Set a Workstation in Maintenance Mode Remotely using PowerShell

In this article, I’ll show you how to put a workstation in maintenance mode remotely using Active Directory and PowerShell.

Launch the Active Directory MMC snap-in and navigate to the Organizational Unit (OU) for your workstations. Create a new OU called Maintenance and set your security permissions.

Next, navigate to C:\Windows\System32\WindowsPowerShell\v1.0\Modules and copy the contents in the folder ActiveDirectory to a network share accessible by Group Policy. Create a folder in the NETLOGON folder named PowerShell and a sub-folder called Modules and copy the ActiveDirectory folder here.

To use this module on a workstation without RSAT installed, we will need to copy the Active Directory module assemblies to the remote computers using Group Policy. Navigate to C:\Windows\Microsoft.NET\assembly\GAC_64 and copy the folders Microsoft.ActiveDirectory.Management and Microsoft.ActiveDirectory.Management.Resources to a location accessible by the Group Policy.

Copy these two folders to the PowerShell folder created earlier, in a sub-folder called Assemblies.

Start the Group Policy MMC snap-in and open the Group Policy Object that contains the computer settings for the workstations you wish to apply this to. I named it Maintenance Machine Policy.

At this point we need to specify the policy settings that are going to copy down the PowerShell Active Directory modules and assemblies. Since standard users cannot import modules or assemblies to the global assembly cache, we must copy the files down with Group Policy.

Navigate to Computer Configuration -> Preferences -> Windows Settings -> Files and add a new file. For the source file, enter the folder path to the Active Directory Management DLL assembly you saved on the network share accessible by Group Policy. To ensure all contents get copied over, append the text \*.* to the end of the folder path.

For the Source file(s), enter \\cloud.local\NETLOGON\PowerShell\Assemblies\Microsoft.ActiveDirectory.Management\v4.0_10.0.0.0__31bf3856ad364e35\*.*. Add another new file with the source file path to the Active Directory Management Resources DLL assembly you saved on the network share accessible by Group Policy. Again, to ensure all contents get copied over, append the text \*.* to the end of the folder path.

For the destination folder, enter C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ActiveDirectory.Management\v4.0_10.0.0.0__31bf3856ad364e35.

Add another new file with the source file path to the Active Directory module you saved on the network share accessible by Group Policy. To ensure all contents get copied over, append the text \*.* to the end of the folder path. For the destination folder, enter C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory.

Once more, add a new file and for the source file, enter the folder path to the Active Directory module sub-folder en-US you saved on the network share accessible by Group Policy. To ensure all contents get copied over, append the text \*.* to the end of the folder path. For the destination folder, enter C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\en-US.

Rename both assembly files to something a little friendlier, such as Active Directory Management assembly and Active Directory Management Resources assembly, respectively. Likewise, rename both module files to something a little friendlier, such as Active Directory PowerShell module and Active Directory PowerShell module en-US.

The PowerShell code we need for this script is:

Save the PowerShell script above to a network share accessible by Group Policy and give it a name, for example maintenance.ps1, and save the PNG banner there as well, for example as maintenance.png.

Now we are going to configure Group Policy to run this script at logon.

Start the Group Policy MMC snap-in and open the Group Policy Object that contains the logon scripts for the workstations. Navigate to User Configuration -> Policies -> Windows Settings -> Scripts (Logon/Logoff) and add the script to the Logon item.

Lastly, navigate to Computer Configuration -> Administrative Templates -> System -> Scripts and disable the setting Run logon scripts synchronously. This will allow Windows to display the form after loading the desktop.

When you move the computer object to the Maintenance OU, all users will receive the pop-up window below notifying them that the workstation is out of service and that the system will sign them out in 15 seconds.
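One way to write a logon script with the behaviour described above, as an added example rather than the article's own code. It assumes the OU is named Maintenance, that maintenance.png sits in the same folder as the script, and the function name Test-MaintenanceOU is hypothetical.

```powershell
# Added example, not the article's original script.
# Assumptions: OU named "Maintenance"; maintenance.png is beside this script.
Add-Type -AssemblyName System.Windows.Forms, System.Drawing

function Test-MaintenanceOU {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Split on unescaped commas, drop the computer's own RDN, then require an
    # exact "OU=Maintenance" component so names that merely contain the word
    # (a host called MAINTENANCE-PC, an OU called Maintenance-Old) do not match.
    $parents = ($DistinguishedName -split '(?<!\\),') | Select-Object -Skip 1
    return [bool]($parents | Where-Object { $_.Trim() -ieq 'OU=Maintenance' })
}

try {
    Import-Module ActiveDirectory -ErrorAction Stop
    $dn = (Get-ADComputer -Identity $env:COMPUTERNAME -ErrorAction Stop).DistinguishedName
} catch {
    exit 0   # design choice: a failed directory lookup must not sign users out
}
if (-not (Test-MaintenanceOU -DistinguishedName $dn)) { exit 0 }

$seconds = 15
$form = New-Object System.Windows.Forms.Form
$form.Text = 'Workstation out of service'
$form.TopMost = $true
$form.ControlBox = $false
$form.StartPosition = 'CenterScreen'
$form.Size = New-Object System.Drawing.Size(640, 420)
$banner = Join-Path $PSScriptRoot 'maintenance.png'
if (Test-Path $banner) {
    $form.BackgroundImage = [System.Drawing.Image]::FromFile($banner)
    $form.BackgroundImageLayout = 'Zoom'
}
$label = New-Object System.Windows.Forms.Label
$label.Dock = 'Bottom'
$label.Height = 40
$label.TextAlign = 'MiddleCenter'
$label.Text = "This workstation is in maintenance. Signing out in $seconds seconds."
$form.Controls.Add($label)

$timer = New-Object System.Windows.Forms.Timer
$timer.Interval = 1000   # one tick per second
$timer.Add_Tick({
    $script:seconds--
    $label.Text = "This workstation is in maintenance. Signing out in $script:seconds seconds."
    if ($script:seconds -le 0) { $timer.Stop(); $form.Close() }
})
$timer.Start()
[void]$form.ShowDialog()
& "$env:SystemRoot\System32\logoff.exe"   # end the current user's session
```

Because a logon script under User Configuration runs in the signed-in user's context, this serves as a notice and sign-out convenience rather than an access control.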

News Source: techsupportpk

About Lex van der Horst 201 Articles
Techwire
