You might also want to make sure you're not hitting the wonderful logon script 5-minute delay feature MS introduced in Windows 8.1/2012-R2. I thought it was disabled by default on 2012-R2 but perhaps not. You can disable that through GP here:
Computer Configuration/Policies/Administrative Templates/System/Group Policy/Configure Logon Script Delay (set it to 0 to disable) Darren ________________________________ From: [email protected] <[email protected]> on behalf of [email protected] <[email protected]> Sent: Wednesday, October 28, 2015 9:29 AM To: [email protected] Subject: Re: [NTSysADM] RE: PowerShell setting registry value via logon script Ok, let me experiment further from that perspective... Sent from my BlackBerry® smartphone on O2 ________________________________ From: "Michael B. Smith" <[email protected]> Sender: "[email protected]" <[email protected]> Date: Wed, 28 Oct 2015 15:54:08 +0000 To: [email protected]<[email protected]> ReplyTo: "[email protected]" <[email protected]> Subject: RE: [NTSysADM] RE: PowerShell setting registry value via logon script I suspect your security context isn’t what you want it to be. I don’t have time to test this right now, but I’d generate some debug data around that… From: [email protected] [mailto:[email protected]] On Behalf Of James Rankin Sent: Wednesday, October 28, 2015 6:12 AM To: [email protected] Subject: RE: [NTSysADM] RE: PowerShell setting registry value via logon script GPP wouldn’t do the trick, because I need to grab the user’s SID first and use it as part of the Registry path, so that would necessitate some scripting anyway. I suppose I could use batch by pulling the user’s sid with this command for /f "skip=5 tokens=2 delims= " %%a in ('whoami /user /fo list') do set USERSID=%%a but that just feels clunky to me. I know the script works (when I run it as a logged-in user, it works perfectly) – it just doesn’t appear to run at all when I use a PowerShell logon script. Cheers, JR From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Gavin Wilby Sent: 28 October 2015 09:43 To: '[email protected]' <[email protected]<mailto:[email protected]>> Subject: RE: [NTSysADM] RE: PowerShell setting registry value via logon script Any reason why you can’t use GPP for this? Or even a basic reg add batch file? Gavin Wilby IT Support Engineer From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of [email protected]<mailto:[email protected]> Sent: 27 October 2015 22:52 To: [email protected]<mailto:[email protected]> Subject: Re: [NTSysADM] RE: PowerShell setting registry value via logon script Group Policy Logon Script, Powershell tab Sent from my BlackBerry® smartphone on O2 ________________________________ From: "Michael B. Smith" <[email protected]<mailto:[email protected]>> Sender: <[email protected]<mailto:[email protected]>> Date: Tue, 27 Oct 2015 22:49:02 +0000 To: [email protected]<[email protected]<mailto:[email protected]%[email protected]>> ReplyTo: <[email protected]<mailto:[email protected]>> Subject: [NTSysADM] RE: PowerShell setting registry value via logon script How, exactly, are you executing the PowerShell logon script? From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of James Rankin Sent: Tuesday, October 27, 2015 5:58 PM To: [email protected]<mailto:[email protected]> Subject: [NTSysADM] PowerShell setting registry value via logon script I am trying to use a PowerShell logon script to change the user’s profile state value in the Registry to simulate a roaming profile (to allow Cookies to be saved properly in IE11). To do this I need the user’s SID, which I am pulling out and then setting the Registry value. The script I am using is this $USERSID = ([Security.Principal.WindowsIdentity]::GetCurrent()).User.Value $regpath = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\$USERSID" $name = "State" Set-ItemProperty -Path $regpath -Name $name -Value "20" When I run this as the user (logged in), it works perfectly. The Execution Policy is set correctly and also I have used a script to change the Registry permissions at computer startup so that the user has Full Control of the target key. However, when run as a GPO Logon Script the value is never set. Am I missing something here about how PowerShell logon scripts execute? If I use a third-party piece of software (AppSense EM) to do this at logon, it also works perfectly. It’s a Windows Server 2012 R2 system running XenApp 7.6 FP3 that I am trying to execute this on, for the record. TIA, James Rankin EUC Director | HTG TaloSys | 07809 668579 | [email protected]<mailto:[email protected]> One Trinity Green, Eldon Street, South Shields, Tyne & Wear, NE33 1SA Tel: 0191 481 3489 Email address: [email protected]<mailto:[email protected]> Website: www.talosys.co.uk<http://www.talosys.co.uk> [phpy9YoGNAM] SMP Partners Limited, SMP Trustees Limited and SMP Fund Services Limited are licensed by the Isle of Man Financial Supervision Commission. SMP Accounting & Tax Limited is a member of the ICAEW Practice Assurance Scheme. SMP Partners Limited registered in the Isle of Man, Company Registration No: 000908V Directors: M.W. Denton, M.J. Derbyshire, S.E McGowan, O. Peck, J.J. Scott, S.J. Turner SMP Trustees Limited registered in the Isle of Man, Company Registration No: 068396C Directors: A.C. Baggesen, J.M. Cubbon, M.W. Denton, K.M. Goldie, O Peck, J. Watterson SMP Fund Services Limited registered in the Isle of Man, Company Registration No: 120288C Directors: V. Campbell, R.K. Corkhill, M.W. Denton, D.A. Manser, S.E McGowan, J.J. Scott SMP Accounting & Tax Limited registered in the Isle of Man, Company Registration No: 001316V Directors: I.F. Begley, A.J. Dowling, P. Duchars, J.J. Scott, S.J. Turner SMP Capital Markets Limited registered in the Isle of Man, Company Registration No: 002438V Directors: M.W. Denton, M.J. Derbyshire, D.F Hudson, S.E McGowan, O. Peck, J.J. Scott. SMP Partners Limited, SMP Trustees Limited, SMP Fund Services Limited, SMP Accounting & Tax Limited and SMP Capital Markets Limited are members of the SMP Partners Group of Companies. This email is confidential and is subject to disclaimers. Details can be found at: http://www.smppartners.com/disclaimer.html ______________________________________________________________________ This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com ______________________________________________________________________
