Solved Run a Powershell Script Once for New Users

spicedup7 · Feb 21, 2024

I have this powershell script for Windows which would do a few changes for all new users that log into the computer for the first time, It should only run once, I have tried Taskscheduler, Runonce registry key and even modifying the Default user to run this script once but nothing so far. Would you guys help me or reference a guide to get this done? Please see the script below.

Powershell:

# Define the path to the flag file
$flagFilePath = "C:\path\to\flag.txt"

# Check if the flag file exists
if (-not (Test-Path $flagFilePath)) {
    # Additional check for new user condition
    if (Test-Path "C:\path\to\new_user_setting.txt") {
# Your script logic goes here


# Set start menu to the left
$regPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

If (!(Test-Path $regPath)) {
    New-Item -Path $regPath -Force
}

$alignment = 0

New-ItemProperty -Path $regPath -Name TaskBarAl -Value $alignment -PropertyType DWORD -Force

# Disable search box
Set-ItemProperty -Path “HKCU:\Software\Microsoft\Windows\CurrentVersion\Search” -Name “SearchboxTaskbarMode” -Value 0

#Turn Off Copilot
reg add HKCU\Software\Policies\Microsoft\Windows\WindowsCopilot /v "TurnOffWindowsCopilot" /t REG_DWORD /f /d 1

#Unpin Microsoft Edge From taskbar or any other app
function Unpin-App([string]$appname) {
        ((New-Object -Com Shell.Application).NameSpace('shell:::{4234d49b-0245-4df3-b780-3893943456e1}').Items() |
        ?{$_.Name -eq $appname}).Verbs() | ?{$_.Name.replace('&','') -match 'Unpin from taskbar'} | %{$_.DoIt()}
}

Unpin-App("Microsoft Edge")

#Remove task view from taskbar
New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "ShowTaskViewButton" -Value 0 -Force


# Restart explorer refresh changes
Stop-Process -Name Explorer
Start-Process explorer

Write-Host “Executed”

# The scripts below require elevated permissions, otherwise it throws an error

#Removes personalized News
$AppxRemoval = Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -like “WebExperience*”}
    ForEach ($App in $AppxRemoval) {
    Remove-AppxProvisionedPackage -Online -Package $App.PackageName }

# Remove widgets
Get-AppxPackage -AllUsers | Where-Object {$_.Name -like “*WebExperience*”} |
Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue


        # Create the flag file to indicate the script has been executed
        New-Item -ItemType File -Path $flagFilePath -Force
        Write-Host "Script executed successfully for a new user."
    } else {
        Write-Host "New user condition not met. Script not executed."
    }
} else {
    Write-Host "Script has already been executed once."
}

neemobeer · Feb 21, 2024

Are these devices on a domain? If so why not just do this from a GPP?

CSharpDev · Feb 21, 2024

neemobeer said:
Are these devices on a domain? If so why not just do this from a GPP?

You mean GPO? Yes, I'm also unsure as to why OP didn't try to run it as a logon script via GPO

neemobeer · Feb 21, 2024

If there is a GPO yes, but GPP is part of group policy and part of it allows you to set arbitrary registry values

neemobeer · Feb 21, 2024

Group Policy Preferences

learn.microsoft.com

CSharpDev · Feb 21, 2024

neemobeer said:
If there is a GPO yes, but GPP is part of group policy and part of it allows you to set arbitrary registry values

Ah TIL sorry

LesFerch · Feb 21, 2024

spicedup7 said:
I have this powershell script for Windows which would do a few changes for all new users that log into the computer for the first time, It should only run once, I have tried Taskscheduler, Runonce registry key and even modifying the Default user to run this script once but nothing so far.

The environment matters. As others have mentioned, group policies are the usual configuration starting point for machines in AD. But, for all we know, your "all new users" are family members running Windows Home with no back-end at all. So, more details about the environment would be helpful.

The RunOnce key is obviously a place where you can set a script to run once per user. The trick is how to populate that RunOnce key. One method is to modify the new user template ("C:\Users\Default\NTUSER.DAT"). That is, load the hive, add the registry entry, and unload the hive. All new user profiles will get the RunOnce entry from that template.

If by "modifying the Default user" you meant "HKEY_USERS\.DEFAULT", then you're barking up the wrong tree. See:

The .Default user is not the default user - The Old New Thing

If you ever gone spelunking in the HKEY_USERS registry key, you’ve no doubt found the user named HKEY_USERS.Default. Who is this guy? Despite its name, the profile for the .Default user is not the default user profile. It’s actually the profile for the Local System account and is an alias for...

devblogs.microsoft.com

Note: The article is very old, so when you read "C:\Documents and Settings", take that to mean "C:\Users".

spicedup7 · Feb 22, 2024

LesFerch said:
The environment matters. As others have mentioned, group policies are the usual configuration starting point for machines in AD. But, for all we know, your "all new users" are family members running Windows Home with no back-end at all. So, more details about the environment would be helpful.

The RunOnce key is obviously a place where you can set a script to run once per user. The trick is how to populate that RunOnce key. One method is to modify the new user template ("C:\Users\Default\NTUSER.DAT"). That is, load the hive, add the registry entry, and unload the hive. All new user profiles will get the RunOnce entry from that template.

If by "modifying the Default user" you meant "HKEY_USERS\.DEFAULT", then you're barking up the wrong tree. See:

The .Default user is not the default user - The Old New Thing

If you ever gone spelunking in the HKEY_USERS registry key, you’ve no doubt found the user named HKEY_USERS.Default. Who is this guy? Despite its name, the profile for the .Default user is not the default user profile. It’s actually the profile for the Local System account and is an alias for...

devblogs.microsoft.com

Note: The article is very old, so when you read "C:\Documents and Settings", take that to mean "C:\Users".

Hi LesFerch, I work for a corporation and we have Windows 10 Pro installed on all of our end user computers. I tried the RunOnce key for the current user in the registry and the issue we were having is that it would only run for users with Administrative privileges which defeats the purpose of running the script for Standard users only. I also tried running the script through local GPO at logon and this would not run at all but it would work if I ran the script manually.

I am aware that "HKEY_USERS\.DEFAULT" is NOT the default user, I already tried loading NTUSER.DAT in the registry but the key to "RunOnce" is not in there.

Thank you for your Reply :)

LesFerch · Feb 22, 2024

spicedup7 said:
Hi LesFerch, I work for a corporation and we have Windows 10 Pro installed on all of our end user computers. I tried the RunOnce key for the current user in the registry and the issue we were having is that it would only run for users with Administrative privileges which defeats the purpose of running the script for Standard users only. I also tried running the script through local GPO at logon and this would not run at all but it would work if I ran the script manually.

I am aware that "HKEY_USERS\.DEFAULT" is NOT the default user, I already tried loading NTUSER.DAT in the registry but the key to "RunOnce" is not in there.

Thank you for your Reply :)

Where to begin... there's a lot to learn here to do things right and you can't (or at least shouldn't try) to solve it in one blow.

You currently have a mix of settings where some can be applied directly by a user and some require admin rights. You also have different methods going on (e.g. PowerShell commands vs Reg.exe commands). It appears that you may have been cobbling together settings gathered from the Internet, as I see curvy quotes in your script which won't work and are a telltale sign of code that got corrupted by a website that tries to make things "pretty".

The missing RunOnce key in NTUSER.DAT is not an issue. You can just create the key. However, as you've established that these are Pro machine in a AD environment, you should use GPPs instead, wherever possible. The less you script, the easier it will be for you or others in the future to maintain.

Start with only the user settings that do not require admin rights. Get those working by policy and then start your work on the trickier stuff that requires admin rights. The more modular you keep it, again, the easier it will be to maintain.

Please note that sites like this are mainly targeted to home users and very small businesses. What you're asking about is what a Windows specialist in a corporate environment is expected to already know how to do. If you don't currently have the expertise in house, then you should be paying a consultant to come in and help you out.

Edit: Note I originally mistakenly typed "curly brackets" when I meant to say "curvy quotes".

spicedup7 · Feb 22, 2024

LesFerch said:
Where to begin... there's a lot to learn here to do things right and you can't (or at least shouldn't try) to solve it in one blow.

You currently have a mix of settings where some can be applied directly by a user and some require admin rights. You also have different methods going on (e.g. PowerShell commands vs Reg.exe commands). It appears that you may have been cobbling together settings gathered from the Internet, as I see curvy quotes in your script which won't work and are a telltale sign of code that got corrupted by a website that tries to make things "pretty".

The missing RunOnce key in NTUSER.DAT is not an issue. You can just create the key. However, as you've established that these are Pro machine in a AD environment, you should use GPPs instead, wherever possible. The less you script, the easier it will be for you or others in the future to maintain.

Start with only the user settings that do not require admin rights. Get those working by policy and then start your work on the trickier stuff that requires admin rights. The more modular you keep it, again, the easier it will be to maintain.

Please note that sites like this are mainly targeted to home users and very small businesses. What you're asking about is what a Windows specialist in a corporate environment is expected to already know how to do. If you don't currently have the expertise in house, then you should be paying a consultant to come in and help you out.

Edit: Note I originally mistakenly typed "curly brackets" when I meant to say "curvy quotes".

I'm their IT Support for general troubleshooting. I was able to get it to work, thank you.