question

weisnh asked FanFan-MSFT commented

Windows 2016 Group Policy (Computer Configuration) with PowerShell

29774-gpresult.txt

Hi,

I deployed a Group Policy with PowerShell as shown below. What I found wrong is this: when my computer logged on to the AD domain, the GPO with PowerShell was applied to my client's computer. When I restarted my client's computer and then logged in to the AD domain once again, nothing happened.

There is a PowerShell IF statement inside; it determines whether or not the specific registry key was produced when we set up our OneDrive app. When the user logs in to the AD domain again, the action will be carried out. That means when the user logs in/logs out twice, the PowerShell will do one job each time, separately. The first time the user logs in to the AD domain, PowerShell will write registry data for configuring the OneDrive specific case. This part works well. The second time the user logs in to the AD domain, PowerShell will change some default settings in the registry (this part failed, because I use the following command: Start-Transcript -Path "$($env:windir)\Temp\PS_odConfiguration_Transcript.txt" -Force). I believe the PowerShell should be correct, because I carried out this command on Windows Server 2016 and it works well. Does anyone know what happened or have any idea about it? Thanks.


First time: It is correct that the following code was carried out

New-ItemProperty -Path $_HKLM -Name SharePointOnPremFrontDoorUrl -Value $_SharePointOnPremFrontDoorUrl -PropertyType String -Force
New-ItemProperty -Path $_HKLM -Name SharePointOnPremPrioritization -Value 1 -PropertyType DWord -Force
New-ItemProperty -Path $_HKLM -Name SharePointOnPremTenantName -Value $_SharePointOnPremTenantName -PropertyType String -Force
New-ItemProperty -Path "HKCU:\Software\Classes\New Key #1" -Name SharePointOnPremTenantName -Value $_SharePointOnPremTenantName -PropertyType String -Force

Second time (when the user logs in again, the following code should be carried out, but nothing happened)

if((Test-Path $_DefaultOneDriveFromExplorerRegPath -ErrorAction SilentlyContinue) -eq $true)

...


29797-gpo.png


My PowerShell

 Start-Transcript -Path "$($env:windir)\Temp\PS_odConfiguration_Transcript.txt" -Force
    
 $_Logfile = "$($env:windir)\Temp\PS_odConfiguration.txt"
 $_HKLMRoot = "HKLM:\Software\Policies\Microsoft"
 $_HKLM = "HKLM:\Software\Policies\Microsoft\OneDrive"
 # $_HKCRPath = "HKCR:\CLSID"
 # The HKCU: drive is already rooted at HKEY_CURRENT_USER, so the hive name is not repeated in the path
 $_HKCU = "HKCU:\Software\Classes\CLSID"
 $_SharePointOnPremFrontDoorUrl = "https://doclib.test.cmmp.gov.hk";
 $_SharePointOnPremTenantName = "Unclassified"
 $_OgcioOneDriveFolderName = "Doclib - Unclassified"
 $_DefaultOneDriveFromExplorerRegPath = "HKCU:\Software\Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" 
    
 if((Test-Path $_HKLM -ErrorAction SilentlyContinue) -eq $true)
 {
     if((Get-ItemProperty -LiteralPath $_HKLM -Name SharePointOnPremTenantName).SharePointOnPremTenantName -ne $_SharePointOnPremTenantName)
         {        
             Write-Host ($(Get-Date -Format "o"), " ", (Get-ItemProperty -LiteralPath $_HKLM).SharePointOnPremTenantName)
             ($(Get-Date -Format "o"), " ", (Get-ItemProperty -LiteralPath $_HKLM).SharePointOnPremTenantName) >> $_Logfile
    
             ($(Get-Date -Format "o"), " ", "Get started with SharePointOnPremTenantName") >> $_Logfile
    
             Set-ItemProperty -Path $_HKLM -Name SharePointOnPremTenantName -Value $_SharePointOnPremTenantName -Type String
    
             ($(Get-Date -Format "o"), " ", "Get started with SharePointOnPremTenantName # DONE") >> $_Logfile
         }
    
     if((Get-ItemProperty -LiteralPath $_HKLM -Name SharePointOnPremFrontDoorUrl).SharePointOnPremFrontDoorUrl -ne $_SharePointOnPremFrontDoorUrl)
         {
             Write-Host ($(Get-Date -Format "o"), " ", (Get-ItemProperty -LiteralPath $_HKLM).SharePointOnPremFrontDoorUrl)
             ($(Get-Date -Format "o"), " ", (Get-ItemProperty -LiteralPath $_HKLM).SharePointOnPremFrontDoorUrl) >> $_Logfile
    
             ($(Get-Date -Format "o"), " ", "Get started with SharePointOnPremFrontDoorUrl") >> $_Logfile
                
             Set-ItemProperty -Path $_HKLM -Name SharePointOnPremFrontDoorUrl -Value $_SharePointOnPremFrontDoorUrl -Type String
    
             ($(Get-Date -Format "o"), " ", "Get started with SharePointOnPremFrontDoorUrl # DONE") >> $_Logfile
         }
            
     if((Test-Path $_DefaultOneDriveFromExplorerRegPath -ErrorAction SilentlyContinue) -eq $true)
         {   
             Write-Host ($(Get-Date -Format "o"), " ", $_DefaultOneDriveFromExplorerRegPath)
             ($(Get-Date -Format "o"), " ", $_DefaultOneDriveFromExplorerRegPath) >> $_Logfile
                
             $_Acl = Get-Acl $_DefaultOneDriveFromExplorerRegPath
             ($(Get-Date -Format "o"), " ", $_acl) >> $_Logfile
                
             $_Rule = New-Object System.Security.AccessControl.RegistryAccessRule ("litwareinc\Administrator","FullControl","Allow")
             ($(Get-Date -Format "o"), " ", $_rule) >> $_Logfile
                
             # Pass the rule built above ($_Rule); $rule was never assigned
             $_Acl.SetAccessRule($_Rule)
             $_Acl | Set-Acl -Path $_DefaultOneDriveFromExplorerRegPath
                
             ($(Get-Date -Format "o"), " ", $_DefaultOneDriveFromExplorerRegPath) >> $_Logfile 
             Set-ItemProperty -LiteralPath $_DefaultOneDriveFromExplorerRegPath -Name System.IsPinnedToNameSpaceTree -Value 0
                
             Get-ChildItem $_HKCU -rec -ea SilentlyContinue | foreach {
                
             # Named $CurrentKey because every check below reads $CurrentKey
             $CurrentKey = (Get-ItemProperty -LiteralPath $_.PsPath)
             ($(Get-Date -Format "o"), " ", $CurrentKey) >> $_Logfile
                
             # 04271989-C4D2
             if (($CurrentKey.PSChildName -like "*04271989-C4D2*") -eq $true) 
               {            
                     
                 Write-Host ($(Get-Date -Format "o"), " The Registry of OneDrive was found")
                 ($(Get-Date -Format "o"), " ", $CurrentKey.PSChildName) >> $_Logfile 
                
                 $_Acl = Get-Acl $CurrentKey.PSPath
                 ($(Get-Date -Format "o"), " ", $_Acl) >> $_Logfile
                
                 $_Rule = New-Object System.Security.AccessControl.RegistryAccessRule ("litwareinc\Administrator","FullControl","Allow")
                 ($(Get-Date -Format "o"), " ", $_Rule) >> $_Logfile
                
                 # Use the $_Acl and $_Rule objects created just above; $acl and $rule were never assigned
                 $_Acl.SetAccessRule($_Rule)
                 $_Acl | Set-Acl -Path $CurrentKey.PSPath
                    
                 # Write-Host ($(Get-Date -Format "o"), " ", $CurrentKey.PSParentPath)
                 # Write-Host ($(Get-Date -Format "o"), " ", $CurrentKey.PSChildName)            
                
                 $_regPath = $CurrentKey.PSPath
                 ($(Get-Date -Format "o"), " ", $_regPath) >> $_Logfile
                
                 $_Value = Get-ItemProperty -LiteralPath $_regPath
                 ($(Get-Date -Format "o"), " ", $_Value) >> $_Logfile
                
                 Write-Host ($(Get-Date -Format "o"), " ",  $_regPath)
                 Write-Host ($(Get-Date -Format "o"), " ",  $_value."(default)")
                
                 try
                     {
                             Write-Host $(Get-Date -Format "o")
                             Write-Host "Get started on updating new registry value $_OgcioOneDriveFolderName"
                             ($(Get-Date -Format "o"), " Get started on updating new registry value $_OgcioOneDriveFolderName") >> $_Logfile
                        
                             Set-ItemProperty -LiteralPath $_regPath -Name "(Default)" -Value $_OgcioOneDriveFolderName
                        
                             Write-Host "To UPDATE new registry value $_OgcioOneDriveFolderName # DONE"
                             ($(Get-Date -Format "o"), " To UPDATE new registry value $_OgcioOneDriveFolderName # DONE") >> $_Logfile
                        
                             break
                     }
                 Catch [System.UnauthorizedAccessException]
                     {   
                             Write-Host ($(Get-Date -Format "o"), " ",  $Error[0].Exception)
                             ($(Get-Date -Format "o"), " ", $Error[0].Exception) >> $_Logfile
                        
                             Write-Host ($(Get-Date -Format "o"), " ",  $Error[0].ErrorDetails)
                             ($(Get-Date -Format "o"), " ", $Error[0].ErrorDetails) >> $_Logfile
                        
                             Write-Host ($(Get-Date -Format "o"), " ",  $Error[0].ScriptStackTrace)
                             ($(Get-Date -Format "o"), " ", $Error[0].ScriptStackTrace) >> $_Logfile
                        
                             Write-Host ($(Get-Date -Format "o"), " ",  $Error[0].TargetObject)
                             ($(Get-Date -Format "o"), " ", $Error[0].TargetObject) >> $_Logfile
                        
                             Write-Host ($(Get-Date -Format "o"), " ",  $Error[0].PSMessageDetails)
                             ($(Get-Date -Format "o"), " ", $Error[0].PSMessageDetails) >> $_Logfile
                     }
                 Catch [System.IO.DirectoryNotFoundException]
                     {    
                             Write-Host ($(Get-Date -Format "o"), " ",  $Error[0].Exception)
                             ($(Get-Date -Format "o"), " ", $Error[0].Exception) >> $_Logfile
                                
                             Write-Host ($(Get-Date -Format "o"), " ",  $Error[0].ErrorDetails)
                             ($(Get-Date -Format "o"), " ", $Error[0].ErrorDetails) >> $_Logfile
                                
                             Write-Host ($(Get-Date -Format "o"), " ",  $Error[0].ScriptStackTrace)
                             ($(Get-Date -Format "o"), " ", $Error[0].ScriptStackTrace) >> $_Logfile
                                
                             Write-Host ($(Get-Date -Format "o"), " ",  $Error[0].TargetObject)
                             ($(Get-Date -Format "o"), " ", $Error[0].TargetObject) >> $_Logfile
                                
                             Write-Host ($(Get-Date -Format "o"), " ",  $Error[0].PSMessageDetails)
                             ($(Get-Date -Format "o"), " ", $Error[0].PSMessageDetails) >> $_Logfile
                     }
                 Catch
                     {    
                             Write-Host ($(Get-Date -Format "o"), " ",  $Error[0].Exception)
                             ($(Get-Date -Format "o"), " ", $Error[0].Exception) >> $_Logfile
                                
                             Write-Host ($(Get-Date -Format "o"), " ",  $Error[0].ErrorDetails)
                             ($(Get-Date -Format "o"), " ", $Error[0].ErrorDetails) >> $_Logfile
                                
                             Write-Host ($(Get-Date -Format "o"), " ",  $Error[0].ScriptStackTrace)
                             ($(Get-Date -Format "o"), " ", $Error[0].ScriptStackTrace) >> $_Logfile
                                
                             Write-Host ($(Get-Date -Format "o"), " ",  $Error[0].TargetObject)
                             ($(Get-Date -Format "o"), " ", $Error[0].TargetObject) >> $_Logfile
                
                             Write-Host ($(Get-Date -Format "o"), " ",  $Error[0].PSMessageDetails)
                             ($(Get-Date -Format "o"), " ", $Error[0].PSMessageDetails) >> $_Logfile
                     } 
               }    
             }
         }
 }
 else
 { 
     Write-Host ($(Get-Date -Format "o"), " Get started on OneDrive preset")
     ($(Get-Date -Format "o"), " ", "Get started with OneDrive preset") >> $_Logfile
    
     # Set the location to the registry
     Set-Location -Path $_HKLMRoot
     ($(Get-Date -Format "o"), " ", $_HKLMRoot) >> $_Logfile
    
     # Create a new Key
    
     Get-Item -Path $_HKLMRoot | New-Item -Name OneDrive -Force
    
     # Create new items with values
        
     New-ItemProperty -Path $_HKLM -Name SharePointOnPremFrontDoorUrl -Value $_SharePointOnPremFrontDoorUrl -PropertyType String -Force
     New-ItemProperty -Path $_HKLM -Name SharePointOnPremPrioritization -Value 1 -PropertyType DWord -Force    
     New-ItemProperty -Path $_HKLM -Name SharePointOnPremTenantName -Value $_SharePointOnPremTenantName -PropertyType String -Force
     New-ItemProperty -Path "HKCU:\Software\Classes\New Key #1" -Name SharePointOnPremTenantName -Value $_SharePointOnPremTenantName -PropertyType String -Force
        
     # Get out of the Registry
     Pop-Location
    
     Write-Host ($(Get-Date -Format "o"), " Get started with OneDrive preset # DONE")
     ($(Get-Date -Format "o"), " ", "Get started with OneDrive preset # DONE") >> $_Logfile
 }
    
 Stop-Transcript


windows-server-powershell windows-group-policy
gpo.png (297.3 KiB)
gpresult.txt (10.1 KiB)

Hi,
Thanks for posting here!
Would you please tell us more about the configuration information for the GPOs?
Are the GPOs based on the computer configuration or the user configuration?
What are the scripts used to do?
If possible, please share a screenshot of the gpresult; you can use the command gpresult /h report.html to get the gpresult.
Best Regards,

0 Votes 0 ·

Hi fan fan,

I have rephrased the question in more detail once again. Do you have any idea about it?

Thanks

0 Votes 0 ·

Hi Fan Fan,

I also uploaded gpresult.txt for you to look at. Thanks. The policy is called "Custom Group Policy".

0 Votes 0 ·

Hi Fan Fan,

When we install OneDrive, the default connection is for M365/OneDrive. My client uses SharePoint 2019 On Premise, so we need to add the registry values to change the default OneDrive connection behavior towards On Premise.
The sample script is like the following:

 New-ItemProperty -Path $_HKLM -Name SharePointOnPremPrioritization -Value 1 -PropertyType DWord -Force
 New-ItemProperty -Path $_HKLM -Name SharePointOnPremTenantName -Value $_SharePointOnPremTenantName -PropertyType String -Force
 New-ItemProperty -Path "HKCU:\Software\Classes\New Key #1" -Name SharePointOnPremTenantName -Value $_SharePointOnPremTenantName -PropertyType String -Force

The part for changing the OneDrive default folder name is as shown above, starting from this line:

 if((Test-Path $_DefaultOneDriveFromExplorerRegPath -ErrorAction SilentlyContinue) -eq $true)

Thanks

0 Votes 0 ·

1 Answer

LarryDesmond-9681 answered FanFan-MSFT commented

Need more info: Local GP or AD GPO?
Do both GPs show as being applied via gpresult /R?


Hi Larry,

It's an AD GPO. I have rephrased the question in more detail once again. Sure, I used the gpresult command to see whether the GPO was applied. It turns out that it is applied, but the command shows it hasn't been performed (second time).

Thanks

0 Votes 0 ·

Hi Larry,

I uploaded GPRESULT as well. Thanks. My policy is called "Custom Group Policy".

0 Votes 0 ·

Hi,
Sorry, I am not familiar with the scripts, and I can't give you advice on that.
For the GPO, based on my understanding, you want the scripts to run when the user logs on, so we need to set the scripts through the logon scripts under user configuration instead of the startup scripts under the computer configuration.
Fan

0 Votes 0 ·
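
The startup-versus-logon distinction raised in the comment above, as an added example that is not part of the original thread: a Computer Configuration startup script runs as Local System, so `HKCU:` is that account's hive and not the signing-in user's, while a logon script running as a standard user normally cannot write under `HKLM:\Software\Policies`. The sketch assumes the same file is assigned both as a startup script and as a logon script; the log file name is hypothetical, and the registry names and values are the ones from the question.

```powershell
# Added example: do only the work that fits the account the GPO script runs as.
$ErrorActionPreference = 'Stop'

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$log      = Join-Path $env:TEMP 'odConfiguration_context.txt'   # hypothetical log name

function Write-Log([string]$Message) {
    "{0} [{1}] {2}" -f (Get-Date -Format o), $identity.Name, $Message |
        Add-Content -Path $log
}

# HKCU: is the hive of the running account; under SYSTEM this is HKEY_USERS\S-1-5-18
Write-Log "HKCU resolves to HKEY_USERS\$($identity.User.Value)"

if ($identity.IsSystem) {
    # Startup script context: machine-wide policy values under HKLM
    $policyKey = 'HKLM:\Software\Policies\Microsoft\OneDrive'
    if (-not (Test-Path -LiteralPath $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    New-ItemProperty -Path $policyKey -Name SharePointOnPremFrontDoorUrl `
        -Value 'https://doclib.test.cmmp.gov.hk' -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $policyKey -Name SharePointOnPremPrioritization `
        -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $policyKey -Name SharePointOnPremTenantName `
        -Value 'Unclassified' -PropertyType String -Force | Out-Null
    Write-Log 'Machine policy values written'
}
else {
    # Logon script context: per-user shell settings in the user's own hive
    $clsidKey = 'HKCU:\Software\Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}'
    if (Test-Path -LiteralPath $clsidKey) {
        Set-ItemProperty -LiteralPath $clsidKey -Name 'System.IsPinnedToNameSpaceTree' -Value 0
        Write-Log "Updated $clsidKey"
    }
    else {
        Write-Log "$clsidKey is not present for this user yet"
    }
}
```

The first log line of each run shows which account and which hive the script actually touched, which is the quickest way to confirm whether a per-user change was attempted in the user's profile at all.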

Hi,
Welcome to share your current situation if there are any updates.
Please feel free to let us know if you need further assistance.
 
Best Regards,

0 Votes 0 ·

Hi FanFan,

If we set the scripts through the logon scripts under user configuration, it cannot work. But anyway, I am attempting to figure out what happened. Thanks

0 Votes 0 ·