How do you delete user profiles in powershell? - powershell

I am writing a powershell script to delete user profiles and I understand the method I am using is not the best. I was wondering what would be a better way to do it? I am still very much new to powershell but I am willing to learn
The code I already have:
$ErrorActionPreference= 'silentlycontinue'
$Users = Get-WmiObject -Class Win32_UserProfile
$IgnoreList = "helpdesk", "administrator", "Default"
:OuterLoop
foreach ($User in $Users) {
foreach ($name in $IgnoreList) {
if ($User.localpath -like "*\$name") {
continue OuterLoop
}
}
$User.Delete()
}

Why script this when the enterprise approach is GPO?
How to Delete Old User Profiles Using GPO and PowerShell?
No reason to do this from scratch, leverage what others have provided...
Use PowerShell to remove local profiles
How to delete user profiles older than a specified number of days in Windows
...as well as the modules from the MS powershellgallery.com, as you look at whatever approach you decide to use.
Find-Module -Name '*user*profile*' | Format-Table -AutoSize
<#
# Results
Version Name Repository Description
------- ---- ---------- -----------
1.0 UserProfile PSGallery This module manages user profiles on local and remote computers
0.1.1 Microsoft.Graph.Users.ProfilePhoto PSGallery Microsoft Graph PowerShell Cmdlets
1.0.6 Get-UserProfile PSGallery The Get-UserProfile module list or remove User Profiles from local
#>
Find-Module -Name '*userprofile*' | Format-List -Force
Update
Yet, you specifically said...
'I understand the method I am using is not the best. I was wondering what would be a better way to do it?'
... and what we all have suggested, using GPO is the best way, the normal industry-accepted enterprise way to do this. Don't script, unless you have no other choice. Windows AD will do this for you.
Don't reinvent the wheel unless you know it's really a better wheel. In learning, of course, there is study, trial, and error, but learn and use from sources that have already done this. There are tons of examples all over the web for this use case. Just search for it. No reason to do this from scratch.
'powershell remove user profiles'
Which are showing what you are already doing... Example(s) - pre-built scripts for this use case via the MS powershellgallery.com.
Use PowerShell delete a user profile (step-by-step guide)
Get-CimInstance -ComputerName SRV1,SRV2,SRV3 -Class Win32_UserProfile |
Where-Object { $_.LocalPath.split('\')[-1] -eq 'UserA' } |
Remove-CimInstance
Remove-UserProfile - Remove Local User Profiles and Clean C:\Users Directory
This script contains a function (Remove-UserProfile) which is used to
remove user profiles, and additional contents of the C:\Users
directory (if specified) on a local computer.
Download: Remove-UserProfile.ps1
Delete Unused user Profiles on local machine (PowerShell)
Script Delete user profiles over multiple servers v2
And using the modules that you see from the above commands is not something to do later in life. Those are in / available from MS and in PowerShell directly for a reason. Everything you are using in PowerShell is coming from modules hosted on your machine and the ones you download and install from MS and other resources.
Again, use the built-in enterprise tools in Windows or other chosen OS as designed, and if they don't provide what you need, then look to other options, like scripting to an object-level that the enterprise tool is not exposing in its GUI.

I do a similar thing. With a lot of profiles, I've found I've had to wait for the cpu to calm down because of the appxsvc service spawning threads without limit. I used to delete per-user firewall rules, but that doesn't seem necessary anymore.
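# $profiles was not defined in the post; assumed to be the full Win32_UserProfile list
$profiles = Get-WmiObject -Class Win32_UserProfile
$excludedprofilelist = 'C:\Users\admin1','C:\users\admin2'
$myprofiles = $profiles | where { !$_.Special -and
$excludedprofilelist -notcontains $_.LocalPath }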
$sleepseconds = 1
$numcores = 4
foreach ($profile in $myprofiles) {
$msg = "deleting profile " + $profile.LocalPath
$profile | remove-wmiobject
$msg = $msg + " $?"
echo $msg # the result
# recycle bin
if (test-path c:\`$recycle.bin\$($profile.sid)) {
rm -r c:\`$recycle.bin\$($profile.sid) -force
}
# wait for appx cleanup, what if profile delete error?
#while ( (get-appxpackage -user $profile.sid).count ) {
# sleep 1
#}
do {
# make sure it's running
$id = Get-WmiObject -Class Win32_Service -Filter "Name = 'appxsvc'" |
Select-Object -ExpandProperty ProcessId
# $proc = get-process -id $id
# access is denied
# $proc.priorityclass = 'belownormal'
$cpu1 = (get-process -Id $id).cpu
sleep $sleepseconds
$cpu2 = (get-process -Id $id).cpu
$cpu = [int](($cpu2 - $cpu1)/($numcores*$sleepseconds) * 100)
} while ($cpu)
}
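A profile clean-up that guards against the failure modes the scripts above leave open (deleting a profile that is in use, deleting service profiles, and hiding every error behind 'silentlycontinue'), as an added example that is not code from any of the posts. The function name and the $MaxAgeDays threshold are assumptions; the ignore list reuses the names from the question.

```powershell
function Remove-StaleUserProfile {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [string[]]$IgnoreList = @('helpdesk', 'administrator', 'Default'),
        [int]$MaxAgeDays = 90   # assumed threshold, adjust to policy
    )

    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)

    $candidates = Get-CimInstance -ClassName Win32_UserProfile | Where-Object {
        -not $_.Special -and                      # skip system and service profiles
        -not $_.Loaded -and                       # skip profiles currently in use
        $_.LocalPath -and
        $_.LastUseTime -and $_.LastUseTime -lt $cutoff -and
        $IgnoreList -notcontains (Split-Path -Path $_.LocalPath -Leaf)
    }

    foreach ($p in $candidates) {
        # -WhatIf / -Confirm are honoured here, before anything is removed
        if (-not $PSCmdlet.ShouldProcess($p.LocalPath, 'Delete user profile')) { continue }
        try {
            Remove-CimInstance -InputObject $p -Confirm:$false -ErrorAction Stop
            $status = 'deleted'
        } catch {
            # Report the failure instead of silently continuing
            $status = "failed: $($_.Exception.Message)"
        }
        [PSCustomObject]@{
            Path    = $p.LocalPath
            SID     = $p.SID
            LastUse = $p.LastUseTime
            Status  = $status
        }
    }
}

# Dry run: shows which profiles would be deleted without touching them
Remove-StaleUserProfile -WhatIf
```

Run it with -Confirm:$false only after the dry-run output has been reviewed; the returned objects can be piped to Export-Csv as a record of what was removed.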

Related

Pulling Win10 activation codes from remote computers

I'm brand new to PS scripting, so bear with me :)
I'm trying to create a PS script that will write the Win10 activation code to a file then copy that file to a central repo to then manually activate.
I'm creating a PS script and trying to run
cscript.exe c:\windows\system32\slmgr.vbs -dti > $SourceDir\$env:computername.txt
$SourceDir = \\computer01\c$\temp
I need to run it from one computer, remotely connecting to every computer on the network, creating the computername.txt file then copying that file back to a central repository for all the files.
What I have so far:
$s1=New-PSSession -ComputerName computer01 -Credential $AdminCred
Test-Connection -ComputerName computer01
$id='\\computer01\windows\system32'
$SourceDir='\\computer01\c$\temp'
md $SourceDir
$GetActID=cscript.exe $id\slmgr.vbs -dti > $SourceDir\$env:computername.txt
Invoke-Command -Session $s1 -ScriptBlock { $Using:GetActID }
Then I call a batch file that copies the computername.txt file from the computer01 over to a repository where they are going to sit.
I FINALLY got it working correctly except for the name of the file isn't naming it to the computer01, it's naming it with the hostname of the computer I'm running it from, therefore the filenames are identical. I had the naming piece working, but I had to change the way I was remoting into the computer and now it's not naming correctly.
Any idea on how I could get it to name the file to be related to the remote computer?
**I'm still working on the whole piece of the puzzle where it goes back to an excel sheet pulled from AD and pulls the host names from that sheet to connect to each machine, I believe I'll be adding a ForEach syntax in there somehow for that.
Although not sure how you are getting the list of "every computer on the network", chances are you are doing this using
# get a list of all AD computers (their names only)
$computers = (Get-ADComputer -Filter *).Name
Then I think you don't need to have every computer save the file on its own disk and later copy these files to a central share.
Instead, just capture the info in a variable and after the loop write the file to the central share as structured CSV file combining all computernames and install id's so you can open in Excel.
Using the array of computernames from above, iterate through them
$result = $computers | ForEach-Object {
# test if the computer can be reached
if (Test-Connection -ComputerName $_ -Count 1 -Quiet) {
$installId = Invoke-Command -ComputerName $_ -ScriptBlock {
cscript.exe //nologo "$env:SystemRoot\System32\slmgr.vbs" -dti
}
# $installId is returned as array !
# output an object with two properties
[PsCustomObject]@{
Computer = $_
InstallId = $installId[0] -replace '\D' # remove everything non-numeric
}
}
else {
Write-Warning "Computer $_ is not responding"
}
}
# now you can display the result on screen
$result | Format-Table -AutoSize
# or by means of the GridView if you prefer
$result | Out-GridView -Title 'Computer InstallIds'
# and save the results in your central share as structured CSV file
$result | Export-Csv -Path '\\server\share\restofpath\ComputerInstallIds.csv' -NoTypeInformation
You may have to append -Credential $adminCreds to the Invoke-Command call to make sure you have permissions to have each machine run that piece of code in the scriptblock. The easiest way of obtaining that credential is to start off with $adminCreds = Get-Credential -Message "Please enter administrator credentials"

Can I compare multiple computers using PowerShell? Specifically finding out which ones have a specific program and which ones dont

I need to compare multiple computers, finding out which ones have a specific program and which ones do not using PowerShell.
I am very new to this (about a week of PowerShell experience) so any help will be appreciated.
Yes, you can remotely check whether software is installed or not:
# We need to check for both 64-bit and 32-bit software
$regPaths = "HKLM:\SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall",
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
# Get the name of all installed software registered in the registry with Office in the name
# (you can search for exact strings if you know them for specific versions)
$regPaths | Foreach-Object {
( Get-ItemProperty "${_}\*" DisplayName -EA SilentlyContinue ).DisplayName | Where-Object {
$_ -match 'ADD_REMOVE_PROGRAMS_NAME'
}
}
How this works is it checks both the 32 and 64 bit registries for the installed software. Under the line $_ -match 'ADD_REMOVE_PROGRAMS_NAME', the ADD_REMOVE_PROGRAMS_NAME should be replaced with whatever the software name is in "Add/Remove Programs". Note that this technique does not work with some programs that get installed via EXE based installers.
You can run this remotely on multiple computers as well using Invoke-Command:
$computers = Get-Content "C:\Path\To\File\With\Computer_Names.txt"
$results = Invoke-Command -ComputerName $computers {
# We need to check for both 64-bit and 32-bit software
$regPaths = "HKLM:\SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall",
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
# Get the name of all installed software registered in the registry with Office in the name
# (you can search for exact strings if you know them for specific versions)
$regPaths | Foreach-Object {
( Get-ItemProperty "${_}\*" DisplayName -EA SilentlyContinue ).DisplayName | Where-Object {
$_ -match 'ADD_REMOVE_PROGRAMS_NAME'
}
}
}
Invoke-Command can run the embedded ScriptBlock on many computers at once. When all computers in the list have run the command, you can check the result per computer (it returns as an array so you can check the PSCOMPUTERNAME Property on each $result to see which computers don't have the software). The way the code above works, it should return an object on the computers that have it, and nothing on the computers that don't.
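Because a computer that is offline or refuses the remoting connection also returns nothing, "no output" alone cannot be read as "not installed". The following added example (not part of the original answer) returns one object per reachable computer and reports the unreachable ones separately; the $pattern variable and the output column names are assumptions, and the file path and ADD_REMOVE_PROGRAMS_NAME are the answer's own placeholders.

```powershell
$computers = Get-Content "C:\Path\To\File\With\Computer_Names.txt"
$pattern   = 'ADD_REMOVE_PROGRAMS_NAME'   # placeholder from the answer above

# Connection failures are collected in $remoteErrors instead of aborting the run
$results = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue `
    -ErrorVariable remoteErrors -ScriptBlock {
    $p = $Using:pattern
    $regPaths = "HKLM:\SOFTWARE\Wow6432node\Microsoft\Windows\CurrentVersion\Uninstall",
                "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    $found = $regPaths | ForEach-Object {
        (Get-ItemProperty "${_}\*" -Name DisplayName -ErrorAction SilentlyContinue).DisplayName
    } | Where-Object { $_ -match $p }

    # Always emit exactly one object, even when nothing matched
    [PSCustomObject]@{
        Installed = [bool]$found
        Products  = @($found) -join '; '
    }
}

# Computers that answered: PSComputerName is added by remoting
$report = @($results | Select-Object @{ n = 'Computer'; e = { $_.PSComputerName } },
                                     Installed, Products)

# Computers that never answered: state unknown, not "missing"
$answered = @($results.PSComputerName)
$report += @($computers | Where-Object { $answered -notcontains $_ } | ForEach-Object {
    [PSCustomObject]@{ Computer = $_; Installed = $null; Products = 'unreachable' }
})

$report | Sort-Object Computer | Format-Table -AutoSize
$remoteErrors | ForEach-Object { Write-Warning $_.Exception.Message }
```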

Powershell Deployed via SCCM Issue

I am writing a powershell script to be deployed by SCCM via a package. The aim of this is to remove an account with a specific name then write to a file stating if the account exists or not. The code is below:
$Computer = hostname
foreach ($C in $Computer) {
if (Test-Connection $C -Quiet) {
Write-Verbose "$C > Online"
$Users = Get-WMIObject Win32_UserAccount -Filter "LocalAccount=True" -ComputerName $C
if ($Users.Name -contains 'test') {
Add-Content \\SERVERNAME\SHARENAME.$\$computer-found_$(get-date -Format yyyymmdd_hhmmtt).txt "User 'test' found, Disable 'test' found"
net user test /active:no }
else {
Add-Content \\SERVERNAME\SHARENAME.$\$computer-notfound_$(get-date -Format yyyymmdd_hhmmtt).txt "User 'test' not found"
}
}
else {
Write-Verbose "$C > Offline"
}
}
I have also tried replacing Write-Verbose with Write-Host and Add-Content with Out-File, but the problem I am having is that no content / file is created when I use the full network path or share e.g. \\SERVERNAME\SHARENAME.$ the path identified has all the correct permissions and is being run locally using the System account.
I wanted to see if the issue occurred when writing the file locally; consequently this does not happen when written to C:\Temp\
Does anyone have any ideas on how to solve this?
I don't think that local system account has access to a network resource. I'm not sure if you have ever configured it or not. And what is the command you used to run the command?
Here I post a working way of doing this using Configuration Manager deployment after testing in my lab.
Basically I created a package with source files
and created a task sequence with single "Run Command Line" step.
The reason I use a task sequence is because I want to use an account to access the txt file on the network, which I can configure within a task sequence. I don't think Local System Account have such permission.
The script (DeactivateTest.ps1) I use as below just like what you provided and changed a little on the logic:
$Computer = hostname
foreach ($C in $Computer) {
if (Test-Connection $C -Quiet) {
Write-host "$C > Online"
$Users = Get-WMIObject Win32_UserAccount -Filter "LocalAccount=True" -ComputerName $C
$result=0
Foreach($user in $Users){
if ($User.Name -like '*test*') {
$username = $user.Name
# MM is the month; lowercase mm would print minutes
"`n$(get-date -Format yyyyMMdd_hhmmtt) User $username found ON $C, Disable 'test'" | Add-Content \\cas\resource\Result.txt
net user $username /active:no
$result+=1
}}
# -eq compares; a single = would assign 0 and this branch would never run
if($result -eq 0){
"`n$(get-date -Format yyyyMMdd_hhmmtt) User 'test' not found ON $C" | Add-Content \\cas\resource\Result.txt}
}
else {
"`n$C is Offline" | Add-Content \\cas\resource\Result.txt
}
}
The script queries local accounts and disables accounts which have the word "Test" in the name. If you don't like this logic, you can change it :).
\\cas\resource\Result.txt is a txt file on the network share. Clients will write result to this txt file.
The command in the task sequence is (it's a x64 machine):
PowerShell.exe -ExecutionPolicy Bypass -File ".\DeactiveTest.ps1"
The output is like:
I may get downvoted for this as my answer isn't technically directly answering your question, it is, however, intended to try and point you in what may be a more logical direction. All apologies if I offend anyone, but here it is:
Why not just disable the user using Group Policy? If you really want to know where the user is/isn't disabled then you could just use hardware inventory for that, but GP really is the best way to enforce this kind of setting.

Remove MSMQ Queue Permissions

I want to remove all of the permissions on an MSMQ queue before we set the new permissions, this will be deployed via Octopus.
This is so that we can be sure that no legacy permissions can exist and be sure that the permissions will be the same.
$QueueName = "MyQueue"
$QueuePermissions = Get-MsmqQueue -Name $QueueName | Get-MsmqQueueACL
$QueueUsers = $QueuePermissions.AccountName | Get-Unique
foreach ($User in $QueueUsers) {
if ($User -like 'MyDomain*'){
#Something like
$QueueName | Set-MsmqQueueACL -UserName $User -Remove
}
}
Unfortunately I need to create a CSV list of permissions for Set-MsmqQueueACL to be removed.
How can I get this?
I'm fairly new to PowerShell so any help would be appreciated.
Thanks!
First of all, delete queues and recreate is the more reliable approach.
I assume you have a reason that requires you to not delete them. Here is an approach I think suit you best.
Using MessageQueue.ResetPermissions Method from System.Messaging.MessageQueue
Code example for powershell:
$QueueName = ".\private$\MyQueue"
Add-Type -AssemblyName System.Messaging
$Q = [System.Messaging.MessageQueue]($QueueName)
$Q.ResetPermissions()
Note: This method puts the queue permissions back to default, where only the creator has full access to the queue. My powershell is using an automation account that created these queues thus it would take away fine from this point. However, in my past experience if all the queue permissions are messed up, and you don't have an account that has full control of the queue, you might end up having to remove the physical queue file from storage and restart the MSMQ service to clean it up. Thus I'd urge you to maintain consistency of the permissions so your later operations on the queue can be performed without problems.
I have created a solution that appears to work, as mentioned above I am no PowerShell expert but it may help someone else in the future:
$Queue= "MyQueueName"
#remove old permissions
# $thisQueue is used in the loop below but was never assigned in the post
$thisQueue = Get-MsmqQueue -Name $Queue
$QueuePermissions = $thisQueue | Get-MsmqQueueACL
$QueueUsers = $QueuePermissions.AccountName | Get-Unique
foreach ($User in $QueueUsers)
{
Write-Output "Permissions found for user: $User"
$tst = $QueuePermissions | where {$_.AccountName -eq $User}
$tst = $tst | Select -ExpandProperty Right
foreach ($Permission in $tst)
{
Write-Output "Removing permissions: $Permission"
$thisQueue | Set-MsmqQueueAcl -UserName $User -Remove $Permission | Out-Null
}
}

Powershell, WMI and compressed files/folders

I need to generate a script that will help me in getting a list of compressed files/folders (not zip files, but Windows compressed files) on a range of Windows 2003 servers. I have a client pc connected to the target servers and have access on a administrator role basis. My thoughts was to create a Powershell script to handle this problem using WMI or something else? But I'm kind of lost on the possibilities in the WMI world. Any hints/tips are appreciated.
Cheers
I'm not sure if you can do that with WMI, then again I'm no WMI guru. If you can use PowerShell 2.0 this is pretty simple using the new remoting feature e.g.
$computers = 'server1', 'server2', 'server3'
$compressed = Invoke-Command $computers {Get-ChildItem C:\ -r -force -ea 0 |
Where {$_.Attributes -band [IO.FileAttributes]::Compressed}}
Note that each file and dir object stored in $compressed will have an additional property PSComputerName that identifies which computer the deserialized object came from.
Alternatively, if you don't have PowerShell 2.0 you could access the servers via a share e.g.:
$sharePaths = '\\server1\C$', '\\server2\C$', '\\server3\C$'
Get-ChildItem $sharePaths -r -force -ea 0 |
Where {$_.Attributes -band [IO.FileAttributes]::Compressed}
This approach is likely to be slow.