新实例中的PowerShell启动脚本
我有一个主脚本,它有几个选项。当您在菜单中选择1时,将执行操作1,然后返回菜单。这很好,但我希望能够选择示例8,它在新的PowerShell窗口中启动权限脚本的代码块。我希望所有代码都在一个脚本中,而不是调用另一个脚本 我知道这可以通过几个威胁中的“启动进程powershell”实现。这会打开一个新的PowerShell窗口,但不会正确执行权限脚本的代码块。任何帮助都将不胜感激 主脚本:新实例中的PowerShell启动脚本,powershell,Powershell,我有一个主脚本,它有几个选项。当您在菜单中选择1时,将执行操作1,然后返回菜单。这很好,但我希望能够选择示例8,它在新的PowerShell窗口中启动权限脚本的代码块。我希望所有代码都在一个脚本中,而不是调用另一个脚本 我知道这可以通过几个威胁中的“启动进程powershell”实现。这会打开一个新的PowerShell窗口,但不会正确执行权限脚本的代码块。任何帮助都将不胜感激 主脚本: <# Author: Me #> # Variables $User = [Environmen
<# Author: Me #>
# Variables
$User = [Environment]::UserName
$OutputPath = "C:\Users\$User\Downloads\"
# Functions
Function Manager ($u) {
$m = Get-ADObject -Identity $u.managedBy -Properties displayName,cn
if($m.ObjectClass -eq "user") { $m.displayName } Else{ $m.cn } }
# Hit play
do {
[int]$userMenuChoice = 0
cls
while ( $userMenuChoice -lt 1 -or $userMenuChoice -gt 7) {
Write-Host "PowerShell for dummies"
Write-Host "__________________________________________________"
Write-Host "1. Groups created in the last 3 weeks"
Write-Host "2. Users created in the last 3 weeks"
Write-Host "3. All BEL Users"
Write-Host "4. Users with an incorrect display name or city"
Write-Host "5. Users de-provisioned within 3 weeks"
Write-Host "6. Files/Folders: Activate inheritance & set owner to admin"
Write-Host "7. Quit"
[int]$userMenuChoice = Read-Host "Please choose an option"
switch ($userMenuChoice) {
1{# Groups created in the last 3 weeks
$When = ((Get-Date).AddDays(-21)).Date
Get-ADGroup -SearchBase "OU=Groups,OU=BEL,OU=EU,DC=domain,DC=net" -Filter {whenCreated -ge $When} -Properties * |
Select whenCreated, cn, displayName, GroupScope, GroupCategory, description, info, @{Label="Managed By"; expression= { Manager $_ } } | Export-Csv $OutputPath"New groups.csv" -NoTypeInformation -Delimiter ";" -Encoding utf8; start $OutputPath"New groups.csv"}
2{# Users created in the last 3 weeks
$When = ((Get-Date).AddDays(-21)).Date
Get-ADUser -SearchBase "OU=BEL,OU=EU,DC=domain,DC=net" -Filter {whenCreated -ge $When} -Properties * | Select whenCreated, Name,displayName, sn, givenName, sAMAccountName, title, description, employeeType, info, department, company, homeDirectory, scriptPath, physicalDeliveryOfficeName, @{Label="Managed By"; expression= { Manager $_ } } | Export-Csv $OutputPath"New users.csv" -NoTypeInformation -Delimiter ";" -Encoding utf8; start $OutputPath"New users.csv"}
3{# All BEL users
Get-ADUser -SearchBase "OU=Users,OU=BEL,OU=EU,DC=domain,DC=net" -Filter * -Properties * | Select whenCreated, @{Name="Lastlogon"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}}, Name,displayName, sn, givenName, sAMAccountName, title, description, employeeType, info, department, company, homeDirectory, scriptPath, physicalDeliveryOfficeName, @{Label="Managed By"; expression= { Manager $_ } } | Export-Csv $OutputPath"BEL Service Accounts.csv" -NoTypeInformation -Delimiter ";" -Encoding utf8; start $OutputPath"BEL Service Accounts.csv"}
4{# Users with an incorrect display name or city
Get-ADUser -SearchBase "OU=BEL,OU=EU,DC=domain,DC=net" -Filter * -Properties * | where {$_.cn -NotLike "*$($_.l)*" -and $_.distinguishedname -notmatch 'OU=Terminated Users,OU=BEL,OU=EU,DC=grouphc,DC=net' -and $_.cn -ne "BNL Service Desk"} | Select whenCreated, Name,displayName, sn, givenName, sAMAccountName, title, description, employeeType, info, department, company, homeDirectory, scriptPath, physicalDeliveryOfficeName, @{Label="Managed By"; expression= { Manager $_ } } | Export-Csv $OutputPath"Incorrect users.csv" -NoTypeInformation -Delimiter ";" -Encoding utf8; start $OutputPath"Incorrect users.csv"}
5{# Users de-provisioned within 3 weeks
$LogonDate = ((Get-Date).AddDays(-80)).Date # GIT 104 days KB-3872
$CreaDate = ((Get-Date).AddDays(-60)).Date # GIT 60 days
$PwdDate = ((Get-Date).AddDays(-90)).Date # GIT 90 days
Get-ADUser -SearchBase "OU=Users,OU=BEL,OU=EU,DC=grouphc,DC=net" -Filter {(lastLogonDate -le $LogonDate) -and (WhenCreated -lt $CreaDate) -and (PwdLastSet -le $PwdDate)} -Properties * | Select LastLogonDate, WhenCreated, PasswordLastSet, Name, title, description, employeeType, info, department, company, homeDirectory, scriptPath, physicalDeliveryOfficeName, @{Label="Managed By"; expression= { Manager $_ } } | Export-Csv $OutputPath"To be deprovisioned.csv" -NoTypeInformation -Delimiter ";" -Encoding utf8; start $OutputPath"To be deprovisioned.csv"}
6{# Files/Folders: Activate inheritance & set owner to admin
Get-ADUser -SearchBase "OU=BEL,OU=EU,DC=domain,DC=net" -Filter * -Properties * | where {$_.cn -NotLike "*$($_.l)*" -and $_.distinguishedname -notmatch 'OU=Terminated Users,OU=BEL,OU=EU,DC=grouphc,DC=net' -and $_.cn -ne "BNL Service Desk"} | Select whenCreated, Name,displayName, sn, givenName, sAMAccountName, title, description, employeeType, info, department, company, homeDirectory, scriptPath, physicalDeliveryOfficeName, @{Label="Managed By"; expression= { Manager $_ } } | Export-Csv $OutputPath"Incorrect users.csv" -NoTypeInformation -Delimiter ";" -Encoding utf8; start $OutputPath"Incorrect users.csv"}
}
}
} while ( $userMenuChoice -ne 7 )
cls
Write-Host "We left here because there's nothing else to do.."
####### TO DO #######
$Target = "\\domain.net\SHARE\Target"
# Change FOLDER owners to Admin
If (Test-Path C:\PTemp) { Remove-Item C:\PTemp }
New-Item -type directory -Path C:\PTemp > $null
Write-Output "`nStart setting folder permissions on:"
$Folders = @(Get-ChildItem -Path $Target -Directory -Recurse | Select-Object -ExpandProperty FullName)
foreach ($Item1 in $Folders)
{
# Action
Write-Output $Item1
$AdjustTokenPrivileges = @"
using System;
using System.Runtime.InteropServices;
public class TokenManipulator
{
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
[DllImport("kernel32.dll", ExactSpelling = true)]
internal static extern IntPtr GetCurrentProcess();
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr
phtok);
[DllImport("advapi32.dll", SetLastError = true)]
internal static extern bool LookupPrivilegeValue(string host, string name,
ref long pluid);
[StructLayout(LayoutKind.Sequential, Pack = 1)]
internal struct TokPriv1Luid
{
public int Count;
public long Luid;
public int Attr;
}
internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
internal const int TOKEN_QUERY = 0x00000008;
internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
public static bool AddPrivilege(string privilege)
{
try
{
bool retVal;
TokPriv1Luid tp;
IntPtr hproc = GetCurrentProcess();
IntPtr htok = IntPtr.Zero;
retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
tp.Count = 1;
tp.Luid = 0;
tp.Attr = SE_PRIVILEGE_ENABLED;
retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
return retVal;
}
catch (Exception ex)
{
throw ex;
}
}
public static bool RemovePrivilege(string privilege)
{
try
{
bool retVal;
TokPriv1Luid tp;
IntPtr hproc = GetCurrentProcess();
IntPtr htok = IntPtr.Zero;
retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
tp.Count = 1;
tp.Luid = 0;
tp.Attr = SE_PRIVILEGE_DISABLED;
retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
return retVal;
}
catch (Exception ex)
{
throw ex;
}
}
}
"@
add-type $AdjustTokenPrivileges
$Folder = Get-Item $Item1
[void][TokenManipulator]::AddPrivilege("SeRestorePrivilege")
[void][TokenManipulator]::AddPrivilege("SeBackupPrivilege")
[void][TokenManipulator]::AddPrivilege("SeTakeOwnershipPrivilege")
$NewOwnerACL = New-Object System.Security.AccessControl.DirectorySecurity
$Admin = New-Object System.Security.Principal.NTAccount("BUILTIN\Administrators")
$NewOwnerACL.SetOwner($Admin)
$Folder.SetAccessControl($NewOwnerACL)
# Add folder Admins to ACL with Full Control to descend folder structure
$Acl = Get-Acl -Path C:\PTemp
$Ar = New-Object system.security.accesscontrol.filesystemaccessrule("BUILTIN\Administrators","FullControl","Allow")
$Acl.SetAccessRule($Ar)
Set-Acl $Item1 $Acl
}
# Change FILE owners to Admin
If (Test-Path C:\PFile) { Remove-Item C:\PFile }
New-Item -type file -Path C:\PFile > $null
Write-Output "`nStart setting file permissions on:"
$Files = @(Get-ChildItem -Path $Target -File -Recurse | Select-Object -ExpandProperty FullName)
foreach ($Item2 in $Files)
{
# Action
Write-Output $Item2
$Account = New-Object System.Security.Principal.NTAccount("BUILTIN\Administrators")
$FileSecurity = new-object System.Security.AccessControl.FileSecurity
$FileSecurity.SetOwner($Account)
[System.IO.File]::SetAccessControl($Item2, $FileSecurity)
# Add file Admins to ACL with Full Control and activate inheritance
$PAcl = Get-Acl -Path C:\PFile
$PAr = New-Object system.security.accesscontrol.filesystemaccessrule("BUILTIN\Administrators","FullControl","Allow")
$PAcl.SetAccessRule($PAr)
Set-Acl $Item2 $PAcl
}
# Clean-up junk
Write-Output "`nCleaning up.."
rm C:\PTemp, C:\PFile
Write-Output "`nAll done :)"
到目前为止,我尝试的代码块更短,但也没有成功:
6{# Test
Start-Process powershell {Get-ADUser -SearchBase "OU=Users,OU=BEL,OU=EU,DC=domain,DC=net" -Filter * -Properties * | Select whenCreated, @{Name="Lastlogon"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}}, Name,displayName, sn, givenName, sAMAccountName, title, description, employeeType, info, department, company, homeDirectory, scriptPath, physicalDeliveryOfficeName, @{Label="Managed By"; expression= { Manager $_ } } | Export-Csv $OutputPath"BEL Service Accounts.csv" -NoTypeInformation -Delimiter ";" -Encoding utf8; start $OutputPath"BEL Service Accounts.csv"}}}
要在外部PS窗口中启动,可以使用以下命令:
invoke-expression 'cmd /c start powershell -Command { [script block here] }'
例如:
使用cmd启动powershell
start-process powershell -ArgumentList '-noexit -command 'Commands for the new PowerShell''
您可以:
start powershell {echo hello}
要防止新启动的powershell立即退出,请执行以下操作:
start powershell {echo hello; Read-Host}
虽然
start powershell
命令看起来更干净,但它不允许您使用invoke expression
执行所有操作。例如,以下操作将打开一个新窗口,更改其标题和背景色,并使窗口保持打开状态:
invoke-expression 'cmd /c start powershell -NoExit -Command { `
cd -path $env:homedrive$env:homepath/Documents/MySillyFolder; `
$host.UI.RawUI.WindowTitle = "A Silly Little Title"; `
color -background "red"; `
}';
它还可以在另一个powershell脚本中正常运行
如果您尝试使用
启动powershell{…}
语法执行此操作,它将在标题更改行上显示错误,并且不会保持窗口打开。(我想可能有一些晦涩难懂的语法黑客会使启动powershell
正常工作,但我还没有找到。)谢谢Arco444,您的示例非常有效。但出于这样或那样的原因,它对我的代码块不起作用。可能是因为里面有.Net代码吗?错误是什么?确保使用分隔命令代码>,避开所有的引号和特殊字符等。命令将其单独调用,而不是试图将其传递到内联,当然更容易,所以我会认真考虑这一方法。您好,ARCO444您是对的,调用脚本可能更容易。现在让我们用谷歌搜索这个命令,这样我就可以使用它了。谢谢你给小费!我发现启动powershell
只能使用某些命令,而不能使用其他命令<代码>调用表达式
似乎更一般。请参阅我的答案,以获取示例。请注意,start
是start process
的别名,要在带有参数的新窗口中启动另一个脚本,请使用start powershell{C:\script.ps1-arg1 value-arg2 value}
在单引号内使用双引号;否则,你早就断了线
invoke-expression 'cmd /c start powershell -NoExit -Command { `
cd -path $env:homedrive$env:homepath/Documents/MySillyFolder; `
$host.UI.RawUI.WindowTitle = "A Silly Little Title"; `
color -background "red"; `
}';