@Dashrender said in Remove-Item cannot remove crap in Documents folder:
@Obsolesce said in Remove-Item cannot remove crap in Documents folder:
@Dashrender said in Remove-Item cannot remove crap in Documents folder:
@Obsolesce said in Remove-Item cannot remove crap in Documents folder:
@JaredBusch
I had a little bit of fun... whether useful to you or not.
You can run this script as a regular user that has permissions to create and run scheduled tasks and create a file in specified directory.
This will create a PowerShell script and a scheduled task to run the script as the SYSTEM account. Then it will delete the script and the scheduled task.
I could test most of it, but not some of it for obvious reasons.
<#---- CHANGE THESE VARS: ----#>
# Users to exclude from profile manipulation script, separated by pipe:
$excludedKnownUsers = "Administrator|SpecialUser1"
# New Script:
$newLocalScriptPath = "$ENV:SystemDrive\scripts"
$newLocalScriptFile = "testScript.ps1"
# SID ending: (likely 21 if domain users)
$sidEnd = 21
# Scheduled Task Name:
$TaskName = "_Test Task 1"
# Scheduled Task Description:
$Description = "This is a test scheduled task that runs as the SYSTEM account and will be ran and then deleted at the end of this script."
<#-------- END CHANGE --------#>
# New Script:
$newLocalScript = "$newLocalScriptPath\$newLocalScriptFile"
# Gathers list of user profile paths:
$userPaths = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*" -ErrorAction SilentlyContinue | Where-Object {($_.PSChildName -split '-')[3] -eq $sidEnd -and ($_.ProfileImagePath -split "\\")[2] -notmatch $excludedKnownUsers}
# Creates a 'script in memory':
$testScript = $null
foreach ($userPath in $userPaths.ProfileImagePath) {
    # Single quotes around the path: nested double quotes would break the outer string.
    $testScript += "Remove-Item -Path '$userPath\Documents' -Force -Recurse`n"
    $testScript += "New-Item -ItemType Junction -Path $userPath -Name 'Documents' -Target '$userPath\Nextcloud\Documents' -Force`n"
}
# Create a PowerShell script and save it as specified in vars:
if (-not(Test-Path $newLocalScript)) {New-Item -Force $newLocalScript}
$testScript | Out-File $newLocalScript -NoNewline -Force
# Task Action:
$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ExecutionPolicy Bypass -File $newLocalScript"
# Task Trigger: (task will be manually run immediately and then deleted, so keep 1 year out)
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddYears(1)
# Task Compatibility:
$Compatibility = "Win8" # 'Win8' is 'Windows 10' in the GUI
# Task Settings:
$Settings = New-ScheduledTaskSettingsSet -Compatibility $Compatibility -StartWhenAvailable -AllowStartIfOnBatteries
# Run task as local SYSTEM account with highest privileges:
$Principal = New-ScheduledTaskPrincipal -UserId 'S-1-5-18' -RunLevel Highest
# Create the scheduled task:
Register-ScheduledTask -TaskName $TaskName -Description $Description -Action $Action -Trigger $Trigger -Settings $Settings -Principal $Principal -Force
<#--------------------------#>
# Run the scheduled task:
Get-ScheduledTask -TaskName $TaskName | Start-ScheduledTask
# Start-ScheduledTask returns immediately; wait for the run to finish before deleting the file it executes:
Start-Sleep -Seconds 2
while ((Get-ScheduledTask -TaskName $TaskName).State -eq 'Running') { Start-Sleep -Seconds 1 }
# Remove the created script:
Remove-Item $newLocalScript -Force
# Delete the scheduled task:
Get-ScheduledTask -TaskName $TaskName | Unregister-ScheduledTask -Confirm:$false
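An added check, not code from the post above: the task executes whatever file sits at $newLocalScript as SYSTEM, so the folder holding it must not be writable by standard users, and a folder created directly under the drive root commonly inherits write rights for Authenticated Users. The function names, the English group names and the fixed script location are assumptions for this example.

```powershell
# Added example (not from the post above). Rights that let a principal change
# a file, or add/replace files in a folder:
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, ChangePermissions, TakeOwnership'

# Groups every standard user belongs to; none of them may hold those rights on a
# script that will run as SYSTEM. (English group names are assumed.)
$broadPrincipals = 'Everyone', 'BUILTIN\Users',
                   'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'

function Get-BroadWriteAccess {
    # Returns the Allow ACEs on $Path that grant a broad group write-capable rights.
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadPrincipals -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $writeMask) -ne 0
    } | Select-Object @{ n = 'Path'; e = { $Path } }, IdentityReference, FileSystemRights
}

function New-AdminOnlyFolder {
    # Creates $Path and replaces inherited permissions with SYSTEM + Administrators only.
    param([Parameter(Mandatory)][string]$Path)
    $dir = New-Item -ItemType Directory -Path $Path -Force
    $acl = Get-Acl -Path $dir.FullName
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting from the drive root
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $id, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'))
    }
    Set-Acl -Path $dir.FullName -AclObject $acl
    $dir.FullName
}

# Usage: the same location the posted script writes its generated file to.
$scriptDir  = "$env:SystemDrive\scripts"
$scriptFile = Join-Path $scriptDir 'testScript.ps1'
if (-not (Test-Path $scriptDir)) { New-AdminOnlyFolder -Path $scriptDir | Out-Null }

$findings = foreach ($p in $scriptDir, $scriptFile) {
    if (Test-Path $p) { Get-BroadWriteAccess -Path $p }
}
if ($findings) {
    $findings | Format-Table -AutoSize | Out-String | Write-Warning
    throw "A non-administrator can modify '$scriptDir'; do not run scripts from it as SYSTEM."
}
```

Run this before Register-ScheduledTask; if the folder already exists with inherited permissions, New-AdminOnlyFolder can be called on it directly to tighten the ACL.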
This seems like a HUGE security problem - normal users can schedule a task to run as SYSTEM? Then any virus could do the same thing. So what am I missing?
I assume regular user would need elevated privileges at least... But I didn't test as a non-local admin, which is different than elevated privileges. But either way, that script can be automated and run as a user in the local admin group too with successful results.
I think your script affects every user on the machine - assuming that's Ok for the environment - yep, have the local admin run it - and done.
Yeah I designed it like that on purpose, because if users are using the device, whether it's one or 10 (unlikely), IMO they should all be redirected. But that can be changed no problem. But at least if it's one main person using it, it'll hit that one. If others do, they can be excluded. But you can always get the current signed on user and use that as in JB's original script, or in an automated way using other means I could add in if needed.