Active Directory

Run a Script or Batch File with Administrative Privileges as Windows Starts

Logon scripts have long been used to configure users’ desktop environments, for example by adding network drive mappings and desktop shortcuts. But some tasks require administrative privileges and can’t be executed as part of a logon script if users don’t have administrative access to their PCs. In this Ask the Admin, I’ll show you how to configure a Group Policy Object (GPO) to run a startup script with administrative privileges.

Computer Startup Scripts vs. Logon Scripts

Startup scripts run just before the boot process gets to the logon screen, and in the context of the local computer account, which has local administrative privileges. Startup scripts can be stored in the GPO itself, removing the need to configure a network share.

Configure a Computer Startup Script

Log on to a Windows Server 2012 R2 domain controller (DC) with a domain administrator account and follow the instructions below.

Create a new Group Policy Object in Active Directory:

  • Open Server Manager using the icon on the desktop taskbar or from the Start screen.
  • In the Tools menu, select Group Policy Management.
  • In the Group Policy Management Console (GPMC), expand your Active Directory (AD) forest and domain, and click the Group Policy Objects container.
  • Right-click the Group Policy Objects container and select New from the menu.
  • In the New GPO dialog box, give the new Group Policy Object (GPO) a name and press OK.
  • Now right-click the new GPO in the right pane and select Edit from the menu.

Add the startup script settings to the GPO:

  • In the left pane of the Group Policy Management Editor window, expand Computer Configuration, Policies and click Scripts.
  • In the right pane, double-click Startup.
  • On the Scripts tab of the Startup Properties dialog, click Show Files. Copy the file(s) you want to run to this location.
  • Once the script you want to run has been added to the GPO, click Add on the Scripts tab.
  • Click Browse in the Add a Script dialog and select the file using the file browser. In the same dialog, you can optionally specify parameters to configure how the script runs. Click OK to continue.

Configure a computer startup script in Group Policy

You can add additional scripts and set the order in which they run by using the Up and Down buttons. PowerShell scripts can be added on a separate tab and set to run before or after the scripts specified on the first tab.

  • Complete the configuration by clicking OK in the Startup Properties window.
  • Close the Group Policy Management Editor window.

Finally, link the GPO to an OU, domain, forest or site:

  • Back in GPMC, decide where you want to link the new GPO. Right-click the desired OU, domain, site or forest in the left pane and select Link an Existing GPO from the menu.
  • In the Select GPO dialog, select the GPO you just created and click OK.

The startup script will now run on computers that have the GPO applied. For more information on using the Group Policy Management Console and linking GPOs, see Working with Group Policy on Petri.
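
Because these scripts run with administrative privileges on every computer the GPO applies to, it is worth checking what the GPO will actually run and who can change it. The following is an added example, not part of the original article: the function name, the GPO name and the list of expected writers are assumptions, and it relies on the standard SYSVOL layout in which the Scripts tab entries are stored in scripts.ini and the PowerShell tab entries in psscripts.ini.

```powershell
# Added example (not from the original article). Requires the GroupPolicy module (RSAT/GPMC).
Import-Module GroupPolicy

function Get-GpoStartupScriptAudit {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$GpoName,
        # Assumption: identities expected to hold write access (English names); adjust per domain.
        [string]$ExpectedWriters = 'Domain Admins|Enterprise Admins|Administrators|SYSTEM|CREATOR OWNER'
    )
    $gpo  = Get-GPO -Name $GpoName
    $root = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}\Machine\Scripts"

    # Read the [Startup] entries: lines such as 0CmdLine=setup.bat and 0Parameters=...
    $scripts = foreach ($ini in 'scripts.ini', 'psscripts.ini') {
        $section = ''
        foreach ($line in Get-Content -Path "$root\$ini" -Force -ErrorAction SilentlyContinue) {
            if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
            if ($section -eq 'Startup' -and $line -match '^(\d+)CmdLine=(.+)$') {
                $order, $cmd = [int]$Matches[1], $Matches[2].Trim()
                [pscustomobject]@{
                    Source     = $ini
                    Order      = $order
                    CmdLine    = $cmd
                    # A UNC or drive-letter path means the file is not stored inside the GPO,
                    # so its permissions have to be reviewed separately.
                    OutsideGpo = $cmd -match '^(\\\\|[A-Za-z]:)'
                }
            }
        }
    }

    # Allow entries on the Startup folder that let an unexpected identity alter the scripts.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    $writers = (Get-Acl -Path "$root\Startup").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band [int]$writeMask) -ne 0 -and
        $_.IdentityReference.Value -notmatch $ExpectedWriters
    }

    [pscustomobject]@{
        Gpo               = $gpo.DisplayName
        StartupFolder     = "$root\Startup"
        Scripts           = @($scripts)
        UnexpectedWriters = @($writers | Select-Object IdentityReference, FileSystemRights)
    }
}

# 'Workstation Startup Script' is a placeholder GPO name.
Get-GpoStartupScriptAudit -GpoName 'Workstation Startup Script' | Format-List
```

An empty UnexpectedWriters list and no entries with OutsideGpo set to True mean the scripts can only be changed by the identities you listed as expected.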

2 responses to “Run a Script or Batch File with Administrative Privileges as Windows Starts”

  1. I use this to mount and share a TrueCrypt partition as a member of Users.
    It works fine in Windows XP. It shows the window of TrueCrypt where the user places the password.
    But in Windows 7 it doesn’t work. The window of TrueCrypt does not appear. I believe that the login screen of Windows 7 hides the login window of TrueCrypt.
    Any suggestions?
