Fog Snapin - Google Chrome ADM Group Policy

kwetiaw

Hi All

I am trying to manage Google Chrome ADM gpo via Powershell via Snapin pack to 20+ standalone computers. I tried copying the file manually and it worked (meaning it updated the Google Chrome ADM with latest policy after restart)

I have trouble coping the files from F:\fog\tmp\GroupPolicyUsers\ to C:\Windows\System32\GroupPolicyUsers\

Here’s my powershell script

Start-Sleep -Seconds 10
Copy-Item -Path F:\fog\tmp\ILC-Student-ChromePolicy-UpdatePS\GroupPolicyUsers\S-1-5-21-2027881915-267544310-2063179327-1017 C:\Windows\System32\GroupPolicyUsers -Recurse -Force

I added Start-Sleep -Seconds 10 to ensure the files have fully transferred before fogclient auto clean it.
Then tells it to copy the folders to C:\windows\system32\GroupPolicyUsers

Fog server successfully deploy the snapin and I can see the folder created in tmp folder, but It doesnt work!

However, if I changed the script destination outside system32, lets say C:\temp. It worked!

Is it permission issue? I believe fog client should have the right permission to do it right?

Hope that make sense.

Thanks

Wayne Workman

Snapins run as SYSTEM so it’s probably not permissions related.

Send all output for the copy line to a text file. Then check the output file to see what it says. There should be some sort of message which will lead you to a correction.

kwetiaw

@Wayne-Workman Hi Wayne

I tried to export the log file with this command

powershell.exe -ExecutionPolicy Bypass -File "[FOG_SNAPIN_PATH]\chromepolicy.ps1" >> c:\temp\log.txt chromepolicyPS.zip 

It doesnt even create a log file, Snapin downloaded and vanished in an instant.

I noticed the GroupPolicyUsers folder is hidden and read only (not sure if that makes any difference)

When I execute the powershell script locally and manually on the destination computer, it worked without any issue.

Wayne Workman

@kwetiaw Can you give us a screenshot of your snapin, from Snapin Management in the Web GUI please, and then post the entire powershell file?

kwetiaw

@Wayne-Workman

Here’s the powershell file - https://drive.google.com/open?id=0B8LqOYqjfRvrb3pvU2phUjBwS1k

Thanks

Wayne Workman

@kwetiaw I didn’t know this was a SnapinPack, that is a pretty major detail. Please upload the zip file instead.

kwetiaw

@Wayne-Workman Hi Wayne
Sorry for not explicitly mentioning a snapin pack (i did mention in on my first post, should’ve done the same with the post title). my apology

Here’s the whole zip - https://drive.google.com/open?id=0B8LqOYqjfRvrNThaUW0tZG9pZzg

Appreciate for helping out

Wayne Workman

@kwetiaw I think your pathing is what’s making it not work. Have you reviewed this article?
https://wiki.fogproject.org/wiki/index.php?title=SnapinPacks

Why were you using the path F:\fog\tmp\ ? This isn’t standard. Unless you changed where the FOG Client installs to on every host in your environment, this is not right. Your files are contained within your snapin pack, so you wouldn’t need to pre-place anything at all.

The new fog client unpacks the .zip file to a folder named with the name of the SnapinPack itself. Yours is ILC-Student-ChromePolicy-UpdatePS. You’d take the full Snapin Pack name and add it to the directory where FOG puts snapins, just like the article above shows.
C:\Program Files (x86)\FOG\tmp\ILC-Student-ChromePolicy-UpdatePS

So, knowing this, the folders you’re trying to copy in the powershell file, they aren’t working because they have the wrong paths. That copy command should actually be:
Copy-Item -Path "C:\Program Files (x86)\FOG\tmp\ILC-Student-ChromePolicy-UpdatePS\GroupPolicyUsers\S-1-5-21-2027881915-267544310-2063179327-1017" "C:\Windows\System32\GroupPolicyUsers" -Recurse -Force

To add logging, it would be:
Copy-Item -Path "C:\Program Files (x86)\FOG\tmp\ILC-Student-ChromePolicy-UpdatePS\GroupPolicyUsers\S-1-5-21-2027881915-267544310-2063179327-1017" "C:\Windows\System32\GroupPolicyUsers" -Recurse -Force >> "c:\temp\log.txt"

So, I think you need to change your powershell file and remake the .zip file, and upload the new .zip file to the snapin via the web interface.

Joe Schmitt

@Wayne-Workman one thing. I always recommend resolving where the snapin pack is at runtime instead of hard coding. For Powershell the command would be:

$scriptDir = split-path -parent $MyInvocation.MyCommand.Definition on powershell 2 and above or just $PSScriptRoot on powershell 3 and above.

Wayne Workman

@Joe-Schmitt Very nice. I tried doing something like that for .bat files… just didn’t ever work right.

Joe Schmitt

@Wayne-Workman for batch you just use %~dp0 to get the full directory path of the script.

Wayne Workman

wiki worthy

kwetiaw

@Wayne-Workman Hi Wayne

I had the fog client installed on a separate partition with drive letter F:/ this is also the same with the rest 20 machines. So the path on the zip file is correct. I have deployed a single config file for another program and they worked brilliantly.

Thats why it is F:\fog\tmp\XXXXX instead of the program default c:\programfiles (x86)

I will try again with the addition of log file recording and will post back the result.

Thanks

Wayne Workman

@kwetiaw Ok then.

kwetiaw

@Joe-Schmitt Hi Joe

It is not the only file, it has a GPO folder in it. Otherwise it will be nice and easy

kwetiaw

@Wayne-Workman Hi Wayne
i did the additional command to enable log file.
It created the log file but it’s blank, im not sure why!

Here’s the fog.log

------------------------------------------------------------------------------
---------------------------------SnapinClient---------------------------------
------------------------------------------------------------------------------
 26/09/2016 11:47 AM Client-Info Client Version: 0.11.5
 26/09/2016 11:47 AM Client-Info Client OS:      Windows
 26/09/2016 11:47 AM Client-Info Server Version: 1.3.0-RC-8
 26/09/2016 11:47 AM Middleware::Response Success
 26/09/2016 11:47 AM SnapinClient Snapin Found:
 26/09/2016 11:47 AM SnapinClient     ID: 157
 26/09/2016 11:47 AM SnapinClient     Name: ILC-Student-ChromePolicy-UpdatePS
 26/09/2016 11:47 AM SnapinClient     Created: 2016-09-26 11:46:12
 26/09/2016 11:47 AM SnapinClient     Action: 
 26/09/2016 11:47 AM SnapinClient     Pack: True
 26/09/2016 11:47 AM SnapinClient     Hide: False
 26/09/2016 11:47 AM SnapinClient     Server: REDACTED
 26/09/2016 11:47 AM SnapinClient     TimeOut: 0
 26/09/2016 11:47 AM SnapinClient     SnapinPack File: powershell.exe
 26/09/2016 11:47 AM SnapinClient     SnapinPack Args: -ExecutionPolicy Bypass -File "[FOG_SNAPIN_PATH]\chromepolicyupdate.ps1"
 26/09/2016 11:47 AM SnapinClient     File: ilcstudentchromepolicyPS.zip
 26/09/2016 11:47 AM Middleware::Communication Download: http://REDACTED
 26/09/2016 11:47 AM SnapinClient F:\fog\tmp\ilcstudentchromepolicyPS.zip
 26/09/2016 11:47 AM SnapinClient Processing SnapinPack ilcstudentchromepolicyPS.zip
 26/09/2016 11:47 AM SnapinClient Extracting SnapinPack
 26/09/2016 11:47 AM SnapinClient Processing SnapinPack settings
 26/09/2016 11:47 AM SnapinClient New SnapinPack File: powershell.exe
 26/09/2016 11:47 AM SnapinClient New SnapinPack Args: -ExecutionPolicy Bypass -File "F:\fog\tmp\ILC-Student-ChromePolicy-UpdatePS\chromepolicyupdate.ps1"
 26/09/2016 11:47 AM Bus {
  "self": true,
  "channel": "Notification",
  "data": "{\r\n  \"title\": \"Installing ILC-Student-ChromePolicy-UpdatePS\",\r\n  \"message\": \"Please do not shutdown until this is completed\"\r\n}"
}
 26/09/2016 11:47 AM Bus Emmiting message on channel: Notification
 26/09/2016 11:47 AM SnapinClient Starting snapin...
 26/09/2016 11:47 AM SnapinClient Snapin finished
 26/09/2016 11:47 AM SnapinClient Return Code: 0
 26/09/2016 11:47 AM Bus {
  "self": true,
  "channel": "Notification",
  "data": "{\r\n  \"title\": \"ILC-Student-ChromePolicy-UpdatePS Installed\",\r\n  \"message\": \"Installation has finished and is now ready for use\"\r\n}"
}
 26/09/2016 11:47 AM Bus Emmiting message on channel: Notification

But still no good. im puzzled!

Wayne Workman

@kwetiaw That’s weird. It must be something about that directory. Maybe permissions, but not necessarily. It could be AV that’s blocking it, for example. An AV program ought to keep an eye on the system32 folder, I think.

So, looking at the permissions on a Server 2012 R2 box here at home, I see that SYSTEM has permission to create folders inside of system32, and has full control of subfolders and files. These are the only permissions you would need.

@kwetiaw said in Fog Snapin - Google Chrome ADM Group Policy:

When I execute the powershell script locally and manually on the destination computer, it worked without any issue.

That tells me it has something to do with the user accounts trying to get access. On my test server, the Administrators group has the same permissions as the SYSTEM user for the system32 folder.

kwetiaw

@Wayne-Workman absolutely weird.
I used the same technique with snap in pack on different folder and it worked without issue in the past. Only this time around with system32 folder.

I even tried with xcopy!

Anyway, thanks for your help, appreciate it and I will check further to see if AV is a culprit here.

Cheers