Glad I could help James and thanks for the kind words!

Darren

From: [email protected] On Behalf Of James Rankin
Sent: Wednesday, October 28, 2015 3:21 PM
To: [email protected]
Subject: RE: [NTSysADM] RE: PowerShell setting registry value via logon script

Darren, you are thoroughly deserving of your MVP status and justify the 
popularity of your articles - that was indeed the issue (the Logon Script 
Delay).

Oddly enough I disregarded it at first because my 2012 R2 DC was powered down 
but sure enough, when I brought it back up and set the policy to 0 - first time 
I logged on I noticed the PowerShell window appear (I had the GPO set for Run 
Logon Scripts Visible, and I was wondering why it had never appeared yet), and 
my Registry value is now set perfectly!

I shall give you the appropriate credit in the article I am doing - I must 
confess I wasn't aware that logon scripts now run, by default, five minutes 
after logon had finished.

Many thanks!


From: [email protected] On Behalf Of Darren Mar-Elia
Sent: 28 October 2015 21:58
To: [email protected]
Subject: RE: [NTSysADM] RE: PowerShell setting registry value via logon script

You might be right, as under normal circumstances, there's no guarantee that 
the user environment is completely "built" before those scripts execute. In 
that case, you might actually benefit from using the Logon script delay feature 
I mentioned below. You could set it for a minute, if you can afford to wait 
that long and the script should be delayed long enough to ensure that the 
environment is fully available. In any case it might be worth trying the delay 
to see if your timing thought is correct.

Darren


From: [email protected] On Behalf Of James Rankin
Sent: Wednesday, October 28, 2015 2:52 PM
To: [email protected]
Subject: RE: [NTSysADM] RE: PowerShell setting registry value via logon script

Thanks for all the pointers...

I have now tried running it as a normal logon script (defined on the user 
object in AD), simply running these batch commands (which also work fine when 
logged in as the user)

for /f "skip=5 tokens=2 delims= " %%a in ('whoami /user /fo list') do set USERSID=%%a
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\%USERSID%" /v State /t REG_DWORD /d 20 /f

When running as a logon script, I simply get the "State" value written to the 
root of the ProfileList key. Which means that the variable for %USERSID% is 
blank after running the first line of the logon script.

Does anyone know at what point in the logon the user's SID actually is able to 
be queried in this fashion? I'm guessing that this is a timing thing - but how 
to get around it without third-party software is a little tricky.

Cheers,

JR

From: [email protected] On Behalf Of Darren Mar-Elia
Sent: 28 October 2015 16:45
To: [email protected]
Subject: Re: [NTSysADM] RE: PowerShell setting registry value via logon script


You might also want to make sure you're not hitting the wonderful logon script 
5-minute delay feature MS introduced in Windows 8.1/2012-R2. I thought it was 
disabled by default on 2012-R2 but perhaps not. You can disable that through GP 
here:


Computer Configuration/Policies/Administrative Templates/System/Group Policy/Configure Logon Script Delay
(set it to 0 to disable)



Darren
________________________________
From: [email protected] on behalf of [email protected]
Sent: Wednesday, October 28, 2015 9:29 AM
To: [email protected]
Subject: Re: [NTSysADM] RE: PowerShell setting registry value via logon script

Ok, let me experiment further from that perspective...
________________________________
From: "Michael B. Smith" <[email protected]>
Sender: [email protected]
Date: Wed, 28 Oct 2015 15:54:08 +0000
To: [email protected]
ReplyTo: [email protected]
Subject: RE: [NTSysADM] RE: PowerShell setting registry value via logon script


I suspect your security context isn't what you want it to be. I don't have time 
to test this right now, but I'd generate some debug data around that...



From: [email protected] On Behalf Of James Rankin
Sent: Wednesday, October 28, 2015 6:12 AM
To: [email protected]
Subject: RE: [NTSysADM] RE: PowerShell setting registry value via logon script



GPP wouldn't do the trick, because I need to grab the user's SID first and use 
it as part of the Registry path, so that would necessitate some scripting 
anyway.



I suppose I could use batch by pulling the user's sid with this command



for /f "skip=5 tokens=2 delims= " %%a in ('whoami /user /fo list') do set USERSID=%%a



but that just feels clunky to me. I know the script works (when I run it as a 
logged-in user, it works perfectly) - it just doesn't appear to run at all when 
I use a PowerShell logon script.



Cheers,

JR



From: [email protected] On Behalf Of Gavin Wilby
Sent: 28 October 2015 09:43
To: [email protected]
Subject: RE: [NTSysADM] RE: PowerShell setting registry value via logon script



Any reason why you can't use GPP for this?



Or even a basic reg add batch file?



Gavin Wilby

IT Support Engineer



From: [email protected] On Behalf Of [email protected]
Sent: 27 October 2015 22:52
To: [email protected]
Subject: Re: [NTSysADM] RE: PowerShell setting registry value via logon script



Group Policy Logon Script, Powershell tab


________________________________

From: "Michael B. Smith" <[email protected]>
Sender: [email protected]
Date: Tue, 27 Oct 2015 22:49:02 +0000
To: [email protected]
ReplyTo: [email protected]
Subject: [NTSysADM] RE: PowerShell setting registry value via logon script



How, exactly, are you executing the PowerShell logon script?



From: [email protected] On Behalf Of James Rankin
Sent: Tuesday, October 27, 2015 5:58 PM
To: [email protected]
Subject: [NTSysADM] PowerShell setting registry value via logon script



I am trying to use a PowerShell logon script to change the user's profile state 
value in the Registry to simulate a roaming profile (to allow Cookies to be 
saved properly in IE11). To do this I need the user's SID, which I am pulling 
out and then setting the Registry value.



The script I am using is this



$USERSID = ([Security.Principal.WindowsIdentity]::GetCurrent()).User.Value
$regpath = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\$USERSID"
$name = "State"
Set-ItemProperty -Path $regpath -Name $name -Value "20"



When I run this as the user (logged in), it works perfectly. The Execution 
Policy is set correctly and also I have used a script to change the Registry 
permissions at computer startup so that the user has Full Control of the target 
key.



However, when run as a GPO Logon Script the value is never set. Am I missing 
something here about how PowerShell logon scripts execute? If I use a 
third-party piece of software (AppSense EM) to do this at logon, it also works 
perfectly.



It's a Windows Server 2012 R2 system running XenApp 7.6 FP3 that I am trying to 
execute this on, for the record.



TIA,

James Rankin

EUC Director | HTG TaloSys | 07809 668579 | [email protected]

One Trinity Green, Eldon Street, South Shields, Tyne & Wear, NE33 1SA

Tel: 0191 481 3489

Email address: [email protected]

Website: www.talosys.co.uk
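
A guarded form of the registry write discussed in this thread, as an added example that is not code from any of the posters. It logs the security context the script runs under, refuses to write when the SID is empty or malformed (the case that put "State" in the root of ProfileList), and only touches a profile key that already exists. The log path and the function names are assumptions.

```powershell
# Added example, not from the thread. $LogFile and the function names are hypothetical.
$LogFile = Join-Path $env:TEMP 'Set-ProfileState.log'

function Write-DebugLine([string]$Message) {
    # Timestamped debug line so the logon-time behaviour can be inspected afterwards.
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    Add-Content -Path $LogFile -Value "$stamp $Message"
}

function Set-ProfileState {
    param([int]$State = 20)

    # Record which identity the logon script actually runs as.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $sid = $identity.User.Value
    Write-DebugLine "Running as $($identity.Name), SID='$sid'"

    # Stop unless the value is shaped like a SID. An empty SID would make the
    # path below resolve to the ProfileList key itself.
    if ($sid -notmatch '^S-1-\d+(-\d+)+$') {
        Write-DebugLine 'SID missing or malformed; nothing written'
        return $false
    }

    $key = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"

    # Only modify a profile key that is already there; never create one.
    if (-not (Test-Path -LiteralPath $key)) {
        Write-DebugLine "Key not found: $key"
        return $false
    }

    try {
        Set-ItemProperty -LiteralPath $key -Name 'State' -Value $State -Type DWord -ErrorAction Stop
        # Read the value back so the log shows what is really in the registry.
        $actual = (Get-ItemProperty -LiteralPath $key -Name 'State').State
        Write-DebugLine "State is now $actual"
        return ($actual -eq $State)
    }
    catch {
        # Access denied and similar failures end up here instead of being lost.
        Write-DebugLine "Write failed: $($_.Exception.Message)"
        return $false
    }
}

[void](Set-ProfileState -State 20)
```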


