Windows – Why is the logon script not mapping any drives

Tags: group-policy, logon-scripts, powershell, windows

I've written a logon script in PowerShell. The script is embedded in a GPO and runs when a user is logging into the domain.

My problem is that the drives I deploy in the script don't get deployed. I'm sure the logon script runs, because at the end of the script I send an email to myself and I always receive it. So running the script should not be the problem. I'm also logging the whole $Error variable each time the script runs, and there is no indication of why this error occurs.

I'm almost certain that the error is not in the script itself; it has to be a permission error, I think.

I think that this could be solved if I specify the -NoProfile parameter when running the script, but I don't know where to put this in the GPO. I don't want a batch file calling the script because of beauty reasons :-).

Edit: specifying -NoProfile didn't solve the issue.

Edit: Since there was a comment saying there is not enough information about how the drives are mapped, I pasted the whole mapping part below:

# UserOU as a parameter, value set in GPO
Param([string]$UserOU)

# preparing some stuff...
# Note: relative paths resolve against the script's working directory, which the GPO sets to the script folder.
Import-Module .\SecureStringFunctions.psm1
# Fixed key 1..16: this only obfuscates the stored password; anyone who can read the script and the file can recover it.
[Byte[]]$key = (1..16)
$pw = Get-Content .\LocalAdminCred.txt | ConvertTo-SecureString -Key $key

# Tried this to elevate the script IF it's needed. Didn't solve my problem. Works only on PS 4.0 but didn't solve the issue on my 5.0 machine.
if (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
{ Start-Process powershell.exe "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs; exit }

# Import CSV with drive information based on username and userOU to get every mapping that the current user needs.
# Also replacing a string inside the CSV for the current session to map the home drive of each user.
$Drives = (Get-Content .\NetworkDrives.csv) -replace "userhome",$env:username | ConvertFrom-Csv -Delimiter ';' | Where-Object {
    (($_.Group.split(',') -contains $UserOU) -or ($_.Group.split(',') -contains $env:username)) -and (!(Test-Path $_.Letter))
}

# When I export the $Drives variable at this point, all drives were read correctly, so the failure must occur in the mapping.

# Map all drives for the current user. Drives to DMZ with password in plain text because ".MapNetworkDrive" only accepts plain text.
$Drives | ForEach-Object {
    if (![System.String]::IsNullOrEmpty($_.Username)) {
        if (($UserOU -like 'admin*') -and (($_.Server -ne $env:computername) -or ([System.String]::IsNullOrEmpty($_.Server)))) {
            # 'continue' inside a ForEach-Object script block does not skip the item, it stops the whole pipeline;
            # 'return' ends the script block for this item only and moves on to the next drive.
            return
        }
        # -AsPlainText/-Force are not parameters of the built-in PS 5 ConvertFrom-SecureString;
        # assumed to be provided by the SecureStringFunctions.psm1 module imported above.
        [string]$pwplain = ConvertFrom-SecureString $pw -AsPlainText -Force
        $Map = New-Object -ComObject WScript.Network
        $Map.MapNetworkDrive($_.Letter, $_.Path, $false, $_.Username, $pwplain)
        $pwplain = ""
    } else {
        $Map = New-Object -ComObject WScript.Network
        $Map.MapNetworkDrive($_.Letter, $_.Path, $false)
    }
}

Best Answer

I've got a solution now.

What creates this behaviour of your logon script not wanting to map drives?

If you have Windows 10, you want to use Edge, Calculator and PDF App. Microsoft says you need UAC enabled for that, otherwise it won't work. So you enable UAC by GPO (Reg. Key EnableLua). https://technet.microsoft.com/en-us/library/dd835564%28v=ws.10%29.aspx

BUT: if you're deploying a logon script inside the GPO and your User is a local Admin on the Computer on which he's logging on - which in my case is on every computer because I'm a Domain Admin - UAC will drop your account to a non privileged user, and as we know, if they're not running in the same context, you won't get your drives deployed in your admin account.

This is in fact by design, and it’s caused by the way UAC works. When you’re a member of the Administrators group and you log in, your account is busted down to a non-privileged user by UAC. This running context is completely separate from the context you get when you right-click Command Prompt and launch as an administrator. As you’ll probably have noticed, network drives connected in one context are not visible in the other. The problem is that GPO-based login scripts are being executed in the Administrator context – not the ordinary user context.

Quote from http://pcloadletter.co.uk/2010/05/15/missing-network-drives/

So you disable UAC and your GPO logon script will work. You're happy for a moment, but then you realize you can't use Edge anymore.

So how can we enable UAC and have our Logon Script working?

I did it with this registry hack, which is not supported by Microsoft. I guess it's a vulnerability to your system security; keep that in mind if you're doing this the same way as I do:

HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System
New Entry: Type: DWORD Name: "EnableLinkedConnections" Value: 1

And BAM! You can use logon scripts, UAC, Edge, whatsoever.

Other things you could try - I didn't try any of those yet:

  • Call your PS file from a batch script which is stored in the GPO
  • Set up your PS script as a scheduled task inside the GPO

So hopefully this will be useful for other Administrators that have problems with their logon script.

Cheers!
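As an added diagnostic example (not part of the question or the answer above), the following PowerShell preamble records which UAC token context a logon script is running in, whether EnableLUA and EnableLinkedConnections are set, and which mapped drives are visible from that token, so a "missing" drive can be traced to the context split described in the answer. The log path is an assumed placeholder; the elevation check uses the same IsInRole test as the script in the question.

```powershell
# Diagnostic preamble for a GPO logon script (added example, not from the original post).
# Hypothetical log path; point it at the log your logon script already writes.
$LogPath = Join-Path $env:TEMP 'logon-context.log'

function Get-LogonContext {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    # On a UAC split token the Administrators SID is deny-only, so IsInRole returns
    # $false in the filtered (normal) context and $true in the elevated context.
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $policyKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    # A missing value means the Windows default: UAC on, connections not linked between tokens.
    $uac    = if ($null -ne $policy.EnableLUA) { [int]$policy.EnableLUA } else { 1 }
    $linked = if ($null -ne $policy.EnableLinkedConnections) { [int]$policy.EnableLinkedConnections } else { 0 }

    # Mapped drives visible from *this* token only; the other context keeps its own list.
    $mapped = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.DisplayRoot } |
              ForEach-Object { "$($_.Name): -> $($_.DisplayRoot)" }

    [pscustomobject]@{
        User                    = $identity.Name
        ElevatedToken           = $elevated
        EnableLUA               = $uac
        EnableLinkedConnections = $linked
        MappedDrives            = ($mapped -join ', ')
    }
}

$ctx = Get-LogonContext
"$(Get-Date -Format o) $($ctx | ConvertTo-Json -Compress)" | Add-Content -Path $LogPath

# The exact situation from the answer: UAC on, script running elevated, drives not linked.
if ($ctx.EnableLUA -eq 1 -and $ctx.ElevatedToken -and $ctx.EnableLinkedConnections -ne 1) {
    $msg = 'Elevated token with UAC on and EnableLinkedConnections unset: drives mapped here will not be visible in the filtered user session.'
    Add-Content -Path $LogPath -Value "$(Get-Date -Format o) WARNING $msg"
    Write-Warning $msg
}
```

Run it once from a normal PowerShell window and once from an elevated one to see the two contexts report different ElevatedToken and MappedDrives values for the same user.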