Adding Startup Scripts to GPOs

To add a script to a new or existing Group Policy Object (GPO), open the Microsoft Management Console (MMC) Active Directory Users and Computers console, which Figure 1 shows.

Figure 1

Right-click the organizational unit (OU) in which you want to create a new policy or access an existing policy. Select Properties from the context menu, then select the Group Policy tab, which Figure 2 shows. Click New to add a new policy. Name the new policy, then click Edit.

Figure 2

Under the new policy, drill down to Computer Configuration, Windows Settings, Scripts (Startup/Shutdown), as Figure 3 shows.

Figure 3

Double-click Startup in the right panel to open the Startup Properties page, which Figure 4 shows, and click Show Files.

Figure 4

Copy the file that contains the script you want to add to the Startup folder, then return to the properties page and click Add. Figure 5 shows that I've added a file called PWScript.bat, which consists of the following command-shell code to change a computer's Administrator password when a user reboots:

Figure 5

REM Set the local Administrator password to the first parameter the GPO passes to the script
NET USER Administrator %1

Close the Startup window. Return to the Startup Properties window and click Add to open the Add a Script window, which Figure 6 shows.

Figure 6

In this window, enter the name of the script you want to add or click Browse to locate the script you previously copied to the Startup folder. In the Script Parameters field, type the password you want to pass to the script. The script will push this password to computers in the OU on their next reboot. Click OK and exit the cascaded windows.

The final step in adding a startup script to a GPO is to make any necessary adjustments to the GPO's security settings. In this example, I need to set the security so that the password parameter isn't visible. Return to the GPO Properties page that Figure 2 shows.

Right-click the Group Policy, select Properties, then select the Security tab, which Figure 7 shows.

Figure 7

By default, the Authenticated Users group, which contains both users and computers in the domain, has Read and Apply Group Policy permissions. This setup works fine on most policies, but giving Authenticated Users Read and Apply Group Policy permissions in this example would expose the password to everyone in the domain rather than to just the group to which the password applies. Therefore, clear the Allow check boxes for the Read and Apply Group Policy permissions for Authenticated Users. Then, grant these permissions to the computer group that contains the computers to which you want this GPO to apply, as Figure 8 shows. Click Apply, then click OK to close the Security window.

Figure 8

Be sure to thoroughly test your computer startup scripts in a test OU before implementing them in your production environment. Also, test your security settings thoroughly to ensure that the GPO is being applied to the proper computers and that users can’t see any sensitive data.
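One way to carry out that security check across a domain, as an added audit example that is not part of the original article: the PowerShell below uses the GroupPolicy RSAT module to list every GPO whose startup scripts receive parameters and reports whether Authenticated Users still holds Read on it. It assumes the module is installed, that the caller can read every GPO and its SYSVOL folder, and that startup script definitions are stored in the GPO's Machine\Scripts\scripts.ini file as NCmdLine=/NParameters= pairs; the domain name defaults to the current one.

```powershell
# Added audit example, not code from the original article.
# Assumptions: GroupPolicy RSAT module present; caller can read all GPOs and SYSVOL;
# startup scripts are defined in <GPO path>\Machine\Scripts\scripts.ini.
Import-Module GroupPolicy

function Get-StartupScriptExposure {
    param([string]$Domain = $env:USERDNSDOMAIN)   # assumption: audit the current domain

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $ini = Join-Path $gpo.Path 'Machine\Scripts\scripts.ini'
        if (-not (Test-Path -LiteralPath $ini)) { continue }

        # Parse the [Startup] section into index -> @{ CmdLine; Parameters }
        $section = ''
        $entries = @{}
        foreach ($line in Get-Content -LiteralPath $ini) {
            if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
            if ($section -ne 'Startup') { continue }
            if ($line -match '^(\d+)(CmdLine|Parameters)=(.*)$') {
                $idx = $Matches[1]
                if (-not $entries.ContainsKey($idx)) { $entries[$idx] = @{} }
                $entries[$idx][$Matches[2]] = $Matches[3]
            }
        }

        # Every standard GPO permission level (Read, Apply, Edit, ...) includes Read,
        # so each trustee listed here can read the parameters stored in scripts.ini.
        $readers = Get-GPPermission -Guid $gpo.Id -All -Domain $Domain |
            ForEach-Object { $_.Trustee.Name }

        foreach ($idx in $entries.Keys) {
            $e = $entries[$idx]
            # Only scripts that actually receive parameters matter for this check
            if ([string]::IsNullOrWhiteSpace($e['Parameters'])) { continue }
            [pscustomobject]@{
                Gpo                       = $gpo.DisplayName
                Script                    = $e['CmdLine']
                AuthenticatedUsersCanRead = [bool]($readers -contains 'Authenticated Users')
                Readers                   = ($readers -join ', ')
            }
        }
    }
}

Get-StartupScriptExposure | Format-Table -AutoSize
```

A row with AuthenticatedUsersCanRead set to True means the Read permission described above was not removed; even where it was, the parameter value remains in clear text for every trustee left in the Readers column, which is why the article limits that list to the computer group the password is meant for.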
