Run a PowerShell script once on all computers as admin via GPO without changing execution policy

CMS

10/1/23, 6:42 PM

I have a PowerShell script that I need to run once on all computers in my Active Directory domain. A large number of computers are off at any given time, so a GPO would allow us to ensure that it applies to all affected machines. However, the script needs to run as administrator because of the registry values being modified. Also, per our security department, we cannot change the ExecutionPolicy on these devices.

Is there any way to get this script to run?

New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
$regKey = 'ms-msdt'
$saveFolder = 'C:\Temp\'
$savePath = $saveFolder + 'CVE-2022-30190.reg'
$PSRegPath = 'HKCR:\' + $regkey
$CMDRegPath = 'HKCR\' + $regkey
if(Test-Path $PSRegPath)
{
    if(!(Test-Path $saveFolder))
    {
        New-Item -Path $folder -ItemType Directory
    }
    Invoke-Command {reg export $CMDRegPath $savePath -Y}
    Remove-Item -Path $PSRegPath -Recurse -Force
}

This script backs up a registry entry before deleting it, as recommended by the Microsoft mitigation work-around to CVE-2022-30190.

0 + 0

windows

powershell

active-directory

group-policy

administrative-privileges

SamErde

10/1/23, 8:13 PM

What is the current execution policy?

Greg Askew

10/1/23, 8:24 PM

`A large number of computers are off at any given time, so a GPO would allow us to ensure that it applies to all affected machines.` How is that? A GPO can only help you if an endpoint is *on* the network.

SamErde

10/1/23, 8:26 PM

I suspect their hope is that a GPO would ensure that the script runs as soon as the computer is turned on (once it picks up and processes the new GPO setting).

Score:0

Server

SamErde

10/1/23, 8:24 PM

You can deploy the script as a Computer setting using Windows Settings > Scripts (Startup/Shutdown.

These scripts will run in the system context and not the user. To limit this to only running once, you can add a little bit of logic in the script to check for the existence of the registry data.

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Run a PowerShell script once on all computers as admin via GPO without changing execution policy

TH: เรียกใช้สคริปต์ PowerShell ครั้งเดียวบนคอมพิวเตอร์ทุกเครื่องในฐานะผู้ดูแลระบบผ่าน GPO โดยไม่ต้องเปลี่ยนนโยบายการดำเนินการ

RO: Rulați un script PowerShell o dată pe toate computerele ca administrator prin GPO fără a modifica politica de execuție

RU: Запустите сценарий PowerShell один раз на всех компьютерах от имени администратора через объект групповой политики без изменения политики выполнения.

VI: Chạy tập lệnh PowerShell một lần trên tất cả các máy tính với tư cách quản trị viên qua GPO mà không thay đổi chính sách thực thi

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.