  • Status: Solved

GP PowerShell Logoff script only runs for admins - same script as GP PowerShell Logon script runs for all users

In a Windows Server 2008 R2 terminal services scenario with Citrix XenApp shared server desktops, I have this simple PowerShell script to delete items from the recycle bin once they're over 30 days old:

# Per-user recycle bin on the redirected desktop share (single quotes keep $Recycle.Bin literal)
$Path = '\\domain.local\Proffil\' + $env:USERNAME + '\Desktop\$Recycle.Bin'
# Hidden/system items need -Force; errors are swallowed so a locked item does not stop the run
Get-ChildItem $Path -Force -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-18) } |
    Remove-Item -Recurse -Force

This works fine when I put it as a Logon script (Group Policy PowerShell scripts tab). However, when I have it as a Logoff script (Group Policy PowerShell scripts tab) it only runs for admin users. I've tried switching on transcripts to see what's going on, but I think there's probably a permissions issue that prevents the transcript files from being written.

Before going down the road of troubleshooting why my transcripts aren't being written, can you suggest why my script isn't running on logoff?

ExecutionPolicy is fine because it runs when logging off as an admin.
Permission of the user at the $Recycle.Bin folder is also fine, because it works as PowerShell logon script.
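The following is an added example, not the poster's script: the same cleanup instrumented so that a logoff run that silently does nothing leaves evidence behind. It assumes C:\Logs exists and is writable by every user who logs off, and the profile share path from the question.

```powershell
# Added example: the recycle-bin cleanup with a transcript that survives logoff.
# Assumption: C:\Logs exists and non-admin users have Modify on it.
param(
    [int]$MaxAgeDays = 30,
    [string]$LogDir  = 'C:\Logs'
)

$log = Join-Path $LogDir ("RecycleBin-{0}-{1:yyyyMMdd-HHmmss}.log" -f $env:USERNAME, (Get-Date))
Start-Transcript -Path $log -Force | Out-Null
try {
    # Record the identity the script really runs as: a script that works only
    # for admins is usually a token/permission question, not a syntax one.
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = ([System.Security.Principal.WindowsPrincipal]$who).IsInRole('Administrators')
    Write-Output ("Running as {0}; admin token: {1}" -f $who.Name, $isAdmin)

    # Single quotes keep $Recycle.Bin literal (share path as in the question)
    $Path   = Join-Path ('\\domain.local\Proffil\' + $env:USERNAME) 'Desktop\$Recycle.Bin'
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Output "Recycle bin path not found or not accessible: $Path"
        return
    }

    # Collect first, then delete, so the transcript lists exactly what went.
    $old = @(Get-ChildItem -LiteralPath $Path -Force -Recurse -ErrorAction SilentlyContinue |
             Where-Object { $_.LastWriteTime -lt $cutoff })
    foreach ($item in $old) {
        # An item may already be gone if its parent folder was removed earlier.
        if (Test-Path -LiteralPath $item.FullName) {
            Write-Output ("Removing {0} (modified {1:u})" -f $item.FullName, $item.LastWriteTime)
            Remove-Item -LiteralPath $item.FullName -Recurse -Force -ErrorAction Continue
        }
    }
    Write-Output ("Processed {0} item(s) older than {1} days" -f $old.Count, $MaxAgeDays)
}
catch {
    Write-Output "ERROR: $($_.Exception.Message)"
}
finally {
    Stop-Transcript | Out-Null
}
```

If the log file never appears for non-admin users, the script was not started in their context at all; if it appears but lists no items, the script ran and the path or the token is the problem.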

Thanks.
Asked by meirionwyllt
 
James Rankin commented:
Firstly, is the gpo actually applying to the non Admin users?  When they are logged in, run gpresult /r and see if the GPO is applied to them.
0
 
meirionwyllt (Author) commented:
Hi James.  Yes the GPO is applying for the non-admins.  The logon and logoff scripts were actually in the same GPO (only enabling one at a time!), so it must be applying otherwise it wouldn't have run on logon for them.  Thanks.
0
 
meirionwyllt (Author) commented:
By the way, the above script should say AddDays(-30)  rather than AddDays(-18) - that was just me testing different things.
0
 
McKnife commented:
Simple tests rule.
Create a logoff script test.bat
Contents:
md %userprofile%\test

Does that folder get created?
0
 
James Rankin commented:
On my blog there is an article about putting a stop in a powershell script...give that a try and see what is happening http://appsensebigot.blogspot.co.uk/2014/03/a-handy-hint-for-troubleshooting.html?m=1
0
 
meirionwyllt (Author) commented:
McKnife - I tried your test, but these are mandatory profiles (with redirected desktops), so the local user profile gets deleted on logoff. So rather than creating a folder in %USERPROFILE%, I got the batch file to create one in \\domain.local\Proffil\%USERNAME%\Desktop.

The folder got created fine.  So that is further proof that the permissions are OK.

James - the problem with this is that I'm not able to see the interactive PowerShell window when running as a logoff script. When running the script manually inside a user session the script works anyway.

Thanks.
0
 
James Rankin commented:
Are you still an AppSense shop?
0
 
James Rankin commented:
If you are you can create a logoff action and get it to run interactive powershell
0
 
meirionwyllt (Author) commented:
Indeed we are.  OK great I'll give that a go and report back.  Thanks.
0
 
McKnife commented:
So we'll need the transcripts. Create a local folder c:\logs and have it log there.
0
 
meirionwyllt (Author) commented:
I've tried creating a Custom Logoff Action with the same code plus a Write-Host at the end. I've also unticked 'Prevent from running interactively'. I've also tried Start-Transcript at the beginning and Stop-Transcript at the end, trying both the redirected desktop and a local folder as destination. But I can't get anything to work here. Files are not being cleared from the Recycle Bin and no transcripts are being created. Also there is no interactive screen because presumably that gets forced to close during logoff.
0
 
James Rankin commented:
It should wait...whenever I take this route it pops up a window at logoff.

There was a bug in Windows 10 recently where PowerShell logoff scripts wouldn't run. I wonder if this has manifested itself somewhere else? Does ANY powershell run as a logon script? Can you try writing to a text file or creating a folder in PS?
0
 
meirionwyllt (Author) commented:
OK, a slight improvement.  I created another script like you said, with just this in there...

# Test script: create a marker folder on the redirected desktop at logoff
$Path = '\\domain.local\Proffil\' + $env:USERNAME + '\Desktop\prawf2'
New-Item $Path -ItemType Directory

And the folder is created on logoff.
0
 
James Rankin commented:
Ok, so it's working...must be a problem with the command. I had a similar thing, export-startlayout doesn't work in a logoff script but does in session. Could you try a batch command, or maybe use a powershell script as a scheduled task that triggers when a logoff event is written?
0
 
James Rankin commented:
This link tells you how to trigger a scheduled task powershell at logoff http://www.citrixirc.com/?p=603
0
 
meirionwyllt (Author) commented:
Hi James, although the scheduled task option was always a workaround that I'd be willing to use as a last resort, I think it's time to go down that road, because you speak of Windows 10 problems with Logoff Powershell scripts - plus I've actually had a call open with Microsoft for about 2 months now where they've been trying to find out why some commands won't run inside a PowerShell Logon script with Windows 10 although works fine on Windows 7, or when ran manually.  They haven't yet admitted that this is a bug, despite my insistence, so it's interesting to hear that there is a reported bug with Powershell Logoff scripts.

Anyway, I had a look at Scheduled Tasks, and was dismayed to find that you can't do it natively for Logoff triggers, only for Logon Triggers.  So I've followed the article you posted, and for some reason I can't get the task to run at all.  Says "Last Run Time:  Never"

The trigger has been checked and double checked and is correctly configured.  I can also see the 4647 event in the logs that should have kicked off the task.

I've ticked 'Run with highest privileges'.  I'm not sure what user/group I should have this task run under.  I've tried SYSTEM, Administrator and Domain Users, but nothing works.  What should I put here to ensure that the task runs for all AD users?  The script wouldn't be relevant to local users because of the redirected desktop.

And what about the 'Run only when user is logged on' - does Windows consider the user to be 'logged on' if they've just pressed a button to log themselves off?

Thanks.
0
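An added example (not from the thread or the linked article) of the scheduled-task approach discussed above: a task triggered by Security event 4647 that runs a PowerShell script as the logging-off user with a non-elevated token, which is the user context James recommends rather than 'Run with highest privileges'. DOMAIN, the task name and the script path C:\Scripts\Clear-OldRecycleBin.ps1 are assumptions; logoff auditing must be enabled or 4647 is never written and the trigger never fires.

```powershell
# Added example: register a logoff-triggered task via schtasks (works on 2008 R2,
# which lacks Register-ScheduledTask). Assumptions: DOMAIN, task name, script path.
$Domain   = 'DOMAIN'
$TaskName = 'ClearOldRecycleBin'
$XmlPath  = Join-Path $env:TEMP "$TaskName.xml"

# Event subscription for 4647 (user-initiated logoff); it must be XML-escaped
# because it is embedded as text inside the task definition.
$Subscription = [System.Security.SecurityElement]::Escape(
    "<QueryList><Query Id='0' Path='Security'><Select Path='Security'>" +
    "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4647)]]" +
    "</Select></Query></QueryList>")

$TaskXml = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>$Subscription</Subscription>
    </EventTrigger>
  </Triggers>
  <Principals>
    <!-- Group principal: runs as whichever logged-on member triggered the event,
         with a least-privilege (non-elevated) token; no domain admin involved. -->
    <Principal id="Author">
      <GroupId>$Domain\Domain Users</GroupId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <!-- Several users may log off a shared XenApp server at once. -->
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <ExecutionTimeLimit>PT5M</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File "C:\Scripts\Clear-OldRecycleBin.ps1"</Arguments>
    </Exec>
  </Actions>
</Task>
"@

# The declaration says UTF-16, so write the file as Unicode before importing it.
Set-Content -Path $XmlPath -Value $TaskXml -Encoding Unicode
schtasks.exe /Create /TN $TaskName /XML $XmlPath /F
Remove-Item $XmlPath
```

Because the task is registered by an administrator, the resulting file under C:\Windows\System32\Tasks can be checked for the Domain Users read/execute permission the thread found necessary, and the script itself should stay in an admin-only folder so that members of the group cannot alter what runs in everyone's session.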
 
James Rankin commented:
Have you got logon and logoff auditing turned on in Local Security Policy/GPO? If you run the task manually, does it succeed?

I wouldn't run it under an admin user context - if you want it to clear the Recycle Bin you need to run in the user context.

If you can wait a bit I may get a chance to test this in the lab, although I have to record a video now and at 3pm I need to have a long meeting with some guys in New York. If I can slot in a minute to check some of the questions you've asked I will. It is 2008 R2 you are running this on, yes?
0
 
meirionwyllt (Author) commented:
Yes I have Success and Failure ticked in my local policy for 'Audit logon events', which I gather includes logoff events as well.

I've set the task to run with 'Domain Users', although putting a group name here feels wrong somehow.

I've then tried to manually run the task when logged in as my test (non-admin) user, and I get "The user account does not have permission to run this task".  So then I found the related XML file in C:\Windows\System32\Tasks, and changed the Domain Users permissions from Read to Read&Execute.  Anyway, now I can run it manually, and it runs fine.

Now before I go on, is this the correct way to allow non-admins to execute Scheduled Tasks?  Does this need to be set to allow execution during logoff as well, or only for running manually?

Yes it's 2008 R2.  Thanks for your help on this.
0
 
James Rankin commented:
A bit odd that you had to change the perms manually, but Scheduled Tasks can be a bit fiddly. I didn't need to do that on Windows 10, but it may well be an issue that occurred on earlier versions.

See if that gets any better and if it doesn't I can have a look see when I get finished up :-)
0
 
meirionwyllt (Author) commented:
That works OK now as a scheduled task, and I've put it into the PVS image for next time. One thing I notice is that it runs for all users, even local ones. I thought that running the task under Domain Users would prevent that.

This isn't an important thing, but it's just for me to understand why it happens really.  D'you know how to make the task run only for domain users (without editing the script itself of course)?

Thanks.
0
 
James Rankin commented:
What if you restrict the permissions on the XML file to Domain Users only?
0
 
meirionwyllt (Author) commented:
Strange. After I opened up my PVS image to create the scheduled task in private mode, the resulting XML file had the correct permissions, i.e. the local 'Users' group didn't have any permissions on the file, only Domain Users with Read and Read&execute, and the task doesn't run for local users. Which is what I need of course.

However, now that I've baked it into my gold image and deployed, I'm not getting the task triggered by anything.  Last Run Time - Never, although looking at the event log on that machine there are 4 occasions of Event 4647 being logged.  Furthermore, these 4 users that logged off still have old stuff in their Recycle Bin.

Annoying.  OK, unless you can think of something obvious I'll give AppSense a go with this.  I'll unleash a new version of the EM config to one or two of the live servers on the sly.  I've run out of users with old stuff in their recycle bins now!

What would be best way of getting some kind of auditing logs from that EM Logoff Action to see what happens?

Thanks.
0
 
James Rankin commented:
That's really odd. Scheduled Tasks tend to be a bit of a black art, in my experience. Do you need to run it manually before sealing the gold image or something? Seems very strange.

With regards to doing it via EM, you can set up the EM logging and get it to write to a file to see what's going on - if you're on 8.6 it is now much easier - http://appsensebigot.blogspot.co.uk/2015/06/quickpost-debugging-appsense.html
0
 
meirionwyllt (Author) commented:
Thanks for your guide on setting up and analysing the EM logs.  Very insightful.

Luckily I didn't need it, because I'm checking the file server that holds all of the redirected Desktop folders (and therefore also the $RECYCLE.BIN folders contained within), and can see that I now have 9GB more than I had this morning, so the Logoff Action has definitely worked!

Yet again AppSense have proven that they can get parts of Windows to work better than Microsoft themselves can.

Thanks for your help.
0
 
James Rankin commented:
Excellent...might be worth a blog post if I can find the time. Glad it is sorted.
0
 
meirionwyllt (Author) commented:
The number of GBs reclaimed due to this script has now risen to 37GB.  Excellent stuff!
0