So, one of the things I’ve been working on is using SCCM and the Desired Configuration Management (DCM) functionality to test ‘compliance’ on desired configuration items (CIs) at one of the client sites I’m assigned to. As you can likely guess based on several of my other postings, most of these configuration settings are related to Outlook 2010. If you’ve ever worked with SCCM DCM CIs that use PowerShell to check the contents of registry keys that exist in HKEY_CURRENT_USER, you’ve likely dealt with a few interesting issues:
- SCCM runs PowerShell deployed through the DCM interface via the SYSTEM account, therefore HKEY_CURRENT_USER is useless — you must instead loop through HKEY_USERS. Your SYSTEM account does not have a users registry hive, and even if it did, I’m pretty sure that’s not the registry you want to be checking! 🙂
- HKEY_USERS is fine, so long as you strip out unimportant profiles for your script — e.g., existing profiles that are part of the imaging process, local administrator profiles, etc.
- HKEY_USERS is fine, even if a machine has more than one user — so long as it can be reasonably assumed that the last logged in user is the person whose compliance you are interested in.
- HKEY_USERS is not accessible to normal users programmatically via PowerShell, so to test your scripts you must invoke PowerShell as the SYSTEM account, interactively. I use PsExec for this, but I’m sure there are other ways to do it.
This creates a few interesting issues that require some thought in order to ensure that the code runs perfectly against all, say, 1,600 client computers — AND returns legitimate compliance results.
Thankfully, someone (Brian Wilhite) has done the legwork of putting together a solid PowerShell cmdlet that determines the last logged in user and whether that user is still logged in. If you need something like this, take a look at Script – Get-LastLogon.
I’ve now incorporated that into several of my CI scripts in order to do checks against data in the HKEY_USERS key while confirming that the user account whose registry I’m targeting corresponds to the user that has most recently logged in to the machine, and it’s done wonders to help sanitize the compliance results.
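As an added illustration of the approach described above (example code written for this page, not the post’s own CI script and not Brian Wilhite’s Get-LastLogon): a DCM script setting that runs as SYSTEM, resolves the last logged-on user to a SID from the LogonUI registry key instead of calling Get-LastLogon, skips the non-user hives under HKEY_USERS, and returns a single string the CI rule can compare against. The key path and value name are placeholders.

```powershell
# Added example, not code from the post or from Brian Wilhite's Get-LastLogon.
# Runs under the SYSTEM account as a DCM script setting, so HKCU is not used;
# the hive of the most recent logon is located under HKEY_USERS by SID instead.
# $KeyPath and $ValueName are placeholders; substitute the Outlook 2010 setting
# your CI actually checks.

$KeyPath   = 'Software\Microsoft\Office\14.0\Outlook\PlaceholderSubkey'  # placeholder
$ValueName = 'PlaceholderValue'                                          # placeholder
$Expected  = 1                                                           # value that means compliant

function Get-LastLoggedOnUserSid {
    # Windows records the last interactive logon as DOMAIN\user under LogonUI;
    # translate it to a SID, which is how hives are named under HKEY_USERS.
    $logonUi = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'
    $account = (Get-ItemProperty -Path $logonUi -ErrorAction SilentlyContinue).LastLoggedOnUser
    if (-not $account) { return $null }
    try {
        $nt = New-Object System.Security.Principal.NTAccount($account)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $null }   # e.g. account no longer resolvable (deleted / off-domain)
}

function Test-UserHiveCompliance {
    param([string]$Sid)
    # Never evaluate the pseudo-hives: .DEFAULT, the SYSTEM/service SIDs, or *_Classes.
    $skip = @('.DEFAULT', 'S-1-5-18', 'S-1-5-19', 'S-1-5-20')
    if ($skip -contains $Sid -or $Sid -like '*_Classes') { return 'Skipped' }
    # A user's hive exists under HKEY_USERS only while the profile is loaded, so a
    # logged-off user cannot be evaluated this way; report that rather than guessing.
    if (-not (Test-Path "Registry::HKEY_USERS\$Sid")) { return 'HiveNotLoaded' }
    $key = "Registry::HKEY_USERS\$Sid\$KeyPath"
    if (-not (Test-Path $key)) { return 'NonCompliant' }       # key absent: setting never applied
    $actual = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($actual -eq $Expected) { return 'Compliant' } else { return 'NonCompliant' }
}

# Emit exactly one string; the DCM rule for this script setting compares it to 'Compliant'.
$sid = Get-LastLoggedOnUserSid
if ($sid) { Test-UserHiveCompliance -Sid $sid } else { 'NoLogonRecorded' }
```

Because the output distinguishes 'HiveNotLoaded' and 'Skipped' from 'NonCompliant', the CI report shows which machines genuinely failed the check and which simply had no evaluable user hive at scan time.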
I always like uncovering someone else’s hard work, especially when it is precisely something I was thinking of writing myself. I get the feeling Brian’s script is better than what I would have come up with!
Anyway, hope this helps anyone else who has found themselves in a similar situation. I had such good results using this script I couldn’t help but post about how useful it had become for me.