Solved

GP PowerShell Logoff script only runs for admins - same script as GP PowerShell Logon script runs for all users

Posted on 2016-10-06
Last Modified: 2016-10-12
In a Windows Server 2008 R2 terminal services scenario with Citrix XenApp shared server desktops, I have this simple PowerShell script to delete items from the recycle bin once they're over 30 days old:

$Path = '\\domain.local\Proffil\' + $env:USERNAME + '\Desktop\$Recycle.Bin'
Get-ChildItem $Path -Force -Recurse -ErrorAction SilentlyContinue |
Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-18) } |
Remove-Item -Recurse -Force

This works fine when I put it as a Logon script (Group Policy PowerShell scripts tab).  However when I have it as Logoff script (Group Policy PowerShell scripts tab) it only runs for admin users.  I've tried switching on transcripts to see what's going on but I think there's probably a permissions issue that prevents the transcript files from being written.

Before going down the road of troubleshooting why my transcripts aren't being written, can you suggest why my script isn't running on logoff?

ExecutionPolicy is fine because it runs when logging off as an admin.
Permission of the user at the $Recycle.Bin folder is also fine, because it works as PowerShell logon script.

Thanks.
Question by:meirionwyllt
LVL 9

Expert Comment

by:James Rankin
ID: 41831491
Firstly, is the gpo actually applying to the non Admin users?  When they are logged in, run gpresult /r and see if the GPO is applied to them.

Author Comment

by:meirionwyllt
ID: 41831502
Hi James.  Yes the GPO is applying for the non-admins.  The logon and logoff scripts were actually in the same GPO (only enabling one at a time!), so it must be applying otherwise it wouldn't have run on logon for them.  Thanks.

Author Comment

by:meirionwyllt
ID: 41831505
By the way, the above script should say AddDays(-30)  rather than AddDays(-18) - that was just me testing different things.
LVL 56

Assisted Solution

by:McKnife
McKnife earned 400 total points
ID: 41831518
Simple tests rule.
Create a logoff script test.bat
Contents:
md %userprofile%\test

Does that folder get created?
LVL 9

Expert Comment

by:James Rankin
ID: 41831534
On my blog there is an article about putting a stop in a powershell script...give that a try and see what is happening http://appsensebigot.blogspot.co.uk/2014/03/a-handy-hint-for-troubleshooting.html?m=1

Author Comment

by:meirionwyllt
ID: 41831797
McKnife - I tried your test, but these are mandatory profiles (with redirected desktops), so the local user profile gets deleted on logoff.  So rather than creating a folder in %USERPROFILE% I got the batch file to create one in \\domain.local\Proffil\%USERNAME%\Desktop.

The folder got created fine.  So that is further proof that the permissions are OK.

James - the problem with this is that I'm not able to see the interactive powershell window when running as a logoff script.  When running the script manually inside a user session the script works anyway.

Thanks.
LVL 9

Expert Comment

by:James Rankin
ID: 41831814
Are you still an AppSense shop?
LVL 9

Accepted Solution

by:James Rankin
James Rankin earned 1600 total points
ID: 41831819
If you are, you can create a logoff action and get it to run interactive powershell

Author Comment

by:meirionwyllt
ID: 41831830
Indeed we are.  OK great I'll give that a go and report back.  Thanks.
LVL 56

Expert Comment

by:McKnife
ID: 41831882
So we'll need the transcripts. Create a local folder c:\logs and have it log there into .
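A file-logging version of the cleanup script from the question, added here as an example (it is not the asker's script or McKnife's): it appends one line per step to a local log so a logoff run leaves a trace even where Start-Transcript produced nothing, and records which principal the script actually ran as. The log folder C:\logs and the 30-day threshold follow the thread; the DryRun switch is an assumption.

```powershell
# Added example (not the asker's script): the cleanup from the question with plain file
# logging, so a logoff run leaves a trace even where Start-Transcript produced nothing.
# Assumptions: C:\logs is local and writable by users; the share path is the one from the question.
param(
    [int]$DaysOld = 30,   # threshold from the thread (the posted script still had -18 from testing)
    [switch]$DryRun       # log what would be deleted without removing anything
)

$LogDir  = 'C:\logs'
$LogFile = Join-Path $LogDir ('RecycleBinCleanup-{0}.log' -f $env:USERNAME)

function Write-Log {
    param([string]$Message)
    # Add-Content instead of Start-Transcript: one append per line, nothing to close on exit.
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line -ErrorAction SilentlyContinue
}

if (-not (Test-Path $LogDir)) { New-Item $LogDir -ItemType Directory -Force | Out-Null }

# Record who the script runs as; a run under the wrong principal (or no run at all) shows here first.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Log ('START as {0}; interactive={1}; host={2}' -f $identity.Name,
           [Environment]::UserInteractive, $Host.Name)

$Path   = '\\domain.local\Proffil\' + $env:USERNAME + '\Desktop\$Recycle.Bin'
$cutoff = (Get-Date).AddDays(-$DaysOld)
$freed  = 0

# Enumerate first so that access errors are logged instead of silently dropped (files only;
# the per-SID folders inside $Recycle.Bin are left in place).
$old = Get-ChildItem $Path -Force -Recurse -ErrorAction SilentlyContinue -ErrorVariable gciErrors |
       Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -lt $cutoff }
foreach ($e in $gciErrors) { Write-Log ('WARN {0}' -f $e.Exception.Message) }
Write-Log ('{0} item(s) older than {1} days under {2}' -f @($old).Count, $DaysOld, $Path)

foreach ($item in $old) {
    if ($DryRun) { Write-Log ('DRYRUN {0} ({1} bytes)' -f $item.FullName, $item.Length); continue }
    try {
        Remove-Item -LiteralPath $item.FullName -Force -ErrorAction Stop
        $freed += $item.Length
    }
    catch {
        Write-Log ('ERROR {0}: {1}' -f $item.FullName, $_.Exception.Message)
    }
}
Write-Log ('DONE freed {0:N0} bytes' -f $freed)
```

Run it once by hand with -DryRun from a non-admin session to confirm the log appears, then compare the START line written at logoff with the one from the manual run.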

Author Comment

by:meirionwyllt
ID: 41831954
I've tried creating a Custom Logoff Action with the same code plus a Write-Host at the end.  I've also unticked 'Prevent from running interactively'.  I've also tried Start-Transcript at the beginning and Stop-Transcript at the end, trying both the redirected desktop and a local folder as destination.  But I can't get anything to work here.  Files are not being cleared from the Recycle Bin and no transcripts are being created.  Also there is no interactive screen because presumably that gets forced to close during logoff.
LVL 9

Expert Comment

by:James Rankin
ID: 41831958
It should wait...whenever I take this route it pops up a window at logoff.

There was a bug in Windows 10 recently where PowerShell logoff scripts wouldn't run. I wonder if this has manifested itself somewhere else? Does ANY powershell run as a logon script? Can you try writing to a text file or creating a folder in PS?

Author Comment

by:meirionwyllt
ID: 41831989
OK, a slight improvement.  I created another script like you said, with just this in there...

$Path = '\\domain.local\Proffil\' + $env:USERNAME + '\Desktop\prawf2'
New-Item $Path -ItemType Directory

And the folder is created on logoff.
LVL 9

Expert Comment

by:James Rankin
ID: 41832003
Ok, so it's working...must be a problem with the command. I had a similar thing, export-startlayout doesn't work in a logoff script but does in session. Could you try a batch command, or maybe use a powershell script as a scheduled task that triggers when a logoff event is written?
LVL 9

Assisted Solution

by:James Rankin
James Rankin earned 1600 total points
ID: 41832010
This link tells you how to trigger a scheduled task powershell at logoff http://www.citrixirc.com/?p=603
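The scheduled-task route James links to, written out here as an added example in PowerShell for 2008 R2 (not the article's or James's code): the task is registered from XML through schtasks.exe because the event trigger on Security event 4647 and the group principal have no cmdlet equivalents there. A GroupId principal with LeastPrivilege runs the script as the logging-off user rather than SYSTEM or an admin, and it is also what limits runs to members of that group. The script path, the DOMAIN name and the group are assumptions.

```powershell
# Added example: register a per-user logoff task (Security event 4647) from XML via schtasks.exe.
# Assumptions: script lives at C:\Scripts\Clear-OldRecycleBin.ps1; DOMAIN is a placeholder domain.
$TaskName   = 'Clear-OldRecycleBin-AtLogoff'
$ScriptPath = 'C:\Scripts\Clear-OldRecycleBin.ps1'
$GroupId    = 'DOMAIN\Domain Users'   # only members trigger a run, each in their own user context

# The subscription is an XPath query over the Security log; it must be XML-escaped inside <Subscription>.
$Query = "<QueryList><Query Id='0' Path='Security'>" +
         "<Select Path='Security'>*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4647]]</Select>" +
         "</Query></QueryList>"
$EscapedQuery = [System.Security.SecurityElement]::Escape($Query)

$TaskXml = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>$EscapedQuery</Subscription>
    </EventTrigger>
  </Triggers>
  <Principals>
    <!-- GroupId + LeastPrivilege: runs interactively as the logging-off user, never elevated -->
    <Principal id="Author">
      <GroupId>$GroupId</GroupId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <ExecutionTimeLimit>PT5M</ExecutionTimeLimit>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -NonInteractive -ExecutionPolicy Bypass -File "$ScriptPath"</Arguments>
    </Exec>
  </Actions>
</Task>
"@

$XmlFile = Join-Path $env:TEMP "$TaskName.xml"
# schtasks expects the file in the encoding the XML header declares (UTF-16).
$TaskXml | Out-File -FilePath $XmlFile -Encoding Unicode
schtasks.exe /Create /TN $TaskName /XML $XmlFile /F
Remove-Item $XmlFile -Force
```

Parallel is set because several users can log off a shared XenApp server at the same moment; the short time limit keeps a hung run from outliving the session.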

Author Comment

by:meirionwyllt
ID: 41833404
Hi James, although the scheduled task option was always a workaround that I'd be willing to use as a last resort, I think it's time to go down that road, because you speak of Windows 10 problems with Logoff Powershell scripts - plus I've actually had a call open with Microsoft for about 2 months now where they've been trying to find out why some commands won't run inside a PowerShell Logon script with Windows 10 although it works fine on Windows 7, or when run manually.  They haven't yet admitted that this is a bug, despite my insistence, so it's interesting to hear that there is a reported bug with Powershell Logoff scripts.

Anyway, I had a look at Scheduled Tasks, and was dismayed to find that you can't do it natively for Logoff triggers, only for Logon Triggers.  So I've followed the article you posted, and for some reason I can't get the task to run at all.  Says "Last Run Time:  Never"

The trigger has been checked and double checked and is correctly configured.  I can also see the 4647 event in the logs that should have kicked off the task.

I've ticked 'Run with highest privileges'.  I'm not sure what user/group I should have this task run under.  I've tried SYSTEM, Administrator and Domain Users, but nothing works.  What should I put here to ensure that the task runs for all AD users?  The script wouldn't be relevant to local users because of the redirected desktop.

And what about the 'Run only when user is logged on' - does Windows consider the user to be 'logged on' if they've just pressed a button to log themselves off?

Thanks.
LVL 9

Expert Comment

by:James Rankin
ID: 41833407
Have you got logon and logoff auditing turned on in Local Security Policy/GPO? If you run the task manually does it succeed?

I wouldn't run it under an admin user context - if you want it to clear the Recycle Bin you need to run in the user context.

If you can wait a bit I may get a chance to test this in the lab, although I have to record a video now and at 3pm I need to have a long meeting with some guys in New York. If I can slot in a minute to check some of the questions you've asked I will. It is 2008 R2 you are running this on, yes?

Author Comment

by:meirionwyllt
ID: 41833631
Yes I have Success and Failure ticked in my local policy for 'Audit logon events', which I gather includes logoff events as well.

I've set the task to run with 'Domain Users', although putting a group name here feels wrong somehow.

I've then tried to manually run the task when logged in as my test (non-admin) user, and I get "The user account does not have permission to run this task".  So then I found the related XML file in C:\Windows\System32\Tasks, and changed the Domain Users permissions from Read to Read&Execute.  Anyway, now I can run it manually, and it runs fine.

Now before I go on, is this the correct way to allow non-admins to execute Scheduled Tasks?  Does this need to be set to allow execution during logoff as well, or only for running manually?

Yes it's 2008 R2.  Thanks for your help on this.
LVL 9

Expert Comment

by:James Rankin
ID: 41833654
A bit odd that you had to change the perms manually, but Scheduled Tasks can be a bit fiddly. I didn't need to do that on Windows 10, but it may well be an issue that occurred on earlier versions.

See if that gets any better and if it doesn't I can have a look see when I get finished up :-)

Author Comment

by:meirionwyllt
ID: 41833897
That works OK now as a scheduled task, and I've put it into the PVS image for next time.  One thing I notice is that it runs under all users, even local ones.  I thought that running the Task under Domain Users would prevent that.

This isn't an important thing, but it's just for me to understand why it happens really.  D'you know how to make the task run only for domain users (without editing the script itself of course)?

Thanks.
LVL 9

Expert Comment

by:James Rankin
ID: 41833948
What if you restrict the permissions on the XML file to Domain Users only?

Author Comment

by:meirionwyllt
ID: 41837160
Strange.  After I opened up my PVS image to create the scheduled task in private mode, the resulting XML file had the correct permissions, i.e. the local 'Users' group didn't have any permissions on the file, only Domain Users with Read and Read&execute, and the task doesn't run for local users.  Which is what I need of course.

However, now that I've baked it into my gold image and deployed, I'm not getting the task triggered by anything.  Last Run Time - Never, although looking at the event log on that machine there are 4 occasions of Event 4647 being logged.  Furthermore, these 4 users that logged off still have old stuff in their Recycle Bin.

Annoying.  OK, unless you can think of something obvious I'll give AppSense a go with this.  I'll unleash a new version of the EM config to one or two of the live servers on the sly.  I've run out of users with old stuff in their recycle bins now!

What would be the best way of getting some kind of auditing logs from that EM Logoff Action to see what happens?

Thanks.
LVL 9

Expert Comment

by:James Rankin
ID: 41837174
That's really odd. Scheduled Tasks tend to be a bit of a black art, in my experience. Do you need to run it manually before sealing the gold image or something? Seems very strange.

With regards to doing it via EM, you can set up the EM logging and get it to write to a file to see what's going on - if you're on 8.6 it is now much easier - http://appsensebigot.blogspot.co.uk/2015/06/quickpost-debugging-appsense.html

Author Comment

by:meirionwyllt
ID: 41838684
Thanks for your guide on setting up and analysing the EM logs.  Very insightful.

Luckily I didn't need it, because I'm checking the file server that holds all of the redirected Desktop folders (and therefore also the $RECYCLE.BIN folders contained within), and can see that I now have 9GB more than I had this morning, so the Logoff Action has definitely worked!

Yet again AppSense have proven that they can get parts of Windows to work better than Microsoft themselves can.

Thanks for your help.
LVL 9

Expert Comment

by:James Rankin
ID: 41838743
Excellent...might be worth a blog post if I can find the time. Glad it is sorted.

Author Comment

by:meirionwyllt
ID: 41840210
The number of GBs reclaimed due to this script has now risen to 37GB.  Excellent stuff!