Powershell GPO

Similar Messages

• Outlook 2013 - Calendar - weather bar

  can I populate the locations with Powershell,GPO or registry settings?

  Hi,
  You can make this via GPO. You need to specify a custom weather service url under
  User Configuration\Administrative Templates\Microsoft Outlook 2013\Outlook Options\Preferences\Calendar Options
  in Group Policy.
  You need to append the "weasearchstr=city" parameter to the base URL. This parameter indicates the location,
  city, for which the user wants a weather forecast (for example, London).
  For more reference, please refer to Weather Bar Protocol:
  http://msdn.microsoft.com/en-us/library/office/jj228383(v=office.15).aspx#ol15_weatherbar_theprotocol
  If you have any doubts about how to use this protocol, please seek assistance in our
  Office for Developers forum.
  Thanks,
  Ethan Hua CHN
  Forum Support
  Come back and mark the replies as answers if they help and unmark them if they provide no help.
  If you have any feedback on our support, please click
  here

• WinRM HTTPS Certificate

  I'm trying to get WinRM to run over HTTPS using GPO configuration, and I'm having difficulty with the Certificate part.
  I've got it working fine over HTTP.
  The article
  http://otherdutiesasrequired.com/wp-content/uploads/2014/07/PSRemotingHTTPsConfig.pdf is very promising, but he glosses over the Certificate part.
  TechNet indicates: "This certificate needs to be marked as a Server Authentication Certificate.  It must also support Secure Sockets Layer (SSL).  No certificate needs to be configured for the WinRM client.  The certificate is used only
  if the WinRM service is enabled for remote access."
  I haven't found any other step-by-step. What I have found (especially on TechNet) related to WinRM HTTPS has been extremely vague.
  I'm running AD Server 2012 with Win7 and Win 8.1 clients. I have a Certificate Server running on my domain.
  I just need a step-by-step for configuring whatever I need on the CA and for the clients. Interestingly, I haven't seen any indication anywhere on whether the Certificates need to be User or Computer level Certs. And whether every session (User or Computer)
  needs one, or only the initiating machine, or the target machine, or both.
  Any help would be appreciated. Thanks.
  Can anyone point me to a resource/doc or provide instructions?

  I corresponded with Eric, whose blog on this topic of WinRM over HTTPS I referenced; the article is on his site
  OtherDutiesAsRequired.
  Eric pointed me to a  TechNet Article, which basically covers exactly what I want - EXCEPT that it's for Server 2008. I’m running a native Server 2012
  AD and Certificate Server.
  I followed the directions in the
  TechNet Article, and implemented Eric's script as it had successfully worked for him. But the script results in an error.
  Here's the script:
  $ipProperties = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
  $Hostname = “{0}.{1}” -f $ipProperties.Hostname,$ipProperties.DomainName
  $CertThumbprint = Get-ChildItem “Cert:\LocalMachine\My” | Select -First 1
  $CertThumbprintValue = $CertThumbprint | foreach-Object {$_.Thumbprint}
  New-WSManInstance winrm/config/listener -SelectorSet @{Address=”*”;Transport=”HTTPS”} -ValueSet @{Hostname=$Hostname;CertificateThumbprint=$CertThumbprintValue}
  And here's the error:
  New-WSManInstance : The WinRM client cannot process the request. The Enhanced Key Usage (EKU) field of the certificate is not set to “Server Authentication”. Retry the request
  with a certificate that has the correct EKU. At C:\Users\administrator\Desktop\WinRM-config-https-listener.ps1:5 char:1  + New-WSManInstance winrm/config/listener -SelectorSet @{Address=”*”;Transport=”HT … + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   + CategoryInfo : InvalidOperation: (:) [New-WSManInstance], InvalidOperationException  + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.NewWSManInstanceCommand
  Eric wasn't sure what was going on, but wasn't able to spend the time to troubleshoot.
  The problem appears that the issue seems to be related to the “Enhanced Key Usage” field of the certificate.
  In the certificate template in the Extensions tab - Application Policies, I tried first to ADD “Server Authentication” and then to replace “Client” with “Server Authentication”, but I’m still getting the same error.
  Do any of you Certificate / PowerShell / GPO guru's out there have any ideas?

• How to change maintenance powershell script via GPO?

  Per suggestion reposted from here: http://social.technet.microsoft.com/Forums/windowsserver/en-US/6eece9d6-a524-48aa-8e64-7554f0ec9b31/how-to-change-maintenance-powershell-script-via-gpo?forum=winserverGP
  Posted at http://answers.microsoft.com/en-us/windows/forum/windows_7-desktop/desktop-shortcuts-to-items-on-network-drives/94eddb27-342b-40fc-9ad4-677ff4ee8ebe?page=9&tm=1403700614489 originally.
  There is a very annoying "feature" in Windows 7 called BrokenShortcuts.ps1 which is being called out weekly via maintenance task and if it finds more than 4 "broken" network shortcuts it removes them all. So it means if a user at this
  moment is disconnected from the network he will lose all links to shares, network applications sitting on his desktop. Funny that there was no such script on Vista and i don't see this on Win8. On the post i have attached one user suggested to edit this script
  and change 4 to 500 or whatever high number. That's fine for one time fix. But i need to do this for 200+ users. This file cannot be simply replaced by a script, so i'm wondering is there any way to do it via GPO?
  I have already tried various startup scripts, but i'm not sure which user to put into commands.
  I need to run this on startup:
  takeown /F C:\Windows\diagnostics\scheduled\Maintenance\TS_BrokenShortcuts.ps1
  icacls c:\windows\diagnostics\scheduled\maintenance\TS_BrokenShortcuts.ps1 /grant "some user":F
  copy \\share\folder$\TS_BrokenShortcuts.ps1 C:\Windows\diagnostics\scheduled\Maintenance\ /Y

  You need to take time to study how Windows does these things.  You can control them with GP which is what you asked.  The article shows you how to disable elements of the tasks.  Each task controls a script.  If you disable the task the
  script that deletes shortcuts will be stopped. Other maintenance tasks will continue to run.
  Most of your problem is that you seem to want someone to provide a magical solution.  In technology it is necessary to fully research your issues until you understand all aspects.  After fully studying the issue you should understand the possible
  solutions if they exist.
  You claim to have deployed the patch that Microsoft released to fix the issue.  You claim it didn't work.  If that is the case then you need to call MS and \p[en a support incident.  If  Microsoft determines that you are right about the
  patch not working you will not be charged for the call.
  I know that learning how to support technology is hard and frustrating for newcomers.  In time, by using these incidents to learn, you will become a seasoned technician and all of this will seem trivial.  Until then we can only suggest that you
  do things that most of us are familiar with.  We cannot fix your network for you.
  I think you haven't really posted in the GP forum but posted a question about GP in the server forum.  Try posting in the GP forum.
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverGP
  Here is one answer from the GP forum:
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverGP
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/600ca14f-8b1b-400c-b27f-a7f5733407ac/windows-scheduled-maintenance-task?forum=winserverGP
  ¯\_(ツ)_/¯

• Powershell Edit GPO deploy Printer

  Hi Guys,
  I tried to make Powershell script with GUI to add printers to print server. I would like that my super user just write new printer name and IP adresse in textbox and script suppose to add printer to printer server, create new ADGroupe to each
  printer (name of groupe = printer name), create GPO to each AD Groupe (GPO name = <Printer name>64bit)with premissions level assign to the AD group.
  Everything is working fine, script is adding printer, adding port for the printer, creating AD Group, creating (empty) GPO, i don´t know how to edit gpo via powershell and deploy printer to the AD Group.
  Have you got any suggetions?
  to make a GUI i followed this guide:
  blogs.technet.com/b/heyscriptingguy/archive/2014/08/01/i-39-ve-got-a-powershell-secret-adding-a-gui-to-scripts.(a)(s)(p)(x)
  my PS script code :
  Import-Module Activedirectory
  Import-Module Grouppolicy
  .\loadDialog.ps1 -XamlPath ".\MainWindow.xaml"
  Get-PrinterDriver | ForEach-Object {$x=$cbPrinterDriver.Items.Add($_.Name)}
  $tbPrinterName.add_TextChanged({
      $tbADGroupeName.Text = "PRN-"+$tbPrinterName.Text
      $tbGPOName.Text = $tbPrinterName.Text+"-64bit"
      $tbSkoleName.Text = $tbPrinterName.Text.Substring(0,[system.math]::min(3,$tbPrinterName.Text.Length))
  $btnCreate.add_Click({
  $btnCreate.IsEnabled = $FALSE
  $PrinterName = $tbPrinterName.Text
  $PrinterIP = $tbPrinterIP.Text
  $ADGroupeName = $tbADGroupeName.Text
  $GPOName = $tbGPOName.Text
  $Driver = $cbPrinterDriver.SelectedItem.ToString()
  $SkoleName = $tbSkoleName.Text
  $NL = "`r`n"
  Add-PrinterPort -PrinterHostAddress "$PrinterIP" -Name "$PrinterIP"
  $tbInfo.AppendText("Printer port created: $PrinterIP$NL")
  Add-Printer -Name "$PrinterName" -PortName $PrinterIP -DriverName "$Driver" -shared -ShareName "$PrinterName" -Published
  $tbInfo.AppendText("Printer created: $PrinterName$NL")
  New-ADGroup -name "$ADGroupeName" -GroupScope Global -GroupCategory Security -DisplayName "$PrinterName" -path "ou=XXXXXXXXXX,ou=$SkoleName,ou=XXXX,ou=XXXXX,dc=XXXXXXX,dc=XXXX" -Description "Members of this group get $PrinterName
  added"
  $tbInfo.AppendText("Active Directory group created: $ADGroupeName$NL")
  New-GPO -Name "$GPOName" | new-gplink -target "ou=XXXXXXX,ou=$SkoleName,ou=XXXXXX,ou=XXXXX,dc=XXXXXX,dc=XXXX"
  $tbInfo.AppendText("GPO created: $GPOName$NL")
  Set-GPPermission -name "$GPOName" -permissionlevel gporead -replace -targetname "Authenticated Users" -targettype Group
  Set-GPPermission -name "$GPOName" -permissionlevel gpoapply -replace -targetname "$ADGroupeName" -targettype Group
  $tbInfo.AppendText("GPO permissions set.$NL")
  $tbInfo.AppendText("Done!.$NL")
  #$btnCreate.IsEnabled = $TRUE
  $xamGUI.ShowDialog() | out-null
  My loadDialog.ps1
  [CmdletBinding()]
  Param(
   [Parameter(Mandatory=$True,Position=1)]
   [string]$XamlPath
  [xml]$Global:xmlWPF = Get-Content -Path $XamlPath
  #Add WPF and Windows Forms assemblies
  try{
   Add-Type -AssemblyName PresentationCore,PresentationFramework,WindowsBase,system.windows.forms
  } catch {
   Throw "Failed to load Windows Presentation Framework assemblies."
  #Create the XAML reader using a new XML node reader
  $Global:xamGUI = [Windows.Markup.XamlReader]::Load((new-object System.Xml.XmlNodeReader $xmlWPF))
  #Create hooks to each named object in the XAML
  $xmlWPF.SelectNodes("//*[@Name]") | %{
   Set-Variable -Name ($_.Name) -Value $xamGUI.FindName($_.Name) -Scope Global
  My MainWindow.xaml
  <Window 
        Title="Pirinter tool" Height="413.298" Width="525">
      <Grid>
          <Grid.ColumnDefinitions>
              <ColumnDefinition Width="23*"/>
              <ColumnDefinition Width="10*"/>
              <ColumnDefinition Width="28*"/>
              <ColumnDefinition Width="21*"/>
              <ColumnDefinition Width="126*"/>
              <ColumnDefinition Width="24*"/>
              <ColumnDefinition Width="285*"/>
          </Grid.ColumnDefinitions>
          <TextBox Name="tbADGroupeName" HorizontalAlignment="Left" Height="23" Margin="68,148,0,0" TextWrapping="Wrap" Text="" VerticalAlignment="Top"
  Width="120" Grid.Column="4" Grid.ColumnSpan="3"/>
          <TextBox Name="tbPrinterIP" HorizontalAlignment="Left" Height="23" Margin="68,76,0,0" TextWrapping="Wrap" VerticalAlignment="Top" Width="120"
  Grid.Column="4" Grid.ColumnSpan="3"/>
          <TextBox Name="tbPrinterName" HorizontalAlignment="Left" Height="23" Margin="68,45,0,0" TextWrapping="Wrap" VerticalAlignment="Top" Width="120"
  RenderTransformOrigin="0.049,3.073" Grid.Column="4" Grid.ColumnSpan="3"/>
          <Label Content="AD Groupe" HorizontalAlignment="Left" Margin="11,148,0,0" VerticalAlignment="Top" RenderTransformOrigin="0.599,-0.868" Grid.ColumnSpan="3"
  Grid.Column="2"/>
          <Label Content="IP" HorizontalAlignment="Left" Margin="11,72,0,0" VerticalAlignment="Top" RenderTransformOrigin="0.435,0.329" Grid.ColumnSpan="2" Grid.Column="2"/>
          <Label Content="Printer Name" HorizontalAlignment="Left" Margin="11,41,0,0" VerticalAlignment="Top" Grid.ColumnSpan="3" Grid.Column="2"/>
          <TextBox Name="tbGPOName" HorizontalAlignment="Left" Height="23" Margin="68,185,0,0" TextWrapping="Wrap" Text="" VerticalAlignment="Top"
  Width="120" Grid.Column="4" Grid.ColumnSpan="3"/>
          <ComboBox Name="cbPrinterDriver" HorizontalAlignment="Left" Margin="67,114,0,0" VerticalAlignment="Top" Width="169" Grid.Column="4" Grid.ColumnSpan="3"/>
          <Label Content="Driver" HorizontalAlignment="Left" Margin="10,114,0,0" VerticalAlignment="Top" Grid.ColumnSpan="3" Grid.Column="2"/>
          <Label Content="GPO Name" HorizontalAlignment="Left" Margin="11,182,0,0" VerticalAlignment="Top" RenderTransformOrigin="0.599,-0.868" Grid.ColumnSpan="3"
  Grid.Column="2"/>
          <Button Name="btnCancel" Content="Cancel" HorizontalAlignment="Left" Margin="68,339,0,0" VerticalAlignment="Top" Width="75" Grid.Column="4"
  IsCancel="True" Grid.ColumnSpan="2" Height="33"/>
          <Button Name="btnCreate" Content="Create" HorizontalAlignment="Left" Margin="45,339,0,0" VerticalAlignment="Top" Width="75" Grid.Column="6"
  IsDefault="True" Height="33"/>
          <TextBox Name="tbSkoleName" Grid.ColumnSpan="3" HorizontalAlignment="Left" Height="23" TextWrapping="Wrap" VerticalAlignment="Top" Width="120"
  Grid.Column="4" Margin="68,227,0,0"/>
          <Label Content="Skole" HorizontalAlignment="Left" VerticalAlignment="Top" Grid.Column="2" Margin="15,224,0,0" Grid.ColumnSpan="3" Width="76"/>
          <TextBox Name="tbInfo" Grid.Column="2" HorizontalAlignment="Left" Height="79" Margin="0,255,0,0" TextWrapping="Wrap" VerticalAlignment="Top"
  Width="447" IsReadOnly="True" Grid.ColumnSpan="5" ScrollViewer.CanContentScroll="True" SelectionBrush="{x:Null}" VerticalScrollBarVisibility="Auto"/>
      </Grid>
  </Window>
  I will be gratefull for any help.

  Print Manager does all of that and is already installed in Windows.  Why do you want to recreate it?  It sets up the printers and the GPO for assigning the printers.
  Start here:
  https://technet.microsoft.com/en-us/library/cc753109(v=ws.10).aspx
  Post questions about printer management in the server forum for you OS.
  ¯\_(ツ)_/¯

• Miracast in a Company / Deploy over GPO or Powershell

  HI
  Has anyone a Idea how we can deploy on all Tables the Miracast Adapters from our Company.
  wand deploy all Miracast Beamer from the hole Company<o:p></o:p>
  I am looking for Powershell or GPO.<o:p></o:p>
  But nothing is full working.<o:p></o:p>
  <o:p> </o:p>
  Thanks in advanced for any Feedback<o:p></o:p>
  <o:p> </o:p>
  Best Regards<o:p></o:p>
  Roendi<o:p></o:p>
  Roendi

  Hi Roendi,
  Here are two blogs talking about Miracast in Enterprise Environments:
  Miracast in Enterprise Environments
  Miracast in Enterprise Environments - FAQ
  Check if the information would help in your scenario.
  Best regards
  Michael Shao
  TechNet Community Support

• Powershell not honoring GPO to hide drives

  Hello,
  I have a farm of terminal servers running windows 2008 r2. I have a GPO that hides and restricts access to the C drive and cmd.exe. If I use MSWord or another app and do file open, the drive is not displayed and if I type it in it says access denied. This
  all works correctly. However if I run Powershell I can change to the C drive and run any command I want, like dir and see everything. Why can powershell see restricted drives when no other app can? Anyone know a way to fix besides restrict powershell itself,
  which is an option just not a good one.
  Thanks in advance
  Life moves pretty fast. If you don't stop and look around once in a while, you could miss it.

  Hi,
  If you want tight control over which exes are able to run on the server then you should take a look at AppLocker.  You may also consider NTFS permissions.
  In general group policy works as I described.  It is trivial to create a program that does not honor the two group policy settings you mentioned.  There are other group policy settings that do potentially have a more significant system-wide
  impact that is difficult for an individual program to bypass but the ones you are referring to do not.
  Please read the explain text for the group policy settings you are using for more information.  For example, below is the text for Prevent access to drives from My Computer:
  Prevents users from using My Computer to gain access to the content of selected drives.
  If you enable this setting, users can browse the directory structure of the selected drives in My Computer or Windows Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive
  dialog box to view the directories on these drives.
  To use this setting, select a drive or combination of drives from the drop-down list. To allow access to all drive directories, disable this setting or select the "Do not restrict drives" option from the drop-down list.
  Note: The icons representing the specified drives still appear in My Computer, but if users double-click the icons, a message appears explaining that a setting prevents the action.
  Also, this setting does not prevent users from using programs to access local and network drives. And, it does not prevent them from using the Disk Management snap-in to view and change drive characteristics.
  Also, see the "Hide these specified drives in My Computer" setting.
  Thanks.
  -TP

• GPO Folder redirection using Powershell

  Dear,
  how can i configure a gpo for Folder Redirection using powershell.
  I would like to create gpo's with all kinds of folder redirection configurations using a script.
  Davy

  Hi,
  Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
  TechNet Subscriber Support
  If you are
  TechNet Subscription
  user and have any feedback on our support quality, please send your feedback
  here.
  Regards, Yan Li

• Powershell and gpo inheritance

  Gods of comm, hear my plea!
  I've been playing around with powershell, trying to make a script to pull gpo settings and compare it to gpo inheritance on all objects upon my network to show me where there's discrepancies// doubly applied coverage on said objects
  but I have got nowhere at all, and I got there fast. If anyone has anything, it would be a great help
  if anyone has any direction, it would be a great help.
  Thankyou, and may Google always be there for you

  GP inheritance is not set on the GPO it is set on the container.  A GPO can be linked to many containers.  THe GOP link determines how the GPO is applied.
  To learn about and understand GP you can post in the GP forum.
  https://technet.microsoft.com/en-us/library/ee461032.aspx
  ¯\_(ツ)_/¯

• Automatically create ODBC DSN connection with powershell or GPO

  Hi,
  I'm trying to create a ODBC connection that has a special network port and also password automatically stored.
  I have tried to do this with the add-odbcdsn cmdlet and adding attributes to a group policy object configuration without luck.
  If I try to export settings with regedit and import them trough logonscript, the normal users dont have user rights to the LOCAL Machine hive.
  Therefore I have tried to export a USER DSN instead, but either of the port or password settings are exported.
  Please help.

  Hello,
  You can create a VB Script (.vbs) as the one create by Clamp77 on the following thread.
  http://stackoverflow.com/questions/23552529/can-i-create-a-bat-file-to-automate-data-sources-adding-in-odbc-data-source-adm
  Then you can run the script on computers using GPOs as explained on the following article.
  http://technet.microsoft.com/en-us/library/dn789196.aspx
  Hope this helps.
  Regards,
  Alberto Morillo
  SQLCoffee.com

• Powershell User logon script not Exiting With "Exit" scripts are set to be visible in GPO

  I am trying to run this script as a user logon script and it is set to visible to the user. There are other parts of the script but It won't ever Exit. It works fine if I run it directly I only have the trouble when it is in the logon script. I'm thinking
  of tryin "Kill -Id $PID" but I'm sure I'll get a bad return code.
  Has anyone else experienced this or hav any ideas what I could try?
  If (Test-Path U:){
  Robocopy U:\ $Destination /E /move /XF "*.inf"
  New-Item -Path HKCU:\Software\test\test -Name Test –Force
  Else{
  Exit
  Else{
  New-Item -Path HKCU:\Software\test\1 -Name Test1 –Force
  Exit       #here is where it will not stop!
  Exit

  Sorry, I did mention this was only a subset of the complete script.
  So, what I am trying to accomplish in words.
  1. Check for the existence of a certain folderon the c: Drive (that is created as apart of a different process)
  2.  Look to see if a registry key exisits that tells the script if it should run or not. So if certain registry key exists under HKCU then don't run if not continue.)
  3. The first time a user logs in and does not find the value that the process is allready complete show the user a message box aski9ng them if they are ready to do (something) if not write a registry key saying step one has completed and then quit.
  4. When the user logs in again the script looks to see if the process is complete and or if step one is complete, if step one is complete it allows the user to skip the process 2 more times but on the forth login forces the user to complete the process and
  writes the final registry key that it is complete.
  Like I say I have this all working correctly if I manually have the user run it. I just don't know why Exit is not being recognized when in the users login script processing of the script. I appreciate your reply and any direction you can point me to.

• Use gpo to determine computername, request certificate and import certificate to computer powershell

  Hey everyone,
  For deployment of winrm i need to deploy certificates in our environment.
  Now every certificate has to have a different name (computername)
  Is there a way to automate this?
  I would like to create a script that checks the computername, requests and imports the personalised certificate.
  Kind regards,
  Borrie

  Jrv,
  I don't think that's correct, as you can see in the link underneath for each computer or server you need to create a certificate and import in:
  http://blogs.technet.com/b/meamcs/archive/2012/02/25/how-to-force-winrm-to-listen-interfaces-over-https.aspx
  That's why i would like to create a script to automate this task.
  The script should check the computername, check if the cert already exists, if not request and import it with the computername as parameter.
  Borrie
  * edit, the procedure in the link describes using the domain name in stead of computername but I really need the computername, after importing the cert i also need it's thumbnail for use with configuring winrm and soon also another application.

• Need Help on powershell Script to send mails in different languages

  Hello, Just wanted to use the script below to remind users of password expiry date (I got it from internet New-Passwordreminder.ps1). We have companies in many countries, so the email should be in the language of that country. So since our users are in different
  OU's according to countries, I thought some one could help me edit this script and say if the user is in AB ou then email in english will be sent, if in BC ou then the email will be in Russian....So in the script I will have all the languages I need
  to have written.
  <#
  .SYNOPSIS
    Notifies users that their password is about to expire.
  .DESCRIPTION
      Let's users know their password will soon expire. Details the steps needed to change their password, and advises on what the password policy requires. Accounts for both standard Default Domain Policy based password policy and the fine grain
  password policy available in 2008 domains.
  .NOTES
      Version            : v2.6 - See changelog at
  http://www.ehloworld.com/596
      Wish list      : Better detection of Exchange server
                : Set $DaysToWarn automatically based on Default Domain GPO setting
                : Description for scheduled task
                : Verify it's running on R2, as apparently only R2 has the AD commands?
                : Determine password policy settings for FGPP users
                : better logging
      Rights Required   : local admin on server it's running on
      Sched Task Req'd  : Yes - install mode will automatically create scheduled task
      Lync Version    : N/A
      Exchange Version  : 2007 or later
      Author           : M. Ali (original AD query), Pat Richard, Exchange MVP
      Email/Blog/Twitter :
  [email protected]  http://www.ehloworld.com @patrichard
      Dedicated Post   :
  http://www.ehloworld.com/318
      Disclaimer       : You running this script means you won't blame me if this breaks your stuff.
      Info Stolen from   : (original)
  http://blogs.msdn.com/b/adpowershell/archive/2010/02/26/find-out-when-your-password-expires.aspx
                : (date)
  http://technet.microsoft.com/en-us/library/ff730960.aspx
              : (calculating time)
  http://blogs.msdn.com/b/powershell/archive/2007/02/24/time-till-we-land.aspx
  http://social.technet.microsoft.com/Forums/en-US/winserverpowershell/thread/23fc5ffb-7cff-4c09-bf3e-2f94e2061f29/
  http://blogs.msdn.com/b/adpowershell/archive/2010/02/26/find-out-when-your-password-expires.aspx
              : (password decryption)
  http://social.technet.microsoft.com/Forums/en-US/winserverpowershell/thread/f90bed75-475e-4f5f-94eb-60197efda6c6/
              : (determine per user fine grained password settings)
  http://technet.microsoft.com/en-us/library/ee617255.aspx
  .LINK    
      http://www.ehloworld.com/318
  .INPUTS
    None. You cannot pipe objects to this script
  .PARAMETER Demo
    Runs the script in demo mode. No emails are sent to the user(s), and onscreen output includes those who are expiring soon.
  .PARAMETER Preview
    Sends a sample email to the user specified. Usefull for testing how the reminder email looks.
  .PARAMETER PreviewUser
    User name of user to send the preview email message to.
  .PARAMETER Install
    Create the scheduled task to run the script daily. It does NOT create the required Exchange receive connector.
  .EXAMPLE
    .\New-PasswordReminder.ps1
    Description
    Searches Active Directory for users who have passwords expiring soon, and emails them a reminder with instructions on how to change their password.
  .EXAMPLE
    .\New-PasswordReminder.ps1 -demo
    Description
    Searches Active Directory for users who have passwords expiring soon, and lists those users on the screen, along with days till expiration and policy setting
  .EXAMPLE
    .\New-PasswordReminder.ps1 -Preview -PreviewUser [username]
    Description
    Sends the HTML formatted email of the user specified via -PreviewUser. This is used to see what the HTML email will look like to the users.
  .EXAMPLE
    .\New-PasswordReminder.ps1 -install
    Description
    Creates the scheduled task for the script to run everyday at 6am. It will prompt for the password for the currently logged on user. It does NOT create the required Exchange receive connector.
  #>
  #Requires -Version 2.0
  [cmdletBinding(SupportsShouldProcess = $true)]
  param(
   [parameter(ValueFromPipeline = $false, ValueFromPipelineByPropertyName = $true, Mandatory = $false)]
   [switch]$Demo,
   [parameter(ValueFromPipeline = $false, ValueFromPipelineByPropertyName = $true, Mandatory = $false)]
   [switch]$Preview,
   [parameter(ValueFromPipeline = $false, ValueFromPipelineByPropertyName = $true, Mandatory = $false)]
   [switch]$Install,
   [parameter(ValueFromPipeline = $false, ValueFromPipelineByPropertyName = $true, Mandatory = $false)]
   [string]$PreviewUser
  Write-Verbose "Setting variables"
  [string]$Company = "Contoso Ltd"
  [string]$OwaUrl = "https://mail.contoso.com"
  [string]$PSEmailServer = "10.9.0.11"
  [string]$EmailFrom = "Help Desk <[email protected]>"
  [string]$HelpDeskPhone = "(586) 555-1010"
  [string]$HelpDeskURL = "https://intranet.contoso.com/"
  [string]$TranscriptFilename = $MyInvocation.MyCommand.Name + " " + $env:ComputerName + " {0:yyyy-MM-dd hh-mmtt}.log" -f (Get-Date)
  [int]$global:UsersNotified = 0
  [int]$DaysToWarn = 14
  [string]$ImagePath = "http://www.contoso.com/images/new-passwordreminder.ps1"
  [string]$ScriptName = $MyInvocation.MyCommand.Name
  [string]$ScriptPathAndName = $MyInvocation.MyCommand.Definition
  [string]$ou
  [string]$DateFormat = "d"
  if ($PreviewUser){
   $Preview = $true
  Write-Verbose "Defining functions"
  function Set-ModuleStatus {
   [cmdletBinding(SupportsShouldProcess = $true)]
   param (
    [parameter(ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Mandatory = $true, HelpMessage = "No module name specified!")]
    [string]$name
   if(!(Get-Module -name "$name")) {
    if(Get-Module -ListAvailable | ? {$_.name -eq "$name"}) {
     Import-Module -Name "$name"
     # module was imported
     return $true
    } else {
     # module was not available (Windows feature isn't installed)
     return $false
   }else {
    # module was already imported
    return $true
  } # end function Set-ModuleStatus
  function Remove-ScriptVariables { 
   [cmdletBinding(SupportsShouldProcess = $true)]
   param($path)
   $result = Get-Content $path | 
   ForEach { if ( $_ -match '(\$.*?)\s*=') {     
     $matches[1]  | ? { $_ -notlike '*.*' -and $_ -notmatch 'result' -and $_ -notmatch 'env:'} 
   ForEach ($v in ($result | Sort-Object | Get-Unique)){  
    Remove-Variable ($v.replace("$","")) -ErrorAction SilentlyContinue
  } # end function Get-ScriptVariables
  function Install {
   [cmdletBinding(SupportsShouldProcess = $true)]
   param()
  http://technet.microsoft.com/en-us/library/cc725744(WS.10).aspx
   $error.clear()
   Write-Host "Creating scheduled task `"$ScriptName`"..."
   $TaskPassword = Read-Host "Please enter the password for $env:UserDomain\$env:UserName" -AsSecureString
   $TaskPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($TaskPassword))
   # need to fix the issue with spaces in the path
   schtasks /create /tn $ScriptName /tr "$env:windir\system32\windowspowershell\v1.0\powershell.exe -psconsolefile '$env:ExchangeInstallPath\Bin\exshell.psc1' -command $ScriptPathAndName" /sc Daily /st 06:00 /ru $env:UserDomain\$env:UserName /rp
  $TaskPassword | Out-Null
   if (!($error)){
    Write-Host "done!" -ForegroundColor green
   }else{
    Write-Host "failed!" -ForegroundColor red
   exit
  } # end function Install
  function Get-ADUserPasswordExpirationDate {
   [cmdletBinding(SupportsShouldProcess = $true)]
   Param (
    [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true, HelpMessage = "Identity of the Account")]
    [Object]$accountIdentity
   PROCESS {
    Write-Verbose "Getting the user info for $accountIdentity"
    $accountObj = Get-ADUser $accountIdentity -properties PasswordExpired, PasswordNeverExpires, PasswordLastSet, name, mail
    # Make sure the password is not expired, and the account is not set to never expire
      Write-Verbose "verifying that the password is not expired, and the user is not set to PasswordNeverExpires"
      if (((!($accountObj.PasswordExpired)) -and (!($accountObj.PasswordNeverExpires))) -or ($PreviewUser)) {
       Write-Verbose "Verifying if the date the password was last set is available"
       $passwordSetDate = $accountObj.PasswordLastSet      
        if ($passwordSetDate -ne $null) {
         $maxPasswordAgeTimeSpan = $null
          # see if we're at Windows2008 domain functional level, which supports granular password policies
          Write-Verbose "Determining domain functional level"
          if ($global:dfl -ge 4) { # 2008 Domain functional level
            $accountFGPP = Get-ADUserResultantPasswordPolicy $accountObj
            if ($accountFGPP -ne $null) {
             $maxPasswordAgeTimeSpan = $accountFGPP.MaxPasswordAge
       } else {
        $maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
      } else { # 2003 or ealier Domain Functional Level
       $maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
      if ($maxPasswordAgeTimeSpan -eq $null -or $maxPasswordAgeTimeSpan.TotalMilliseconds -ne 0) {
       $DaysTillExpire = [math]::round(((New-TimeSpan -Start (Get-Date) -End ($passwordSetDate + $maxPasswordAgeTimeSpan)).TotalDays),0)
       if ($preview){$DaysTillExpire = 1}
       if ($DaysTillExpire -le $DaysToWarn){
        Write-Verbose "User should receive email"
        $PolicyDays = [math]::round((($maxPasswordAgeTimeSpan).TotalDays),0)
        if ($demo) {Write-Host ("{0,-25}{1,-8}{2,-12}" -f $accountObj.Name, $DaysTillExpire, $PolicyDays)}
              # start assembling email to user here
        $EmailName = $accountObj.Name      
        $DateofExpiration = (Get-Date).AddDays($DaysTillExpire)
        $DateofExpiration = (Get-Date($DateofExpiration) -f $DateFormat)      
  Write-Verbose "Assembling email message"      
  [string]$emailbody = @"
  <html>
   <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
   </head>
  <body>
   <table id="email" border="0" cellspacing="0" cellpadding="0" width="655" align="center">
    <tr>
     <td align="left" valign="top"><img src="$ImagePath/spacer.gif" alt="Description: $ImagePath/spacer.gif" width="46" height="28" align="absMiddle">
  if ($HelpDeskURL){     
  $emailbody += @" 
     <font style="font-size: 10px; color: #000000; line-height: 16px; font-family: Verdana, Arial, Helvetica, sans-serif">If this e-mail does not appear properly, please <a href="$HelpDeskURL" style="font-weight:
  bold; font-size: 10px; color: #cc0000; font-family: verdana, arial, helvetica, sans-serif; text-decoration: underline">click here</a>.</font>
  $emailbody += @"   
     </td>
    </tr>
    <tr>
  if ($HelpDeskURL){  
  $emailbody += @"
     <td height="121" align="left" valign="bottom"><a href="$HelpDeskURL"><img src="$ImagePath/header.gif" border="0" alt="Description: $ImagePath/header.gif"
  width="655" height="121"></a></td>
  }else{
  $emailbody += @" 
     <td height="121" align="left" valign="bottom"><img src="$ImagePath/header.gif" border="0" alt="Description: $ImagePath/header.gif" width="655" height="121"></td>
  $emailbody += @"
    </tr>
    <tr>
     <td>
      <table id="body" border="0" cellspacing="0" cellpadding="0">
       <tr>
        <td width="1" align="left" valign="top" bgcolor="#a8a9ad"><img src="$ImagePath/spacer50.gif" alt="Description: $ImagePath/spacer50.gif" width="1"
  height="50"></td>
        <td><img src="$ImagePath/spacer.gif" alt="Description: $ImagePath/spacer.gif" width="46" height="106"></td>
        <td id="text" width="572" align="left" valign="top" style="font-size: 12px; color: #000000; line-height: 17px; font-family: Verdana, Arial, Helvetica, sans-serif">
  if ($DaysTillExpire -le 1){
   $emailbody += @"
    <div align='center'>
     <table border='0' cellspacing='0' cellpadding='0' style='width:510px; background-color: white; border: 0px;'>
      <tr>
       <td align='right'><img width='36' height='28' src='$ImagePath/image001b.gif' alt='Description: $ImagePath/image001b.gif'></td> 
       <td style="font-family: verdana; background: #E12C10; text-align: center; padding: 0px; font-size: 9.0pt; color: white">ALERT: You must change your password today or you will be locked out!</td>  
       <td align='left'><img border='0' width='14' height='28' src='$ImagePath/image005b.gif' alt='Description: $ImagePath/image005b.gif'></td>
      </tr>
     </table>
    </div>
  $emailbody += @"
     <p style="font-weight: bold">Hello, $EmailName,</p>
     <p>It's change time again! Your $company password expires in <span style="background-color: red; color: white; font-weight: bold;">&nbsp;$DaysTillExpire&nbsp;</span> day(s), on $DateofExpiration.</p>
     <p>Please use one of the methods below to update your password:</p>
     <ol>
      <li>$company office computers and Terminal Server users: You may update your password on your computer by pressing Ctrl-Alt-Delete and selecting 'Change Password' from the available options. If you use a $company laptop in addition
  to a desktop PC, be sure and read #3 below.</li>
      <li>Remote Outlook Client, Mac, and/or Outlook Web App users: If you only access our email system, please use the following method to easily change your password:</li>
      <ul>
       <li>Log into <a href="$owaurl">Outlook Web App</a> using Internet Explorer (PC) or Safari or Firefox (Mac).</li>
       <li>Click on the Options button in the upper right corner of the page.</li>  
       <li>Select the &quot;Change Password&quot; link to change your password.</li>
       <li>Enter your current password, then your new password twice, and click Save</li>
       <li><span style="font-weight: bold">NOTE:</span> You will now need to use your new password when logging into Outlook Web App, Outlook 2010, SharePoint, Windows Mobile (ActiveSync) devices, etc. Blackberry
  Enterprise Users (BES) will not need to update their password. Blackberry Internet Service (BIS) users will be required to use their new password on their device.</li>
      </ul>
      <li>$company issued laptops: If you have been issued a $company laptop, you must be in a corporate office and directly connected to the company network to change your password. If you also use a desktop PC in the office, you must
  remember to always update your domain password on the laptop first. Your desktop will automatically use the new password.</li>
      <ul>
       <li>Log in on laptop</li>
       <li>Press Ctrl-Alt-Delete and select 'Change Password' from the available options.</li>
       <li>Make sure your workstation (if you have one) has been logged off any previous sessions so as to not cause conflict with your new password.</li>
      </ul>
     </ol>
     <p>Think you've got a complex password? Run it through the <a href="The">http://www.passwordmeter.com/">The Password Meter</a></p>
     <p>Think your password couldn't easily be hacked? See how long it would take: <a href="How">http://howsecureismypassword.net/">How Secure Is My Password</a></p>
     <p>Remember, if you do not change your password before it expires on $DateofExpiration, you will be locked out of all $company Computer Systems until an Administrator unlocks your account.</p>
     <p>If you are traveling or will not be able to bring your laptop into the office before your password expires, please call the number below for additional instructions.</p>
     <p>You will continue to receive these emails daily until the password is changed or expires.</p>
     <p>Thank you,<br />
     The $company Help Desk<br />
     $HelpDeskPhone</p>
  if ($accountFGPP -eq $null){
   $emailbody += @"
     <table style="background-color: #dedede; border: 1px solid black">
      <tr>
       <td style="font-size: 12px; color: #000000; line-height: 17px; font-family: Verdana, Arial, Helvetica, sans-serif"><b>$company Password Policy</b>
        <ul>
         <li>Your password must have a minimum of a $MinPasswordLength characters.</li>
         <li>You may not use a previous password.</li>
         <li>Your password must not contain parts of your first, last, or logon name.</li>
         <li>Your password must be changed every $PolicyDays days.</li>
  if ($PasswordComplexity){
   Write-Verbose "Password complexity"
   $emailbody += @"
         <li>Your password requires a minimum of two of the following three categories:</li>
         <ul>
          <li>1 upper case character (A-Z)</li>
          <li>1 lower case character (a-z)</li>
          <li>1 numeric character (0-9)</li>        
         </ul>
  $emailbody += @"
         <li>You may not reuse any of your last $PasswordHistory passwords</li>
        </ul>
       </td>
      </tr>
     </table>
  $emailbody += @"        
         </td>
         <td width="49" align="left" valign="top"><img src="$ImagePath/spacer50.gif" alt="" width="49" height="50"></td>
         <td width="1" align="left" valign="top" bgcolor="#a8a9ad"><img src="$ImagePath/spacer50.gif" alt="Description: $ImagePath/spacer50.gif" width="1"
  height="50"></td>
        </tr>
       </table>
       <table id="footer" border="0" cellspacing="0" cellpadding="0" width="655">
        <tr>
         <td><img src="$ImagePath/footer.gif" alt="Description: $ImagePath/footer.gif" width="655" height="81"></td>
        </tr>
       </table>
       <table border="0" cellspacing="0" cellpadding="0" width="655" align="center">
        <tr>
         <td align="left" valign="top"><img src="$ImagePath/spacer.gif" alt="Description: $ImagePath/spacer.gif" width="36" height="1"></td>
         <td align="middle" valign="top"><font face="Verdana" size="1" color="#000000"><p>This email was sent by an automated process.
  if ($HelpDeskURL){
  $emailbody += @"               
         If you would like to comment on it, please visit <a href="$HelpDeskURL"><font color="#ff0000"><u>click here</u></font></a>
  $emailbody += @"               
          </p><p style="color: #009900;"><font face="Webdings" size="4">P</font> Please consider the environment before printing this email.</p></font>
         </td>
         <td align="left" valign="top"><img src="$ImagePath/spacer.gif" alt="Description: $ImagePath/spacer.gif" width="36" height="1"></td>
        </tr>
       </table>
      </td>
     </tr>
    </table>
   </body>
  </html>
        if (!($demo)){
         $emailto = $accountObj.mail
         if ($emailto){
          Write-Verbose "Sending demo message to $emailto"
          Send-MailMessage -To $emailto -Subject "Your password expires in $DaysTillExpire day(s)" -Body $emailbody -From $EmailFrom -Priority High -BodyAsHtml
          $global:UsersNotified++
         }else{
          Write-Verbose "Can not email this user. Email address is blank"
  } # end function Get-ADUserPasswordExpirationDate
  if ($install){
   Write-Verbose "Install mode"
   Install
  Write-Verbose "Checking for ActiveDirectory module"
  if ((Set-ModuleStatus ActiveDirectory) -eq $false){
   $error.clear()
   Write-Host "Installing the Active Directory module..." -ForegroundColor yellow
   Set-ModuleStatus ServerManager
   Add-WindowsFeature RSAT-AD-PowerShell
   if ($error){
    Write-Host "Active Directory module could not be installed. Exiting..." -ForegroundColor red;
    if ($transcript){Stop-Transcript}
    exit
  Write-Verbose "Getting Domain functional level"
  $global:dfl = (Get-AdDomain).DomainMode
  # Get-ADUser -filter * -properties PasswordLastSet,EmailAddress,GivenName -SearchBase "OU=Users,DC=domain,DC=test" |foreach {
  if (!($PreviewUser)){
   if ($ou){
    Write-Verbose "Filtering users to $ou"
    $users = Get-AdUser -filter * -SearchScope subtree -SearchBase $ou -ResultSetSize $null
   }else{
    $users = Get-AdUser -filter * -ResultSetSize $null
  }else{
   Write-Verbose "Preview mode"
   $users = Get-AdUser $PreviewUser
  if ($demo){
   Write-Verbose "Demo mode"
   # $WhatIfPreference = $true
   Write-Host "`n"
   Write-Host ("{0,-25}{1,-8}{2,-12}" -f "User", "Expires", "Policy") -ForegroundColor cyan
   Write-Host ("{0,-25}{1,-8}{2,-12}" -f "========================", "=======", "===========") -ForegroundColor cyan
  Write-Verbose "Setting event log configuration"
  $evt = new-object System.Diagnostics.EventLog("Application")
  $evt.Source = $ScriptName
  $infoevent = [System.Diagnostics.EventLogEntryType]::Information
  $EventLogText = "Beginning processing"
  $evt.WriteEntry($EventLogText,$infoevent,70)
  Write-Verbose "Getting password policy configuration"
  $DefaultDomainPasswordPolicy = Get-ADDefaultDomainPasswordPolicy
  [int]$MinPasswordLength = $DefaultDomainPasswordPolicy.MinPasswordLength
  # this needs to look for FGPP, and then default to this if it doesn't exist
  [bool]$PasswordComplexity = $DefaultDomainPasswordPolicy.ComplexityEnabled
  [int]$PasswordHistory = $DefaultDomainPasswordPolicy.PasswordHistoryCount
  ForEach ($user in $users){
   Get-ADUserPasswordExpirationDate $user.samaccountname
  Write-Verbose "Writing summary event log entry"
  $EventLogText = "Finished processing $global:UsersNotified account(s). `n`nFor more information about this script, run Get-Help .\$ScriptName. See the blog post at
  http://www.ehloworld.com/318."
  $evt.WriteEntry($EventLogText,$infoevent,70)
  # $WhatIfPreference = $false
  # Remove-ScriptVariables -path $MyInvocation.MyCommand.Name
  Remove-ScriptVariables -path $ScriptPathAndName

  Hi petro_jemes,
  Just a little claritification, you need to add the value to the variable "[string]$ou", and also change the language in the variable "$emailbody" in the function "Get-ADUserPasswordExpirationDate".
  I hope this helps.

• How can I get a Powershell script which maps network drives to execute at logon to any workstation in my domain

  I want to map network drives for each user when they logon to any workstation in the network.  I have created and tested the PS1 script which works fine where the drives attach and used persistent parameter.  I have updated the Windows 7 Professional
  64-bit workstation to the latest PS 4.0 code.  I have created the GPO and believe everything is assigned properly.  I made changes to allow execution of local and remote signed scripts.  I have forced the changes on a workstation using GPUPDATE
  /force, but the drives do not connect.  The GPRESULT is as follows which shows the policies are in place as shown below.  
  What am I missing to get the script to execute? 
  RSOP data for MRC\mikeg on MIDRUBD03 : Logging Mode
  OS Configuration:            Member Workstation
  OS Version:                  6.1.7601
  Site Name:                   N/A
  Roaming Profile:             N/A
  Local Profile:               C:\Users\mikeg.MRC
  Connected over a slow link?: No
  USER SETTINGS
      CN=My Name,CN=Users,DC=mrc,DC=net
      Last time Group Policy was applied: 7/21/2014 at 8:22:05 AM
      Group Policy was applied from:      MIDSRVR01.mrc.net
      Group Policy slow link threshold:   500 kbps
      Domain Name:                        MRC
      Domain Type:                        Windows 2000
      Applied Group Policy Objects
          StartingUp
      The following GPOs were not applied because they were filtered out
          Default Domain Policy
              Filtering:  Not Applied (Empty)
          Local Group Policy
              Filtering:  Not Applied (Empty)
      The user is a part of the following security groups
          Domain Admins
          Everyone
          BUILTIN\Administrators
          BUILTIN\Users
          NT AUTHORITY\INTERACTIVE
          CONSOLE LOGON
          NT AUTHORITY\Authenticated Users
          This Organization
          LOCAL
          MRCAdmins
          Domain Users
          Enterprise Admins
          Schema Admins
          AS400_Permanent_Users
          Denied RODC Password Replication Group
          DnsAdmins
          High Mandatory Level
      The user has the following security privileges
      Resultant Set Of Policies for User
          Software Installations
              N/A
          Logon Scripts
              GPO: StartingUp
                  Name:         C:\Windows\SYSVOL\sysvol\mrc.net\Policies\{47773A6D-1115-4A3D-BB74-F672B315A430}\User\Scr
  pts\Logon\MapDriveScript.ps1
                  Parameters:
                  LastExecuted: This script has not yet been executed.
          Logoff Scripts
          Public Key Policies
              N/A
          Administrative Templates
              GPO: StartingUp
                  KeyName:     Software\Policies\Microsoft\Windows\PowerShell\EnableScripts
                  Value:       1, 0, 0, 0
                  State:       Enabled
              GPO: StartingUp
                  KeyName:     Software\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy
                  Value:       82, 0, 101, 0, 109, 0, 111, 0, 116, 0, 101, 0, 83, 0, 105, 0, 103, 0, 110, 0, 101, 0, 100,
  0, 0, 0
                  State:       Enabled
          Folder Redirection
              N/A
          Internet Explorer Browser User Interface
              N/A
          Internet Explorer Connection
              N/A
          Internet Explorer URLs
              N/A
          Internet Explorer Security
              N/A
          Internet Explorer Programs
              N/A

  >                  Name:
  > C:\Windows\SYSVOL\sysvol\mrc.net\Policies\{47773A6D-1115-4A3D-BB74-F672B315A430}\User\Scr
  > pts\Logon\MapDriveScript.ps1
  >                  Parameters:
  First: Only one of all current answers points in the right direction.
  You picked the local sysvol path on the DC which does not exist on
  clients, of course...
  The Path to the script MUST be an UNC path starting like
  \\mrc.net\sysvol\mrc.net\Policies\...
  Second: You CANNOT execute PS1 directly (unless you change the .ps1 file
  extension configuration). The "Name" MUST be "powershell.exe", and the
  script itself goes into "Parameters".
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• How can I grant users to access/modify system folders (C:/Windows/Fonts) by using GPO in Win7 ?

  In our company there are some folks that require often new fonts that they take from the internet. Unfortunately, some of them have offices on in a diferrent country, so going there to insert my admin paswoord is not a solution.
  If you copy the ttf file into the C:/Windows/Font folder is enough, you don't have to also add the registry.
  One way to bypass the window that asks for admin credentials is to insert my crdentials into the bat file (runas). But this is very unsecure, as I am an administrator.
  Is there a way to create a shared folder that can also store fonts that can be used by windows? Can I give them the right to modify files in this folder without making them administrators? Or do you see any solution to this issue? Any help would
  be greatly appreciated.
  Thank you in advance.

  Another solution which will not compromise your security is to create a share folder and have the users to download fonts to the folder. After that a simple schedule task GPO on clients to copy the
  *.ttf files from the folder to the C:\Windows\Fonts folder. Since tha task can be run by administrative privileges I guess there will be no problem.
  Regards.
  Mahdi Tehrani Loves Powershell
  Please kindly click on Propose As Answer
  or to mark this post as
  and helpful to other people.