FOG/Powershell not copying to Win32/GroupPolicy/Adm

VictorKrazan6267

Below is my script. Everything works except the Copy-Item line. I’ve tested copying the files to other locations and it works then. When it comes to copying the file to that location it just doesn’t want to do it. Other things I’ve tried, -path, move-item, took out all environmental variables.

#Powershell %~dp0
$scriptPath = split-path -parent $MyInvocation.MyCommand.Definition

#installs Chrome
Start-Process $scriptPath\ChromeInstall.msi /q -wait -WindowStyle hidden

#imports registry!
Reg import $scriptPath\chrome_settings.reg

#copies over .adm files                                                            
copy-Item -LiteralPath 'C:\Program Files (x86)\FOG\tmp\ChromePowerShell\chrome.adm' -Destination 'C:\Windows\System32\GroupPolicy\Adm' -Force -Verbose -Recurse
copy_item -LiteralPath 'C:\Program Files (x86)\FOG\tmp\ChromePowerShell\GoogleUpdate.adm' -Destination 'C:\Windows\System32\GroupPolicy\Adm' -Force -Verbose -Recurse

#force GroupPolicy update
Start-Process gpupdate /force  -WindowStyle hidden
#Remove-Item -path 'C:\Program Files (x86)\FOG\tmp\ChromePowerShell'

** mod edit to distinguish code **

Tom Elliott

@victorkrazan6267 I see 2 copy items and the second is written copy_item while the first one seems proper syntax of copy-item

Are both failing?

george1421

@victorkrazan6267 So I have to ask the question, what permissions are on that directory [C:\Windows\System32\GroupPolicy\Adm] is it owned by the trusted installer? The FOG service runs as the SYSTEM account. Any rights that SYSTEM has, can do the FOG service should do.

But on a lower level I have to ask why are you doing this? Typically the ADM files are only used on the domain controller or any system that needs to configure the GPO policies. The workstations that consume the policies don’t need the ADM files locally.

The other comment I would have is to not use the full path to the FOG TMP directory. Use %~dp0 to identify the local path. If for some reason the FOG client is installed in a different directory your script will break.

Finally I assume you are creating a snapin pack and deploying it that way, that way all of your files are copied over to the target computer.

VictorKrazan6267

@george1421 SYSTEM has full permissions. The files are going onto a laptop that will be going out to the field and techs don’t come into the offices often. I did try using $scriptPath, but It still wasn’t copying the files. Yes its in a powershell snapin pack.

VictorKrazan6267

@tom-elliott Whoops typo. Yes both are failing.

Tom Elliott

@victorkrazan6267 and you’re sure ChromePowersShell files exist in the fog\tmp folder?

VictorKrazan6267

@tom-elliott Yep, went to FOG/tmp to make sure that they were being extracted to ChromePowerShell. If i change -Destination to C:\Users<User>\Desktop the files will be copied to the desktop.

Quazz

Does the destination folder actually exist already?

VictorKrazan6267

@quazz Yes they do.

JJ Fullmer

So this is an idea unrelated to your script syntax
Do you have access to your active directory central store and are all the computers involved in AD?
Based on what you have written you’re using the adm policy templates for applying chrome policies via group policy that you had set at the AD level.

If you copy the admx files to the central store they’ll get copied down to each AD joined computer automatically. Is that an option for you?

I believe that the folder you’re copying to has some extra security built into it or something. I remember reading that once upon a time. You can use the chrome.admx file and the googleUpdate.admx files from where you got the adm files and copy them to c:\windows\policyDefinitions and that will work fine. I used to do it that way before I started just including them in the domain central store which can be accessed (read\write) remotely via \\domainControllerHostname\C$\Windows\SYSVOL\sysvol\domainFqdn\Policies\PolicyDefinitions You may have to login to the domain controller and find the local folder of that share.
I think you can copy adm files to either the central store or local store too, but I’ve read that admx files are the better option. I can’t remember why but I recall it being convincing.

I hope that helps.

JJ Fullmer

@victorkrazan6267 I just read this part after making my domain central store reccomendations.
We have some non-domain computers and I utilized copying the admx files to C:\Windows\PolicyDefinitions for setting the policies in local group policies. You could theoretically embed them in your image as well.

You can also use the policyfileeditor module https://www.powershellgallery.com/packages/PolicyFileEditor/3.0.1
to edit the local group policy as part of that script.

i.e. to set chrome to always open pdfs externally you could do

$machinePol = "C:\WINDOWS\system32\grouppolicy\machine\Registry.pol";
$chromeKey= "Software\policies\google\chrome";

Set-PolicyFileEntry $machinePol -key $chromeKey -ValueName "AlwaysOpenPdfExernally" -Data 1 -Type DWord;

It takes a little time to learn that module. But it’s pretty useful to have a way to script changes to local group policies.

VictorKrazan6267

@Tom-Elliott Tried running the script w/ psexec w/ all files in appropriate locations and it ran w/o an issue doing everything it was supposed to. Unfortunately FOG still doesn’t seem to want to copy those 2 files. GroupPolicy is a hidden folder, could that be causing an issue?