Trying to configure a logon script (via Group Policy) on a Windows AMI (running on AWS). One of the things the script does is prompt the user for credentials at logon (via $host.ui.PromptForCredential) and use New-PSDrive to mount a network drive with said credentials.
This all works fine, with one exception: it runs the script using elevated "Administrator" PowerShell. The result is that the drive mounts but is only accessible via Admin PowerShell or Admin command prompt, not regular command prompt or Windows Explorer.
I've tried using a batch script to start the PowerShell script, but that batch script ends up running in Admin command prompt and launching the PowerShell script in Admin PowerShell as well. I've set the execution policy for the instance to RemoteSigned (the script is stored locally as part of the image).
I don't understand this: all the documentation seems to indicate that scripts run via the Local Group Policy > User Configuration > Windows Settings > Scripts (Logon/Logoff) run as the user. It even says that in the Description of "Scripts (Logon/Logoff)"! Is there some setting somewhere that's causing the script to run with elevated permissions?
OS info: OS Name: Microsoft Windows Server 2019 Datacenter; Version: 10.0.17763 Build 17763
Five hours of searching and somehow this didn't come up until I specifically looked in serverfault.com:
https://serverfault.com/questions/586683/gpo-run-powershell-logon-script-after-explorer-exe-has-been-loaded
The answer? To run scripts at logon as non-admin instead of elevated:
:|
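A diagnostic for the symptom described in this post, added here and not part of the original post or the linked answer: it records whether the logon script's token is elevated and which network drives that token can see. Mapped drives belong to a logon session, and under UAC an administrator's elevated and filtered tokens are separate logon sessions. The log path and the function name `Get-TokenContext` are hypothetical.

```powershell
# Added diagnostic, not from the original post. Call it from the logon script,
# then run it again from a normal (non-elevated) prompt and compare the two log entries.
$logPath = Join-Path $env:TEMP 'logon-script-token.log'   # hypothetical log location

function Get-TokenContext {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)

    # whoami prints the mandatory integrity label together with its SID, which does
    # not depend on the display language:
    #   S-1-16-8192 = Medium, S-1-16-12288 = High, S-1-16-16384 = System
    $groups = (whoami.exe /groups /fo csv) -join "`n"
    $integrity = switch -Regex ($groups) {
        'S-1-16-16384' { 'System'; break }
        'S-1-16-12288' { 'High';   break }
        'S-1-16-8192'  { 'Medium'; break }
        default        { 'Unknown' }
    }

    # Network drives visible to THIS token only (DisplayRoot holds the UNC path).
    $netDrives = Get-PSDrive -PSProvider FileSystem |
        Where-Object { $_.DisplayRoot -like '\\*' } |
        ForEach-Object { '{0}: -> {1}' -f $_.Name, $_.DisplayRoot }

    [pscustomobject]@{
        Time          = (Get-Date).ToString('s')
        User          = $identity.Name
        # True only when the Administrators group is enabled in the token (elevated).
        IsElevated    = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        Integrity     = $integrity
        ProcessId     = $PID
        NetworkDrives = ($netDrives -join '; ')
    }
}

$context = Get-TokenContext
$context | Format-List | Out-String | Add-Content -Path $logPath
$context
```

If the entry written at logon shows `IsElevated : True` with `Integrity : High` and lists the mapped drive, while the entry from a normal prompt shows `Medium` and no drive, the mapping was created in the elevated logon session.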