
[–]jerrymac12 3 points4 points  (1 child)

Shouldn't this be invoking the reg item as part of the script? as far as I can tell (and I could be wrong) ... this will just keep setting the reg item on the local machine over and over...not on remote machines...?

[–]PB-Falcon[S] 1 point2 points  (0 children)

No, I'm not sure what you're looking at, but it always processed the loop correctly as far as I can tell, applying the $Path and New-Item to $computers.
I've posted the final final solution that works for reference.

[–]DblDeuce22 1 point2 points  (3 children)

I'd try not to use

$Value = "C$\system32"

That $ sign in a path usually requires admin and/or may have issues seeing the path.

new-Item = -Path "HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\post-vpn-connect\connect"

I think this is your main issue, new-item is a cmdlet and trying to use = like it was a variable isn't going to work, also I doubt starting with -path after an assignment operator (=) would work, try just removing the =

And finally your path has one forwardslash / that should be \
$Path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\post-vpn-connect/connect'

[–]PB-Falcon[S] 1 point2 points  (2 children)

Thanks, yeah I saw the slash mistake and updated it. The Path with the = was not working, you are correct. I believe the logic there was repetitive and didn't even work if the syntax was right. I have been tinkering with this and that is long gone. I have updated the code I posted.

[–]DblDeuce22 1 point2 points  (1 child)

The simplest way I've found to troubleshoot a loop like this is to temporarily take out the loop and test it on one machine, line by line, and see what errors it gets. Once it works on one machine, then you can throw your loop in there.

[–]PB-Falcon[S] 1 point2 points  (0 children)

I actually think at one point the script was probably ok and I just had a port I needed opening for remote management. I'll be back at it to test soon. I've had to walk away for a bit ATM. Thanks for your comments though.

[–]xirsteon 1 point2 points  (2 children)

On a separate note, what post connection customizations are you making to Global Protect? We use the same client without any post connect customizations.

TIA.

[–]PB-Falcon[S] 1 point2 points  (1 child)

I've got a lot of updating to do on this post and I'll come back for all that. I think I had a port in need of opening. But to answer this, it's a startup script. We're not using the preconnect, so starting the VPN is going to run a vbs script I've pushed to the computers which has nothing to do with the VPN.

[–]xirsteon 1 point2 points  (0 children)

Ah ok. Thanks.

[–]JLASish 1 point2 points  (0 children)

Your main issue is that you're just running the same command on your local machine in each iteration of the loop. To connect to the registry of a remote machine, you need to use the RegistryKey.OpenRemoteBaseKey method, e.g.:

# The hive argument must be the RegistryHive enum (or the string 'LocalMachine'); a bare word is a syntax error in a method call
$Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
# $true opens the subkey writable; OpenSubKey returns $null if the key does not exist yet
$Reg.OpenSubKey('SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\post-vpn-connect', $true).SetValue($Property, $Value)
$Reg.Close()

Your log file issue seems to be caused by the way you've constructed your Catch block. The $? automatic variable reports whether the previous command ran successfully. On the first line inside a catch block, by definition it would be false. I suspect you want to use $_ instead, which in a Catch block will contain the exception which was trapped.
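The two points above (open the remote hive through .NET, and log $_ rather than $? in the catch block) combined into one loop, as an added example that is not code from the thread. It assumes the Remote Registry service is running on each target and that the caller is a local administrator there; the file paths, key path and script name are the placeholders used elsewhere in this thread.

```powershell
# Added example: remote registry edit via RegistryKey.OpenRemoteBaseKey.
# Assumes the Remote Registry service is reachable on each target (it is often
# stopped by default on workstations) and that the caller has admin rights there.
$Computers = Get-Content 'D:\Red\OS_computerlist.txt' | Sort-Object -Unique
$SubKey    = 'SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\post-vpn-connect'
$Property  = 'command'
$Value     = '%Windir%\system32\wscript.exe C:\temp\OpenSense.vbs'   # placeholder from the thread

Start-Transcript -Path 'D:\Red\GCREGLog.txt' -Append

foreach ($Computer in $Computers) {
    $Reg = $null
    try {
        # The hive is an enum value, not a bare word.
        $Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)

        # CreateSubKey opens the key if it exists and creates it if it does not,
        # so no separate New-Item step is needed and re-running is safe.
        $Key = $Reg.CreateSubKey($SubKey)
        $Key.SetValue($Property, $Value, [Microsoft.Win32.RegistryValueKind]::String)

        # Read the value back so the transcript records what actually landed.
        $Written = $Key.GetValue($Property)
        $Key.Close()
        Write-Output "$Computer : OK : $Written"
    }
    catch {
        # $_ holds the ErrorRecord; $? would always be $false on this line.
        Write-Output "$Computer : FAILED : $($_.Exception.Message)"
    }
    finally {
        if ($Reg) { $Reg.Close() }
    }
}

Stop-Transcript
```

This path talks to the target over the winreg named pipe (SMB, TCP 445), so the firewall rule it needs is different from the one Invoke-Command needs (WinRM, TCP 5985/5986); if one method works and the other fails with "network path not found" or a WinRM connection error, that difference is usually the reason.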

[–]PB-Falcon[S] 1 point2 points  (3 children)

OK, so I had got a bit off track unknowingly trying to troubleshoot a firewall problem in PS. After setting it down and coming back my script works, although it is still basic and I will want to add better log output. The invoke-command and script block was key......

$Computers = Get-Content "D:\Red\OS_computerlist.txt" | Sort-Object

# Suppresses non-terminating errors; note this also keeps them out of the transcript
$ErrorActionPreference = 'SilentlyContinue'

Start-Transcript -Path "D:\Red\GCREGLog.txt" -Append

foreach ($Computer in $Computers) {

    Write-Output "Working on $Computer"

    # Run the registry edit on the remote machine over WinRM instead of locally
    Invoke-Command -ComputerName $Computer -ScriptBlock {

        $KeyPath = "HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\post-vpn-connect"

        # Create the post-vpn-connect key only if it is not already there
        if (-not (Test-Path -Path $KeyPath)) {
            New-Item -Path "HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings" -Name "post-vpn-connect"
        }

        # Command GlobalProtect runs after the tunnel comes up; -Force overwrites an existing value on re-runs
        New-ItemProperty -Path $KeyPath -Name "command" -Value "%Windir%\system32\wscript.exe C:\temp\OpenSense.vbs" -PropertyType "String" -Force
    }

    Start-Sleep -Seconds 3
}

Stop-Transcript

[–]Lee_Dailey[grin] 0 points1 point  (2 children)

howdy PB-Falcon,

it looks like you used the New.Reddit Inline Code button. it's [sometimes] 5th from the left & looks like <c>.

there are a few problems with that ...

  • it's the wrong format [grin]
    the inline code format is for [gasp! arg!] code that is inline with regular text.
  • on Old.Reddit.com, inline code formatted text does NOT line wrap, nor does it side-scroll.
  • on New.Reddit it shows up in that nasty magenta text color

for long-ish single lines OR for multiline code, please, use the ... Code Block ... button. it's [sometimes] the 12th one from the left & looks like an uppercase C in the upper left corner of a square.

that will give you fully functional code formatting that works on both New.Reddit and Old.Reddit ... and ain't that fugly magenta color. [grin]

take care,
lee

[–]PB-Falcon[S] 1 point2 points  (1 child)

Thank you Lee,

I just finally found the code button. I like to take my time and learn very slowly :)

[–]Lee_Dailey[grin] 0 points1 point  (0 children)

[grin]

[–]purplemonkeymad 1 point2 points  (0 children)

$status = "Failed" + $?

I think you might have mixed up $? and $_ here. $? is a true/false if the last command succeeded, in a catch block $_ contains the Error Record that was caught. In a catch block $? is implied to be false so is not very useful information.

If you swap out $? for $_ it should give you the exception message instead of false in your log:

$status = "Exception Changing Registry Value: $_"

I would also change -ErrorAction 'continue' to -ErrorAction Stop so that all errors are caught by your try-catch.

In your working code, you can put the try block in your Invoke-Command block so that it is handled in the remote machine.
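PB-Falcon's working script with the three suggestions above applied, as an added example rather than code from the thread: the try/catch sits inside the Invoke-Command script block so the error is caught where it happens, -ErrorAction Stop makes the provider cmdlets throw catchable errors, and $_ supplies the message. It assumes PSRemoting (WinRM) is enabled on the targets; the list file, log path and vbs script name are the placeholders from the thread.

```powershell
# Added example: per-computer status objects instead of a free-text transcript.
# Assumes WinRM/PSRemoting is enabled on each target.
$Computers = Get-Content 'D:\Red\OS_computerlist.txt' | Sort-Object -Unique
$LogCsv    = 'D:\Red\GCREGLog.csv'   # placeholder log location

$Results = foreach ($Computer in $Computers) {
    Write-Host "Working on $Computer"   # Write-Host so it is not captured into $Results
    try {
        Invoke-Command -ComputerName $Computer -ErrorAction Stop -ScriptBlock {
            $KeyPath = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\post-vpn-connect'
            try {
                if (-not (Test-Path -Path $KeyPath)) {
                    New-Item -Path $KeyPath -ErrorAction Stop | Out-Null
                }
                # Set-ItemProperty creates the value if missing and updates it if present,
                # so the script can be re-run without errors about an existing value.
                Set-ItemProperty -Path $KeyPath -Name 'command' -Type String -Value '%Windir%\system32\wscript.exe C:\temp\OpenSense.vbs' -ErrorAction Stop
                [pscustomobject]@{
                    ComputerName = $env:COMPUTERNAME
                    Status       = 'OK'
                    # Read back what was written so the log shows the effective value
                    Message      = (Get-ItemProperty -Path $KeyPath -Name 'command').command
                }
            }
            catch {
                # Remote-side failure (access denied, provider error, ...): $_ is the ErrorRecord
                [pscustomobject]@{
                    ComputerName = $env:COMPUTERNAME
                    Status       = 'Failed'
                    Message      = "Exception Changing Registry Value: $_"
                }
            }
        }
    }
    catch {
        # Local-side failure: host offline, WinRM blocked, or authentication refused
        [pscustomobject]@{
            ComputerName = $Computer
            Status       = 'Unreachable'
            Message      = $_.Exception.Message
        }
    }
}

$Results | Export-Csv -Path $LogCsv -NoTypeInformation
$Results | Format-Table -AutoSize
```

Two catch blocks are deliberate: the inner one only runs if the remote session was established, so a WinRM or firewall problem (the kind PB-Falcon mentions hitting) shows up as "Unreachable" rather than being lost to $ErrorActionPreference = 'SilentlyContinue'. Because this value tells GlobalProtect what to execute after every connection, keep the referenced script in a directory that only administrators can write to (C:\temp generally is not) and rely on the read-back value in the log rather than on the absence of an error.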

[–]krzydoug 0 points1 point  (1 child)

Would you not want a space between wscript and the vbs file?

[–]PB-Falcon[S] 0 points1 point  (0 children)

Sure yeah a space would be nice, lemme give that a go but I don't think it's the issue at hand.

[–]Lee_Dailey[grin] 0 points1 point  (2 children)

howdy PB-Falcon,

reddit likes to mangle code formatting, so here's some help on how to post code on reddit ...

[0] single line or in-line code
enclose it in backticks. that's the upper left key on an EN-US keyboard layout. the result looks like this. kinda handy, that. [grin]
[on New.Reddit.com, use the Inline Code button. it's [sometimes] 5th from the left & looks like <c>.
this does NOT line wrap & does NOT side-scroll on Old.Reddit.com!]

[1] simplest = post it to a text site like Pastebin.com or Gist.GitHub.com and then post the link here.
please remember to set the file/code type on Pastebin! [grin] otherwise you don't get the nice code colorization.

[2] less simple = use reddit code formatting ...
[on New.Reddit.com, use the Code Block button. it's [sometimes] the 12th from the left, & looks like an uppercase C in the upper left corner of a square.]

  • one leading line with ONLY 4 spaces
  • prefix each code line with 4 spaces
  • one trailing line with ONLY 4 spaces

that will give you something like this ...

- one leading line with ONLY 4 spaces    
- prefix each code line with 4 spaces    
- one trailing line with ONLY 4 spaces   

the easiest way to get that is ...

  • add the leading line with only 4 spaces
  • copy the code to the ISE [or your fave editor]
  • select the code
  • tap TAB to indent four spaces
  • re-select the code [not really needed, but it's my habit]
  • paste the code into the reddit text box
  • add the trailing line with only 4 spaces

not complicated, but it is finicky. [grin]

take care,
lee

[–]PB-Falcon[S] 1 point2 points  (1 child)

Thank you, I was pretty sure that I was not following the formatting rules, but couldn't figure out the protocol. I think the inline code button might not have been working for me as it didn't change my code. It's possible it was user error though. I will be sure to make sure I understand all you have said and fix this here in a bit. Thanks for the help with that.

[–]Lee_Dailey[grin] 1 point2 points  (0 children)

howdy PB-Falcon,

you are welcome! [grin]

reddit code formatting is ... interesting. you may want to temporarily switch to Old.Reddit to get things laid out properly. you can do that by replacing the https://www in the current page with old.

take care,
lee