デバイス(ドメイン)にログインしているIDが、ジョーシスに登録しているメールアドレスのローカルパート(@の左側)と同じ
スクリプトの概要
システム権限で実行します。デバイス上のユーザープロファイルリストから、ユーザーのSIDを取得し各ユーザーのHKUの指定したChromeとEdge用のレジストリに、ジョーシスの組織IDとUSERNAME+@メールドメインを書き込みます。
エラーがあった場合のみ、$logFilePath 変数で指定している場所(サンプル内では、 C:\Windows\Temp\Set-BrowserExtensionPolicy_UserEmail_Error.log)にログが出力されます。
利用にあたって変更が必要な箇所
$organizationKey = "YOUR_ORGANIZATION_KEY_HERE" の YOUR_ORGANIZATION_KEY_HERE をお客様の組織IDに変更してください。
$emailDomain = "YOUR_DOMAIN.COM"の YOUR_DOMAIN.COM をお客様のメールアドレスドメインに変更してください。(@は入れないでください。@の右側だけ。)
$logFilePath = "C:\Windows\Temp\Set-Policy_FullDebug.log" のログが出力されるファイルパスを、必要に応じて変更してください。
利用方法
以下のスクリプトをコピーし、メモ帳などに貼り付け「名前を付けて保存」してください。ファイルの拡張子は、.ps1 とし、文字コードはUTF-8(BOM付)を選択してください。
その後 SKYSEA Client View でのソフトウェア配布の方法 をご参照の上設定を続けてください。
<#
.SYNOPSIS
Writes Chrome/Edge policies to ALL users (Logged on OR Logged off).
Forcefully loads NTUSER.DAT if the user is not logged in.
#>
# --- Configuration Settings ---
# Josys organization ID; written to each browser policy key as "OrganizationKey".
[string]$organizationKey = "YOUR_ORGANIZATION_KEY_HERE"
# Mail domain appended to the Windows user name ("<user>@<domain>"); no leading "@".
[string]$emailDomain = "YOUR_DOMAIN.COM"
# Policy key paths relative to a user hive root (HKEY_USERS\<SID>). The 32-character
# segment under "extensions" is the browser extension ID the policy belongs to.
[string]$chromeRelativePath = "SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\moaklgcgokbgplldonjkoochhlefkbjf\policy"
[string]$edgeRelativePath = "SOFTWARE\Policies\Microsoft\Edge\3rdparty\extensions\hjifncajikcdkhlofdjjlhcjoennmdfc\policy"
# Debug log: truncated when the script starts, then appended to by Write-Log.
# It records user names and e-mail addresses, so keep it in an admin-only location.
[string]$logFilePath = "C:\Windows\Temp\Set-Policy_FullDebug.log"
# ------------------------------
# --- Helper Functions ---
function Write-Log {
    <#
    .SYNOPSIS
    Emits one timestamped log line to the output stream and appends it to $logFilePath.
    .PARAMETER Message
    Text to log.
    .PARAMETER Type
    Severity tag placed in the line: INFO (default), WARNING or ERROR as used by callers.
    .NOTES
    $logFilePath is read from script scope. The file write is best-effort: a failure
    to append is deliberately ignored so that logging can never abort the run.
    #>
    param (
        [string]$Message,
        [string]$Type = "INFO"
    )
    $stamp = Get-Date -Format "yyyy/MM/dd HH:mm:ss"
    $line = '[{0}] [{1}] {2}' -f $stamp, $Type, $Message
    # Console (output stream) first, then the file.
    Write-Output $line
    Out-File -FilePath $logFilePath -InputObject $line -Encoding UTF8 -Append -ErrorAction SilentlyContinue
}
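function Set-BrowserPolicyKey {
    <#
    .SYNOPSIS
    Internal helper: writes UserEmail and OrganizationKey under one policy key,
    creating the key first when it does not exist.
    .PARAMETER KeyPath
    Full provider path of the policy key, e.g. "Registry::HKEY_USERS\<SID>\SOFTWARE\...\policy".
    .PARAMETER BrowserName
    Label used in log lines ("Chrome" / "Edge").
    .PARAMETER UserEmail
    Value written to the "UserEmail" string property.
    .PARAMETER OrgKey
    Value written to the "OrganizationKey" string property.
    .NOTES
    Never throws: every failure is logged with type ERROR via Write-Log and swallowed,
    so that one browser's failure does not stop the other from being configured.
    #>
    param (
        [string]$KeyPath,
        [string]$BrowserName,
        [string]$UserEmail,
        [string]$OrgKey
    )
    try {
        # -LiteralPath: the path is built from a SID and a fixed suffix, but a literal
        # match is the correct check for an existence test regardless.
        if (-not (Test-Path -LiteralPath $KeyPath)) {
            New-Item -Path $KeyPath -Force -ErrorAction Stop | Out-Null
            Write-Log " Created $BrowserName Key: $KeyPath"
        }
        # -Force overwrites existing values so re-running the script updates them.
        New-ItemProperty -Path $KeyPath -Name "UserEmail" -Value $UserEmail -PropertyType String -Force -ErrorAction Stop | Out-Null
        New-ItemProperty -Path $KeyPath -Name "OrganizationKey" -Value $OrgKey -PropertyType String -Force -ErrorAction Stop | Out-Null
        Write-Log " [SUCCESS] $BrowserName policies set."
    } catch {
        Write-Log " [ERROR] Failed to set $BrowserName policies: $($_.Exception.Message)" "ERROR"
    }
}

function Set-RegistryValues {
    <#
    .SYNOPSIS
    Writes the Josys extension policy values for Chrome and then Edge under one user hive.
    .PARAMETER BasePath
    Provider path of the hive root, e.g. "Registry::HKEY_USERS\S-1-5-21-..." or
    "Registry::HKEY_USERS\Temp_Load_..." for a hive this script loaded itself.
    .PARAMETER UserEmail
    E-mail address to store as "UserEmail".
    .PARAMETER OrgKey
    Organization ID to store as "OrganizationKey".
    .NOTES
    Reads $chromeRelativePath and $edgeRelativePath from script scope. Failures are
    logged per browser and do not propagate to the caller.
    #>
    param (
        [string]$BasePath, # e.g. "Registry::HKEY_USERS\S-1-5-21-..." or "Registry::HKEY_USERS\Temp_Loaded_..."
        [string]$UserEmail,
        [string]$OrgKey
    )
    # Chrome first, then Edge, matching the original processing order.
    $targets = @(
        @{ Browser = 'Chrome'; Relative = $chromeRelativePath },
        @{ Browser = 'Edge';   Relative = $edgeRelativePath }
    )
    foreach ($target in $targets) {
        Set-BrowserPolicyKey -KeyPath "$BasePath\$($target.Relative)" `
                             -BrowserName $target.Browser `
                             -UserEmail $UserEmail `
                             -OrgKey $OrgKey
    }
}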
# --- Main Script ---
# Start a fresh log file: -Force truncates whatever a previous run left behind.
Out-File -FilePath $logFilePath -InputObject "Script Started: $(Get-Date)" -Encoding UTF8 -Force
# Enumerate user profiles by SID from ProfileList. Only S-1-5-21 (domain / local
# machine accounts) and S-1-12-1 (Entra ID / Azure AD accounts) prefixes are kept,
# which leaves out the system and service profiles listed alongside them.
$profileListPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
$profiles = Get-ChildItem -Path $profileListPath |
    Where-Object { $_.PSChildName -match "^S-1-5-21|^S-1-12-1" }
if (!$profiles) {
    Write-Log "No user profiles found." "WARNING"
    exit
}
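foreach ($profile in $profiles) {
    $sid = $profile.PSChildName
    $profilePath = (Get-ItemProperty -Path $profile.PSPath -Name ProfileImagePath).ProfileImagePath
    Write-Log "--------------------------------------------------"
    Write-Log "Processing SID: $sid"
    Write-Log "Profile Path: $profilePath"
    # Resolve Username. The SecurityIdentifier constructor rejects malformed SID strings,
    # so a ProfileList entry that merely starts with the right prefix (for example a
    # stale "<SID>.bak" key) is skipped here instead of being passed on to reg.exe.
    try {
        $objSID = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $objUser = $objSID.Translate([System.Security.Principal.NTAccount])
        $fullUserName = $objUser.Value # DOMAIN\User
        $userName = if ($fullUserName -like "*\*") { $fullUserName.Split('\')[1] } else { $fullUserName }
        $userEmail = "$userName@$emailDomain"
        Write-Log "Target User: $userName / Email: $userEmail"
    } catch {
        Write-Log "Could not resolve username from SID. Skipping." "WARNING"
        continue
    }
    # A key named after the SID exists under HKEY_USERS only while that user's hive
    # is loaded, i.e. while the user is logged on. Write there directly.
    if (Test-Path "Registry::HKEY_USERS\$sid") {
        Write-Log "State: User is LOGGED ON (Hive already loaded)."
        Set-RegistryValues -BasePath "Registry::HKEY_USERS\$sid" -UserEmail $userEmail -OrgKey $organizationKey
        continue
    }
    Write-Log "State: User is LOGGED OFF (Hive NOT loaded)."
    # -LiteralPath: a profile folder containing "[" or "]" would otherwise be read as
    # a wildcard pattern and reported as missing.
    $ntUserDat = "$profilePath\NTUSER.DAT"
    if (-not (Test-Path -LiteralPath $ntUserDat)) {
        Write-Log "Critical: NTUSER.DAT not found at $ntUserDat. Skipping." "ERROR"
        continue
    }
    $tempHiveName = "Temp_Load_$sid"
    Write-Log "Attempting to load hive to HKEY_USERS\$tempHiveName..."
    # The file path is quoted explicitly because Start-Process joins -ArgumentList with spaces.
    $regLoadArgs = "load", "HKU\$tempHiveName", "`"$ntUserDat`""
    $p = Start-Process -FilePath "reg.exe" -ArgumentList $regLoadArgs -Wait -NoNewWindow -PassThru
    # $p is $null when reg.exe could not be started at all; treat that like a failed load.
    if (-not $p -or $p.ExitCode -ne 0) {
        Write-Log "Failed to load hive. Exit Code: $($p.ExitCode). EDR might be blocking 'reg load'." "ERROR"
        continue
    }
    Write-Log "Hive loaded successfully."
    try {
        Set-RegistryValues -BasePath "Registry::HKEY_USERS\$tempHiveName" -UserEmail $userEmail -OrgKey $organizationKey
    } finally {
        # The unload runs even if the write above threw: a hive left mounted under
        # HKU\Temp_Load_<SID> keeps NTUSER.DAT open, which is expected to break the
        # owner's next profile load. Collect first so .NET registry handles are
        # released before reg unload runs.
        [System.GC]::Collect()
        [System.GC]::WaitForPendingFinalizers()
        Write-Log "Unloading hive..."
        $regUnloadArgs = "unload", "HKU\$tempHiveName"
        $u = Start-Process -FilePath "reg.exe" -ArgumentList $regUnloadArgs -Wait -NoNewWindow -PassThru
        # The original ignored this exit code; a failed unload is exactly the case an
        # operator needs to see in the log.
        if (-not $u -or $u.ExitCode -ne 0) {
            Write-Log "Failed to unload hive HKU\$tempHiveName. Exit Code: $($u.ExitCode). It remains loaded until unloaded manually." "ERROR"
        }
    }
}
Write-Log "Script Finished."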