1 00:00:03,100 --> 00:00:07,510 So now I want to talk about startup and shutdown scripts in particular.
2 00:00:08,520 --> 00:00:14,460 So let's talk a little bit about the capabilities and the limitations in startup and shutdown scripts.
3 00:00:15,440 --> 00:00:20,990 So the thing to understand about startup and shutdown scripts, they're running per computer, so they're
4 00:00:20,990 --> 00:00:23,300 running before the user is logged in.
5 00:00:24,230 --> 00:00:28,280 And that means that they have to run in some kind of security context.
6 00:00:29,230 --> 00:00:33,040 And as it turns out, they run in the local system context.
7 00:00:34,020 --> 00:00:37,440 Or essentially they run as the machine account.
8 00:00:38,470 --> 00:00:43,990 So this allows you to do pretty much anything you want in a startup script in terms of managing the
9 00:00:43,990 --> 00:00:47,740 configuration or making changes to a Windows computer system.
10 00:00:48,680 --> 00:00:54,260 So what that means is you can change registry keys that the user would normally have permission to.
11 00:00:55,160 --> 00:00:59,300 You can update files that the user wouldn't normally have permissions to.
12 00:01:00,140 --> 00:01:05,270 Any privileged access is available to you within the context of a startup script.
13 00:01:06,280 --> 00:01:12,730 The other thing to recognize is that that startup script is trying to access resources on the network.
14 00:01:13,730 --> 00:01:19,460 For example, if you're trying to copy a file from a network share to the local system within a startup
15 00:01:19,460 --> 00:01:20,270 script.
16 00:01:21,280 --> 00:01:27,340 Then the context in which that access to the network is happening is essentially the machine account.
17 00:01:28,360 --> 00:01:33,620 So the machine account has to have permissions to the share in order to be able to do that copy.
18 00:01:33,820 --> 00:01:36,340 And that's something that's important to keep in mind.
19 00:01:37,330 --> 00:01:43,270 So again, these startup scripts and shutdown scripts run at boot or at shutdown.
20 00:01:44,200 --> 00:01:48,730 And in the case of a startup script, don't require the user to be logged in.
21 00:01:49,680 --> 00:01:53,940 It's pretty self-explanatory, but I just wanted to underscore that.
22 00:01:54,890 --> 00:02:01,190 That in fact the startup script runs before the user even gets their logon prompt to log in.
23 00:02:02,150 --> 00:02:04,610 So what are some of the limitations?
24 00:02:05,610 --> 00:02:12,300 So it does require a reboot or a shut down restart to log on or to generate or to execute a startup
25 00:02:12,300 --> 00:02:12,780 script.
26 00:02:13,770 --> 00:02:18,360 So that reboot is kind of the trigger for executing startup scripts.
27 00:02:19,360 --> 00:02:23,740 Startup scripts in and of themselves don't provide much in the way of logging.
28 00:02:24,690 --> 00:02:30,720 If you run an RSoP report, or a Resultant Set of Policy report, and I talked about that in the earlier
29 00:02:30,720 --> 00:02:34,320 module, against a system that has received a startup script,
30 00:02:34,500 --> 00:02:41,250 you only get the last execute time, so you only see what actually happened or when that script actually
31 00:02:41,250 --> 00:02:42,030 ran last.
32 00:02:42,150 --> 00:02:44,190 So at least you can see if it did run.
33 00:02:45,100 --> 00:02:50,400 But the downside is you can't, you don't get any logging of what it did because it's a script.
34 00:02:51,340 --> 00:02:53,260 It could be doing anything.
35 00:02:54,170 --> 00:02:58,160 And it will run every time, regardless of whether you needed to.
36 00:02:59,030 --> 00:03:04,490 So in other words, whatever you're doing in that startup script, whether it's doing a file copy or
37 00:03:04,490 --> 00:03:08,780 doing a registry hack, it's going to run every time that system reboots.
38 00:03:09,720 --> 00:03:15,150 And it's going to redo the file copy and redo the registry hack unless you have coding in your script
39 00:03:15,150 --> 00:03:18,750 that tests for the thing you're trying to do to see if it's already been done.
40 00:03:19,700 --> 00:03:24,110 So scripts don't have any intelligence in them other than what you put in that script.
41 00:03:25,040 --> 00:03:30,290 And that's a really important point about all of the script capabilities in Group Policy.
42 00:03:31,260 --> 00:03:34,200 You need to think about what you're doing in your script.
43 00:03:35,190 --> 00:03:40,890 And ideally you want to add the logging and the testing of whether it needs to run so that it doesn't
44 00:03:40,890 --> 00:03:41,910 do extra work.
45 00:03:42,870 --> 00:03:46,320 And so that if it does have problems, you know what's going on.
46 00:03:47,280 --> 00:03:50,520 So let's look again at the UI and see how this works.
47 00:03:51,530 --> 00:03:56,770 So remember I mentioned that if you hit that Show Files button, that browses to the folder in
48 00:03:56,780 --> 00:04:00,920 SYSVOL, which is the default location to store startup or shutdown scripts.
49 00:04:01,850 --> 00:04:07,760 And the Add button will add the reference to the script into the GPO, and the script could be in SYSVOL
50 00:04:07,760 --> 00:04:11,720 in that startup folder, or it could be out on a network share somewhere.
51 00:04:12,660 --> 00:04:14,310 It doesn't really matter.
52 00:04:15,300 --> 00:04:21,390 The advantage of keeping it in the GPO in SYSVOL is that as long as the GPO is available, the script
53 00:04:21,390 --> 00:04:25,170 is always available to the machine or the user that's executing it.
54 00:04:26,130 --> 00:04:31,710 And from a permissions perspective, you probably have less challenges around managing access to the
55 00:04:31,710 --> 00:04:32,220 script.
56 00:04:33,170 --> 00:04:37,880 With the up and down buttons, you can change the execution order of the script.
57 00:04:38,880 --> 00:04:44,880 So if you have multiple startup scripts, which is perfectly legitimate, you can change the order in
58 00:04:44,880 --> 00:04:47,820 which they execute based on that up and down button.
59 00:04:48,740 --> 00:04:54,080 And then finally, if you hit the PowerShell Scripts tab, you can add PowerShell scripts.
60 00:04:55,010 --> 00:05:01,490 And these are differentiated from regular scripts just by virtue of the fact that they have a PS1 extension
61 00:05:01,490 --> 00:05:03,320 and they run in the PowerShell engine.
62 00:05:04,290 --> 00:05:08,480 So they're treated differently from a scripts perspective in Group Policy.
63 00:05:09,450 --> 00:05:14,310 So let's dive in and kind of show you how to deploy a startup script and what it looks like.