The loopback processing mode allows you to run scripts and settings in parallel on computers and remote desktop session hosts.

Security in PowerShell

To protect the computer from attacks, PowerShell offers various security features, including the execution policy for scripts, which specifies whether scripts may be executed at all, whether they must at least be digitally signed, or whether all scripts are generally allowed. This also applies to execution through group policies. By default, PowerShell only processes signed scripts. If you want to write your own scripts, you must sign them digitally or adapt the policy to run them. The latter is the best way to get started with scripts. You can use the Get-ExecutionPolicy cmdlet to view the execution policy and change it with Set-ExecutionPolicy. The following options are available:

  • Restricted: No scripts are allowed. This option provides security, but you cannot work with scripts.
  • AllSigned: Only signed scripts are allowed.
  • RemoteSigned: Scripts must be signed by a certification authority.
  • Unrestricted: All scripts work. This setting is suitable for tests with login scripts. However, it also reduces the security level, which is why only signed scripts should be used in production environments.
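
A pre-flight check for moving from Unrestricted to signed-only execution, as an added example that is not part of the original article: it lists the execution policy at every scope and reports which scripts in a folder lack a valid Authenticode signature. The folder C:\Scripts\Logon is an assumed placeholder for wherever your logon and startup scripts are kept.

```powershell
# Added example, not from the article.
# Assumption: $ScriptRoot is a hypothetical folder holding your logon/startup scripts.
param(
    [string]$ScriptRoot = 'C:\Scripts\Logon'   # placeholder path, adjust to your environment
)

# 1. Show the policy at every scope. MachinePolicy and UserPolicy are set by
#    Group Policy and take precedence over Process, CurrentUser and LocalMachine.
Get-ExecutionPolicy -List | Format-Table Scope, ExecutionPolicy -AutoSize
Write-Host "Effective execution policy: $(Get-ExecutionPolicy)"

# 2. Check the Authenticode signature of every .ps1 file in the folder.
$report = Get-ChildItem -Path $ScriptRoot -File -Recurse |
    Where-Object Extension -eq '.ps1' |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Script  = $_.FullName
            Status  = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
            Signer  = $sig.SignerCertificate.Subject   # empty for unsigned scripts
            Expires = $sig.SignerCertificate.NotAfter
        }
    }

$report | Format-Table -AutoSize

# 3. A script whose status is not 'Valid' is refused under AllSigned.
#    HashMismatch means the file was changed after it was signed.
$blocked = @($report | Where-Object { $_.Status -ne 'Valid' })
if ($blocked.Count -gt 0) {
    Write-Warning "$($blocked.Count) script(s) would not run under AllSigned:"
    $blocked | ForEach-Object { Write-Warning "  $($_.Script) [$($_.Status)]" }
}
else {
    # A valid signature is necessary; the signing certificate must also be
    # in the Trusted Publishers store of the machines that run the script.
    Write-Host 'All scripts carry a valid signature.'
}
```

Run it on a machine that receives the policy, so that the MachinePolicy and UserPolicy rows reflect what Group Policy actually applied.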
