Group Policy (GPO) Scripts run from 2012 domain run as admin/elevated

Hello all!

We are using a PowerShell script that maps a drive. Running the script locally (non-elevated) works perfectly. Running the script using group policy does not work as expected.

I've put the script in User Configuration | Policies | Windows Settings | Scripts | Logon

When running the script from the GPO, the script completes but does not map drives in an accessible manner. No errors come up. Looking in Windows Explorer the mapped drive is not there. However, if I run "net use" from an elevated command prompt I see the drive. For some reason that I can't put my finger on, the script is running with an admin token when running from GPO. It maps the drive, but elevated, so I can't access it without elevating everything.

The script is just a batch file that runs this command:

powershell.exe -NoProfile -ExecutionPolicy bypass -command ScriptName.ps1

The Powershell script runs a net use command (among other things) to map the drive. Again, if it is run locally (without any elevation) the drive maps with no issue, accessible from Windows Explorer, etc.

The script is running on a Win8.1x64 machine on a Windows 2012 AD domain.
robklubs Asked:
 
robklubs (Author) Commented:
You cannot map network drives via powershell via GPO logon script as described. UAC and/or admin token does not allow the drive to be mapped in a usable fashion in Windows Explorer. The exact reason has eluded me. If anyone can shine a light on this I'd love to know the why/how this happens.

However, adding the powershell script (or a batch file calling a powershell script) to the Active Directory | Profile | Logon script WILL allow the script to run as intended. It successfully maps the drive as a "normal" or un-elevated user.
0
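
An added diagnostic, not part of any post in this thread: it records which token a logon script is running under and which drive mappings that logon session can see, so the GPO run can be compared with a normal non-elevated run. It relies on the documented Windows behavior that drive mappings are kept per logon session and that a UAC-split administrator has two linked sessions; the function name Get-TokenReport and the log file name are hypothetical.

```powershell
# Added diagnostic example (not from the thread). Run it once from the GPO logon
# script and once from a normal, non-elevated prompt, then compare the two logs.
# Assumption: the log file name under $env:TEMP is a hypothetical choice.

function Get-TokenReport {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # True only when the Administrators group is enabled in this token,
    # i.e. the process holds the full (elevated) token, not the filtered one.
    $elevated = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # Integrity level SIDs start with S-1-16-; 8192 = Medium, 12288 = High.
    # /nh drops the localized header so fixed column names can be supplied.
    $label = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, Sid, Attributes |
        Where-Object { $_.Sid -like 'S-1-16-*' } |
        Select-Object -First 1

    # Mappings belong to the logon session behind this token, so this list
    # differs between the elevated and the filtered token of the same user.
    $mappings = (net use 2>&1 | Out-String).Trim()

    # EnableLinkedConnections = 1 tells Windows to share mappings between the
    # two linked sessions; absent or 0 keeps them separate (the default).
    $key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $linked = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).EnableLinkedConnections

    [pscustomobject]@{
        Time                    = Get-Date -Format o
        User                    = $identity.Name
        ProcessId               = $PID
        Elevated                = $elevated
        IntegritySid            = $label.Sid
        IntegrityName           = $label.Name
        EnableLinkedConnections = $linked
        NetUse                  = $mappings
    }
}

$log = Join-Path $env:TEMP 'logon-token-report.txt'
Get-TokenReport | Format-List | Out-File -FilePath $log -Append -Encoding UTF8
```

If the GPO run logs Elevated as True with a High integrity SID while the interactive run logs False and Medium, the drive was mapped in the elevated logon session, which is why Windows Explorer (running under the filtered token) does not show it.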
 
Cliff Galiher Commented:
UAC strikes again. Don't use logon scripts. Use group policy preferences instead. It's designed for such things.
0
 
robklubs (Author) Commented:
Thanks for the comment. Can you point me in the right direction with group policy preferences? I'm not sure what you mean.
0

 
Cliff Galiher Commented:
Technet has blogs on the subject. They've been around since Vista. They are easy to figure out.
0
 
robklubs (Author) Commented:
I think you're referring to User Configuration | Preferences | Windows Settings | Drive Maps

If so, I don't think that would work as the Powershell script we run enumerates the path based on information for which the script prompts. It also generates a user specific location with other variables as well for Office365.
0
 
robklubs (Author) Commented:
Just to be clear, the method provided will not work. It's for predetermined network shares.

Really my question boils down to this - how does one run a script at login via GPO that does not run with an admin token?
0
 
robklubs (Author) Commented:
No expert solutions were given that were reasonable; found this workaround on my own. Gave plenty of time for experts to chime in - questions do not receive all that much attention.
1
Question has a verified solution.
