Solved

GP PowerShell Logoff script only runs for admins - same script as GP PowerShell Logon script runs for all users

Posted on 2016-10-06
26
74 Views
Last Modified: 2016-10-12
In a Windows Server 2008 R2 terminal services scenario with Citrix XenApp shared server desktops, I have this simple PowerShell script to delete items from the recycle bin once they're over 30 days old:

$Path = '\\domain.local\Proffil\' + $env:USERNAME + '\Desktop\$Recycle.Bin'
Get-ChildItem $Path -Force -Recurse -ErrorAction SilentlyContinue |
Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-18) } |
Remove-Item -Recurse -Force

This works fine when I put it as a Logon script (Group Policy PowerShell scripts tab).  However when I have it as Logoff script (Group Policy PowerShell scripts tab) it only runs for admin users.  I've tried switching on transcripts to see what's going on but I think there's probably a permissions issue that prevents the transcript files from being written.

Before going down the road of troubleshooting why my transcripts aren't being written, can you suggest why my script isn't running on logoff?

ExecutionPolicy is fine because it runs when logging off as an admin.
Permission of the user at the $Recycle.Bin folder is also fine, because it works as PowerShell logon script.

Thanks.
Question by:meirionwyllt
26 Comments
 
LVL 8

Expert Comment

by:James Rankin
Firstly, is the gpo actually applying to the non Admin users?  When they are logged in, run gpresult /r and see if the GPO is applied to them.
 

Author Comment

by:meirionwyllt
Hi James.  Yes the GPO is applying for the non-admins.  The logon and logoff scripts were actually in the same GPO (only enabling one at a time!), so it must be applying otherwise it wouldn't have run on logon for them.  Thanks.
 

Author Comment

by:meirionwyllt
By the way, the above script should say AddDays(-30)  rather than AddDays(-18) - that was just me testing different things.
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 100 total points
Simple tests rule.
Create a logoff script test.bat
Contents:
md %userprofile%\test

Does that folder get created?
 
LVL 8

Expert Comment

by:James Rankin
On my blog there is an article about putting a stop in a powershell script...give that a try and see what is happening http://appsensebigot.blogspot.co.uk/2014/03/a-handy-hint-for-troubleshooting.html?m=1
 

Author Comment

by:meirionwyllt
McKnife - I tried your test, but these are mandatory profiles (with redirected desktops), so the local user profile gets deleted on logoff.  So rather than creating a folder in %USERPROFILE% I got the batch file to create one in \\domain.local\Proffil\%USERNAME%\Desktop.

The folder got created fine.  So that is further proof that the permissions are OK.

James - the problem with this is that I'm not able to see the interactive PowerShell window when running as a logoff script.  When running the script manually inside a user session the script works anyway.

Thanks.
 
LVL 8

Expert Comment

by:James Rankin
Are you still an AppSense shop?
 
LVL 8

Accepted Solution

by:James Rankin
James Rankin earned 400 total points
If you are you can create a logoff action and get it to run interactive powershell
 

Author Comment

by:meirionwyllt
Indeed we are.  OK great I'll give that a go and report back.  Thanks.
 
LVL 53

Expert Comment

by:McKnife
So we'll need the transcripts. Create a local folder c:\logs and have it log there.
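To follow McKnife's suggestion and get evidence out of a logoff run that appears to do nothing, here is an added example (not code from the original question or from either expert) of the thread's cleanup script wrapped in a transcript plus a record of the identity it actually runs as. It assumes C:\Logs exists and is writable by every user that logs off, keeps the \\domain.local\Proffil share from the question, and uses the 30-day cutoff the asker later said was intended:

```powershell
# Added example, not the original poster's script: the thread's Recycle Bin cleanup with
# diagnostics so a logoff run that silently does nothing still leaves a log behind.
# Assumptions: C:\Logs exists and all users can write to it (the thread suggests c:\logs);
# the profile share path is the one from the question.
$LogRoot = 'C:\Logs'
$Days    = 30

# One transcript per user and run. Start-Transcript needs the console host (it fails in the ISE),
# so catch the failure and note it somewhere that survives the profile being discarded at logoff.
$TranscriptFile = Join-Path $LogRoot ("RecycleBin-{0}-{1}.log" -f $env:USERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss'))
try {
    Start-Transcript -Path $TranscriptFile -Force | Out-Null
} catch {
    Add-Content -Path (Join-Path $LogRoot 'RecycleBin-errors.log') `
        -Value ("{0} {1}: transcript failed: {2}" -f (Get-Date), $env:USERNAME, $_.Exception.Message)
}

# The first thing to check when a logoff script "only works for admins" is which token it runs under.
$Identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$IsAdmin  = (New-Object Security.Principal.WindowsPrincipal $Identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Output ("Running as {0} (admin: {1}) in session {2}" -f $Identity.Name, $IsAdmin, (Get-Process -Id $PID).SessionId)

# Single quotes keep $Recycle.Bin literal; PowerShell would otherwise try to expand $Recycle.
$Path = '\\domain.local\Proffil\' + $env:USERNAME + '\Desktop\$Recycle.Bin'
if (-not (Test-Path -LiteralPath $Path)) {
    Write-Output "Recycle Bin folder not found or not accessible: $Path"
} else {
    $Cutoff = (Get-Date).AddDays(-$Days)
    $Old = Get-ChildItem -LiteralPath $Path -Force -Recurse -ErrorAction SilentlyContinue |
           Where-Object { $_.LastWriteTime -lt $Cutoff }
    Write-Output ("{0} item(s) older than {1} days" -f @($Old).Count, $Days)

    foreach ($Item in $Old) {
        # A folder removed with -Recurse takes its children with it, so skip entries already gone.
        if (-not (Test-Path -LiteralPath $Item.FullName)) { continue }
        try {
            Remove-Item -LiteralPath $Item.FullName -Recurse -Force -ErrorAction Stop
            Write-Output "Removed: $($Item.FullName)"
        } catch {
            Write-Output "FAILED:  $($Item.FullName) - $($_.Exception.Message)"
        }
    }
}

try { Stop-Transcript | Out-Null } catch { }
```

Run it once interactively as a non-admin test user to confirm the transcript appears, then attach it as the logoff script: a transcript that is written for admins but never for standard users points at the script host not starting for them at all, while a transcript that shows "Recycle Bin folder not found" points at the share or the token, which is a different problem from the one the thread is chasing.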
 

Author Comment

by:meirionwyllt
I've tried creating a Custom Logoff Action with the same code plus a Write-Host at the end.  I've also unticked 'Prevent from running interactively'.  I've also tried Start-Transcript at the beginning and Stop-Transcript at the end, trying both the redirected desktop and a local folder as destination.  But I can't get anything to work here.  Files are not being cleared from the Recycle Bin and no transcripts are being created.  Also there is no interactive screen because presumably that gets forced to close during logoff.
 
LVL 8

Expert Comment

by:James Rankin
It should wait...whenever I take this route it pops up a window at logoff.

There was a bug in Windows 10 recently where PowerShell logoff scripts wouldn't run. I wonder if this has manifested itself somewhere else? Does ANY powershell run as a logon script? Can you try writing to a text file or creating a folder in PS?
 

Author Comment

by:meirionwyllt
OK, a slight improvement.  I created another script like you said, with just this in there...

$Path = '\\domain.local\Proffil\' + $env:USERNAME + '\Desktop\prawf2'
New-Item $Path -ItemType Directory

And the folder is created on logoff.

 
LVL 8

Expert Comment

by:James Rankin
Ok, so it's working...must be a problem with the command. I had a similar thing, export-startlayout doesn't work in a logoff script but does in session. Could you try a batch command, or maybe use a powershell script as a scheduled task that triggers when a logoff event is written?
 
LVL 8

Assisted Solution

by:James Rankin
James Rankin earned 400 total points
This link tells you how to trigger a scheduled task powershell at logoff http://www.citrixirc.com/?p=603
 

Author Comment

by:meirionwyllt
Hi James, although the scheduled task option was always a workaround that I'd be willing to use as a last resort, I think it's time to go down that road, because you speak of Windows 10 problems with Logoff PowerShell scripts - plus I've actually had a call open with Microsoft for about 2 months now where they've been trying to find out why some commands won't run inside a PowerShell Logon script with Windows 10 although it works fine on Windows 7, or when run manually.  They haven't yet admitted that this is a bug, despite my insistence, so it's interesting to hear that there is a reported bug with PowerShell Logoff scripts.

Anyway, I had a look at Scheduled Tasks, and was dismayed to find that you can't do it natively for Logoff triggers, only for Logon Triggers.  So I've followed the article you posted, and for some reason I can't get the task to run at all.  Says "Last Run Time:  Never"

The trigger has been checked and double checked and is correctly configured.  I can also see the 4647 event in the logs that should have kicked off the task.

I've ticked 'Run with highest privileges'.  I'm not sure what user/group I should have this task run under.  I've tried SYSTEM, Administrator and Domain Users, but nothing works.  What should I put here to ensure that the task runs for all AD users?  The script wouldn't be relevant to local users because of the redirected desktop.

And what about the 'Run only when user is logged on' - does Windows consider the user to be 'logged on' if they've just pressed a button to log themselves off?

Thanks.
 
LVL 8

Expert Comment

by:James Rankin
Have you got logon and logoff auditing turned on in Local Security Policy/GPO? If you run the task manually does it succeed?

I wouldn't run it under an admin user context - if you want it to clear the Recycle Bin you need to run in the user context.

If you can wait a bit I may get a chance to test this in the lab, although I have to record a video now and at 3pm I need to have a long meeting with some guys in New York. If I can slot in a minute to check some of the questions you've asked I will. It is 2008 R2 you are running this on, yes?
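Putting James's two points together (the event-triggered task from the citrixirc link, and running it in the user's own context rather than as an admin), here is an added example, not the article's own steps and not code from anyone in the thread, that registers such a task from PowerShell on a 2008 R2 host. Register-ScheduledTask does not exist on 2008 R2, so it writes the task XML and imports it with schtasks.exe. The script path C:\Scripts\Clear-OldRecycleBin.ps1 and the group DOMAIN\Domain Users are placeholders to replace:

```powershell
# Added example: register a task that fires on Security event 4647 (user-initiated logoff)
# and runs the cleanup script as the logging-off user. Not from the original thread.
# Assumptions (placeholders): the script lives at C:\Scripts\Clear-OldRecycleBin.ps1 and
# should run for members of DOMAIN\Domain Users. Run this once as an administrator.
$TaskName   = 'Clear-OldRecycleBin-AtLogoff'
$ScriptPath = 'C:\Scripts\Clear-OldRecycleBin.ps1'   # placeholder path
$GroupName  = 'DOMAIN\Domain Users'                  # placeholder group
$XmlPath    = Join-Path $env:TEMP "$TaskName.xml"

# The Subscription is an event-log XPath query, XML-escaped because it sits inside XML.
# 4647 is only written when success auditing for logon/logoff events is enabled.
$TaskXml = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4647]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
  </Triggers>
  <Principals>
    <!-- A group principal runs the task as whichever logged-on member triggered it, so the
         script sees that user's own profile share and ACLs and never needs admin rights.
         Local users who are not members of the group do not trigger it. -->
    <Principal id="Author">
      <GroupId>$GroupName</GroupId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <!-- Several users can log off a shared terminal server at once. -->
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <ExecutionTimeLimit>PT10M</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -NonInteractive -ExecutionPolicy Bypass -File "$ScriptPath"</Arguments>
    </Exec>
  </Actions>
</Task>
"@

# The XML declares UTF-16, so write it as Unicode; /F overwrites an existing task of that name.
[IO.File]::WriteAllText($XmlPath, $TaskXml, [Text.Encoding]::Unicode)
schtasks.exe /Create /TN $TaskName /XML $XmlPath /F

# Read the registered definition back to confirm the trigger and principal took.
schtasks.exe /Query /TN $TaskName /XML
```

Two things worth checking once it is registered. First, the task runs a script as every member of the group, so the script file should live somewhere only administrators can write; a user-writable script path would let any user change what runs in every other user's logoff. Second, the task file under C:\Windows\System32\Tasks needs to be readable by the group for the task to start in that user's context, which is the permission the thread ended up adjusting by hand.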
 

Author Comment

by:meirionwyllt
Yes I have Success and Failure ticked in my local policy for 'Audit logon events', which I gather includes logoff events as well.

I've set the task to run with 'Domain Users', although putting a group name here feels wrong somehow.

I've then tried to manually run the task when logged in as my test (non-admin) user, and I get "The user account does not have permission to run this task".  So then I found the related XML file in C:\Windows\System32\Tasks, and changed the Domain Users permissions from Read to Read&Execute.  Anyway, now I can run it manually, and it runs fine.

Now before I go on, is this the correct way to allow non-admins to execute Scheduled Tasks?  Does this need to be set to allow execution during logoff as well, or only for running manually?

Yes it's 2008 R2.  Thanks for your help on this.
 
LVL 8

Expert Comment

by:James Rankin
A bit odd that you had to change the perms manually, but Scheduled Tasks can be a bit fiddly. I didn't need to do that on Windows 10, but it may well be an issue that occurred on earlier versions.

See if that gets any better and if it doesn't I can have a look see when I get finished up :-)
 

Author Comment

by:meirionwyllt
That works OK now as a scheduled task, and I've put it into the PVS image for next time.  One thing I notice is that it runs under all users, even local ones.  I thought that running the Task under Domain Users would prevent that.

This isn't an important thing, but it's just for me to understand why it happens really.  D'you know how to make the task run only for domain users (without editing the script itself of course)?

Thanks.
 
LVL 8

Expert Comment

by:James Rankin
What if you restrict the permissions on the XML file to Domain Users only?
 

Author Comment

by:meirionwyllt
Strange.  After I opened up my PVS image to create the scheduled task in private mode, the resulting XML file had the correct permissions, i.e. the local 'Users' group didn't have any permissions on the file, only Domain Users with Read and Read&execute, and the task doesn't run for local users.  Which is what I need of course.

However, now that I've baked it into my gold image and deployed, I'm not getting the task triggered by anything.  Last Run Time - Never, although looking at the event log on that machine there are 4 occasions of Event 4647 being logged.  Furthermore, these 4 users that logged off still have old stuff in their Recycle Bin.

Annoying.  OK, unless you can think of something obvious I'll give AppSense a go with this.  I'll unleash a new version of the EM config to one or two of the live servers on the sly.  I've run out of users with old stuff in their recycle bins now!

What would be best way of getting some kind of auditing logs from that EM Logoff Action to see what happens?

Thanks.
 
LVL 8

Expert Comment

by:James Rankin
That's really odd. Scheduled Tasks tend to be a bit of a black art, in my experience. Do you need to run it manually before sealing the gold image or something? Seems very strange.

With regards to doing it via EM, you can set up the EM logging and get it to write to a file to see what's going on - if you're on 8.6 it is now much easier - http://appsensebigot.blogspot.co.uk/2015/06/quickpost-debugging-appsense.html
 

Author Comment

by:meirionwyllt
Thanks for your guide on setting up and analysing the EM logs.  Very insightful.

Luckily I didn't need it, because I'm checking the file server that holds all of the redirected Desktop folders (and therefore also the $RECYCLE.BIN folders contained within), and can see that I now have 9GB more than I had this morning, so the Logoff Action has definitely worked!

Yet again AppSense have proven that they can get parts of Windows to work better than Microsoft themselves can.

Thanks for your help.
 
LVL 8

Expert Comment

by:James Rankin
Excellent...might be worth a blog post if I can find the time. Glad it is sorted.
 

Author Comment

by:meirionwyllt
The number of GBs reclaimed due to this script has now risen to 37GB.  Excellent stuff!