Author Posts

September 29, 2014 at 4:03 am

Hi guys!

Hope you have an excellent time in Amsterdam. Wish I was there.

I recently re-experienced a very annoying behavior in Powershell User Logon Scripts.

I needed to use a GPO for fixing several issues on registrykeys, local files and some other small tasks on a bunch of machines. The easiest way for this task was to deploy a Group Policy with a User Logon Script (the registrykey is in the logged on users hive).

All worked fine for most users, but our servicedesk started complaining about very long logon times. It turned out they loaded their Powershell profile with all Active Directory and MSOnline modules, including a connection setup to the tenent and a session import, resulting in Powershell loading all these very usefull tools in the logon process just to set my minor tasks and killing off the session after successfully applying the settings.

Of course it's better practice to load what you need from the console or a script importing the nessesary modules, but administrators will never have control over the $profile of all users. Hense I'm still not able to understand, why the Powershell Script option in Group Policies in general are not run with a hardcoded -NoProfile in stead of the opposite.

Of course I can run an ordinary script, calling Powershell with the -NoProfile switch, but that is a bit altmodish.

Does anyone know, why Powershell Scripts in Group Policies was implemented like this?

September 29, 2014 at 4:08 am

Because the GPO just runs PowerShell.exe, which is the console host, which always loads profiles. Probably it just didn't occur to anyone to include support for -NoProfile in the GPO setup.

You should suggest that in Connect.Microsoft.com under the PowerShell program. I'd suggest getting folks to up-vote your suggestion, so that it gains more attention from the product team.