Channel: Windows PowerShell forum

Stumped at AutoLogin issue


So I wrote a series of PowerShell scripts that are run after a new PC is imaged.

Part1

Determines if VDI or Physical PC and adds to domain if PC (VDI's are already on domain)

Prompts for user the PC being built is for and adds to Administrators group and Remote Desktop Users group using ADSI commands

If the user name is our ConferenceRoom login ID I have the script do the following:

If ($PCUser -eq "ConferenceRoom")
{
    Write-Verbose "ConferenceRoom ID Recognized" -Verbose
    # Setup Windows to login as SETUP
    $domain = "BLAIRNET"
    $Key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    # add if statements to remove red everytime
    Set-ItemProperty -Path $Key -Name "AutoAdminLogon" -Value "1"
    New-ItemProperty -Path $Key -Name "DefaultDomainName" -Type String -Value $domain
    New-ItemProperty -Path $Key -Name "DefaultUserName" -Type String -Value "setup"
    New-ItemProperty -Path $Key -Name "DefaultPassword" -Type String -Value "password"

    # Add REGISTRY KEY TO RUN NEXT STEP AFTER LOGIN
    $RunOnceKey = "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
    $RegValue = "C:\blair\Run2a.cmd"
    New-ItemProperty -Path $RunOnceKey -Name Part2a -Value $RegValue
}

(This is where I am having the issues, so I will continue my explanation as if I entered "ConferenceRoom".)

I then force a reboot and the PC reboots, logs in as setup and Runs a batch script that kicks off Part2a.ps1 as expected, which runs the following script:

##  Append PC to ConferenceRoom ID Logon Allowed Logon Workstations

$domain = "BLAIRNET"
$Key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Set-ItemProperty -Path $Key -Name "AutoAdminLogon" -Value "1"
Set-ItemProperty -Path $Key -Name "DefaultDomainName" -Type String -Value $domain
Set-ItemProperty -Path $Key -Name "DefaultUserName" -Type String -Value "setup"
Set-ItemProperty -Path $Key -Name "DefaultPassword" -Type String -Value "password"



# Add REGISTRY KEY TO RUN NEXT STEP AFTER LOGIN
$RunOnceKey = "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
$RegValue = "C:\blair\Run2b.cmd"
New-ItemProperty -Path $RunOnceKey -Name Part2b -Value $RegValue



Restart-Computer -Force


This basically adds the registry entry to autologin as setup again, and runs a batch script at the next login (probably makes no sense, but it seems to be the only way I get the next script to run).

The PC reboots, logs in as setup, and kicks off a batch file to kick off Part2b.ps1 which is the following:

Write-Verbose "Adding this PC to ConferenceRoom Allowed logins" -Verbose 

$PCUser = "ConferenceRoom"
$LOsearcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]'') 
$LOsearcher.Filter = "(&(objectClass=User)(samAccountName=$PCUser))" 
Write-Verbose "Action" -Verbose
$LOresult = $LOsearcher.FindOne() 
$LOuser = [ADSI] $LOresult.path
$Names = ($LOuser.psbase.invokeGet("userworkstations"))
$Names = $Names + ","+$env:COMPUTERNAME
$LOuser.psbase.invokeSet("userWorkstations",$Names) 
Write-Verbose "Action" -Verbose
$LOuser.setinfo() 

pause

Write-Verbose "Remove Auto Login settings in the registry" -Verbose
#  Remove Auto Login settings in the registry
$Key2 = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
pause
Set-ItemProperty -Path $Key2 -Name "AutoAdminLogon" -Value "0" -ErrorAction Inquire
regedit.exe
pause
New-ItemProperty -Path $Key2 -Name "AutoLogonCount" -Value "0" -ErrorAction Inquire
pause
Set-ItemProperty -Path $Key2 -Name "DefaultDomainName" -Value " " -ErrorAction Inquire
pause
Set-ItemProperty -Path $Key2 -Name "DefaultUserName" -Value " " -ErrorAction Inquire
pause
Set-ItemProperty -Path $Key2 -Name "DefaultPassword" -Value " " -ErrorAction Inquire


# CHANGE DEFAULT LOGIN TO ConferenceRoom ID
Write-Verbose "CHANGE DEFAULT LOGIN TO ConferenceRoom ID" -Verbose
$PCUser = "ConferenceRoom"
$domain = "BLAIRNET"
$Key1 = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI"
$NewKeyValue = $domain + "\" + $PCUser
Set-ItemProperty -path $Key1 -name LastLoggedOnSamUser $NewKeyValue 
Set-ItemProperty -path $Key1 -name LastLoggedOnUser $NewKeyValue

pause

Write-Verbose "Add REGISTRY KEY TO RUN NEXT STEP AFTER LOGIN" -Verbose
# Add REGISTRY KEY TO RUN NEXT STEP AFTER LOGIN
$RunOnceKey = "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
$RegValue = "C:\blair\Run2.cmd"
New-ItemProperty -Path $RunOnceKey -Name Part2 -Value $RegValue

pause

Restart-Computer -Force

This script will append the name of the PC to the UserWorkstations attribute of the ConferenceRoom ID successfully.

(Side note - We need to lock down the ConferenceRoom ID to the workstations we specify.  I have it login as setup to run this script specifically as it has proper AD rights, which is the whole point of these 2a,2b scripts, as Part2 will not work because the PC will not let ConferenceRoom login until the PC Name is added.)

Then the goal is to remove the AutoLogin as setup and force ConferenceRoom as the LastLoggedinUser. (This is the same code I use in the Part1.ps1 if ConferenceRoom is not the user name and it works great when I use the code above.)

Unfortunately what I see happening, after adding some debugging code, is this:

1.  ADSI commands work great and the PC is appended to the ConferenceRoom UserWorkstations attribute.

2. I have regedit open and I watch the changes being made one by one successfully for the autologin settings without error and even watch the AutoLogon Count get added to the registry.  

3. I watch the code to list the last logged in user as the ConferenceRoom ID.

4. I watch the code change the registry setting to run part2 after logging in. 

*** Finally - the issue!!

5.  The PC restarts and I expect it to show me ConferenceRoom.  However it actually logs in as setup again and kicks off Part2.  I stop the script and open the registry only to see all the changes I made in the last script not there and the key that was created is not there.  

I am at a complete loss on why this is.  Anyone have any ideas?  It is almost like the registry settings for each user are different.

Matt


Matt Dillon
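
A read-only check of the Winlogon autologon values in both the 64-bit and 32-bit registry views, added here as an example and not part of the original post. It assumes 64-bit Windows and PowerShell 3.0 or later (needed for OpenBaseKey); Get-WinlogonView is a hypothetical helper name, and the post does not state that registry redirection is involved.

```powershell
# Added example: audit leftover autologon values in both registry views.
# Assumption: 64-bit Windows, and the provisioning script may be running in a
# 32-bit (WOW64) PowerShell host. Nothing in the post confirms this.

$subKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$names  = 'AutoAdminLogon', 'AutoLogonCount', 'DefaultDomainName',
          'DefaultUserName', 'DefaultPassword'

function Get-WinlogonView {          # hypothetical helper, not from the post
    param([Microsoft.Win32.RegistryView]$View)

    $key  = $null
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($subKey)          # read-only handle
        foreach ($name in $names) {
            $value = $null
            if ($key) { $value = $key.GetValue($name, $null) }
            # Never echo the stored password; report only that one exists.
            if ($name -eq 'DefaultPassword' -and $null -ne $value) {
                $value = '<present>'
            }
            if ($null -eq $value) { $value = '<not set>' }
            [pscustomobject]@{ View = $View; Name = $name; Value = $value }
        }
    }
    finally {
        if ($key) { $key.Dispose() }
        $base.Dispose()
    }
}

# False here means the host is 32-bit and its HKLM:\SOFTWARE writes are redirected.
"Process is 64-bit: $([Environment]::Is64BitProcess)"

$report = @(
    Get-WinlogonView -View Registry64
    Get-WinlogonView -View Registry32
)
$report | Format-Table -AutoSize

# Flag any view that still holds autologon settings after provisioning.
$report | Where-Object {
    ($_.Name -eq 'DefaultPassword' -and $_.Value -eq '<present>') -or
    ($_.Name -eq 'AutoAdminLogon'  -and $_.Value -eq '1')
} | ForEach-Object { Write-Warning "$($_.View): $($_.Name) is still set" }
```

A DefaultPassword value of a single space, as the Part2b script writes, still exists in the registry and is reported as present by this check.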




