Home Dashboard Directory Help

Group Policy Powershell Script by Axel B. Andersen



Sign in
to vote
Type: Suggestion
ID: 984532
Opened: 9/29/2014 5:24:54 AM
Access Restriction: Public


When running Powershell Logon or Logoff Scrips in GPO's the -NoProfile switch is not included in the command. This results in very long logon/logoff times, if users have filled their Powershell Profile with a lot of modules. It can take up to 10 minutes, if the profile needs user input to load.
Sign in to post a comment.
Posted by Samuel Leslie on 8/5/2015 at 1:03 AM
I'd actually suggest the issue is more severe than indicated in the description. To provide a recent example, we have some PowerShell scripts which run on user login (in the user's security context). One user account had a PowerShell profile which loaded some password protected SSH keys. Of course, because the Group Policy processing occurs via a non-interactive service, the password could never be entered, and so the policy processing simply hung with the ssh-add.exe process waiting for user input.

This is compounded as in this case another user wanted to login to the system locally using fast user switching, however, because the Group Policy Client service was permanently stuck the user couldn't login as the logon process would fail warning that it couldn't communicate with the Group Policy Client service. We were ultimately be able to workaround this by manually killing the hung ssh-add processes (of which several were spawned) via PowerShell remoting, but this is obviously not a solution or at all workable in most cases.
Sign in to post a workaround.
Posted by Samuel Leslie on 8/5/2015 at 1:04 AM
A possible workaround is to use a standard batch script as a wrapper to execute the PowerShell script being sure to provide the -NoProfile option.