RE: [NTSysADM] RE: PowerShell setting registry value via logon script

[Melvin Backus]

You could run it as a scheduled task with an 'At Log On' trigger and a defined 
delay.

--
There are 10 kinds of people in the world...
         those who understand binary and those who don't.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of James Rankin
Sent: Wednesday, October 28, 2015 5:52 PM
To: ntsys...@lists.myitforum.com
Subject: RE: [NTSysADM] RE: PowerShell setting registry value via logon script

Thanks for all the pointers...

I have now tried running it as a normal logon script (defined on the user 
object in AD), simply running these batch commands (which also work fine when 
logged in as the user)

for /f "skip=5 tokens=2 delims= " %%a in ('whoami /user /fo list') do set 
USERSID=%%a
reg add "HKLM\Software\Microsoft\Windows 
NT\CurrentVersion\ProfileList\%USERSID%" /v State /t REG_DWORD /d 20 /f

When running as a logon script, I simply get the "State" value written to the 
root of the ProfileList key. Which means that the variable for %USERSID% is 
blank after running the first line of the logon script.

Does anyone know at what point in the logon the user's SID actually is able to 
be queried in this fashion? I'm guessing that this is a timing thing - but how 
to get around it without third-party software is a little tricky.

Cheers,



JR

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Darren Mar-Elia
Sent: 28 October 2015 16:45
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: Re: [NTSysADM] RE: PowerShell setting registry value via logon script


You might also want to make sure you're not hitting the wonderful logon script 
5-minute delay feature MS introduced in Windows 8.1/2012-R2. I thought it was 
disabled by default on 2012-R2 but perhaps not. You can disable that through GP 
here:



Computer Configuration/Policies/Administrative Templates/System/Group 
Policy/Configure Logon Script Delay
(set it to 0 to disable)



Darren
________________________________
From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
<listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com>> on 
behalf of ja...@htguk.com<mailto:ja...@htguk.com> 
<ja...@htguk.com<mailto:ja...@htguk.com>>
Sent: Wednesday, October 28, 2015 9:29 AM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: Re: [NTSysADM] RE: PowerShell setting registry value via logon script

Ok, let me experiment further from that perspective...
Sent from my BlackBerry(r) smartphone on O2
________________________________
From: "Michael B. Smith" <mich...@smithcons.com<mailto:mich...@smithcons.com>>
Sender: "listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com>" 
<listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com>>
Date: Wed, 28 Oct 2015 15:54:08 +0000
To: 
ntsys...@lists.myitforum.com<ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com%3cntsys...@lists.myitforum.com>>
ReplyTo: "ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>" 
<ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>>
Subject: RE: [NTSysADM] RE: PowerShell setting registry value via logon script


I suspect your security context isn't what you want it to be. I don't have time 
to test this right now, but I'd generate some debug data around that...



From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of James Rankin
Sent: Wednesday, October 28, 2015 6:12 AM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: RE: [NTSysADM] RE: PowerShell setting registry value via logon script



GPP wouldn't do the trick, because I need to grab the user's SID first and use 
it as part of the Registry path, so that would necessitate some scripting 
anyway.



I suppose I could use batch by pulling the user's sid with this command



for /f "skip=5 tokens=2 delims= " %%a in ('whoami /user /fo list') do set 
USERSID=%%a



but that just feels clunky to me. I know the script works (when I run it as a 
logged-in user, it works perfectly) - it just doesn't appear to run at all when 
I use a PowerShell logon script.



Cheers,







JR



From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Gavin Wilby
Sent: 28 October 2015 09:43
To: 'ntsys...@lists.myitforum.com' 
<ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>>
Subject: RE: [NTSysADM] RE: PowerShell setting registry value via logon script



Any reason why you can't use GPP for this?



Or even a basic reg add batch file?



Gavin Wilby

IT Support Engineer



From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of 
ja...@htguk.com<mailto:ja...@htguk.com>
Sent: 27 October 2015 22:52
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: Re: [NTSysADM] RE: PowerShell setting registry value via logon script



Group Policy Logon Script, Powershell tab

Sent from my BlackBerry(r) smartphone on O2

________________________________

From: "Michael B. Smith" <mich...@smithcons.com<mailto:mich...@smithcons.com>>

Sender: <listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com>>

Date: Tue, 27 Oct 2015 22:49:02 +0000

To: 
ntsys...@lists.myitforum.com<ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com%3cntsys...@lists.myitforum.com>>

ReplyTo: <ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>>

Subject: [NTSysADM] RE: PowerShell setting registry value via logon script



How, exactly, are you executing the PowerShell logon script?



From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of James Rankin
Sent: Tuesday, October 27, 2015 5:58 PM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] PowerShell setting registry value via logon script



I am trying to use a PowerShell logon script to change the user's profile state 
value in the Registry to simulate a roaming profile (to allow Cookies to be 
saved properly in IE11). To do this I need the user's SID, which I am pulling 
out and then setting the Registry value.



The script I am using is this



$USERSID = ([Security.Principal.WindowsIdentity]::GetCurrent()).User.Value

$regpath = "HKLM:\Software\Microsoft\Windows 
NT\CurrentVersion\ProfileList\$USERSID"

$name = "State"

Set-ItemProperty -Path $regpath -Name $name -Value "20"



When I run this as the user (logged in), it works perfectly. The Execution 
Policy is set correctly and also I have used a script to change the Registry 
permissions at computer startup so that the user has Full Control of the target 
key.



However, when run as a GPO Logon Script the value is never set. Am I missing 
something here about how PowerShell logon scripts execute? If I use a 
third-party piece of software (AppSense EM) to do this at logon, it also works 
perfectly.



It's a Windows Server 2012 R2 system running XenApp 7.6 FP3 that I am trying to 
execute this on, for the record.



TIA,







James Rankin

EUC Director | HTG TaloSys | 07809 668579 | 
ja...@htguk.com<mailto:ja...@htguk.com>

One Trinity Green, Eldon Street, South Shields, Tyne & Wear, NE33 1SA

Tel: 0191 481 3489

Email address: i...@talosys.co.uk<mailto:i...@talosys.co.uk>

Website: www.talosys.co.uk<http://www.talosys.co.uk>

[phpy9YoGNAM]



SMP Partners Limited, SMP Trustees Limited and SMP Fund Services Limited are 
licensed by the Isle of Man Financial Supervision Commission. SMP Accounting & 
Tax Limited is a member of the ICAEW Practice Assurance Scheme.

SMP Partners Limited registered in the Isle of Man, Company Registration No: 
000908V
Directors: M.W. Denton, M.J. Derbyshire, S.E McGowan, O. Peck, J.J. Scott, S.J. 
Turner

SMP Trustees Limited registered in the Isle of Man, Company Registration No: 
068396C
Directors: A.C. Baggesen, J.M. Cubbon, M.W. Denton, K.M. Goldie, O Peck, J. 
Watterson

SMP Fund Services Limited registered in the Isle of Man, Company Registration 
No: 120288C
Directors: V. Campbell, R.K. Corkhill, M.W. Denton, D.A. Manser, S.E McGowan, 
J.J. Scott

SMP Accounting & Tax Limited registered in the Isle of Man, Company 
Registration No: 001316V
Directors: I.F. Begley,  A.J. Dowling, P. Duchars, J.J. Scott, S.J. Turner

SMP Capital Markets Limited registered in the Isle of Man, Company Registration 
No: 002438V
Directors: M.W. Denton, M.J. Derbyshire, D.F Hudson, S.E McGowan, O. Peck, J.J. 
Scott.

SMP Partners Limited, SMP Trustees Limited, SMP Fund Services Limited, SMP 
Accounting & Tax Limited and SMP Capital Markets Limited are members of the SMP 
Partners Group of Companies.



This email is confidential and is subject to disclaimers. Details can be found 
at: http://www.smppartners.com/disclaimer.html
______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________