<# This script is provided as-is with no guarantee as to its performance, safety

1. <# This script is provided as-is with no guarantee as to its performance, safety, or fitness.
2. (c)2017 ROCKHARBOR Church #>
3.  
4. param(
5. [string]$hostname,
6. [string]$driveletter
7. )
8.  
9. If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
10. Write-Warning "You do not have Administrator rights to run this script.`nPlease relaunch script or PowerShell session as an Administrator"
11. Break
12. }
13.  
14. If (-NOT (Get-Command 'subinacl' -errorAction SilentlyContinue) -AND -NOT (Get-Command '.\subinacl' -errorAction SilentlyContinue)) {
15. Write-Warning "The SubInAcl command doesn't seem to be installed or to be in the current path.`nYou must put the path to SubInAcl in the path environment variable or put SubInAcl.exe in the current directory."
16. Break
17. }
18.  
19. If (-NOT [string]::IsNullOrEmpty($hostname)) {
20. If ([string]::IsNullOrEmpty($driveletter)) {
21. $driveletter = "X"
22. }
23. $cred = Get-Credential -Message "Please enter the username and password you want to use to connect to the remote machine. This user should be an administrator on that machine."
24. New-PSDrive -Name "$driveletter" -PSProvider "FileSystem" -Credential $cred -Root "\\$hostname\C$"
25. If (-NOT $?) {
26. Write-Warning "Failed to connect to network drive. The hostname supplied was $hostname"
27. Break
28. }
29. } Else {
30. $driveletter = "C"
31. }
32.  
33. # icacls and subinacl won't work with PSDrive, so we have to CD to the drive
34. $scriptDir = Get-Location
35. cd ${driveletter}:
36.  
37. $fontPath = "Windows\Fonts\*"
38.  
39. # First, change owner to the builtin admins group
40. subinacl.exe /file $fontPath /setowner="BUILTIN\Administrators"
41.  
42. # Then, disable ACL inheritance
43. icacls $fontPath /inheritance:d
44.  
45. # Now, remove all ACLs from the files
46. icacls $fontPath /remove "BUILTIN\Administrators"
47. icacls $fontPath /remove "BUILTIN\Users"
48. icacls $fontPath /remove "RH\All Staff"
49. icacls $fontPath /remove "NT AUTHORITY\SYSTEM"
50. icacls $fontPath /remove "NT SERVICE\TrustedInstaller"
51. icacls $fontPath /remove *S-1-15-2-1
52. icacls $fontPath /remove *S-1-15-2-2
53.  
54. #Now, add back the correct ACLs
55. icacls $fontPath /grant *S-1-15-2-2:RX
56. icacls $fontPath /grant *S-1-15-2-1:RX
57. icacls $fontPath /grant "BUILTIN\Users:RX"
58. icacls $fontPath /grant "NT AUTHORITY\SYSTEM:RX"
59. icacls $fontPath /grant "BUILTIN\Administrators:RX"
60. icacls $fontPath /grant "NT SERVICE\TrustedInstaller:F"
61.  
62. #Finally, reset the owner to TrustedInstaller
63. subinacl.exe /file $fontPath /setowner="NT SERVICE\TrustedInstaller"
64.  
65. #Clean up and we're done
66. Set-Location -Path $scriptDir
67. If (-NOT [string]::IsNullOrEmpty($hostname)) {
68. Remove-PSDrive -Name "$driveletter"
69. If (-NOT $?) {
70. Write-Warning "Failed to remove the network drive. You should manually remove the connection to $hostname on drive letter $driveletter"
71. }
72. }
73.  
74. Write-Host "Successfully reset font permissions. You should restart any open programs at a minimum, and restart the system as soon as possible."
75. Break