Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- <# This script is provided as-is with no guarantee as to its performance, safety, or fitness.
- (c)2017 ROCKHARBOR Church #>
- param(
- [string]$hostname,
- [string]$driveletter
- )
- If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
- Write-Warning "You do not have Administrator rights to run this script.`nPlease relaunch script or PowerShell session as an Administrator"
- Break
- }
- If (-NOT (Get-Command 'subinacl' -errorAction SilentlyContinue) -AND -NOT (Get-Command '.\subinacl' -errorAction SilentlyContinue)) {
- Write-Warning "The SubInAcl command doesn't seem to be installed or to be in the current path.`nYou must put the path to SubInAcl in the path environment variable or put SubInAcl.exe in the current directory."
- Break
- }
- If (-NOT [string]::IsNullOrEmpty($hostname)) {
- If ([string]::IsNullOrEmpty($driveletter)) {
- $driveletter = "X"
- }
- $cred = Get-Credential -Message "Please enter the username and password you want to use to connect to the remote machine. This user should be an administrator on that machine."
- New-PSDrive -Name "$driveletter" -PSProvider "FileSystem" -Credential $cred -Root "\\$hostname\C$"
- If (-NOT $?) {
- Write-Warning "Failed to connect to network drive. The hostname supplied was $hostname"
- Break
- }
- } Else {
- $driveletter = "C"
- }
- # icacls and subinacl won't work with PSDrive, so we have to CD to the drive
- $scriptDir = Get-Location
- cd ${driveletter}:
- $fontPath = "Windows\Fonts\*"
- # First, change owner to the builtin admins group
- subinacl.exe /file $fontPath /setowner="BUILTIN\Administrators"
- # Then, disable ACL inheritance
- icacls $fontPath /inheritance:d
- # Now, remove all ACLs from the files
- icacls $fontPath /remove "BUILTIN\Administrators"
- icacls $fontPath /remove "BUILTIN\Users"
- icacls $fontPath /remove "RH\All Staff"
- icacls $fontPath /remove "NT AUTHORITY\SYSTEM"
- icacls $fontPath /remove "NT SERVICE\TrustedInstaller"
- icacls $fontPath /remove *S-1-15-2-1
- icacls $fontPath /remove *S-1-15-2-2
- #Now, add back the correct ACLs
- icacls $fontPath /grant *S-1-15-2-2:RX
- icacls $fontPath /grant *S-1-15-2-1:RX
- icacls $fontPath /grant "BUILTIN\Users:RX"
- icacls $fontPath /grant "NT AUTHORITY\SYSTEM:RX"
- icacls $fontPath /grant "BUILTIN\Administrators:RX"
- icacls $fontPath /grant "NT SERVICE\TrustedInstaller:F"
- #Finally, reset the owner to TrustedInstaller
- subinacl.exe /file $fontPath /setowner="NT SERVICE\TrustedInstaller"
- #Clean up and we're done
- Set-Location -Path $scriptDir
- If (-NOT [string]::IsNullOrEmpty($hostname)) {
- Remove-PSDrive -Name "$driveletter"
- If (-NOT $?) {
- Write-Warning "Failed to remove the network drive. You should manually remove the connection to $hostname on drive letter $driveletter"
- }
- }
- Write-Host "Successfully reset font permissions. You should restart any open programs at a minimum, and restart the system as soon as possible."
- Break
Add Comment
Please, Sign In to add comment