Fog Snapin - Google Chrome ADM Group Policy



  • Hi All

    I am trying to manage Google Chrome ADM gpo via Powershell via Snapin pack to 20+ standalone computers. I tried copying the file manually and it worked (meaning it updated the Google Chrome ADM with latest policy after restart)

    I have trouble coping the files from F:\fog\tmp\GroupPolicyUsers\ to C:\Windows\System32\GroupPolicyUsers\

    Here’s my powershell script

    Start-Sleep -Seconds 10
    Copy-Item -Path F:\fog\tmp\ILC-Student-ChromePolicy-UpdatePS\GroupPolicyUsers\S-1-5-21-2027881915-267544310-2063179327-1017 C:\Windows\System32\GroupPolicyUsers -Recurse -Force
    

    I added Start-Sleep -Seconds 10 to ensure the files have fully transferred before fogclient auto clean it.
    Then tells it to copy the folders to C:\windows\system32\GroupPolicyUsers

    Fog server successfully deploy the snapin and I can see the folder created in tmp folder, but It doesnt work!

    However, if I changed the script destination outside system32, lets say C:\temp. It worked!

    Is it permission issue? I believe fog client should have the right permission to do it right?

    Hope that make sense.

    Thanks



  • @Wayne-Workman absolutely weird.
    I used the same technique with snap in pack on different folder and it worked without issue in the past. Only this time around with system32 folder.

    I even tried with xcopy!

    Anyway, thanks for your help, appreciate it and I will check further to see if AV is a culprit here.

    Cheers


  • Moderator

    @kwetiaw That’s weird. It must be something about that directory. Maybe permissions, but not necessarily. It could be AV that’s blocking it, for example. An AV program ought to keep an eye on the system32 folder, I think.

    So, looking at the permissions on a Server 2012 R2 box here at home, I see that SYSTEM has permission to create folders inside of system32, and has full control of subfolders and files. These are the only permissions you would need.

    @kwetiaw said in Fog Snapin - Google Chrome ADM Group Policy:

    When I execute the powershell script locally and manually on the destination computer, it worked without any issue.

    That tells me it has something to do with the user accounts trying to get access. On my test server, the Administrators group has the same permissions as the SYSTEM user for the system32 folder.



  • @Wayne-Workman Hi Wayne
    i did the additional command to enable log file.
    It created the log file but it’s blank, im not sure why!

    Here’s the fog.log

    ------------------------------------------------------------------------------
    ---------------------------------SnapinClient---------------------------------
    ------------------------------------------------------------------------------
     26/09/2016 11:47 AM Client-Info Client Version: 0.11.5
     26/09/2016 11:47 AM Client-Info Client OS:      Windows
     26/09/2016 11:47 AM Client-Info Server Version: 1.3.0-RC-8
     26/09/2016 11:47 AM Middleware::Response Success
     26/09/2016 11:47 AM SnapinClient Snapin Found:
     26/09/2016 11:47 AM SnapinClient     ID: 157
     26/09/2016 11:47 AM SnapinClient     Name: ILC-Student-ChromePolicy-UpdatePS
     26/09/2016 11:47 AM SnapinClient     Created: 2016-09-26 11:46:12
     26/09/2016 11:47 AM SnapinClient     Action: 
     26/09/2016 11:47 AM SnapinClient     Pack: True
     26/09/2016 11:47 AM SnapinClient     Hide: False
     26/09/2016 11:47 AM SnapinClient     Server: REDACTED
     26/09/2016 11:47 AM SnapinClient     TimeOut: 0
     26/09/2016 11:47 AM SnapinClient     SnapinPack File: powershell.exe
     26/09/2016 11:47 AM SnapinClient     SnapinPack Args: -ExecutionPolicy Bypass -File "[FOG_SNAPIN_PATH]\chromepolicyupdate.ps1"
     26/09/2016 11:47 AM SnapinClient     File: ilcstudentchromepolicyPS.zip
     26/09/2016 11:47 AM Middleware::Communication Download: http://REDACTED
     26/09/2016 11:47 AM SnapinClient F:\fog\tmp\ilcstudentchromepolicyPS.zip
     26/09/2016 11:47 AM SnapinClient Processing SnapinPack ilcstudentchromepolicyPS.zip
     26/09/2016 11:47 AM SnapinClient Extracting SnapinPack
     26/09/2016 11:47 AM SnapinClient Processing SnapinPack settings
     26/09/2016 11:47 AM SnapinClient New SnapinPack File: powershell.exe
     26/09/2016 11:47 AM SnapinClient New SnapinPack Args: -ExecutionPolicy Bypass -File "F:\fog\tmp\ILC-Student-ChromePolicy-UpdatePS\chromepolicyupdate.ps1"
     26/09/2016 11:47 AM Bus {
      "self": true,
      "channel": "Notification",
      "data": "{\r\n  \"title\": \"Installing ILC-Student-ChromePolicy-UpdatePS\",\r\n  \"message\": \"Please do not shutdown until this is completed\"\r\n}"
    }
     26/09/2016 11:47 AM Bus Emmiting message on channel: Notification
     26/09/2016 11:47 AM SnapinClient Starting snapin...
     26/09/2016 11:47 AM SnapinClient Snapin finished
     26/09/2016 11:47 AM SnapinClient Return Code: 0
     26/09/2016 11:47 AM Bus {
      "self": true,
      "channel": "Notification",
      "data": "{\r\n  \"title\": \"ILC-Student-ChromePolicy-UpdatePS Installed\",\r\n  \"message\": \"Installation has finished and is now ready for use\"\r\n}"
    }
     26/09/2016 11:47 AM Bus Emmiting message on channel: Notification
    

    But still no good. im puzzled!



  • @Joe-Schmitt Hi Joe

    It is not the only file, it has a GPO folder in it. Otherwise it will be nice and easy :)


  • Senior Developer

    @kwetiaw if your entire snapin pack is that single powershell script why not just make it a normal snapin?


  • Moderator

    @kwetiaw Ok then.



  • @Wayne-Workman Hi Wayne

    I had the fog client installed on a separate partition with drive letter F:/ this is also the same with the rest 20 machines. So the path on the zip file is correct. I have deployed a single config file for another program and they worked brilliantly.

    Thats why it is F:\fog\tmp\XXXXX instead of the program default c:\programfiles (x86)

    I will try again with the addition of log file recording and will post back the result.

    Thanks


  • Moderator

    wiki worthy


  • Senior Developer

    @Wayne-Workman for batch you just use %~dp0 to get the full directory path of the script.


  • Moderator

    @Joe-Schmitt Very nice. I tried doing something like that for .bat files… just didn’t ever work right.


  • Senior Developer

    @Wayne-Workman one thing. I always recommend resolving where the snapin pack is at runtime instead of hard coding. For Powershell the command would be:

    $scriptDir = split-path -parent $MyInvocation.MyCommand.Definition on powershell 2 and above or just $PSScriptRoot on powershell 3 and above.


  • Moderator

    @kwetiaw I think your pathing is what’s making it not work. Have you reviewed this article?
    https://wiki.fogproject.org/wiki/index.php?title=SnapinPacks

    Why were you using the path F:\fog\tmp\ ? This isn’t standard. Unless you changed where the FOG Client installs to on every host in your environment, this is not right. Your files are contained within your snapin pack, so you wouldn’t need to pre-place anything at all.

    The new fog client unpacks the .zip file to a folder named with the name of the SnapinPack itself. Yours is ILC-Student-ChromePolicy-UpdatePS. You’d take the full Snapin Pack name and add it to the directory where FOG puts snapins, just like the article above shows.
    C:\Program Files (x86)\FOG\tmp\ILC-Student-ChromePolicy-UpdatePS

    So, knowing this, the folders you’re trying to copy in the powershell file, they aren’t working because they have the wrong paths. That copy command should actually be:
    Copy-Item -Path "C:\Program Files (x86)\FOG\tmp\ILC-Student-ChromePolicy-UpdatePS\GroupPolicyUsers\S-1-5-21-2027881915-267544310-2063179327-1017" "C:\Windows\System32\GroupPolicyUsers" -Recurse -Force

    To add logging, it would be:
    Copy-Item -Path "C:\Program Files (x86)\FOG\tmp\ILC-Student-ChromePolicy-UpdatePS\GroupPolicyUsers\S-1-5-21-2027881915-267544310-2063179327-1017" "C:\Windows\System32\GroupPolicyUsers" -Recurse -Force >> "c:\temp\log.txt"

    So, I think you need to change your powershell file and remake the .zip file, and upload the new .zip file to the snapin via the web interface.



  • @Wayne-Workman Hi Wayne
    Sorry for not explicitly mentioning a snapin pack (i did mention in on my first post, should’ve done the same with the post title). my apology

    Here’s the whole zip - https://drive.google.com/open?id=0B8LqOYqjfRvrNThaUW0tZG9pZzg

    Appreciate for helping out


  • Moderator

    @kwetiaw I didn’t know this was a SnapinPack, that is a pretty major detail. Please upload the zip file instead.




  • Moderator

    @kwetiaw Can you give us a screenshot of your snapin, from Snapin Management in the Web GUI please, and then post the entire powershell file?



  • @Wayne-Workman Hi Wayne

    I tried to export the log file with this command

    powershell.exe -ExecutionPolicy Bypass -File "[FOG_SNAPIN_PATH]\chromepolicy.ps1" >> c:\temp\log.txt chromepolicyPS.zip 
    

    It doesnt even create a log file, Snapin downloaded and vanished in an instant.

    I noticed the GroupPolicyUsers folder is hidden and read only (not sure if that makes any difference)

    When I execute the powershell script locally and manually on the destination computer, it worked without any issue.


  • Moderator

    Snapins run as SYSTEM so it’s probably not permissions related.

    Send all output for the copy line to a text file. Then check the output file to see what it says. There should be some sort of message which will lead you to a correction.


Log in to reply
 

Looks like your connection to FOG Project was lost, please wait while we try to reconnect.