Tuesday, August 15, 2017

PowerShell - Gather Mapped Drives from a List of Computer Names

I created the following PowerShell script to remotely gather the mapped drives that users had in their profiles.  I had to create the script to gather the mapped drives from users that were not currently logged in.  The following script is what I came up with.

Sometimes the mappedDrivesInfo.txt file that is created is not copied from the remote device because the drive mapping was unsuccessful.  I separated the file collection portion from the main script and it worked flawlessly.




$ErrorActionPreference="SilentlyContinue"

# Prompt for the local administrator account used on every target
$myCreds = Get-Credential -Credential domain\localAdmin
Remove-PSDrive X -Force | Out-Null
Remove-PSDrive Y -Force | Out-Null
New-PSDrive -Name Y -PSProvider FileSystem -Root \\server\info | Out-Null
ForEach ($cName in Get-Content compList.txt) {
    Write-Host
    Write-Host "Connecting to: $cName"
    If (Test-Connection -ComputerName $cName -BufferSize 16 -Count 1 -ErrorAction 0 -Quiet) {
        Write-Host "Connection Successful"
        New-PSDrive -Name X -PSProvider FileSystem -Root \\$cName\c$ -Credential $myCreds | Out-Null
        $u = Get-WmiObject -Class Win32_UserProfile -ComputerName $cName -Credential $myCreds -Filter { SID like '%S-1-5-21-1793613773-621299329-1849977318%' }
        $LastUsers = $u | Sort-Object -Property LastUseTime -Descending 
        If ($LastUsers) {
            ForEach ($userAccount in $LastUsers) {
                $Loaded = $userAccount.Loaded
                # Convert the date to a readable format
                $Script:Time = ([WMI]'').ConvertToDateTime($userAccount.LastUseTime)
                $Script:UserSID = New-Object System.Security.Principal.SecurityIdentifier($userAccount.SID)
                $User = $Script:UserSID.Translate([System.Security.Principal.NTAccount])
                $uName = $User -replace "DOMAIN\\", ""
                Write "Found user profile for: $User Last Logon: $Script:Time SID: $Script:UserSID ComputerName: $cName"
                Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "powershell.exe -WindowStyle Hidden -NonInteractive -c Get-ChildItem -Path Microsoft.Powershell.Core\Registry::HKEY_USERS\$Script:UserSID\Network\ | Get-ItemProperty -Name RemotePath | Format-Table PSChildName, RemotePath -Wrap > c:\users\$cName-$uName-mappedDrivesInfo.txt"  -ComputerName $cName -Credential $myCreds | Out-Null
            } 
        }
        Start-Sleep -Seconds 5
        $mappedFiles = Get-ChildItem -Filter *mappedDrivesInfo.txt -File X:\Users
        ForEach ($mFile in $mappedFiles) {
            Write-Host "Found the following mapped drive file: $mFile"
            If ($mFile.Length -gt 0) {
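                # Use the FileInfo's full path; "$mFile" can expand to either the name or the full path
                Copy-Item -Path $mFile.FullName -Destination Y:\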
                Write-Host "Copied the above file."
            }
            Else {
                Write-Host "File is empty.  Did not copy it."
            }
        }
        Remove-PSDrive X -Force | Out-Null
    
    }
    Else {
        Write-Host "Unable to connect to $cName"
    }
}
Remove-PSDrive Y -Force | Out-Null
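
The script above writes a text file on each remote machine and copies it back through the C$ share, and HKEY_USERS\<SID> is only populated while that user's hive is loaded. The following is an added example, not the author's script: it returns the same data as objects over a remoting session and temporarily loads NTUSER.DAT for logged-off profiles. It assumes PowerShell remoting (WinRM) is enabled on the targets; the TempHive_ prefix and mappedDrives.csv are made-up names.

```powershell
# Added example. Assumes PowerShell remoting (WinRM) is enabled on the targets.
# compList.txt is the post's input file; "TempHive_" and mappedDrives.csv are made-up names.
$myCreds = Get-Credential

$collect = {
    $profiles = Get-CimInstance -ClassName Win32_UserProfile | Where-Object { -not $_.Special }
    foreach ($p in $profiles) {
        $mount  = $p.SID
        $loaded = $false
        if (-not $p.Loaded) {
            # Logged-off user: the hive is not under HKEY_USERS, so load NTUSER.DAT temporarily.
            $mount = "TempHive_$($p.SID)"
            & reg.exe load "HKU\$mount" (Join-Path $p.LocalPath 'NTUSER.DAT') 2>&1 | Out-Null
            if ($LASTEXITCODE -ne 0) { continue }   # hive missing or locked: skip this profile
            $loaded = $true
        }
        try {
            $netKey = "Registry::HKEY_USERS\$mount\Network"
            if (Test-Path -Path $netKey) {
                foreach ($k in Get-ChildItem -Path $netKey) {
                    # One object per mapped drive letter found under the Network key
                    [pscustomobject]@{
                        SID        = $p.SID
                        Profile    = $p.LocalPath
                        Drive      = $k.PSChildName
                        RemotePath = (Get-ItemProperty -Path $k.PSPath -Name RemotePath).RemotePath
                    }
                    $k.Close()
                }
            }
        }
        finally {
            if ($loaded) {
                # Release open registry handles, otherwise reg unload fails with "access denied".
                [gc]::Collect(); [gc]::WaitForPendingFinalizers()
                & reg.exe unload "HKU\$mount" 2>&1 | Out-Null
            }
        }
    }
}

Invoke-Command -ComputerName (Get-Content compList.txt) -Credential $myCreds `
        -ScriptBlock $collect -ErrorAction SilentlyContinue -ErrorVariable failed |
    Select-Object PSComputerName, SID, Profile, Drive, RemotePath |
    Export-Csv -Path mappedDrives.csv -NoTypeInformation

# Hosts that could not be reached or refused the session
$failed | ForEach-Object { Write-Warning "$($_.TargetObject): $($_.Exception.Message)" }
```

Because results come back through the session, nothing is written to C:\Users on the targets and no admin-share mapping is needed.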


