Can I automate checking the "replace all child object permissions entries with inheritable permission entries from this object" with a script?

huangapple go评论71阅读模式
英文:

Can I automate checking the "replace all child object permissions entries with inheritable permission entries from this object" with a script?

问题

I understand that you're looking for a way to automate the process of granting permissions to delete user profiles completely. To address this, you can use PowerShell commands to take ownership of the user profile folder and reset permissions. Here's a modified version of your batch commands in PowerShell format:

$folderPath = "C:\Users\userb\AppData"
$folderAcl = Get-Acl -Path $folderPath

# Enable inheritance for all child objects
$folderAcl.SetAccessRuleProtection($false, $true)

# Add permissions for Authenticated Users
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Authenticated Users", "FullControl", "ObjectInherit,ContainerInherit", "None", "Allow")
$folderAcl.AddAccessRule($rule)

# Set ownership to SYSTEM
$system = New-Object System.Security.Principal.NTAccount("NT AUTHORITY\SYSTEM")
$folderAcl.SetOwner($system)

# Apply the changes to the folder
Set-Acl -Path $folderPath -AclObject $folderAcl

You can run this PowerShell script to automate the permission changes for user profile folders. Make sure to adjust the $folderPath variable to the appropriate user's profile folder. This script should help grant necessary permissions and allow you to delete user profiles more easily.

Please test this script in a safe environment to ensure it works as expected before using it in a production setting.

英文:

First off I am aware there is software created for this but I am attempting to present this to an entrprise that is kind of strict on letting any old app into the environment. I have a Powershell script that does exactly what I need it to do... almost. I am attempting to remove user profile completely from a system but am failing at removing every last folder,subfolder, and file, as well as, the entire user folder itself.

This is the script that will remove any user of my choosing as well as exclude any user of my choosing. It works great! It removes the profile from settings, the key from regedit, and the user from "view advanced system settings"

$usersToDelete = "userb"
$excludedUserNames = "Administrator", "DefaultAccount", "Guest", "vboxuser"

foreach ($user in $usersToDelete) {
    Get-LocalUser $user | Remove-LocalUser
}

Get-WmiObject -Class Win32_UserProfile | Where-Object { $_.LocalPath -match "^C:\\Users\\($([string]::Join('|', $usersToDelete)))$" -and $_.SID -notmatch "^S-1-5-18$" -and $_.SID -notmatch "^S-1-5-19$" -and $_.SID -notmatch "^S-1-5-20$" } | ForEach-Object {
    $sid = $_.SID
    $username = $_.LocalPath -replace "^C:\\Users\\"
    if ($username -notin $excludedUserNames) {
        Remove-WmiObject -Class Win32_UserProfile -Filter "SID='$sid'" -ErrorAction SilentlyContinue
        $userPath = "C:\Users$username"
        if (Test-Path $userPath) { Remove-Item $userPath -Recurse -Force }
        Remove-Item "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList$sid" -Recurse -Force -ErrorAction SilentlyContinue
        Remove-Item -Path "C:\Users$username" -Recurse -Force -ErrorAction SilentlyContinue
        
        foreach ($user in $usersToDelete) {
            Get-LocalUser $user | Remove-LocalUser
        }
    
    }
    
}
$usersToDelete = "userb"

foreach ($user in $usersToDelete) {
    $userPath = "C:\Users$user"
    if (Test-Path $userPath) {
        Remove-Item $userPath -Recurse -Force
    }
}


Unfortunately It gets held up at the folders in windows explorer. The main folder it gets held up on is "C:\Users\USERNAME\AppData\Local\Application Data"
I have found a fix that will allow me to run this script and delete the entire user folder.
Checking the "replace all child object permissions entries with inheritable permission entries from this object" Located by right click the USER that I want deleted folder -> Properties -> Security -> Advanced.
Once I check that box and re-run the script, the user is completely wiped from the PC as far as I can tell. Is there a way to automate this into a batch file or (even better) place it into my script? I would need the ability to do it for multiple users as well as the users of my choosing. Thank you!

These are a couple of batch files I have tried to grant myself permission but there is ALWAYS some file or folder that returns an "access denied" error.

set folder="C:\Users\userb\appdata"
takeown /F %folder% /R /D Y
icacls %folder% /reset /T
icacls %folder% /inheritance:r /grant:r "Authenticated Users":(OI)(CI)F /T
icacls %folder% /setowner "NT AUTHORITY\SYSTEM" /T
icacls %folder% /grant:r "SYSTEM":(OI)(CI)F /T
pause

set folder="C:\Users\userb\appdata"
takeown /F %folder% /R /D Y
icacls %folder% /reset /T
icacls %folder% /inheritance:r /grant:r "Authenticated Users":(OI)(CI)F /T
icacls %folder% /setowner "NT AUTHORITY\SYSTEM" /T
icacls %folder% /grant:r "SYSTEM":(OI)(CI)F /T
pause

And this is some of the solutions ChatGPT threw at me. None of which worked.

``$FolderPath = "C:\Users\usera\AppData\Local\Application Data"

# Get the folder object
$FolderACL = Get-Acl -Path $FolderPath

# Enable inheritance for all child objects
$FolderACL.SetAccessRuleProtection($false, $true)

# Apply the changes to the folder
Set-Acl -Path $FolderPath -AclObject $FolderACL


Other script that may grant access
icacls C:\Users\vboxuser\AppData\Local /grant USERNAME:(OI)(CI)F /T`

maybe this too\

`# Remove the user profile
Get-WmiObject -Class Win32_UserProfile | Where-Object { $_.SID -eq $UserSID } | ForEach-Object {
    $ProfilePath = $_.LocalPath
    Remove-WmiObject -InputObject $_
    Remove-Item -Path $ProfilePath -Recurse -Force
}

that is from this

# Specify the username whose profile you want to remove
`$Username = "UserA"`

# Get the SID of the user
`$UserSID = (Get-LocalUser -Name $Username).SID.Value`

# Remove the user profile
`Get-WmiObject -Class Win32_UserProfile | Where-Object { $_.SID -eq $UserSID } | ForEach-Object {
    $ProfilePath = $_.LocalPath
    Remove-WmiObject -InputObject $_
    Remove-Item -Path $ProfilePath -Recurse -Force
}`

# Remove the user's registry key
`Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList$UserSID" -Recurse -Force`

# Remove the user account
`Remove-LocalUser -Name $Username -Force``


$profilePath = "C:\Users\vboxuser"

$shell = New-Object -ComObject Shell.Application
$folder = $shell.NameSpace($profilePath)
$item = $folder.Self

$security = $item.GetAccessControl(1)
$securityDialog = $folder.ParentFolder.ParseName($item.Name).InvokeVerb("properties")

Start-Sleep -Milliseconds 1000

[System.Windows.Forms.SendKeys]::SendWait("{TAB}{TAB}{TAB}{TAB}{TAB}{SPACE}")

Start-Sleep -Milliseconds 500

[System.Windows.Forms.SendKeys]::SendWait("{TAB}{DOWN}{TAB}{TAB}{SPACE}")

Start-Sleep -Milliseconds 500

[System.Windows.Forms.SendKeys]::SendWait("{TAB}{SPACE}")

Start-Sleep -Milliseconds 500

[System.Windows.Forms.SendKeys]::SendWait("{TAB}{ENTER}")

Start-Sleep -Milliseconds 500

$securityDialog.Close()

I also attempted this and it still did not work. https://stackoverflow.com/questions/71876626/how-to-replace-all-child-object-permission-entries-with-inheritable-permission`

答案1

得分: 1

以下是您要翻译的内容:

我认为你在使用takeown和icacls时已经做得差不多了,因为你确实需要先更新所有权和权限,因为默认情况下你没有访问权限。以下是我用来解决这个问题的方法:

Write-Output "`nTaking ownership of the folder"
TAKEOWN /F $userPath /A /R /D "Y" 1>$null

# Apply full access permissions for administrators with ICACLS
write-output "`nUpdating permissions"
ICACLS $userPath /grant Administrators:F /T 1>$null

Write-Output "`nDeleting user folder"
Remove-Item -Recurse -Force $userPath 2>&1

这基本上与您上面的代码类似,但在您的TAKEOWN代码中,您缺少了/a开关,该开关将所有权交给了Administrators组。此外,我显然不打算通过ICACLS尝试更改所有权方面的内容...但由于我知道这在我的设置中起作用,我猜这可能会有所不同。

此外,这段代码与上面的代码块之间的略微差异是因为那是批处理脚本代码,而这个在我的主要PowerShell代码中运行。

英文:

I think you're most of the way there with the takeown and icacls, as you do indeed need to update the ownership and permissions first, as by default you won't have access. The following does the trick for me

Write-Output "`nTaking ownership of the folder"
TAKEOWN /F $userPath /A /R /D "Y" 1>$null

# Apply full access permissions for administrators with ICACLS
write-output "`nUpdating permissions"
ICACLS $userPath /grant Administrators:F /T 1>$null

Write-Output "`nDeleting user folder"
Remove-Item -Recurse -Force $userPath 2>&1

which is largely what you have above, but within the bit of code you have with TAKEOWN you're missing the /a switch which gives ownership to the Administrators group. Plus mine obviously doesn't bother trying to change the ownership side of things via ICACLS... but since I know this works on my setup I'd guess that may make a difference.

Also the slight difference in formatting/syntax between this and the code block above is because that's batchscript code, whereas this runs in my main Powershell code.

huangapple
  • 本文由 发表于 2023年5月7日 12:01:26
  • 转载请务必保留本文链接:https://go.coder-hub.com/76192149.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定