How do I run Powershell and VBScripts on Windows PCs using AD and Group Policy?
We all know that Windows Active Directory (AD) Group Policy is very powerful. It can apply policies on the PCs in your Windows AD domain. However, the list of policies is limited as are the scheduling and reporting of those policies. While you might be able to run a Powershell script or VB script on the remote PC via some method, Windows GP is still the preferred method. What is lacking in GP is the ability to deploy PowerShell & VB Scripts, as well as feedback, reporting, and scheduling. To get this level of functionality that most Windows Admins desire, what you need is the new tool from Special Operations Software – Specops Command.
Who is Specops?
Special Operations Software (Specops) is a software company, focused on providing enhanced tools for Active Directory Management and Group Policy. They have been in business since 2001 and, today, they offer a variety of products that are tailored to this market.
Their products include:
- Specops Command
- Specops Deploy
- Specops Inventory
- Specops Gpupdate (free)
- Specops Suite
- Specops Password Policy Basic (free) and full versions
- Active Directory Janitor
- and many more…
So what is Specops Command?
Specops Command is what combines the power of AD Group Policy and Windows Powershell and, at the same time, adds a ton of new features.
Before I go into more detail on Command, let’s talk about the two technologies that Command takes advantage of.
Windows Group Policy is used as the script distribution method to distribute your PowerShell and VB Scripts.
Once installed, Specops Command becomes a new node within the Group Policy Object Editor that shows up under both Computer and Users. The options that you will find under this new Specops area are: New Script Assignment, Edit, or Delete Scripts, Get Detailed Feedback, and Add PowerShell snap-ins.
With this, you can choose to run / assign your scripts on either Computers in your AD or Users in your AD. These scripts don’t have to be installed or copied to your PCs ahead of time, Specops Command takes care of that.
Another cool tool from Specops is Specops Gpupdate. This free tool does a group policy update on all Windows GP clients in the domain.
How can Specops Command help you?
I think that, for many of us, the power of Specops Command is not immediately realized. Microsoft’s Powershell is relatively new to most of us but I believe that we all agree that Powershell is, well, “powerful”. What gives it that power is that I can write a script that can perform just about any Windows administrative task needed.
Windows AD GP gives you that connection to all the Windows machines in your domain.
What Specops Command gives you is the integration of Powershell and Windows AD Group Policy – taking the two powerful technologies and combining them – to double that power!
Key features of Specops Command include:
- Execute scripts at intervals- every 90 minutes, at startup, login, etc.
- Scheduling – Decide when and how often a script executes
- Targeting – Point and click where you want the script to execute
- Undo scripts – Handy when scripts (Group Policy) fall out of scope
- Instant reporting and script execution feedback – Learn what happened, why and when it did
- Run scripts with user or computer credentials
- Automatic Windows PowerShell deployment and automatic management/deployment of PowerShell Cmdlets
Downloading and Installing Specops Command
You can request a free trial of Specops Command from their website. After filling out the contact form, you will be taken to a download site and be emailed a license file.
Once you download the installer, there are a few things you should know before you start the installation.
As you can see from the Specops Command Setup Assistant graphic above, there are a number of distinct parts that make up the Specops Command infrastructure. You should already have a Windows AD domain and, with that comes Group Policy. Additionally, you will already have PC clients in your Windows domain and you will have an administrative PC that you are viewing this article on. What may be lacking from your current infrastructure is a Specops Command server. This server is where you should launch the Specops Command installation application.
Requirements for Server & Client Systems
- Specops Command Server: Windows Server 2003, SQL Server 2000 or 2005, MSDE, or SQL Express
- Specops Command Admin Tools: on XP, Vista, Win 2003 & require .NET framework 2.0 or higher, MMC 3.0+, and the GPMC
- Specops Command Client Side Extension: runs on any OS supported by Powershell
Once you have your server with the proper software on it, you should run the Specops Command installation. That installation will unzip itself and run the Specops Command Setup Assistant. This is an excellent tool because it makes installing a complex product, easy. It will lead you, step by step, through the installation process.
During the install, you will point the installer to your existing SQL Server (because SQL was already installed).
The install application will create two security groups – an Admin group and a User group. These groups get full access and read-only access, respectively.
You can use the same installer to install the admin tool on the local machine or another machine.
Additionally, you can install the Specops Reporting application which uses IIS to provide Specops Command reports via a web browser.
If this all sounds complicated and time consuming, I assure you it is really not difficult at all. This is thanks to the Specops Command Setup Assistant which is your friend in the install process.
How do you run PowerShell Scripts on your Windows Client PCs using Specops Command?
To run PowerShell scripts on machines in your Window AD, you simply open the Microsoft Management Console (MMC), go to the Group Policy Object (GPO) that you want to run the scripts on (such as all Computers), and to the Specops Command Folder below that.
Inside this window, click on New Script Assignment.
Next, you will enter the script either by typing it or importing it. You can choose to send feedback, or not, when the script completes.
After that, you will select the Target for the script. Over all, the targeting mechanism is very flexible making it easy to target exactly the specific users or computers you want. Another advantage with the targeting is that, since Specops Command supports VBScript as well, targeting code can now be extracted from all your existing VBScripts out there to make the scripts more manageable.
Then you will choose the schedule that your script will run on.
I can’t stress enough what a powerful feature this scheduling of script processing is. I mean, think about it, Windows Group Policy does not allow for scheduling, reporting or deployment of anything but an MSI setup. With Specops Command, you are able to run whatever PowerShell or VB script you want, on whatever type of systems you want to run them on, in whatever GPO you choose. Additionally, you are able to get detailed reports of the results.
After the script is assigned, you should run Gpupdate to immediately force a GP refresh and get your new script executed.
You should note that, not only does Specops command automate the running of scripts on computers but Specops Command, itself, can also be automated with scripts.
What does Specops Command cost?
Specops Command is free to Download and try for 21 days. For that time, all the features will fully function and there is no limit to the number of clients you can distribute scripts to, nor the number of scripts you can deploy.
After that time, a number of features will be disabled unless you purchase the full version of Specops Command. However, even with these features disabled, you are still getting a number of very very useful Specops features at zero cost.
If you choose to go ahead and purchase Specops Command, you will find that it is licensed at about $20 per seat with the price going down as the number of seats you purchase goes up.
Without Specops Command you are limited to VBScript-based Startup, Logon, Logoff, & Shutdown scripts. This means that the only way to get Group Policy scripts run on a computer is for users to logoff and logon, or restart the PC, and that is a major inconvenience to you and the user.
With Specops Command in place, these problems are solved. You can run Powerful scripts on any system in your AD, whenever you want. You can also get immediate feedback and web-based reporting. I would say that Specops Command very soon will be the standard for distributing and executing PowerShell on remote systems. If you are a Windows Admin interested in making your life easier and giving you more control, I hope you will try out Specops Command today!