Cut 4427 disallow main folders path redirection (#150) (#151)

kmaranionjc · web-flow · commit 3bb70f44941c · 2025-01-03T12:11:41.000-08:00
* Cut 4427 disallow main folders path redirection (#150) * folder redirect validation * default path fix * functions test * docs * ver * test * test fix * test * tests * fix * redirect
diff --git a/ModuleChangelog.md b/ModuleChangelog.md
@@ -1,3 +1,15 @@
+## 2.7.10
+
+Release Date: January 3, 2025
+
+#### RELEASE NOTES
+```
+* This release prevents ADMU from migrating if one of the main user folders (Desktop, Downloads, Documents, Pictures, Music, Videos, Favorites) are redirected to network shared path
+```
+#### Bug Fixes:
+```
+* Fix issue when migrating a user with one of their main user folders are redirected to a network path. ADMU will now throw an error and prevent migration if any of the primary user folders (Desktop, Downloads, Documents, Pictures, Music, Videos, Favorites) are redirected to network shared path
+```
 ## 2.7.9
 
 Release Date: November 21, 2024
diff --git a/jumpcloud-ADMU/Docs/Start-Migration.md b/jumpcloud-ADMU/Docs/Start-Migration.md
@@ -14,16 +14,19 @@ Starts the JumpCloud Active Directory Migration process.
 ## SYNTAX
 
 ### cmd
+
 ```
 Start-Migration -JumpCloudUserName <String> -SelectedUserName <String> -TempPassword <String>
  [-LeaveDomain <Boolean>] [-ForceReboot <Boolean>] [-UpdateHomePath <Boolean>] [-InstallJCAgent <Boolean>]
  [-AutobindJCUser <Boolean>] [-BindAsAdmin <Boolean>] [-SetDefaultWindowsUser <Boolean>]
- [-JumpCloudConnectKey <String>] [-JumpCloudAPIKey <String>] [-JumpCloudOrgID <String>] [<CommonParameters>]
+ [-AdminDebug <Boolean>] [-JumpCloudConnectKey <String>] [-JumpCloudAPIKey <String>] [-JumpCloudOrgID <String>]
+ [-ValidateUserShellFolder <Boolean>] [-ProgressAction <ActionPreference>] [<CommonParameters>]
 ```
 
 ### form
+
 ```
-Start-Migration [-inputObject <Object>] [<CommonParameters>]
+Start-Migration [-inputObject <Object>] [-ProgressAction <ActionPreference>] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -259,7 +262,40 @@ Accept wildcard characters: False
 ```
 
 ### -SetDefaultWindowsUser
-Option to set the windows default login user to the migrated user post-migration. This parameter is not required and will default to $true (the next login window user will be the migrated user). Set to $false if you'd like to disable this functionality during migration. 
+
+Option to set the windows default login user to the migrated user post-migration. This parameter is not required and will default to $true (the next login window user will be the migrated user). Set to $false if you'd like to disable this functionality during migration.
+
+```yaml
+Type: System.Boolean
+Parameter Sets: cmd
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AdminDebug
+
+Option to display detailed messages during migration. This parameter is optional, but if set to $true, the CLI will show verbose output during the migration process
+
+```yaml
+Type: System.Boolean
+Parameter Sets: cmd
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ValidateUserShellFolder
+
+Option to bypass User Shell Folder validation. When set to `$false`, the migration will not verify whether folders (Desktop, Downloads, Documents, Videos, Pictures, Music, Favorites) are redirected to another location, such as a network shared folder (e.g., `\\192.168.50.78\SharedFolder\USERNAME\Desktop`). Use this parameter with caution. After migration, the user may encounter a shared folder error and will need to provide account credentials to restore their shared folders
 
 ```yaml
 Type: System.Boolean
@@ -274,14 +310,17 @@ Accept wildcard characters: False
 ```
 
 ### CommonParameters
+
 This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
 
 ## INPUTS
 
 ### None
+
 ## OUTPUTS
 
 ### System.Object
+
 ## NOTES
 
 ## RELATED LINKS
diff --git a/jumpcloud-ADMU/JumpCloud.ADMU.psd1 b/jumpcloud-ADMU/JumpCloud.ADMU.psd1
@@ -13,7 +13,7 @@
 
     # Version number of this module.
 
-    ModuleVersion     = '2.7.9'
+    ModuleVersion     = '2.7.10'
 
     # Supported PSEditions
     # CompatiblePSEditions = @()
diff --git a/jumpcloud-ADMU/Powershell/Form.ps1 b/jumpcloud-ADMU/Powershell/Form.ps1
@@ -153,7 +153,7 @@ function show-mtpSelection {
 <Window
         xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
         xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
-        Title="JumpCloud ADMU 2.7.9"
+        Title="JumpCloud ADMU 2.7.10"
         WindowStyle="SingleBorderWindow"
         ResizeMode="NoResize"
         Background="White" ScrollViewer.VerticalScrollBarVisibility="Visible" ScrollViewer.HorizontalScrollBarVisibility="Visible" Width="1020" Height="590">
diff --git a/jumpcloud-ADMU/Powershell/ProgressForm.ps1 b/jumpcloud-ADMU/Powershell/ProgressForm.ps1
@@ -37,7 +37,7 @@ function New-ProgressForm {
     <Window
     xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
     xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
-    Name="Window" Title="JumpCloud ADMU 2.7.9"
+    Name="Window" Title="JumpCloud ADMU 2.7.10"
     WindowStyle="SingleBorderWindow"
     ResizeMode="NoResize"
     Background="White" Width="720" Height="550  ">
diff --git a/jumpcloud-ADMU/Powershell/Start-Migration.ps1 b/jumpcloud-ADMU/Powershell/Start-Migration.ps1
@@ -750,7 +750,9 @@ Function Test-UserRegistryLoadState {
         # User Security Identifier
         [Parameter(Mandatory = $true)]
         [ValidatePattern("^S-\d-\d+-(\d+-){1,14}\d+$")]
-        [System.String]$UserSid
+        [System.String]$UserSid,
+        [Parameter(Mandatory = $false)]
+        [bool]$ValidateDirectory
     )
     begin {
         $results = REG QUERY HKU *>&1
@@ -767,16 +769,19 @@ Function Test-UserRegistryLoadState {
         }
     }
     process {
-        # Load New User Profile Registry Keys
         try {
             Set-UserRegistryLoadState -op "Load" -ProfilePath $ProfilePath -UserSid $UserSid -hive root
             Set-UserRegistryLoadState -op "Load" -ProfilePath $ProfilePath -UserSid $UserSid -hive classes
+            if ($ValidateDirectory) {
+                # return boolean for redirected user directories
+                $isFolderRedirect = Test-UserFolderRedirect -UserSid $UserSid
+            } else {
+                Write-ToLog "Skipping User Shell Folder Validation..."
+            }
         } catch {
             Write-AdmuErrorMessage -Error:("load_unload_error")
             Throw "Could Not Load User Registry During Test-UserRegistryLoadState Load Process"
         }
-        # Load Selected User Profile Keys
-        # Unload "Selected" and "NewUser"
         try {
             Set-UserRegistryLoadState -op "Unload" -ProfilePath $ProfilePath -UserSid $UserSid -hive root
             Set-UserRegistryLoadState -op "Unload" -ProfilePath $ProfilePath -UserSid $UserSid -hive classes
@@ -799,6 +804,15 @@ Function Test-UserRegistryLoadState {
                 throw "Registry Keys are still loaded after Test-UserRegistryLoadState Testing Exiting..."
             }
         }
+        # If isFolderRedirect is false throw error
+        if ($isFolderRedirect -and $ValidateDirectory) {
+            Write-AdmuErrorMessage -Error:("user_folder_redirection_error")
+            throw "Main user folders are redirected, exiting..."
+        } elseif ($ValidateDirectory -eq $false) {
+            Write-ToLog "Skipping User Shell Folder Validation..."
+        } else {
+            Write-ToLog "Main user folders are default for Usersid: $($UserSid), continuing..."
+        }
     }
 }
 
@@ -1745,6 +1759,10 @@ function Write-AdmuErrorMessage {
 
             $Script:ErrorMessage = "User Creation Error. Click the link below for troubleshooting information."
         }
+        "user_folder_redirection_error" {
+            Write-ToLog -Message:("User Folder Redirection Error: One of the user's main folder (Desktop, Downloads, Documents, Favorites, Pictures, Videos, Music) path is redirected. Verify that the user's main folders path are set to default and not redirected to another path (ie. Network Drive). Please refer to this link for more information: https://github.com/TheJumpCloud/jumpcloud-ADMU/wiki/troubleshooting-errors") -Level Error
+            $Script:ErrorMessage = "User Folder Redirection Error. Click the link below for troubleshooting information."
+        }
         Default {
             Write-ToLog -Message:("Error occured, please refer to this link for more information: https://github.com/TheJumpCloud/jumpcloud-ADMU/wiki/troubleshooting-errors") -Level Error
 
@@ -1847,6 +1865,74 @@ function Get-DomainStatus {
     # Return both statuses
     return $AzureADStatus, $LocalDomainStatus
 }
+
+# Function to validate that the user main folders are default and not redirected
+function Test-UserFolderRedirect {
+    param (
+        [Parameter(Mandatory = $true)]
+        [System.String]
+        $UserSid
+    )
+    begin {
+        if ("HKEY_USERS" -notin (Get-psdrive | select-object name).Name) {
+            Write-ToLog "Mounting HKEY_USERS"
+            New-PSDrive -Name:("HKEY_USERS") -PSProvider:("Registry") -Root:("HKEY_USERS") | Out-Null
+        }
+        $UserFolders = @( "Desktop", "Documents", "Downloads", "Favorites", "Music", "Pictures", "Videos" )
+        # Support doc for personal folders: https://support.microsoft.com/en-us/topic/operation-to-change-a-personal-folder-location-fails-in-windows-ffb95139-6dbb-821d-27ec-62c9aaccd720
+        $regFoldersPath = "HKEY_USERS:\$($UserSid)_admu\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
+        Write-ToLog -Message:("Checking User Shell Folders for USERSID: $($UserSid)")
+    }
+    process {
+
+        if (Test-Path -Path $regFoldersPath) {
+            $redirectedDirectory = $false
+            # Save all the boolean to a hash table
+            foreach ($userFolder in $UserFolders) {
+                switch ($userFolder) {
+                    "Desktop" {
+                        $folderRegKey = "Desktop"
+                    }
+                    "Documents" {
+                        $folderRegKey  = "Personal"
+                    }
+                    "Downloads" {
+                        $folderRegKey  = "{374DE290-123F-4565-9164-39C4925E467B}"
+                    }
+                    "Favorites" {
+                        $folderRegKey  = "Favorites"
+                    }
+                    "Music" {
+                        $folderRegKey  = "My Music"
+                    }
+                    "Pictures" {
+                        $folderRegKey  = "My Pictures"
+                    }
+                    "Videos" {
+                        $folderRegKey  = "My Video"
+                    }
+                }
+                # Get the registry value for the user folder
+                $folderRegKeyValue = (Get-Item -path $regFoldersPath ).GetValue($folderRegKey , '', 'DoNotExpandEnvironmentNames')
+                $defaultRegFolder = "%USERPROFILE%\$userFolder"
+                # If the registry value does not match the default path, set redirectedDirectory to true and log the error
+                if ($folderRegKeyValue -ne $defaultRegFolder) {
+                    Write-ToLog -Message:("$($userFolder) path value: $($folderRegKeyValue) does not match default path  - $($defaultRegFolder)") -Level Error
+                    $redirectedDirectory = $true
+                } else {
+                    Write-ToLog -Message:("User Shell Folder: $($userFolder) is default")
+                }
+            }
+        } else {
+            # If the registry path does not exist, set redirectedDirectory to true and log the error
+            Write-ToLog -Message:("User Shell registry folders not found in registry") -Level Error
+            $redirectedDirectory = $true
+        }
+    }
+    end {
+        return $redirectedDirectory
+    }
+}
 Function Start-Migration {
     [CmdletBinding(HelpURI = "https://github.com/TheJumpCloud/jumpcloud-ADMU/wiki/Start-Migration")]
     Param (
@@ -1864,6 +1950,7 @@ Function Start-Migration {
         [Parameter(ParameterSetName = 'cmd', Mandatory = $false)][ValidateLength(40, 40)][string]$JumpCloudConnectKey,
         [Parameter(ParameterSetName = 'cmd', Mandatory = $false)][string]$JumpCloudAPIKey,
         [Parameter(ParameterSetName = 'cmd', Mandatory = $false)][ValidateLength(24, 24)][string]$JumpCloudOrgID,
+        [Parameter(ParameterSetName = 'cmd', Mandatory = $false)][bool]$ValidateUserShellFolder = $true,
         [Parameter(ParameterSetName = "form")][Object]$inputObject)
 
     Begin {
@@ -1883,8 +1970,7 @@ Function Start-Migration {
         $AGENT_INSTALLER_URL = "https://cdn02.jumpcloud.com/production/jcagent-msi-signed.msi"
         $AGENT_INSTALLER_PATH = "$windowsDrive\windows\Temp\JCADMU\jcagent-msi-signed.msi"
         $AGENT_CONF_PATH = "$($AGENT_PATH)\Plugins\Contrib\jcagent.conf"
-        $admuVersion = '2.7.9'
-
+        $admuVersion = '2.7.10'
         # Log Windows System Version Information
         Write-ToLog -Message:("OSName: $($systemVersion.OSName), OSVersion: $($systemVersion.OSVersion), OSBuildNumber: $($systemVersion.OsBuildNumber), OSEdition: $($systemVersion.WindowsEditionId)")
 
@@ -1899,10 +1985,6 @@ Function Start-Migration {
             $profileSize = Get-ProfileSize -profilePath $oldUserProfileImagePath
 
             $JumpCloudUserName = $inputObject.JumpCloudUserName
-
-
-
-
             if (($inputObject.JumpCloudConnectKey).Length -eq 40) {
                 $JumpCloudConnectKey = $inputObject.JumpCloudConnectKey
             }
@@ -1932,7 +2014,6 @@ Function Start-Migration {
             $UpdateHomePath = $inputObject.UpdateHomePath
         } else {
             $useragent = "JumpCloud_ADMU.Powershell/$($admuVersion)"
-            Write-ToLog -Message:("UserAgent: $useragent")
             $SelectedUserSid = Test-UsernameOrSID $SelectedUserName
         }
 
@@ -2180,8 +2261,8 @@ Function Start-Migration {
 
             Write-ToLog -Message:('Verifying registry files can be loaded and unloaded')
             try {
-                Test-UserRegistryLoadState -ProfilePath $newUserProfileImagePath -UserSid $newUserSid
-                Test-UserRegistryLoadState -ProfilePath $oldUserProfileImagePath -UserSid $SelectedUserSID
+                Test-UserRegistryLoadState -ProfilePath $newUserProfileImagePath -UserSid $newUserSid -ValidateDirectory $ValidateUserShellFolder
+                Test-UserRegistryLoadState -ProfilePath $oldUserProfileImagePath -UserSid $SelectedUserSID -ValidateDirectory $ValidateUserShellFolder
             } catch {
                 Write-ToLog -Message:('Could not load and unload registry of migration user during Test-UserRegistryLoadState, exiting') -level Warn
                 $admuTracker.testRegLoadUnload.fail = $true
diff --git a/jumpcloud-ADMU/Powershell/Tests/Functions.Tests.ps1 b/jumpcloud-ADMU/Powershell/Tests/Functions.Tests.ps1
@@ -709,4 +709,40 @@ Describe 'Functions' {
             }
         }
     }
+
+    # Test for Test-UserFolderRedirect
+    Context 'Validates that the User shell folder for default values' {
+        BeforeAll {
+            if ((Get-psdrive | select-object name) -notmatch "HKEY_USERS") {
+                New-PSDrive -Name:("HKEY_USERS") -PSProvider:("Registry") -Root:("HKEY_USERS")
+            }
+            #$currentSID = ([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value
+            $newUser = "ADMU_User" + -join ((65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object { [char]$_ })
+            $password = '$T#st1234'
+            InitUser -UserName $newUser -Password $Password
+
+            $userSid = Test-UsernameOrSID -usernameOrSid $newUser
+            # Load the registry hive for the user and add _admu after the sid
+            REG LOAD HKU\$($userSid)_admu "C:\Users\$newUser\NTUSER.DAT" *>&1
+        }
+        # Test for Test-UserFolderRedirect should be default values
+        It 'Test-UserFolderRedirect - Default values' {
+            $folderRedirect = Test-UserFolderRedirect -UserSid $userSid
+            $folderRedirect | Should -Be $false
+        }
+        # Test for Test-UserFolderRedirect with one of the folder redirect values changed
+        It 'Test-UserFolderRedirect - One value changed' {
+            # Change the value of the folder Desktop to a different value
+            $folderPath = "HKEY_USERS:\$($userSid)_admu\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
+            Set-ItemProperty -Path $folderpath -Name Desktop -Value "\\server\share\desktop"
+            {Test-UserFolderRedirect -UserSid $userSid} | Should -Throw
+            # Change the value of the folder Desktop back to the default value
+            Set-ItemProperty -Path $folderpath -Name Desktop -Value "%USERPROFILE%\Desktop"
+
+        }
+        # Test for Invalid SID or Invalid User Shell Folder
+        It 'Test-UserFolderRedirect - Invalid SID or Invalid User Shell Folder' {
+            {Test-UserFolderRedirect -UserSid "Invalid-3361044348-30300820-1001"} | Should -Throw
+        }
+    }
 }
diff --git a/jumpcloud-ADMU/en-US/JumpCloud.ADMU-help.xml b/jumpcloud-ADMU/en-US/JumpCloud.ADMU-help.xml
