GPO vs Toolkit – unable to make the toolkit replace the GPO

2016-05-24T20:48:25+00:00


  • Author
    Posts
  • Sid
    Participant
    Post count: 1

    I am setting up Winext.scr on our network. I set up a GPO to enable everything and it works except for setting ACL on two registry keys (this is not part of the problem).

    I thought I would instead deploy the screensaver as an application and use the toolkit to create and populate the registry entries needed for WinExt, but even though I have the correct entries set up, the entries get set but the screen saver does not work.

    My question is “Is there something related to security or something else that using a GPO to set the values vs a PowerShell script would somehow be different?”

    I can remove the GPO and run the SCCM Deployment and the same registry keys seem to get updated but the screen saver does not work.

    When I use toolkit the Windows Screensaver options don't show but the registry entries are there. When I use the script the Screensaver properties show in the screen saver page.

    Hope this is enough info to spur some ideas.

    Here is my script:

    ##*===============================================
    ##* INSTALLATION
    ##*===============================================

    ## <Perform Installation tasks here>
    [string]$installPhase = "Installation"

    Write-Host "Setting ACL Keys ..."

    $OSa = $ENV:PROCESSOR_ARCHITECTURE
    $OSv = (Get-WmiObject -Class Win32_OperatingSystem).Caption

    if ($OSa -eq "x86")
    {
        ## Set registry ACL rights # Set 32 bit Key
        $objWinExitAcl = $null
        $objWinExitAcl = Get-Acl "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\control.ini"

        # Allow Authenticated Users to set values and create subkeys, inherited by child keys
        $objAccessRule = New-Object System.Security.AccessControl.RegistryAccessRule("Authenticated Users","SetValue, CreateSubKey","ContainerInherit, ObjectInherit","None","Allow")

        $objWinExitAcl.AddAccessRule($objAccessRule)

        Set-Acl "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\control.ini" $objWinExitAcl
    }
    else
    {
        ## Set registry ACL rights # Set 64 bit Key
        $objWinExitAcl = Get-Acl "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\IniFileMapping\control.ini"

        $objAccessRule = New-Object System.Security.AccessControl.RegistryAccessRule("Authenticated Users","SetValue, CreateSubKey","ContainerInherit, ObjectInherit","None","Allow")

        $objWinExitAcl.AddAccessRule($objAccessRule)

        Set-Acl "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\IniFileMapping\control.ini" $objWinExitAcl
    }

    Write-Host "Copying all Content ..."

    # $Win10Control, $Win7Control and $WinFiles are not defined in the posted excerpt
    if ($OSv -eq "Microsoft Windows 10 Enterprise")
    {
        Copy-File -Path "$dirFiles\control.ini" -Recurse -Destination $Win10Control
    }
    else
    {
        Copy-File -Path "$dirFiles\control.ini" -Recurse -Destination $Win7Control
    }

    Copy-File -Path "$dirFiles\winexit.*" -Recurse -Destination $WinFiles

    Write-Host "Setting ScreenSaver Registry Key..."
    $regkeypath1 = "HKU\.DEFAULT\Control Panel\Desktop"
    $regkeypath2 = "HKCU\Control Panel\Desktop"
    $regkeypath3 = "HKLM\SOFTWARE\Policies\Microsoft\Windows\System"

    # $UserProfile is supplied by Invoke-HKCURegistrySettingsForAllUsers for each user profile;
    # -SID redirects the HKCU path to that user's hive
    $HKCURegistrySettings =
    {
        Set-RegistryKey -Key $regkeypath2 -Name "ScreenSaveActive" -Value 1 -Type String -SID $UserProfile.SID
        Set-RegistryKey -Key $regkeypath2 -Name "ScreenSaverIsSecure" -Value 1 -Type String -SID $UserProfile.SID
        Set-RegistryKey -Key $regkeypath2 -Name "SCRNSAVE.EXE" -Value "winexit.scr" -Type String -SID $UserProfile.SID
        Set-RegistryKey -Key $regkeypath2 -Name "ScreenSaveTimeout" -Value 3600 -Type String -SID $UserProfile.SID
    }
    Invoke-HKCURegistrySettingsForAllUsers -RegistrySettings $HKCURegistrySettings

    # Same values for the .DEFAULT hive
    Set-RegistryKey -Key $regkeypath1 -Name "ScreenSaveActive" -Value 1 -Type String
    Set-RegistryKey -Key $regkeypath1 -Name "ScreenSaverIsSecure" -Value 1 -Type String
    Set-RegistryKey -Key $regkeypath1 -Name "SCRNSAVE.EXE" -Value "winexit.scr" -Type String

    # Set Standard Desktop - Logon Screen Saver Timeout Time - in seconds
    Set-RegistryKey -Key $regkeypath1 -Name "ScreenSaveTimeout" -Value 3600 -Type String
    Set-RegistryKey -Key $regkeypath3 -Name "UserPolicyMode" -Value 1 -Type DWord

  • Pierrick
    Participant
    Post count: 15

    Hello Sid!

    Your script works but the toolkit does not. I think you’re having an issue with your HKCU settings. When you deploy with SCCM, the SYSTEM account is used and has to be set to work with.
    I made a script to deploy the OneDrive sync tool. I have described a way to manage the current user scenario.

    In this kind of deployment, I could suggest that you use PowerShell DSC (Desired State Configuration). You will have more flexibility to manage configurations and nodes.
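
A read-only diagnostic for the SYSTEM-context point raised in the reply above, added here as an example and not part of either post. It prints the account the script runs as and lists the screen saver values for every loaded user hive, both in the `Control Panel\Desktop` key the posted script writes and in the `Software\Policies` key that the Group Policy screen saver settings write. The function name `Get-ScreenSaverState` is hypothetical; the value names are the ones used in the script in the first post.

```powershell
# Added example: shows where the screen saver values actually landed.
$valueNames = 'ScreenSaveActive', 'ScreenSaverIsSecure', 'SCRNSAVE.EXE', 'ScreenSaveTimeout'
$subKeys = [ordered]@{
    Preference = 'Control Panel\Desktop'                                      # written by the posted script
    Policy     = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'  # written by Group Policy
}

# Under an SCCM deployment this reports NT AUTHORITY\SYSTEM (S-1-5-18),
# so a plain HKCU path resolves to the SYSTEM hive, not the logged-on user's.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Host ("Running as {0} ({1})" -f $me.Name, $me.User.Value)

function Get-ScreenSaverState {
    # One row per loaded hive and location. Only loaded hives appear under
    # HKEY_USERS, i.e. .DEFAULT, service accounts and logged-on users.
    $hku = [Microsoft.Win32.Registry]::Users
    foreach ($sid in $hku.GetSubKeyNames()) {
        if ($sid -like '*_Classes') { continue }   # per-user COM class hives, not relevant here
        foreach ($location in $subKeys.Keys) {
            $key = $null
            try {
                # Opens read-only; throws if the caller may not read that hive
                $key = $hku.OpenSubKey("$sid\$($subKeys[$location])")
            } catch [System.Security.SecurityException] {
                Write-Warning "No read access to $sid ($location); run elevated"
            }
            $row = [ordered]@{ SID = $sid; Location = $location; KeyExists = [bool]$key }
            foreach ($name in $valueNames) {
                # Registry value names are case-insensitive
                $row[$name] = if ($key) { $key.GetValue($name) } else { $null }
            }
            if ($key) { $key.Close() }
            [pscustomobject]$row
        }
    }
}

Get-ScreenSaverState | Format-Table -AutoSize
```

Run it once from an elevated prompt as the logged-on user and once in the deployment context, then compare the rows for the user's SID with the rows for `S-1-5-18` and `.DEFAULT`.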
