powershell 是否可以使用脚本自动检查“将所有子对象权限项替换为该对象的可继承权限项”?

gblwokeq  于 2023-06-06  发布在  Shell
关注(0)|答案(1)|浏览(172)

首先,我知道有软件创建了这一点,但我试图提出这一点的企业是一种严格的让任何旧的应用程序进入环境。我有一个Powershell脚本,它完全可以做我需要它做的事情。几乎。我正试图从系统中完全删除用户配置文件,但删除每一个最后的文件夹,子文件夹和文件,以及整个用户文件夹本身失败。
这个脚本将删除我选择的任何用户,并排除我选择的任何用户。效果很好!它从设置中删除配置文件,从注册表编辑器中删除密钥,从“查看高级系统设置”中删除用户

$usersToDelete = "userb"
$excludedUserNames = "Administrator", "DefaultAccount", "Guest", "vboxuser"

foreach ($user in $usersToDelete) {
    Get-LocalUser $user | Remove-LocalUser
}

Get-WmiObject -Class Win32_UserProfile | Where-Object { $_.LocalPath -match "^C:\\Users\\($([string]::Join('|', $usersToDelete)))$" -and $_.SID -notmatch "^S-1-5-18$" -and $_.SID -notmatch "^S-1-5-19$" -and $_.SID -notmatch "^S-1-5-20$" } | ForEach-Object {
    $sid = $_.SID
    $username = $_.LocalPath -replace "^C:\\Users\\"
    if ($username -notin $excludedUserNames) {
        Remove-WmiObject -Class Win32_UserProfile -Filter "SID='$sid'" -ErrorAction SilentlyContinue
        $userPath = "C:\Users\$username"
        if (Test-Path $userPath) { Remove-Item $userPath -Recurse -Force }
        Remove-Item "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid" -Recurse -Force -ErrorAction SilentlyContinue
        Remove-Item -Path "C:\Users\$username" -Recurse -Force -ErrorAction SilentlyContinue
        
        foreach ($user in $usersToDelete) {
            Get-LocalUser $user | Remove-LocalUser
        }
    
    }
    
}
$usersToDelete = "userb"

foreach ($user in $usersToDelete) {
    $userPath = "C:\Users\$user"
    if (Test-Path $userPath) {
        Remove-Item $userPath -Recurse -Force
    }
}

不幸的是,它会在Windows资源管理器中的文件夹中被卡住。它被阻止的主要文件夹是“C:\Users\USERNAME\AppData\Local\Application Data”我找到了一个修复程序,可以让我运行此脚本并删除整个用户文件夹。检查“替换所有子对象权限条目与此对象的可继承权限条目”通过右键单击我要删除的文件夹->属性->安全->高级的用户定位。一旦我选中该框并重新运行脚本,就我所知,用户将完全从PC中删除。有没有一种方法可以将其自动化到批处理文件中,或者(更好的方法)将其放入我的脚本中?我需要的能力,这样做的多个用户以及我选择的用户。谢谢你!
这是一对夫妇的批处理文件,我试图授予自己的权限,但总是有一些文件或文件夹,返回一个“访问拒绝”错误。

set folder="C:\Users\userb\appdata"
takeown /F %folder% /R /D Y
icacls %folder% /reset /T
icacls %folder% /inheritance:r /grant:r "Authenticated Users":(OI)(CI)F /T
icacls %folder% /setowner "NT AUTHORITY\SYSTEM" /T
icacls %folder% /grant:r "SYSTEM":(OI)(CI)F /T
pause
set folder="C:\Users\userb\appdata"
takeown /F %folder% /R /D Y
icacls %folder% /reset /T
icacls %folder% /inheritance:r /grant:r "Authenticated Users":(OI)(CI)F /T
icacls %folder% /setowner "NT AUTHORITY\SYSTEM" /T
icacls %folder% /grant:r "SYSTEM":(OI)(CI)F /T
pause

这是ChatGPT抛给我的一些解决方案。但都不管用。

``$FolderPath = "C:\Users\usera\AppData\Local\Application Data"

# Get the folder object
$FolderACL = Get-Acl -Path $FolderPath

# Enable inheritance for all child objects
$FolderACL.SetAccessRuleProtection($false, $true)

# Apply the changes to the folder
Set-Acl -Path $FolderPath -AclObject $FolderACL

Other script that may grant access
icacls C:\Users\vboxuser\AppData\Local /grant USERNAME:(OI)(CI)F /T`

也许这也是

`# Remove the user profile
Get-WmiObject -Class Win32_UserProfile | Where-Object { $_.SID -eq $UserSID } | ForEach-Object {
    $ProfilePath = $_.LocalPath
    Remove-WmiObject -InputObject $_
    Remove-Item -Path $ProfilePath -Recurse -Force
}

就是这个

# Specify the username whose profile you want to remove
`$Username = "UserA"`

# Get the SID of the user
`$UserSID = (Get-LocalUser -Name $Username).SID.Value`

# Remove the user profile
`Get-WmiObject -Class Win32_UserProfile | Where-Object { $_.SID -eq $UserSID } | ForEach-Object {
    $ProfilePath = $_.LocalPath
    Remove-WmiObject -InputObject $_
    Remove-Item -Path $ProfilePath -Recurse -Force
}`

# Remove the user's registry key
`Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$UserSID" -Recurse -Force`

# Remove the user account
`Remove-LocalUser -Name $Username -Force``
$profilePath = "C:\Users\vboxuser"

$shell = New-Object -ComObject Shell.Application
$folder = $shell.NameSpace($profilePath)
$item = $folder.Self

$security = $item.GetAccessControl(1)
$securityDialog = $folder.ParentFolder.ParseName($item.Name).InvokeVerb("properties")

Start-Sleep -Milliseconds 1000

[System.Windows.Forms.SendKeys]::SendWait("{TAB}{TAB}{TAB}{TAB}{TAB}{SPACE}")

Start-Sleep -Milliseconds 500

[System.Windows.Forms.SendKeys]::SendWait("{TAB}{DOWN}{TAB}{TAB}{SPACE}")

Start-Sleep -Milliseconds 500

[System.Windows.Forms.SendKeys]::SendWait("{TAB}{SPACE}")

Start-Sleep -Milliseconds 500

[System.Windows.Forms.SendKeys]::SendWait("{TAB}{ENTER}")

Start-Sleep -Milliseconds 500

$securityDialog.Close()

我也尝试过,但仍然没有效果。https://stackoverflow.com/questions/71876626/how-to-replace-all-child-object-permission-entries-with-inheritable-permission`

vltsax25

vltsax251#

我想你已经用takeown和icacls完成了大部分工作,因为你确实需要首先更新所有权和权限,因为默认情况下你没有访问权限。以下内容对我来说很有用

Write-Output "`nTaking ownership of the folder"
TAKEOWN /F $userPath /A /R /D "Y" 1>$null

# Apply full access permissions for administrators with ICACLS
write-output "`nUpdating permissions"
ICACLS $userPath /grant Administrators:F /T 1>$null

Write-Output "`nDeleting user folder"
Remove-Item -Recurse -Force $userPath 2>&1

这在很大程度上就是上面的内容,但是在TAKEOWN的代码中,您缺少了/a开关,该开关将所有权赋予Administrators组。加上我的显然不费心试图通过ICACLS改变事情的所有权方面…但既然我知道这对我的设置有效,我想这可能会有所不同。
另外,这个代码块和上面的代码块在格式/语法上的细微差异是因为那是批处理脚本代码,而这个代码块运行在我的主PowerShell代码中。

相关问题