VBScript Logon Script to Set Users HomeDirectory/HomeDrive Attributes

Hi all,
I'm trying to write a logon script that checks if the user logging on has a home directory, and if not, creates one. The problem I'm having is that as the script is running under the user context, they obviously don't have write permissions to AD. Is there any way this could work, perhaps by some sort of impersonation in the script? Alternatively if anyone has any better suggestions as to a better way to achieve this I'm more than open to suggestions!
Here is the code I have currently if it helps;
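' Bind to the AD object of the user who is logging on
Set oADInfo = CreateObject("ADSystemInfo")
sDN = oADInfo.UserName
Set oUser = GetObject("LDAP://" & sDN)
sUserName = oUser.sAMAccountName
sHomeDir = oUser.homeDirectory
' If no home directory is set, write homeDirectory/homeDrive back to AD
If sHomeDir = "" Then
    sHomeDir = "\\fileserver\users\" & sUserName
    oUser.Put "homeDirectory", sHomeDir
    oUser.Put "homeDrive", "F:"
    oUser.SetInfo ' Commits the change; requires write access to the user object
End If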
Many thanks,
James

By the way - when you set this up with GP all users can be mapped in one setting or you can map groups of users.  If you need to move users this can be easily done from GP  by just changing the location.  Windows will move all of the files.
You can also just multi select users in ADUC and right click and set drive and folder for all in one setting.  You should use GP and not this method.
Users cannot edit their own objects in AD.
¯\_(ツ)_/¯

Similar Messages

  • Create a signature when a user runs their logon script.

    Hi All,
    Is it possible to add a signature by a logon script to a user? I would like to do this as I have over 80 users and going to each individual is becoming a pain. I also don't want them to know where the logos are as they could sign it fraudulently.
    When I say logon script, I mean the user runs a script to make their signature. All we need is for it to link to their Microsoft Certificate base and just have the logo that we make.
    Please help.

    Signatures cannot be on a drive. They are not dissociated from documents. Signatures reside inside signed PDFs. You probably confuse signature appearances with digital signatures. Signature appearances do reside on a hard drive.
    I can create my signature appearance that says (in the image on the page) that I am Bill Clinton. But if you open the signature panel and inspect signer's certificate you can see who the actual signer is (unless it is a self-signed certificate in which case the signer's identity is unknown). I believe that your problem is more related to misunderstanding how digital signatures work than being a real problem at all.
    Or maybe you are not using digital signatures at all and are using electronic signatures which are just stamps (or images) and you are concerned that someone can access a stamp (image) that belongs to another person and fraudulently sign with this other person's stamp (image). Well, if this is the case then only the person who owns a stamp/image must have access to it. You cannot place all stamps/images for all people in one location. You need to place each in a protected location to which only this person has access (like a password-protected folder). This is what signature services like EchoSign do.
    This is why I like digital signatures so much better. If you procure signer's certificate from a reputable Certificate Authority all these problems (besides signature appearance) just do not exist.

  • Logon script delayed by 5 minutes (300 seconds)

    It appears Windows 8.1 may have a built-in delay of 5 minutes when processing logon scripts.  Obviously, seeing how it is brand new, I'm not finding an ounce of information about it anywhere.
    Basically, I have troubleshot this problem for hours now.  It boils down to the simple fact that I have several brand new Windows 8.1 systems joined to a Server 2003 domain.  Users have a GPO applied to them that assigns a logon script that maps network drives and printers.  After logging in, the script does not execute until 5 minutes have passed.
    I have removed all other GPOs, eliminated all non-Microsoft services and shut off all startup items.  It makes no difference whether the account is admin or limited, and roaming profiles or folder redirection make no difference.  Looking through the event viewer -> Microsoft -> Group Policy I can follow the process step by step and everything looks great.  The event log shows the policy processing and application is happening within milliseconds.  Then there is exactly a 5 minute delay, down to the second, between:
    Group Policy Winlogon Start Shell handling complete
    and
    Starting Logon script for domain\user
    Task manager confirms that wscript.exe does not run until 5 minutes after logging in.  Once wscript.exe starts the logon script is processed as normal and the drives and printers are mapped as expected.
    I do not have any Windows 8 machines at this location, but I checked another location that has very similar policies and scripting and Windows 8 processes the logon script immediately.  This issue appears isolated to Windows 8.1.
    It appears that as part of Microsoft's attempt to optimize the startup and logon process of Windows they may have added a 5 minute delay before processing logon scripts.  What I need to know is why, and where is the registry key to change this.
    Thanks

    Mark Russinovich had a very good session about troubleshooting slow logins this year at TechEd.  I highly recommend you try running Procmon during bootup to identify exactly why it's taking so long.  In his example it was trying to access a path for updates that no longer existed and it waited until it timed out and then continued on.  Another example of this was an environment that was installing McAfee every time during bootup which was causing slow logons.  It's worth a shot to at least ensure all your policies have been applied as the event log isn't verbose enough.
    This is not my blog, nor am I affiliated, but it seemed like a good tutorial for doing this.
    http://www.msigeek.com/6231
    Be kind and Mark as Answer if I helped.

  • Powershell User logon script not Exiting With "Exit" scripts are set to be visible in GPO

    I am trying to run this script as a user logon script and it is set to visible to the user. There are other parts of the script but it won't ever Exit. It works fine if I run it directly; I only have the trouble when it is in the logon script. I'm thinking of trying "Kill -Id $PID" but I'm sure I'll get a bad return code.
    Has anyone else experienced this or have any ideas what I could try?
    If (Test-Path U:){
    Robocopy U:\ $Destination /E /move /XF "*.inf"
    New-Item -Path HKCU:\Software\test\test -Name Test –Force
    Else{
    Exit
    Else{
    New-Item -Path HKCU:\Software\test\1 -Name Test1 –Force
    Exit       #here is where it will not stop!
    Exit

    Sorry, I did mention this was only a subset of the complete script.
    So, what I am trying to accomplish in words.
    1. Check for the existence of a certain folder on the C: drive (that is created as a part of a different process).
    2. Look to see if a registry key exists that tells the script if it should run or not. (So if a certain registry key exists under HKCU then don't run; if not, continue.)
    3. The first time a user logs in and does not find the value that the process is already complete, show the user a message box asking them if they are ready to do (something); if not, write a registry key saying step one has completed and then quit.
    4. When the user logs in again the script looks to see if the process is complete and/or if step one is complete; if step one is complete it allows the user to skip the process 2 more times but on the fourth login forces the user to complete the process and writes the final registry key that it is complete.
    Like I say, I have this all working correctly if I manually have the user run it. I just don't know why Exit is not being recognized when the script is processed as the user's login script. I appreciate your reply and any direction you can point me to.

  • How do I have an exe in a logon script run as a different user (either a domain admin or even the local system account)

    So, I'm having some problems getting a logon script to work.  I need a way to deploy the agent that we use via login/startup scripts and what I have works fine if the user has admin rights, or if UAC is disabled.  I've tried to convert the .exe to an .msi to make it easier, but the .msi never works and it's only distributed as an .exe.  We deploy this to different clients, I can't disable UAC in their environment unless they specifically tell us to.  Can anyone think of a way around this?  I've been searching for days and I'm just lost.  If we could execute the file as the system account, or connect to shares using a startup script instead of logon, that would be perfect.  Basically what it does is check to see if the process for the agent is running (agentmon.exe) so we don't attempt to install it if it is already installed, if it's not, then it calls on a different agent installer depending on the IP address of the system (for clients that have more than one location).  Here's what I've got written that works for me in my test environment:
    Const strAgent1 = "\\home.wiginton.local\SysVol\home.wiginton.local\Policies\{CD4ED3BD-0709-4E3D-A303-C9E3B0F5198D}\User\Scripts\Logon\Test-KcsSetup1.exe"
    Const strAgent2 = "\\home.wiginton.local\SysVol\home.wiginton.local\Policies\{CD4ED3BD-0709-4E3D-A303-C9E3B0F5198D}\User\Scripts\Logon\Test-KcsSetup2.exe"
    Const strAgent3 = "\\home.wiginton.local\SysVol\home.wiginton.local\Policies\{CD4ED3BD-0709-4E3D-A303-C9E3B0F5198D}\User\Scripts\Logon\Test-KcsSetup3.exe"
    Const strFolder = "C:\Temp\"
    Const Overwrite = True
    dim objFSO, objNIC1, arrNIC, strIP, strMask, objShell, objWMIService
    dim proc, WshNetwork, i
    'Checks for Kaseya agent process, AgentMon.exe, exits if running
    Set objWMIService = GetObject ("winmgmts:")
    Set proc = objWMIService.ExecQuery("select * from Win32_Process Where Name='agentmon.exe'")
    If proc.count > 0 Then
        WScript.Quit
    End If
    'Instantiate a NIC configuration object
    Set objNIC1 = GetObject("winmgmts:").InstancesOf("Win32_NetworkAdapterConfiguration")
    'Instantiate a shell object
    Set objShell = CreateObject("wscript.shell")
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    'Create Temp Dir if it doesn't exist
    If Not objFSO.FolderExists(strFolder) Then
        objFSO.CreateFolder strFolder
    End If
    For Each arrNIC in objNIC1
        if arrNIC.IPEnabled then
            StrIP = arrNIC.IPAddress(i)
            strMask = arrNIC.IPSubnet(i)
            Set WshNetwork = WScript.CreateObject("WScript.Network")
        end if
    next
    Function NetworkID(Address, Mask)
        Dim AddressOctets, MaskOctets, Result, N
        AddressOctets = Split(Address, ".")
        MaskOctets = Split(Mask, ".")
        ReDim Result(UBound(AddressOctets))
        For N = 0 To UBound(AddressOctets)
            Result(N) = AddressOctets(N) And MaskOctets(N)
        Next
        NetworkID = Join(Result, ".")
    End Function
    Select Case NetworkID(strIP,strMask)
        Case "192.168.0.0"
        ' Kaseya install commands for 192.168.0.0 subnet
        objFSO.CopyFile strAgent1, strFolder, Overwrite
        Wscript.Sleep 1*60*1000
        objShell.run "C:\Temp\Test-KcsSetup1.exe"
        Case "192.168.1.0"
        ' Kaseya install commands for 192.168.1.0 subnet
        objFSO.CopyFile strAgent2, strFolder, Overwrite
        Wscript.Sleep 1*60*1000
        objShell.run "C:\Temp\Test-KcsSetup2.exe"
        Case "192.168.2.0"
        ' Kaseya install commands for 192.168.2.0 subnet
        objFSO.CopyFile strAgent3, strFolder, Overwrite
        Wscript.Sleep 1*60*1000
        objShell.run "C:\Temp\Test-KcsSetup3.exe"
        Case Else
        ' Some sort of error checking. Maybe a BLAT SMTP command to send an email
    End Select
    Set objWMIService = Nothing
    Set objNIC1 = Nothing
    Set objShell = Nothing
    Set WshNetwork = Nothing
    Wscript.quit

    You need to read the documentation carefully:
    The Deploy Agents install package is created using a Configure Automatic Account Creation wizard. The wizard copies agent settings from an existing machine ID or machine ID template and generates an install package called KcsSetup. All settings and pending agent procedures from the machine ID you copy from—except the machine ID, group ID, and organization ID—are applied to every new machine ID created with the package.
    Including Credentials in Agent Install Packages
    If necessary, an agent install package can be created that includes an administrator credential to access a customer network. Credentials are only necessary if users are installing packages on machines and do not have administrator access to their network. The administrator credential is encrypted, never available in clear text form, and bound to the install package.
    ¯\_(ツ)_/¯

  • How to create a logon script to delete folder, subfolders and contents when a user logs on ?

    I need to create a logon script which will delete a folder, subfolder and contents when a user logs on. I have no experience with scripting so any pointers you can give would be much appreciated.
    Thanks

    Depending on how you have things set up, it might be easier to make a LaunchAgent to handle this.  Do this:
    copy the text below into a text editor
    save it as a plain text file in /Library/LaunchAgents with the file name "user.startup.folderDeleter.plist" (the name doesn't matter so much, but the 'plist' extension is required)
    load the plist into launchd by restarting the machine or by opening terminal and running the command launchctl load /Library/LaunchAgents/user.startup.folderDeleter.plist
    This will delete the folder any time any user logs in.  You could also expand this to delete the folder periodically (once a day, for instance) if that would be helpful.
    Note, this file must be saved as plain text. apps like TextEdit sometimes default to making rich text files which will not work.  Either download a programmer's text editor like TextWrangler, or make sure that TextEdit is using plain text (if the window has a formatting toolbar it's using rich text;  select "Make Plain Text" from the Format menu).
    copy the text below:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
              <key>Label</key>
              <string>user.startup.folderDeleter</string>
              <key>RunAtLoad</key>
              <true/>
              <key>ProgramArguments</key>
              <array>
                        <string>osascript</string>
                        <string>-e</string>
                        <string>tell application "Finder" to delete folder "Final Cut Express Data" of folder (path to preferences from user domain)</string>
                        <string>-e</string>
                        <string>tell application "Finder" to empty trash</string>
              </array>
    </dict>
    </plist>

  • GPO apply user Logon script or GPP who Wins

    hi
    i have 2 GPO's linked to a OU1 GPO with precedence 1 has a GPP setting which applies a Value 
    the 2nd GPO has a Logon script which applies a value that is different than the 1st GPO
    How does Precedence take place if both have conflicting settings.
    How can i have change Linkorder/Precedence so that GPO 1 always wins
    Who Wins the battle between Logon Script for a setting or GPP for a setting 
    Also 
    None of these GPO's apply HKLM settings 
    But even though i see following when i run ProcMon during User logon. Why is HKLM setting being set when user logon , is it not a computer logon thing
    Operation - RegSetValue
    Result - Success
    Path - HKLM\SOFTWARE\MySoftware\Licensing\1\Server
    Command Line "C:\Windows\regedit.exe" /s \\DC01\NETLOGON\ABC\License.reg

    Also 
    None of these GPO's apply HKLM settings 
    But even though i see following when i run ProcMon during User logon. Why is HKLM setting being set when user logon , is it not a computer logon thing
    Operation - RegSetValue
    Result - Success
    Path - HKLM\SOFTWARE\MySoftware\Licensing\1\Server
    Command Line "C:\Windows\regedit.exe" /s \\DC01\NETLOGON\ABC\License.reg
    Does the file "License.reg" contain HKLM settings ?
    Is the (user) Logon Script, launching this? : Command Line "C:\Windows\regedit.exe" /s \\DC01\NETLOGON\ABC\License.reg
    If so, it's because the Logon script is simply executing what it has been configured to do.
    Group Policy Admin Templates and settings which are specific to \User Configuration\ vs. \Computer Configuration\, will only be executed "per-user" or "per-computer" - just as executing "Startup Scripts" is a per-computer thing, and executing "Logon Scripts" is a per-user thing - but that is only the trigger to execute - not what the executed payload might really do.
    I would also expect such a process to fail (a user would not usually have permissions to a HKLM regkey) unless the regkey security has been relaxed, or, the user logging in has admin rights or similar.
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)
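
The ProcMon line in this thread shows the HKLM write succeeding, so one of the two conditions Don lists must hold. The PowerShell check below is an added example, not part of the original thread; it assumes the final "Server" element of the ProcMon path is the value name (so the key is HKLM:\SOFTWARE\MySoftware\Licensing\1), and the function names are illustrative.

```powershell
# Added example (not from the thread). Function names are illustrative.
# Key path assumed from the ProcMon line: HKLM\SOFTWARE\MySoftware\Licensing\1

function Test-IsElevatedAdmin {
    # True when the current token has BUILTIN\Administrators enabled,
    # i.e. the logon script is running with admin rights.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-NonAdminRegistryWriter {
    param(
        [Parameter(Mandatory = $true)]
        [string]$KeyPath
    )

    # SIDs that are expected to hold write access on HKLM keys.
    $expectedSids = @(
        'S-1-5-18',       # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',   # BUILTIN\Administrators
        'S-1-3-0',        # CREATOR OWNER
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464' # TrustedInstaller
    )

    # Rights that allow changing values, subkeys or the ACL itself,
    # plus the generic bits that map to them on inherit-only entries.
    $writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    $writeMask   = [int]$writeRights -bor 0x40000000 -bor 0x10000000  # GENERIC_WRITE, GENERIC_ALL

    $acl     = Get-Acl -Path $KeyPath
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Ask for the rules by SID so the comparison does not depend on localized names.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid = $rule.IdentityReference.Value
        if ($expectedSids -contains $sid) { continue }
        if (([int]$rule.RegistryRights -band $writeMask) -eq 0) { continue }

        # Resolve a display name where possible; fall back to the raw SID.
        try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }

        [pscustomobject]@{
            Identity  = $name
            Sid       = $sid
            Rights    = $rule.RegistryRights
            Inherited = $rule.IsInherited
        }
    }
}

$key = 'HKLM:\SOFTWARE\MySoftware\Licensing\1'
"Running elevated as admin: $(Test-IsElevatedAdmin)"
if (Test-Path -Path $key) {
    $writers = @(Get-NonAdminRegistryWriter -KeyPath $key)
    if ($writers.Count -eq 0) { "No non-admin principal can write to $key" }
    else { $writers | Format-Table -AutoSize }
} else {
    "Key not found: $key"
}
```

Run it in the same user context as the logon script: an elevated result or any row in the table explains why the RegSetValue succeeded.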

  • Setting default member of attribute hierarchy in MDX script. Default member not taken into account while using user defined hierarchy

    Hi all
    I have a date dimension that (type time) with attributes
    - [FiscalYear] (type years)
    - [FiscalMonth] (type months)
    - [FiscalWeek] (type weeks)
    In addition to the attributes used in the natural hierarchy, I have an attribute [PerType] containing one member coming from the relational table 'WTD' which corresponds to 'Current Date'. All other members of this attribute hierarchy are calculated members (defined in the MDX script). Examples:
    --Last year
    CREATE MEMBER CURRENTCUBE.[Date].[PerType].[LY] AS NULL,
    VISIBLE = 1;
    SCOPE([Date].[PerType].[LY]);
    SCOPE(DESCENDANTS([Date].[Fiscal].[All], [Date].[Fiscal].[Year], SELF_AND_AFTER));
    THIS = ([Measures].CurrentMember, [Date].[PerType].[WTD], ParallelPeriod([Date].[Fiscal].[Year], 1));
    END SCOPE;
    END SCOPE;
    --Month to date
    CREATE MEMBER CURRENTCUBE.[Date].[PerType].[MTD] AS NULL,
    VISIBLE = 1;
    SCOPE([Date].[PerType].[MTD]);
    SCOPE(DESCENDANTS([Date].[Fiscal].[All], [Date].[Fiscal].[Week], SELF_AND_AFTER));
    THIS = Aggregate(CrossJoin({[Date].[PerType].[WTD]}, MTD([Date].[Fiscal].CurrentMember)));
    END SCOPE;
    END SCOPE;
    --Year to date
    CREATE MEMBER CURRENTCUBE.[Date].[PerType].[YTD] AS NULL,
    VISIBLE = 1;
    SCOPE([Date].[PerType].[YTD]);
    SCOPE(DESCENDANTS([Date].[Fiscal].[All], [Date].[Fiscal].[Period], SELF_AND_AFTER));
    THIS = Aggregate(CrossJoin({[Date].[PerType].[WTD]}, YTD([Date].[Fiscal].CurrentMember)));
    END SCOPE;
    END SCOPE;
    The default member of FiscalWeek attribute hierarchy is set dynamically in the MDX script:
    ALTER CUBE CURRENTCUBE UPDATE DIMENSION [Date].[FiscalWeek], DEFAULT_MEMBER =
    Filter(
    [Date].[FiscalWeek].Members,
    [Date].[FiscalWeek].Properties( "FiscalWeekStartDate", TYPED) <= DateAdd("d", -2, CDate(CStr(Month(Now())) + "/" + CStr(Day(Now())) + "/" + CStr(Year(Now()))))
    AND
    [Date].[FiscalWeek].Properties( "FiscalWeekEndDate", TYPED) >= DateAdd("d", -2, CDate(CStr(Month(Now())) + "/" + CStr(Day(Now())) + "/" + CStr(Year(Now()))))
    )(0).PrevMember;
    If I run the following query:
    with
    member measures.x as [Date].[Fiscal].DefaultMember.Name
    member measures.y as [Date].[FiscalWeek].DefaultMember.Name
    select
    {
    measures.x,
    measures.y
    } on axis(0)
    from [GLWeekly]
    it gives me back correctly the default member set over the MDX script.
    I order the statements in the MDX Script so that the default period (week) is set at the beginning of the script (just after the calculate).
    I do not understand why creating the following calculated member I am obliged to specify [Date].[Fiscal].CurrentMember in the tuple to have correct results:
    MEMBER [Account].[CoA].[Standard Engagement Revenue (MTD)] AS ([Account].[CoA].[Standard Engagement Revenue], [Date].[PerType].[MTD], [Date].[Fiscal].CurrentMember)
    I would expect that:
    ([Account].[CoA].[Standard Engagement Revenue], [Date].[PerType].[MTD])
    is sufficient.
    If the default week is specified in the slicer using a member of the natural hierarchy (=> [Date].[Fiscal].x) it works.
    Why can't SSAS use the default member if it is must defined in the MDX script?
    Can someone explain this to me? Thanks a lot in advance.

    Hi Ina,
    have you thought about adding a dynamic statement inside the MDX script? You could define the default member like this:
    ... DEFAULT_MEMBER = iif( Day( Now() ) = 3, <expression for previous month>, <expression for current month> );
    This way you don't need to change it every time by running a script.
    By the way, what do you mean it doesn't update the default member? When you execute this MDX what does it say?
    with member measures.x as [Dimension].[HierarchyName].DefaultMember.Name
    select { measures.x } on 0 from Cubename
    If this returns the correct name, then the problem is somewhere else. I believe it should return you the correct name. Look here, test this on Adventure Works, statement by statement and see what happens.
    ALTER
    CUBE [Adventure Works]
    UPDATE
    DIMENSION [Product].[Product Categories],
    DEFAULT_MEMBER = [Product].[Product Categories].[Category].&[1]
    with
    member measures.x
    as [Product].[Product Categories].DefaultMember.Name
    select measures.x on 0
    from [Adventure Works]
    ALTER
    CUBE [Adventure Works]
    UPDATE
    DIMENSION [Product].[Product Categories],
    DEFAULT_MEMBER = [Product].[Product Categories].[All Products]
    with
    member measures.x
    as [Product].[Product Categories].DefaultMember.Name
    select measures.x on 0
    from [Adventure Works]
    I think you can see which members are default (on related hierarchies) using MDX Studio. This should help you detect which attributes have not moved accordingly and hence cause problems in your report. The usual suspects are those attributes used in your last month reports. If that's too much for you, just copy paste the definition of the measure x and use .CurrentMember instead .DefaultMember. And so for all related hierarchies of your dimension. You can run it as one query, just put enough measures (x1, x2, ...), one for each hierarchy, ok?
    Here's a test for Day():
    with
    member measures.y
    as
    iif( Day(Now()) = 28, 'Yes', 'No' )
    select
    measures.y on 0
    from [Adventure Works]
    Today this returns Yes, tomorrow it will be No.
    Oops, I just checked one more thing. When you run the script, it sets the default member only for that session. If you execute the first two of the four statements that I've sent you, it will set the default member on Bikes and show you that. But, if you open another query window and execute that select statement (only), you'll see All member instead. So, it has set it to Bikes only for the current session. Consequence? Your reports are not aware of it. So, better use dynamic statement in your MDX script.
    Regards,
    Tomislav Piasevoli
    Business Intelligence Specialist
    www.softpro.hr

  • Group Policy - Computer Startup Scripts - Add/Set Default printer

    Good Morning.
    Let's say we have 2 offices, A and B, and only 1 user.  The user is using Roaming Profiles.  Each office has its own printer.
    What I am trying to do, is make a Startup script that is specific to the COMPUTER being logged into so when any user logs into that computer, they get the printer in that office defined and set as default.
    I am able to do this successfully with my script but ONLY if i have the script be on the USER side of GP (i.e. in the Logon script section)
    That is great that that is working however, when my user goes to Office B, they still get mapped to Office A's printer if I use that method.
    So I figured I could just modify my GP and run the same script from the STARTUP section of the computer, rather than the LOGON section of the user.  It does not work.
    Here is my script:
    Set WRFCUNetwork = CreateObject("Wscript.Network")
    PrinterPath = "\\fileserver\MAINTELLER"
    PrinterDriver = "PrinterDriver"
    WRFCUNetwork.AddWindowsPrinterConnection PrinterPath, PrinterDriver
    WRFCUNetwork.SetDefaultPrinter "\\fileserver\MAINTELLER"
    This is where I Have the script placed:
         Computer Configuration -> Windows Settings -> Scripts(Startup/Shutdown)
    Once i'm in there, I double click Startup, click Add, and select my script which is named:
         MainPrinterSetup.vbs
    I have this GP applied to ONE OU, and that OU has ONE computer in it (my test computer)
    I login with a brand new user called "testuser" (creative, huh?) and basically nothing happens
    except they log in and have some Microsoft Document Image Writer printer set as default (which by the way sure does slow the PC down to the point of it almost being broke if anyone actually tries to print to that by accident)
    No Main Teller Printer, no anything.
    The strangest part about this is, if i apply this script to the user LOGON scripts, it works fine, the printer is there, and is set as default. (but see above why that wont work for my situation)
    So obviously the script works fine, but I guess i'm missing something when it comes to applying GP's to Computers rather than Users.
    Can anyone shed some light as to why the script is not running (i'm guessing the script isn't even attempting to run, rather than failing, but i have no way to know that)
    Thank you in advance!!
    Derek Conlon
    Network Administrator
    WRFCU
    EDIT:  Here are the PC's info that i'm working on:
         Server:  Windows Server 2003 Standard Edition (where my GP's are created and managed with AD)
         Target PC:  Windows XP Professional SP3
    EDIT #2:  I manually navigated to the Script file after logging in and "opened" it and it added and set the default printer no problem.  the issue is definitely with the script running at startup.

    I wanted to clarify a few things:
    1. While it is true that printer connections are usually per user, it is definitely possible to create "global printers".  There are a number of ways to do this, but two methods that come to mind are using:
    a. "Rundll32 printui.dll,PrintUIEntry" option with the "/ga" switch.  The "/ga" switch is the key here since it allows you to deploy printers "per machine" instead of "per user".  More information about this is available at:
    http://members.shaw.ca/bsanders/NetPrinterAllUsers.htm
    http://technet.microsoft.com/en-us/library/ee624057%28WS.10%29.aspx
    http://www.computerperformance.co.uk/Logon/logon_printer_computer.htm
    http://www.robvanderwoude.com/2kprintcontrol.php
    b. The Print Management console that is available in Windows 2003 R2 and higher can help you deploy printers "per machine" in addition to "per user".  More information about this is available at:
    http://www.czsolution.com/print-management/print-management/print-management-console.htm#DeployingPrintersByGroupPolicy
    http://technet.microsoft.com/en-us/library/cc753109%28WS.10%29.aspx
    2. As Guy mentioned, Group Policy Preferences can help set the default printer.  But there is another way to accomplish this.  The problem with the computer startup portion is that it runs before the user logs in.  And applying this script in the login script section would not work per computer unless you used loopback processing.  So another way to do this is to place a script that sets the default printer into the "All Users" startup folder.  Items in the "All Users" startup folder run for any user that logs into the computer, but it runs in the user's context.  So, this script would effectively set the default printer on a "per machine" basis.  The script method is a cruder way to approach the problem, but it will help get the job done.  Here are some resources on setting the default printer via script:
    http://www.intelliadmin.com/index.php/2007/08/set-default-printer-from-a-script
    http://www.computerperformance.co.uk/ezine/ezine17.htm

  • Group Policy Logon Script to create folder based on username, run as admin

    Hello,
    I'm at a loss as to how to make this work.  I wrote the following PowerShell script that will check to see if the currently logged in user has a folder on a share, and if not it will create the folder and set appropriate permissions.  I want to run it as a Group Policy Logon Script, however I need to run this script as an administrator because users don't have any write/create access at the folder level of the file share.  The problem with that then becomes $ENV:Username resolves to the admin account the script is running under.
    Any ideas?
    Thanks!
    Ryan
    # Declare Variables
    $strName = $env:USERNAME
    $strDomain = $env:USERDOMAIN
    If ($strDomain -eq "domain.org") {
        # Split Username into 2 variables
        $data = $strName.Split("_")
        $fname = $data[0]
        $lname = $data[1]
        #Find first character of last name
        $firstcharacter = $lname[0]
        # Figure out if last name begins with A-M or N-Z
        $A_M=$firstcharacter -match "[a-m]"
        $N_Z=$firstcharacter -match "[n-z]"
        # Checks to see if folder exists
        If ($A_M -eq $true){$FolderExists = Test-Path "\\staff-files\staff\Last Name A-M\$strName"}
        elseif ($N_Z -eq $true){$FolderExists = Test-Path "\\staff-files\staff\Last Name N-Z\$strName"}
        # Creates folder if it doesn't exist
        If (($FolderExists -eq $false) -and ($A_M -eq $true)){
            New-Item "\\staff-files.domain.org\Staff\Last Name A-M\$strName" -type directory
            $DirPath = "\\staff-files.domain.org\Staff\Last Name A-M\$strName"
        }
        elseif (($FolderExists -eq $false) -and ($N_Z -eq $true)){
            New-Item "\\staff-files.domain.org\Staff\Last Name N-Z\$strName" -type directory
            $DirPath = "\\staff-files.domain.org\Staff\Last Name N-Z\$strName"
        }
    }
    ElseIf ($strDomain -eq "students.domain.org") {
        # Pull 2 digit year from username and make 4 digit year
        $4digityear = "20" + $strName.Substring(0,2)
        # Checks to see if folder exists
        $FolderExists = Test-Path "\\files.domain.org\students\$4digityear\$strName"
        # Creates folder if it doesn't exist
        If ($FolderExists -eq $false) {
            New-Item "\\files.domain.org\students\$4digityear\$strName" -type directory
            $DirPath = "\\files.domain.org\students\$4digityear\$strName"
        }
    }
    # Assign Permissions
    If ($FolderExists -eq $false){
        $target = $DirPath
        $acl = Get-Acl $target
        $inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
        $propagation = [system.security.accesscontrol.PropagationFlags]"None"
        $accessrule = new-object system.security.AccessControl.FileSystemAccessRule ("CREATOR OWNER","Modify",$inherit,$propagation,"Allow")
        $acl.AddAccessRule($accessrule)
        $accessrule = new-object system.security.AccessControl.FileSystemAccessRule ("NT AUTHORITY\SYSTEM","FullControl",$inherit,$propagation,"Allow")
        $acl.AddAccessRule($accessrule)
        $accessrule = new-object system.security.AccessControl.FileSystemAccessRule ("administrators","FullControl",$inherit,$propagation,"Allow")
        $acl.AddAccessRule($accessrule)
        If ($strDomain -eq "students.hempfieldsd.org"){
            $accessrule = new-object system.security.AccessControl.FileSystemAccessRule ("DOMAIN\Domain Users","Modify",$inherit,$propagation,"Allow")
            $acl.AddAccessRule($accessrule)
        }
        $accessrule = new-object system.security.AccessControl.FileSystemAccessRule ("DOMAIN\Staff_Tech","FullControl",$inherit,$propagation,"Allow")
        $acl.AddAccessRule($accessrule)
        $accessrule = new-object system.security.AccessControl.FileSystemAccessRule ("DOMAIN\Enterprise Admins","FullControl",$inherit,$propagation,"Allow")
        $acl.AddAccessRule($accessrule)
        $accessrule = new-object system.security.AccessControl.FileSystemAccessRule ($strName,"FullControl",$inherit,$propagation,"Allow")
        $acl.AddAccessRule($accessrule)
        # Stop inheriting from the parent folder and make the user the owner
        $acl.SetAccessRuleProtection($true,$false)
        $acl.SetOwner([System.Security.Principal.NTAccount]$strName)
        Set-Acl -AclObject $acl $target
    }
    Ryan Breneman - Systems Administrator - Hempfield School District

    Thanks jrv.  That is kind of what I thought but wasn't sure.  I think I will attack this a different way and modify the script to run through all the AD accounts and check for folder existence and create if needed.  Perhaps I'll play with System Center Orchestrator and run it inside there.
    These folders aren't being used for profile storage, and we already have folder redirection pointing to them; however, I don't want a user to log in to Citrix and not have anywhere to save if they didn't have a folder to redirect to.
    Folders are supposed to be created when the staff member/student AD account is created, but it doesn't always happen.
    Thanks for your help!
    Ryan Breneman - Systems Administrator - Hempfield School District

  • Logon Script with Credential

    Hello everybody.
    Let me explain my problem. 
    I have a PowerShell logon script for a domain user without privileges that has to:
    Run IE as a domain user.
    When the user closes all open IE windows, the script has to run some processes; as soon as they finish, the script runs IE again.
    The user that runs the script doesn't have any kind of access to any drive and doesn't have any access to any app or Windows config setting; he only has access to IE through the PowerShell logon script, no more.
    I gave the user privileges as a part of the operating system through GPO.
    Well, let me show you the script before continuing with the explanation:
    Function fCredenciales([String]$FileTXT, [String]$UserIE)
    {
        # Prompt for the password and save it as a DPAPI-protected string
        # (readable only by the same user on the same computer)
        $UsIE1    = Get-Credential -Credential $UserIE
        $SecureIE = $UsIE1.Password
        $BytesIE  = ConvertFrom-SecureString $SecureIE
        $BytesIE | Out-File $FileTXT
    }
    #                     SCRIPT
    $Folder = "C:\Cred"
    $FileIE = $Folder + "\IE.txt"
    $UsIE   = "Domain\User"
    If (-Not (Test-Path $Folder))
    {
        New-Item $Folder -Type Directory
        fCredenciales $FileIE $UsIE
    }
    If (-Not (Test-Path $FileIE))
    {
        fCredenciales $FileIE $UsIE
    }
    $UsIETxt = Get-Content $FileIE | ConvertTo-SecureString
    If ($UsIETxt -eq $Null)
    {
        fCredenciales $FileIE $UsIE
        # Re-read the file so the new password is actually used
        $UsIETxt = Get-Content $FileIE | ConvertTo-SecureString
    }
    $UsuarioIE   = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UsIE, $UsIETxt
    $MyNetwork   = Get-WMIObject Win32_NetworkAdapterConfiguration -ComputerName LocalHost | Where-Object { $_.IPAddress -ne $null } # | Select-Object IPAddress
    $MyIPAddress = $MyNetwork.IPAddress[0]
    $URL         = "https://www.mywebpage.com/?qwerty=" + $MyIPAddress + " -private"
    $IE          = "C:\Program Files\Internet Explorer\iexplore.exe"
    While ($True)
    {
        # -ArgumentList may only be given once per call
        Start-Process $IE -ArgumentList $URL -Credential $UsuarioIE
        $IDProcess = Get-Process -Name iexplore | ?{$_.MainWindowTitle} | %{$_.ID}
        Wait-Process -Id $IDProcess
        # Process 1
        # Process 2
    }
    I need to execute IE as another user.
    As the logon user doesn't have drive access, he cannot read the credential.
    If the logon script wants to ask for the credential, the credential window is never shown.
    I don't know why, but if the user doesn't have administrative privileges, Start-Process with -Credential doesn't work, exactly the same as Wait-Process -Id $IDProcess.
    The security department wants:
    User without any access (no drives, no menu, no nothing).
    Script has to run IE as a simple domain user.
    If the script needs administrative privileges to run Wait-Window, the script can be run as an administrative user, but not the Start-Process.
    I hope that you can understand me.
    Thanks in advance,
    Angel Biurrun C.

    Sorry but what you seem to be trying to do is not possible.  You cannot make a user an admin by having them do something that only an admin can do.
    If your company says a user cannot have access to any drives then there is no way they can open a file on a drive they have no access to.
    The script you posted is also impossible to read.  Can you try and post it correctly.  Maybe someone can decode what you are trying to do.
    As a quick example this is how we post scripts.
    Function fCredenciales([String]$FileTXT, [String]$UserIE){
        $UsIE1=Get-Credential -Credential $UserIE
        $SecureIE=$UsIE1.Password
        $BytesIE=ConvertFrom-SecureString $SecureIE
        $BytesIE | Out-File $FileTXT
    }
    Notice that it is readable and better indented. The eye can follow the code.  By using the code control the code becomes color keyed which makes it even more readable.
    ¯\_(ツ)_/¯

  • Assign a local logon script using Group Policy

    Is there a way to assign a local logon script using Group Policy? The reason I ask is that I wrote a logon/logoff script that will record the date/time, user, and computer for everyone who logs on to any machine in the domain. Right now it's set on a domain
    GPO, so it works great for domain accounts, but I'd like to extend that functionality to local accounts as well. The only way I know how to do that would be to set my script to run using the local policy. Since I don't want to manually go around to all 400+
    machines in my domain, I would rather find a simpler way of modifying the local policy. Any ideas?

    Martin, thank you for your response. That's exactly the kind of out-of-the-box answer I was looking for; unfortunately, it looks like I can only do that for Logon scripts. I don't see an option for Logoff. (Maybe they took the Logoff functionality out?
    This article says there should be a Logoff item in the GPO, but they're talking about Windows 2000 in that article.)
    Matthias, I started playing around with what you said, and I noticed that the "Scripts" key only seems to show up on my Windows 7 clients. The XP workstations don't have that key. Plus I did some testing, and I think I can do it without having
    to mess with the registry at all.
    So I think I have a workable solution at the moment. I found this article that talks about copying Local Policies from one computer to another. I tried manually setting the Logon/Logoff scripts in the Local policy on a fresh machine. From that reference computer I copied the Scripts folder out of the %SYSTEMROOT%\System32\GroupPolicy\User
    directory. It also created a gpt.ini file in the %SYSTEMROOT%\System32\GroupPolicy directory. The gpt.ini file contained an attribute called gPCUserExtensionNames, and one called Version. The gPCUserExtensionNames attribute specified two GUIDs, which
    I assumed to be the GUIDs that identify the Local Policy. I tried manually creating the Local policy on several different machines, with several different Operating Systems, and those GUIDs always seemed to be the same (not sure why). So I copied the gpt.ini
    file off the reference machine as well. When I placed all of the files I copied from the reference machine on to a new machine, everything seemed to work just fine (no registry modification necessary), with one caveat. It seemed to be running the script twice.
    So I went back into the gpt.ini file and deleted one of the GUIDs listed under gPCUserExtensionNames, and now the script runs just once!
    So I think this solution will work ok for me. We don't have any other Local Policies in place, so demolishing all existing Local Policies is perfectly acceptable in my case. I'm just not sure if I'm doing any damage by copying the gpt.ini file from a reference
    machine (if anyone can expand on how that works, I would appreciate the peace of mind that I'm not making things worse by doing this). So all I need now is to write a Startup script, or an SCCM package to deliver the Logon scripts and associated ini files
    to the appropriate location on all the domain PCs. Easy enough to do on my own. If anyone knows of a reason why this method is a bad idea, please post here. I'll be testing it out on a handful of PCs in the meantime.
    Hi Guys,
    Will this solution work for my case? I have a forcereboot batch script that I need to load on the local policy (logoff script through GPEDIT) however I can only load it manually. I need to do it on multiple machines (approx 5000 computers). I am having
    trouble doing it using PowerShell. Are there any other options to do it?
    Will I have to use the same GUIDs you mentioned in the gpt.ini file (gPCUserExtensionNames=[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}]), since it refers to the local script? And how about the version in the gpt.ini file?
    Thanks in advance.
    Dash
    https://social.technet.microsoft.com/Forums/en-US/1f636042-bcff-498d-93c0-e1aa89f80961/how-to-load-a-script-on-the-local-group-policy-on-multiple-computers?forum=mdopagpm
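
The two files this thread copies between machines, gpt.ini and User\Scripts\scripts.ini, can be read back to see which logon/logoff scripts a local policy will run. The script below is an added example, not code from the thread or from Microsoft. The function names, the sample audit.cmd and the `[Logon]`/`[Logoff]` sections with `<n>CmdLine` and `<n>Parameters` keys are assumptions about the file layout; the two GUIDs are the ones quoted in the thread.

```powershell
# Added example: list the user logon/logoff scripts registered in a Local Group Policy
# folder. On a real machine pass "$env:SystemRoot\System32\GroupPolicy" as -GpRoot.
function Read-IniFile {
    param([Parameter(Mandatory)][string]$Path)
    $ini = [ordered]@{}
    $section = $null
    foreach ($line in Get-Content -LiteralPath $Path) {   # Get-Content honours a UTF-16 BOM
        $line = $line.Trim()
        if ($line -match '^\[([^\]]+)\]$') {
            $section = $Matches[1]
            $ini[$section] = [ordered]@{}
        }
        elseif ($section -and $line -match '^([^=]+)=(.*)$') {
            $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    $ini
}

function Get-LocalGpoScript {
    param([Parameter(Mandatory)][string]$GpRoot)
    $general = (Read-IniFile (Join-Path $GpRoot 'gpt.ini'))['General']
    # Version packs two counters: high 16 bits = user, low 16 bits = computer.
    $version = [long]$general['Version']
    $userVersion = [int](($version - ($version % 65536)) / 65536)
    $guids = @([regex]::Matches([string]$general['gPCUserExtensionNames'], '\{[0-9A-Fa-f-]{36}\}'))

    $scriptRoot = Join-Path $GpRoot 'User\Scripts'
    $ini = Read-IniFile (Join-Path $scriptRoot 'scripts.ini')
    foreach ($phase in $ini.Keys) {                        # [Logon] and [Logoff]
        foreach ($key in @($ini[$phase].Keys)) {
            if ($key -notmatch '^(\d+)CmdLine$') { continue }
            $index = $Matches[1]
            $cmd = $ini[$phase][$key]
            # Assumption: a relative CmdLine resolves under User\Scripts\<phase>.
            $full = $cmd
            if (-not ([IO.Path]::IsPathRooted($cmd))) { $full = Join-Path (Join-Path $scriptRoot $phase) $cmd }
            [pscustomobject]@{
                Phase       = $phase
                Order       = [int]$index
                CmdLine     = $cmd
                Parameters  = $ini[$phase]["${index}Parameters"]
                Exists      = Test-Path -LiteralPath $full
                UserVersion = $userVersion
                GuidCount   = $guids.Count
            }
        }
    }
}

# --- constructed sample files (not taken from a real machine) ---
$root = Join-Path ([IO.Path]::GetTempPath()) ('LocalGpoSample_' + [guid]::NewGuid())
New-Item -ItemType Directory -Force -Path (Join-Path $root 'User\Scripts\Logon') | Out-Null
Set-Content -LiteralPath (Join-Path $root 'gpt.ini') -Value @(
    '[General]'
    'gPCUserExtensionNames=[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}]'
    'Version=131072')
Set-Content -LiteralPath (Join-Path $root 'User\Scripts\scripts.ini') -Encoding Unicode -Value @(
    '[Logon]', '0CmdLine=audit.cmd', '0Parameters=logon'
    '[Logoff]', '0CmdLine=audit.cmd', '0Parameters=logoff')
Set-Content -LiteralPath (Join-Path $root 'User\Scripts\Logon\audit.cmd') -Value '@echo off'

Get-LocalGpoScript -GpRoot $root | Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```

In the sample, the Logoff row comes back with Exists = False because no audit.cmd was placed under User\Scripts\Logoff, which is the kind of dangling entry a folder copy from a reference machine can leave behind.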

  • Help with logon script

    Hi
    We have a legacy reporting app (Crystal Distribution 8.5) that relies on DLLs to export data from it to other apps such as Excel.
    In XP/2003 the DLLs are installed and accessed from the WINDOWS & System32 directory but due to changes that MS made in Vista/2008 and higher the DLLS need to be installed in the user's local profile for the app to work properly on Vista/2008+.  Example:
    C:\Users\user.name\WINDOWS\Crystal
    This has been easy to manage for the few users on Win 7 workstations but we are now making the move to Server 2008R2 RDS.  Therefore using a script to put these DLLs in the right place via Group Policy when a user logs on to an RDS server (there will be
    multiple and they will be load balanced) seems the logical answer.
    I am not however an expert on scripting by any means.  I can just about manage a logon script to map a network drive.  Could do with some help on:
    > A logon script that runs once per server per user that I can deploy with a GPO
    > The script needs to create a directory in their local user profile path (as previously mentioned) and copy a list of DLLs to it (or just copy the "Crystal" folder to the WINDOWS folder in their local profile).
    Many thanks

    Hi Flanjman,
    If the servers are deployed on server 2008 R2+, you can try a powershell script, and the script below may be helpful for you, which can create a new directory and copy the local folder to the new created folder:
    $newfolder = "C:\Users\user.name\WINDOWS\Crystal"
    New-Item -Path $newfolder -ItemType directory #create new folder
    copy-item -Path d:\test1 -Destination $newfolder -Force -Recurse #copy all the files in the folder
    Then please save the script above as .ps1 file, and follow this article to deploy in GPO:
    Start Me Up: Scripting a Logon with PowerShell
    Please also note, if the PowerShell execution policy on all the servers hasn't been set to allow running a PowerShell script locally, you also need to deploy the execution policy in GPO first:
    "Computer Configuration\ Administrative Templates\ Windows Components\ Windows Powershell" and configure the "Turn on script execution" setting, and choose "Allow local script and remote signed scripts"
    Best Regards,
    Anna
    TechNet Community Support

  • GP logon script with PowerShell

    We have a Windows Server 2012 domain and would like to create a GP logon script with PowerShell.
    So if you execute the .ps1 file, the specified logon script settings (including parameters) would be applied automatically in the GP.
    Any idea of such command line?

    Thanks for the tips!
    May not be the easiest solution, but it works:
    I created a backup of the GPO, set up fully in the graphical interface, and I've copied the ps1 file into the same folder.
    #Start
    #Create GPO
    $gponame = "Program_AutoStart"
    Write-Host ""
    $ou = Read-Host "What is your Organisational Unit name?"
    Write-Host ""
    $enforce = Read-Host "Do you want enforce Group Policy link? (Yes/No)"
    $dc1 = $env:userdnsdomain
    $dc1length = $env:userdnsdomain.Length
    $dc1s = $env:userdnsdomain.Split(".")
    $dc1count = $dc1s[$dc1s.Count-1].Length+1
    $dc1max = $dc1length-$dc1count
    $dc1 = $dc1.Substring(0,$dc1max)
    $dc2 = $env:userdnsdomain.Split(".")
    $dc2 = $dc2[$dc2.Count-1]
    Write-Host ""
    Write-Host -Object "Create a new Group Policy Object..."
    #replace GPO settings
    ##backup.xml file
    $backupFilePath = ".\backup\{2F708EB2-F154-4739-8F6D-1F16C954649C}\Backup.xml"
    $content = Get-Content -path $backupFilePath
    $content | foreach { $_.Replace("mydomainname","$env:userdnsdomain") } | Set-Content $backupFilePath
    $content = Get-Content -path $backupFilePath
    $content | foreach { $_.Replace("mycomputername","$env:COMPUTERNAME") } | Set-Content $backupFilePath
    $content = Get-Content -path $backupFilePath
    $content | foreach { $_.Replace("mynetbiosname","$env:userdomain") } | Set-Content $backupFilePath
    ##bkupinfo.xml file
    $bkupinfoFilePath = ".\backup\{2F708EB2-F154-4739-8F6D-1F16C954649C}\bkupinfo.xml"
    $content = Get-Content -path $bkupinfoFilePath
    $content | foreach { $_.Replace("mydomainname","$env:userdnsdomain") } | Set-Content $bkupinfoFilePath
    $content = Get-Content -path $bkupinfoFilePath
    $content | foreach { $_.Replace("mycomputername","$env:COMPUTERNAME") } | Set-Content $bkupinfoFilePath
    $content = Get-Content -path $bkupinfoFilePath
    $content | foreach { $_.Replace("mynetbiosname","$env:userdomain") } | Set-Content $bkupinfoFilePath
    ##gpreport.xml file
    $gpreportFilePath = ".\backup\{2F708EB2-F154-4739-8F6D-1F16C954649C}\gpreport.xml"
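    # Note: $share is not assigned anywhere in the posted script; set it to the share name before this line
    $programexe = "$env:logonserver\$share\My_Program\program.exe"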
    $content = Get-Content -path $gpreportFilePath
    $content | foreach { $_.Replace("mycommand","$programexe") } | Set-Content $gpreportFilePath
    Write-Host ""
    $parameters = Read-Host "Add your parameters"
    $content = Get-Content -path $gpreportFilePath
    $content | foreach { $_.Replace("myparameters","$parameters") } | Set-Content $gpreportFilePath
    ##scripts.ini file
    # Separate variable so the gpreport.xml path above is still available for the undo step
    $scriptsIniFilePath = ".\backup\{2F708EB2-F154-4739-8F6D-1F16C954649C}\DomainSysvol\GPO\User\Scripts\scripts.ini"
    $content = Get-Content -path $scriptsIniFilePath
    $content | foreach { $_.Replace("mycommand","$programexe") } | Set-Content $scriptsIniFilePath
    $content = Get-Content -path $scriptsIniFilePath
    $content | foreach { $_.Replace("myparameters","$parameters") } | Set-Content $scriptsIniFilePath
    #Import GPO and link
    Write-Host ""
    Write-Host -Object "Import Group Policy settings..."
    Import-GPO -BackupGpoName "$gponame" -TargetName "$gponame" -Path ".\backup" -CreateIfNeeded
    New-GPLink -Name "$gponame" -target "ou=$ou,dc=$dc1,dc=$dc2" -Enforced $enforce -LinkEnabled Yes
    #Replace undo
    ##backup.xml file
    $content = Get-Content -path $backupFilePath
    $content | foreach { $_.Replace("$env:userdnsdomain","mydomainname") } | Set-Content $backupFilePath
    $content = Get-Content -path $backupFilePath
    $content | foreach { $_.Replace("$env:COMPUTERNAME","mycomputername") } | Set-Content $backupFilePath
    $content = Get-Content -path $backupFilePath
    $content | foreach { $_.Replace("$env:userdomain","mynetbiosname") } | Set-Content $backupFilePath
    ##bkupinfo.xml file
    $content = Get-Content -path $bkupinfoFilePath
    $content | foreach { $_.Replace("$env:userdnsdomain","mydomainname") } | Set-Content $bkupinfoFilePath
    $content = Get-Content -path $bkupinfoFilePath
    $content | foreach { $_.Replace("$env:COMPUTERNAME","mycomputername") } | Set-Content $bkupinfoFilePath
    $content = Get-Content -path $bkupinfoFilePath
    $content | foreach { $_.Replace("$env:userdomain","mynetbiosname") } | Set-Content $bkupinfoFilePath
    ##gpreport.xml file
    $content = Get-Content -path $gpreportFilePath
    $content | foreach { $_.Replace("$programexe","mycommand") } | Set-Content $gpreportFilePath
    $content = Get-Content -path $gpreportFilePath
    $content | foreach { $_.Replace("$parameters","myparameters") } | Set-Content $gpreportFilePath
    ##scripts.ini file
    $content = Get-Content -path $scriptsIniFilePath
    $content | foreach { $_.Replace("$programexe","mycommand") } | Set-Content $scriptsIniFilePath
    $content = Get-Content -path $scriptsIniFilePath
    $content | foreach { $_.Replace("$parameters","myparameters") } | Set-Content $scriptsIniFilePath
    #End

  • PowerShell logon script with function parameters

    Hi,
    I've made a file, something.ps1, that has two functions: Set-Something and Remove-Something. Unless necessary I will not explain what they do (though the names should provide the gist of it).
    These functions can be run successfully with the commands.
    Set-Something -Path "C:\Path\To\Something"
    Remove-Something -Path "C:\Path\To\Something"
    I'm trying to implement these as logon and logoff in GPO. What I set for example in logon is:
    Tab: PowerShell
    Name: "C:\Scripts\something.ps1"
    Parameters: "Set-Something -Path 'C:\Path\To\Something'"
    This does not work. Why?
    PS: I can get it to work with adding the following to the end of the script, and run it without parameters at login.
    Set-Something -Path 'C:\Path\To\Something'
    But that isn't what I'm trying to do, because that means I will have to create one script for logon and one for logoff. I want to run the same script, but different functions at logon and logoff.

    Hi,
    Check the following points,
    - Check the availability of your PowerShell scripts in the netlogon share - \\Server\NETLOGON
    - Check whether the GPO is linked to the OU containing users, because a GPO with a logon script needs to be assigned to a scope with users, whereas a GPO with a startup script needs to be assigned to a scope with computers.
    - To confirm whether GPO settings are applied - run gpresult from command prompt.
    - To force the GPO settings - run gpupdate /force from command prompt.
    - Then logoff and login again to check the status.
    Regards,
    Gopi
    JiJi Technologies
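
The Parameters box in the GPO dialog is handed to the script file as arguments; it is not run as a command inside it, so a script that only defines functions and has no param block does nothing with "Set-Something -Path ...". One way to let a single file serve both logon and logoff is sketched below as an added example (not the poster's code): the `-Action` parameter is an assumption, and the two function bodies are stand-ins because the post does not show what they do.

```powershell
# something.ps1 (added example)
# GPO logon  -> Script Name: C:\Scripts\something.ps1
#               Script Parameters: -Action Set -Path "C:\Path\To\Something"
# GPO logoff -> same Script Name
#               Script Parameters: -Action Remove -Path "C:\Path\To\Something"
[CmdletBinding()]
param(
    # ValidateSet rejects anything other than the two supported actions,
    # so the Parameters text can never select arbitrary code to run.
    [Parameter(Mandatory)]
    [ValidateSet('Set', 'Remove')]
    [string]$Action,

    [Parameter(Mandatory)]
    [ValidateNotNullOrEmpty()]
    [string]$Path
)

function Set-Something {
    # Stand-in body (assumption): make sure the directory exists.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
}

function Remove-Something {
    # Stand-in body (assumption): remove the directory, only if it is empty.
    param([Parameter(Mandatory)][string]$Path)
    if ((Test-Path -LiteralPath $Path) -and -not (Get-ChildItem -LiteralPath $Path -Force)) {
        Remove-Item -LiteralPath $Path
    }
}

# Dispatch: the functions are defined above, and this is the only place they are called.
switch ($Action) {
    'Set'    { Set-Something -Path $Path }
    'Remove' { Remove-Something -Path $Path }
}
```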

Maybe you are looking for