How to Find GPO Logon Scripts and Startup Scripts

Find GPO Logon Scripts with PowerShell

With a large GPO structure, it can be challenging to keep track of all your settings.

Also, if you’re a consultant or a fresh hire facing an unknown infrastructure, getting an overview of GPOs can be very time-consuming.

That is, unless you pull out a little PowerShell magic from your sleeve!


This article will enable you to identify logon, logoff, startup, and shutdown scripts in your GPOs.

(for detailed instructions on how you can create your own GPO analysis scripts, read this)

Using PowerShell to Identify GPO Logon Scripts

It’s tempting to use GPO names and try to guess what settings they handle.

But if you have more than 5 GPOs, it will be very time-consuming to click through all of them to verify actual settings.

If you want to know with certainty which of your GPOs hold settings for logon, logoff, startup, or shutdown scripts – check out this script:

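# Requires the GroupPolicy module (installed with the Group Policy Management tools).
Import-Module GroupPolicy

# Returns one object per script entry found in the "Scripts" extension
# of one half (Computer or User) of a GPO.
Function Get-Scripts ($ExtData, $Gpo, $Scope, $LinkCount, $Enabled) {
    $ArrResult = @()
    ForEach ($ExtensionData In $ExtData) {
        If ($ExtensionData.Name -eq "Scripts") {
            $GPOScripts = $ExtensionData.Extension.Script
            ForEach ($GPOScript In $GPOScripts) {
                $GPOScriptConfig = New-Object PSObject -Property @{
                    GPO          = $Gpo.Name
                    Scope        = $Scope               # "Computer" or "User"
                    LinkCount    = $LinkCount
                    Enabled      = $Enabled
                    Name         = $GPOScript.Command   # script file name or path
                    Type         = $GPOScript.Type      # Startup, Shutdown, Logon or Logoff
                }
                $ArrResult += $GPOScriptConfig
            }
        }
    }
    Write-Output $ArrResult
}

# Export every GPO in the domain as an XML report.
$Reports = Get-GPO -All | Get-GPOReport -ReportType Xml
$Scripts = @()
ForEach ($Report In $Reports) {
    $GPO = ([xml]$Report).GPO
    # Number of containers (sites, domains, OUs) the GPO is linked to.
    $LinkCount = ([string[]]$GPO.LinksTo).Count
    # Computer half of the GPO: startup and shutdown scripts.
    $Scripts += Get-Scripts $GPO.Computer.ExtensionData $GPO "Computer" $LinkCount $GPO.Computer.Enabled
    # User half of the GPO: logon and logoff scripts.
    $Scripts += Get-Scripts $GPO.User.ExtensionData $GPO "User" $LinkCount $GPO.User.Enabled
}
$Scripts | Format-Table GPO, LinkCount, Enabled, Name, Type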

The output from the script will look similar to this:

GPO              LinkCount Enabled Name               Type
---              --------- ------- ----               ----
StartupScript_DK         2 true    ClearTempFiles.bat Startup
LogonScript              1 true    MapDrives.bat      Logon

With this overview in hand, you have a great starting point for examining your GPO logon scripts further.

Look at this article for a thorough primer on GPO, application order, filtering, etc.
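
One way to triage the inventory once you have it, as an added example that is not part of the original article. The function name Get-ScriptReviewNote, the Action labels and the sample rows are assumptions constructed for illustration; in a live domain, pipe $Scripts into the function instead of $Sample.

```powershell
# Constructed sample rows with the columns the inventory script outputs.
$Sample = @(
    [pscustomobject]@{ GPO = 'StartupScript_DK'; LinkCount = 2; Enabled = 'true'; Type = 'Startup';  Name = 'ClearTempFiles.bat' }
    [pscustomobject]@{ GPO = 'LogonScript';      LinkCount = 1; Enabled = 'true'; Type = 'Logon';    Name = '\\fs01.example.test\scripts\MapDrives.bat' }
    [pscustomobject]@{ GPO = 'OldLogon';         LinkCount = 0; Enabled = 'true'; Type = 'Logon';    Name = 'legacy.vbs' }
    [pscustomobject]@{ GPO = 'Cleanup_Servers';  LinkCount = 3; Enabled = 'true'; Type = 'Shutdown'; Name = 'C:\Tools\cleanup.cmd' }
)

# Hypothetical helper: adds review context to one inventory row.
Function Get-ScriptReviewNote {
    param([Parameter(Mandatory, ValueFromPipeline)] $Entry)
    process {
        # A setting only applies if the GPO is linked and that half of it is enabled.
        $Active = ($Entry.LinkCount -gt 0) -and ("$($Entry.Enabled)" -eq 'true')

        # Startup/shutdown scripts run as Local System; logon/logoff scripts run as the user.
        $RunsAs = if ($Entry.Type -in 'Startup', 'Shutdown') { 'SYSTEM' } else { 'User' }

        # Where the script file is stored decides whose permissions protect it.
        $Location = switch -Regex ($Entry.Name) {
            '^\\\\[^\\]+\\(SYSVOL|NETLOGON)\\' { 'DomainShare'; break }
            '^\\\\'                            { 'OtherUNC';    break }
            '^[A-Za-z]:\\'                     { 'LocalPath';   break }
            default                            { 'GpoFolder' }   # bare name: the GPO's own folder in SYSVOL
        }

        # Files outside SYSVOL are not covered by the GPO's own permissions.
        $Action = if (-not $Active) {
            'Stale: remove or document'
        } elseif ($Location -in 'OtherUNC', 'LocalPath') {
            'Check who can write to the file'
        } else {
            'Review script content'
        }

        [pscustomobject]@{
            GPO = $Entry.GPO; Type = $Entry.Type; Name = $Entry.Name
            Active = $Active; RunsAs = $RunsAs; Location = $Location; Action = $Action
        }
    }
}

$Sample | Get-ScriptReviewNote | Format-Table GPO, Type, RunsAs, Location, Active, Action -AutoSize
```

Rows that are active, run as SYSTEM and point outside SYSVOL are the ones to review first, because anyone who can modify that file controls code executed on every computer the GPO applies to.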

Consolidate AD and Office 365 Management

And hey, now we have your attention:

Check out our awesome Office 365 management snap-in for AD Users & Computers:

Easy365Manager will allow you to perform all daily Office 365 management in user properties in AD Users & Computers.

Easy365Manager even eliminates the need for complex PowerShell scripting, e.g., when delegating calendar access:

It’s absolutely free to test-drive all the many features in your own environment.

Download your fully-functional 30-day trial here.

You can install it on any PC or server with AD Users & Computers. It makes no changes to AD or your infrastructure and can be easily uninstalled.
