Works locally but Doesn't run on logon "Kinda"

This topic contains 2 replies, has 2 voices, and was last updated by  Rob Simmers 2 weeks ago.

  • #85165

    Cody Everingham
    Participant

    So this script runs great with no issues when I run it from the user's account. However, when I turned this into a logon script it doesn't map the drive or set the permissions... but it does create the folder. I was hoping to get another set of eyes on my script to get opinions on whether or not this was a scripting or administration issue.

    It is not failing at (!(test-path "$FolderPath")), as it does recreate the folder.

    # Per-user home folder on the file server
    $FolderPath = "\\server\users\$env:username"
    if (!(test-path "$FolderPath")) {
        # Defined but not used below
        $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
        $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::InheritOnly
        New-Item -ItemType directory -Path $FolderPath
        $acl = Get-Acl $FolderPath
        # Block inheritance from the share root and drop the inherited rules
        $acl.SetAccessRuleProtection($True, $False)
        # Remove any remaining access rules
        $acl.Access | % { $acl.RemoveAccessRule($_) }
        $acl.SetOwner([System.Security.Principal.NTAccount] $env:USERNAME)
        # Modify for the logged-on user (no inheritance flags, so this folder only)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$env:username", 'modify', 'Allow')
        $acl.AddAccessRule($rule)
        (Get-Item $FolderPath).SetAccessControl($acl)
        # Full control for Domain Admins, inherited by subfolders and files
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("LTPC-DOM\Domain Admins", "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
        $acl.AddAccessRule($rule)
        (Get-Item $FolderPath).SetAccessControl($acl)
        # Drive mapping sits inside the if, so it only runs when the folder did not already exist
        (New-Object -ComObject "Wscript.Network").MapNetworkDrive("V:", "$FolderPath")
    }
    
  • #85166

    Cody Everingham
    Participant

    Never mind! It was an administration problem. In case you're interested...

    In that same GPO I forgot I set up a setting to add that folder, so when it ran the script it in fact did fail at:

    if (!(test-path "$FolderPath")) {
    
  • #85169

    Rob Simmers
    Participant

    Is the logon script running as a computer or user policy? Basically, it's a question of the context the script is being executed as during logon. You may want to just add some code that creates a log on the computer that indicates the context the script is executing as (see the first couple lines of this script: https://blogs.msdn.microsoft.com/virtual_pc_guy/2010/09/23/a-self-elevating-powershell-script/) to validate it's executed in the correct context. If that is correct, what are the permissions on the root Users share? Do users have FULL control to create a folder and set permissions?

    [edit] Just saw you figured it out. Happy Holidays!
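
Added example, not part of any post in this thread: a diagnostic preamble for the logon script that logs the execution context suggested above, which branch of the `Test-Path` check is taken, and the resulting owner and ACL. The log location and the `Write-Log` helper are assumptions; the share path and `V:` drive come from the original script.

```powershell
# Added diagnostic example for a logon script (not the original poster's code).
$LogFile    = Join-Path $env:TEMP 'logon-homefolder.log'   # assumed log location
$FolderPath = "\\server\users\$env:USERNAME"               # share path from the post

# Hypothetical helper: append a timestamped line to the log file.
function Write-Log {
    param([string]$Message)
    Add-Content -Path $LogFile -Value ('{0:s} {1}' -f (Get-Date), $Message)
}

# 1. Record the security context the script actually runs under at logon.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Log "Running as $($identity.Name); admin=$isAdmin; host=$env:COMPUTERNAME"

# 2. Record which branch is taken. If something else (for example a GPO setting)
#    created the folder first, everything inside the if block is skipped.
$exists = Test-Path -Path $FolderPath
Write-Log "Test-Path '$FolderPath' returned $exists"

if (-not $exists) {
    try {
        New-Item -ItemType Directory -Path $FolderPath -ErrorAction Stop | Out-Null
        Write-Log 'Folder created'
    } catch {
        Write-Log "Folder creation failed: $($_.Exception.Message)"
    }
} else {
    Write-Log 'Folder already exists; creation, ACL and mapping steps would be skipped'
}

# 3. Record the owner and access rules that ended up on the folder.
try {
    $acl = Get-Acl -Path $FolderPath -ErrorAction Stop
    Write-Log "Owner: $($acl.Owner)"
    foreach ($ace in $acl.Access) {
        Write-Log ('ACE: {0} {1} {2} inherited={3}' -f $ace.IdentityReference,
            $ace.AccessControlType, $ace.FileSystemRights, $ace.IsInherited)
    }
} catch {
    Write-Log "Get-Acl failed: $($_.Exception.Message)"
}

# 4. Record whether the drive letter from the original script is present.
Write-Log "V: mapped = $(Test-Path -Path 'V:\')"
```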
