From 82fa1ec451be419afff4d21fc769e1af0757b2e9 Mon Sep 17 00:00:00 2001 From: compuvin Date: Thu, 18 Nov 2021 15:06:37 -0500 Subject: [PATCH 1/3] Bug Fix Users who signed into the PC using something other than all lowercase caused issues. --- RemoveUsers.ps1 | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/RemoveUsers.ps1 b/RemoveUsers.ps1 index 57d0851..b50a58d 100644 --- a/RemoveUsers.ps1 +++ b/RemoveUsers.ps1 @@ -4,7 +4,7 @@ $SafeUsers = "Public", "Default", "Default.migrated", "juser" #User profiles to ##### $UsersToRemove = Get-ChildItem "C:\Users" |? {$_.psiscontainer -and $_.lastwritetime -le (get-date).adddays(-$DaysBack)} -$UsersFromReg = Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" | Where-Object { (-not($_ -match 'S-1-5-18|S-1-5-19|S-1-5-20')) } #Users from registry, ignoring system accounts +$UsersFromReg = Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" | Where-Object { (-not($_ -match 'S-1-5-18|S-1-5-19|S-1-5-20')) } #Users from registry, ignoring system accounts $Key = $UsersFromReg | Get-ItemProperty -name "ProfileImagePath" @@ -19,7 +19,13 @@ Get-EventLog -LogName "Security" -InstanceId 4624 -ErrorAction "SilentlyContinue $AccountName = $EventMessage.ReplacementStrings[5] $LogonType = $EventMessage.ReplacementStrings[8] + if ( $Lowercase ) { + # Make all usernames lowercase so they group properly in Inventory + $AccountName = $AccountName.ToLower() + + } + # Look for events that contain local or remote logon events, while ignoring Windows service accounts if ( ( $LogonType -in "2", "10" ) -and ( $AccountName -notmatch "^(DWM|UMFD)-\d" ) ) { @@ -43,6 +49,7 @@ Get-EventLog -LogName "Security" -InstanceId 4624 -ErrorAction "SilentlyContinue if (([DateTime]$EventMessage.TimeGenerated.ToString("yyyy-MM-dd")) -ge ([DateTime](get-date).adddays(-$DaysBack))) { $SafeUsers += $AccountName + Write-Host $AccountName ' added to SafeUsers' } } 
@@ -54,12 +61,12 @@ Get-EventLog -LogName "Security" -InstanceId 4624 -ErrorAction "SilentlyContinue foreach ($item in $UsersToRemove) { - if ($SafeUsers.Contains($item.Name) -eq 0 -and (($item.Name).Split("." + ($env:USERDNSDomain).Split(".")[0])[0]).Length -gt 0 -and $SafeUsers.Contains(($item.Name).Split("." + ($env:USERDNSDomain).Split(".")[0])[0]) -eq 0) + if ($SafeUsers -contains $item.Name -eq 0 -and (($item.Name).Split("." + ($env:USERDNSDomain).Split(".")[0])[0]).Length -gt 0 -and $SafeUsers -Contains (($item.Name).Split("." + ($env:USERDNSDomain).Split(".")[0])[0]) -eq 0) { $Key | ForEach-Object { If($_.ProfileImagePath.ToLower() -match $item.Name) { - Write-Output $_.PSPath ' = ' $_.ProfileImagePath + Write-Host $_.PSPath ' = ' $_.ProfileImagePath Remove-Item $_.PSPath -Recurse -Force takeown /f $_.ProfileImagePath /a /r /d Y > null 2>&1 Remove-Item $_.ProfileImagePath -Recurse -Force From de26dff817778487e460ad0023c3ee552b9edd85 Mon Sep 17 00:00:00 2001 From: compuvin Date: Thu, 18 Nov 2021 15:09:29 -0500 Subject: [PATCH 2/3] CodeFactor Fix Switched Write-Host to Write-Output --- RemoveUsers.ps1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/RemoveUsers.ps1 b/RemoveUsers.ps1 index b50a58d..edadc34 100644 --- a/RemoveUsers.ps1 +++ b/RemoveUsers.ps1 @@ -49,7 +49,7 @@ Get-EventLog -LogName "Security" -InstanceId 4624 -ErrorAction "SilentlyContinue if (([DateTime]$EventMessage.TimeGenerated.ToString("yyyy-MM-dd")) -ge ([DateTime](get-date).adddays(-$DaysBack))) { $SafeUsers += $AccountName - Write-Host $AccountName ' added to SafeUsers' + Write-Output $AccountName ' added to SafeUsers' } } 
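Review bot: In the `foreach ($item in $UsersToRemove)` hunk of PATCH 1/3, the delete selector `If($_.ProfileImagePath.ToLower() -match $item.Name)` treats the folder name as an unanchored regular expression. With a stale folder `bob` (constructed example), the entry for `C:\Users\bobby` also matches, so its registry key and directory are removed even if `bobby` is in `$SafeUsers`; a `.` in a folder name likewise matches any character. Compare the whole path instead, `If ($_.ProfileImagePath -eq $item.FullName)`, which is case-insensitive in PowerShell and makes the `.ToLower()` unnecessary. The same context line is carried unchanged through the `ForEach-Object` hunks of PATCH 2/3 and PATCH 3/3. The `foreach` body continues past the end of the hunk.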
@@ -66,7 +66,7 @@ foreach ($item in $UsersToRemove) $Key | ForEach-Object { If($_.ProfileImagePath.ToLower() -match $item.Name) { - Write-Host $_.PSPath ' = ' $_.ProfileImagePath + Write-Output $_.PSPath ' = ' $_.ProfileImagePath Remove-Item $_.PSPath -Recurse -Force takeown /f $_.ProfileImagePath /a /r /d Y > null 2>&1 Remove-Item $_.ProfileImagePath -Recurse -Force From b823097d450eab9b93afdd875629f0cfc818b41c Mon Sep 17 00:00:00 2001 From: compuvin Date: Thu, 18 Nov 2021 15:32:00 -0500 Subject: [PATCH 3/3] Misc. Bugfixes --- RemoveUsers.ps1 | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/RemoveUsers.ps1 b/RemoveUsers.ps1 index edadc34..52342c4 100644 --- a/RemoveUsers.ps1 +++ b/RemoveUsers.ps1 @@ -19,13 +19,9 @@ Get-EventLog -LogName "Security" -InstanceId 4624 -ErrorAction "SilentlyContinue $AccountName = $EventMessage.ReplacementStrings[5] $LogonType = $EventMessage.ReplacementStrings[8] - if ( $Lowercase ) { - - # Make all usernames lowercase so they group properly in Inventory - $AccountName = $AccountName.ToLower() - - } - + # Make all usernames lowercase so they group properly in Inventory + $AccountName = $AccountName.ToLower() + # Look for events that contain local or remote logon events, while ignoring Windows service accounts if ( ( $LogonType -in "2", "10" ) -and ( $AccountName -notmatch "^(DWM|UMFD)-\d" ) ) { @@ -49,7 +45,7 @@ Get-EventLog -LogName "Security" -InstanceId 4624 -ErrorAction "SilentlyContinue if (([DateTime]$EventMessage.TimeGenerated.ToString("yyyy-MM-dd")) -ge ([DateTime](get-date).adddays(-$DaysBack))) { $SafeUsers += $AccountName - Write-Output $AccountName ' added to SafeUsers' + Write-Output ($AccountName + ' added to SafeUsers') } } 
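Review bot: The comment kept above the now-unconditional `$AccountName = $AccountName.ToLower()` in PATCH 3/3 still says the names are lowercased "so they group properly in Inventory", and nothing in the visible hunks refers to an inventory. State the reason that applies to this script, for example `# Normalise case so logon names compare equal to profile folder names in $SafeUsers`. Since PATCH 1/3 moved the check to `-contains`, which is case-insensitive by default, it is also worth saying in the comment whether the lowercasing is still needed. The enclosing `ForEach-Object` block starts outside the hunk.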
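Review bot: The `$SafeUsers += $AccountName` branch in the `@@ -49,7 +45,7 @@` hunk is the only thing that protects a recently used profile, and the hunk header shows the query feeding it as `Get-EventLog -LogName "Security" -InstanceId 4624 -ErrorAction "SilentlyContinue"`. If that read fails or returns nothing (not elevated, log cleared or rolled over inside `$DaysBack`), no names are added and the removal loop appears to rely on the folder `lastwritetime` filter alone, so the script fails open on a destructive path. Fail closed instead: use `-ErrorAction Stop` inside `try { ... } catch { Write-Error 'Security log unreadable; no profiles removed'; exit 1 }`, and consider refusing to continue when no 4624 events were read. The pipeline starts outside the hunk, so this is inferred from the header line.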
@@ -66,7 +62,7 @@ foreach ($item in $UsersToRemove) $Key | ForEach-Object { If($_.ProfileImagePath.ToLower() -match $item.Name) { - Write-Output $_.PSPath ' = ' $_.ProfileImagePath + Write-Output ($_.PSPath + ' = ' + $_.ProfileImagePath) Remove-Item $_.PSPath -Recurse -Force takeown /f $_.ProfileImagePath /a /r /d Y > null 2>&1 Remove-Item $_.ProfileImagePath -Recurse -Force
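Review bot: In the context line `takeown /f $_.ProfileImagePath /a /r /d Y > null 2>&1` of this hunk, `null` is a file name in PowerShell, so each run writes takeown's output to a file called `null` in the current directory instead of discarding it; use `> $null 2>&1`. The registry key is also removed before the folder and neither `Remove-Item -Recurse -Force` result is checked, so a failed folder delete would leave the directory on disk without its ProfileList entry. Consider deleting the folder first and removing the key only when that succeeds, and logging the failure. The `ForEach-Object` block continues outside the hunk.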