Using Logon Scripts to show Message

ChosenLattice 1 Reputation point
2022-11-14T23:12:20.557+00:00

I have a PowerShell script on my AD, and I am going through GP to create a message when the user logs into their account. I create a GP -> Edit that GP -> Under User Config & Policies -> Windows Settings -> Scripts

I then add my PowerShell script to the logon properties in the PowerShell tab.

Once that is done I add Domain Users to Security Filtering.

But when I go to log on to a user's account the message does not show up. Are there more steps I need to take to resolve this?

I have tried changing some settings, i.e., the syncing of the messages, but it still does not show up.

Here is the code as well for the message:

    Import-Module activedirectory

    $group = Get-ADUser -Filter * -Properties OU | Select Name, DistinguishedName, @{n='OU';e={$_.DistinguishedName -replace '^.*?,(?=[A-Z]{2}=)'}}

    $wshell = New-Object -ComObject Wscript.Shell
    $Output = $wshell.Popup("Welcome", 0, "$group", 0x1)
Windows for business | Windows Server | User experience | PowerShell
Windows for business | Windows Server | User experience | Other

2 answers

  1. Rich Matheisen 47,901 Reputation points
    2022-11-15T03:08:54.747+00:00

    There is more than one problem in that short bit of code.

    First, the $group variable will hold an array with as many members as there are users (enabled and disabled) in the AD. I don't think that's what you want.

    Second, the regex won't work if any of your distinguished names include an escaped comma (e.g., "\," in "CN=Surname\, GivenName,OU=...").

    Third, the positive lookahead ("?=") in the regex is just looking for any two letters followed by an equal sign. It doesn't matter if they're "OU" or "abcdefgh".

    If you just want to remove the CN from a distinguishedName, use this:

    # $obj is any AD object that has a distinguishedName property (e.g. one returned by Get-ADUser)
    $regex = 'CN=.*?(?<!\\),(.*)'
    $DnMinusTheCN = $obj.distinguishedname -replace $regex,'$1' # remove the CN from the DN

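As an added example, not code from Rich's answer or from the thread, the snippet below runs the answer's regex next to an RFC 4514-aware splitter over a few constructed sample DNs: nested OUs, a CN containing an escaped comma, an object in the default Users container (a container, not an OU), and an object directly under the domain root. The function names and the sample DNs are mine.

```powershell
# Added example, not code from the thread. Sample DNs are constructed.
$sampleDns = @(
    'CN=Jane Doe,OU=Sales,OU=Staff,DC=corp,DC=example'   # nested OUs
    'CN=Doe\, Jane,OU=Sales,DC=corp,DC=example'          # escaped comma inside the CN
    'CN=Jane Doe,CN=Users,DC=corp,DC=example'            # default Users container, not an OU
    'CN=Jane Doe,DC=corp,DC=example'                     # directly under the domain root
)

# Regex from the answer: drop the CN RDN up to the first comma that is not
# preceded by a backslash, keeping the rest of the DN in capture group 1.
$dropCnRegex = 'CN=.*?(?<!\\),(.*)'

function Split-DistinguishedName {
    # Split a DN into its RDNs. RFC 4514 escapes a literal comma as '\,',
    # so only commas without a preceding backslash are separators.
    param([Parameter(Mandatory)][string]$Dn)
    [regex]::Split($Dn, '(?<!\\),')
}

function Get-FirstOuName {
    # Name of the innermost OU the object sits in, or $null when it is in a
    # container (CN=Users) or directly under the domain.
    param([Parameter(Mandatory)][string]$Dn)
    $ou = Split-DistinguishedName $Dn | Where-Object { $_ -like 'OU=*' } | Select-Object -First 1
    if ($null -eq $ou) { return $null }
    # strip the attribute type and unescape '\,' for display
    ($ou -replace '^OU=', '') -replace '\\,', ','
}

$sampleDns | ForEach-Object {
    [pscustomobject]@{
        DN       = $_
        ParentDn = $_ -replace $dropCnRegex, '$1'
        RdnCount = (Split-DistinguishedName $_).Count
        FirstOu  = Get-FirstOuName $_
    }
} | Format-Table -AutoSize
```

For the second sample the escaped comma stays inside the CN (four RDNs, not five), and for the last two samples `FirstOu` is empty, which is the "not in an OrganizationalUnit" case the second answer handles separately. Note that `-replace`, `-match` and `-like` are case-insensitive in PowerShell, so `OU=` and `ou=` are treated alike.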

  2. Rich Matheisen 47,901 Reputation points
    2022-11-15T19:58:37.13+00:00

    There's quite a bit more to consider in your code:
    What if you log on using a local account?
    What if you log on as a user that's not a member of any OrganizationalUnit? Remember, the AD also has "containers", like the "Users" container.

    $group = "No defined group for "  
      
    $x = whoami /upn 2>&1  
      
    if ($x[0] -like "*Unable to get User Prin*"){  
        $group += "local user accounts."  
      
        # You can use this if you need anything from that from the account (doubtful)  
        # Get-LocalUser (Get-ChildItem Env:\USERNAME).Value  
    }  
    else{  
        # A domain user  
        # users are NOT required to have a UPN value assigned  
        # and the value constructed by whoami cannot be used  
        # in a filter if the user has no UPN assigned!  
        # So, because the user is known to be a domain user, get  
        # the SID of the current user and use that  
        $OUregex = 'CN=.*?(?<!\\),OU=(.*?(?<!\\)),'  
        $CNregex = 'CN=.*?(?<!\\),CN=(.*?(?<!\\)),'  
        $s = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value  
        $d = get-aduser $s -Properties Name, distinguishedName  
        if ($d.distinguishedName -match $OUregex){  
            $group = $matches[1]  
        }  
        elseif ($d.distinguishedName -match $CNregex){  
            $group += "users not in an OrganizationalUnit."  
        }  
    }  
    $wshell = New-Object -ComObject Wscript.Shell  
    $Output = $wshell.Popup($group, 0, "Welcome", 0x1)   
    
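As an added example, not code from the thread, here is a variant of the logon script that does not need the RSAT ActiveDirectory module (the `Import-Module activedirectory` line in the question), which is not installed on workstations by default: it binds to the user object over ADSI using the logon SID, splits the DN on unescaped commas as in the answers, and writes one log line before showing the popup so that a missing message can be told apart from a script that never ran. The log path, the function names and the message wording are my assumptions.

```powershell
# Added example, not code from the thread. Avoids the RSAT ActiveDirectory
# module by binding to the user object over ADSI with the logon SID.
# $logPath is an assumed location for troubleshooting output.
$logPath = Join-Path $env:LOCALAPPDATA 'LogonMessage.log'

function Get-CurrentUserDn {
    # distinguishedName of the logged-on user, or $null for a local account
    # or when no domain controller can be reached (cached logon off-network).
    if ($env:USERDOMAIN -eq $env:COMPUTERNAME) { return $null }   # local account
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    try {
        # Bind by SID: works for users with no userPrincipalName, unlike whoami /upn
        $entry = [ADSI]"LDAP://<SID=$sid>"
        $entry.RefreshCache(@('distinguishedName'))   # forces the bind; throws if it fails
        return [string]$entry.Properties['distinguishedName'].Value
    }
    catch {
        return $null
    }
}

function Get-LogonMessage {
    # Text to show: the innermost OU name, or an explanation when there is none
    param([AllowNull()][string]$Dn)
    if ([string]::IsNullOrEmpty($Dn)) {
        return 'No defined group (local account or directory not reachable).'
    }
    # RFC 4514: a literal comma is escaped as '\,', so split only on unescaped commas
    $rdns = [regex]::Split($Dn, '(?<!\\),')
    $ou = $rdns | Where-Object { $_ -like 'OU=*' } | Select-Object -First 1
    if ($ou) { return (($ou -replace '^OU=', '') -replace '\\,', ',') }
    return 'No defined group for users not in an OrganizationalUnit.'
}

$dn      = Get-CurrentUserDn
$message = Get-LogonMessage $dn

# Log first, so the file shows whether the script ran even if no popup appeared
$line = '{0:o} user={1}\{2} dn=[{3}] message=[{4}]' -f (Get-Date), $env:USERDOMAIN, $env:USERNAME, $dn, $message
Add-Content -Path $logPath -Value $line

$wshell = New-Object -ComObject WScript.Shell
$null = $wshell.Popup($message, 0, 'Welcome', 0x1)   # 0x1 = OK/Cancel buttons, no timeout
```

Deploy it through the same GPO path the question describes (User Configuration > Windows Settings > Scripts > Logon, PowerShell Scripts tab). On a test workstation, `gpresult /r /scope:user` shows whether that GPO is applied to the logged-on user at all, and the log file shows whether the script executed and what DN it resolved; only once both are confirmed is the popup itself worth debugging.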
