ForEach Help

  • Question

  • $e1 = @("Admin", "ETB User", "Guest")
    $users = Get-WmiObject -Class win32_useraccount | Select-Object Name | Where-Object {($_.Name -notlike "cs1*") -and ($_.Name -notlike "cs2*") -and ($_.Name -notin $e1)`
    -and ($_.Name -notlike "cs3*") -and ($_.Name -notlike "cs4*") -and ($_.Name -notlike "cs5*") -and ($_.Name -notlike "cs6*") -and ($_.Name -notlike "cs7*") -and ($_.Name -notlike "cs8*")`
    -and ($_.Name -notlike "cs9*")}
    foreach ($i in $users) {
    $objComputer = [ADSI]"WinNT://127.0.0.1"
    $objUser = $objComputer.psbase.get_children().find($i)
    pause #entered for debugging purposes
    $objUser.PSBase.InvokeSet("ConnectClientDrivesAtLogon", "0")
    $objUser.SetInfo()
    }

    I can't get this to work and not sure where I'm going wrong.  I get the below error:


    Thursday, November 27, 2014 8:32 PM

Answers

  • This illustrates, quite nicely I think, the importance of asking the right question. This isn't a "how do I disable and enable users" question, but rather "how do I disable and enable logons to a terminal server" question.

    -- Bill Stewart [Bill_Stewart]

    Saturday, November 29, 2014 11:22 PM
    Moderator
  • You don't need to enable or disable users. Just manage the membership of the group that permits logons.


    -- Bill Stewart [Bill_Stewart]

    Saturday, November 29, 2014 10:48 AM
    Moderator
  • To extend Bill's approach I have just disabled access for the "Remote Desktop Users" group.  This is done on the security tab of the RDP connector.

    Another way is to use PowerShell remoting to access the system and then run "CHANGE LOGON DISABLE"

    Now you have complete access with no users and can do anything needed with PowerShell.


    ¯\_(ツ)_/¯

    Saturday, November 29, 2014 11:04 AM

All replies

  • First, move the $objComputer assignment outside of the foreach. This won't resolve your problem but it will stop it from recreating this variable in each loop iteration.

    Next, the $objComputer assignment is for WinNT://127.0.0.1. When I tested this out I received access denied errors for some of the child objects, as well I received objects on the local machine (expected for 127.0.0.1!) that didn't have a find() method.

    Change WinNT://127.0.0.1 to your actual domain, e.g. WinNT://addomain.example.com. Now you'll return expected domain resources and the find() method will be the one you're expecting.

    Finally, since you're not really searching a computer object, I would recommend renaming $objComputer to $objDomain.

    $e1 = @("Admin", "ETB User", "Guest")
    $users = Get-WmiObject -Class win32_useraccount | Select-Object Name | Where-Object {($_.Name -notlike "cs1*") -and ($_.Name -notlike "cs2*") -and ($_.Name -notin $e1)`
    -and ($_.Name -notlike "cs3*") -and ($_.Name -notlike "cs4*") -and ($_.Name -notlike "cs5*") -and ($_.Name -notlike "cs6*") -and ($_.Name -notlike "cs7*") -and ($_.Name -notlike "cs8*")`
    -and ($_.Name -notlike "cs9*")}
    
    $objDomain = [ADSI]"WinNT://addomain.example.com"
    	
    foreach ($i in $users) {
    
    	$objUser = $objDomain.psbase.get_children().find($i)
    	pause #entered for debugging purposes
    	$objUser.PSBase.InvokeSet("ConnectClientDrivesAtLogon", "0")
    	$objUser.SetInfo()
    }




    • Edited by Jason Warren Thursday, November 27, 2014 9:37 PM
    Thursday, November 27, 2014 9:35 PM
  • This is closer to legitimate ADSI and PowerShell but it still won't work.  The property does not exist.

    $users = Get-WmiObject -Class win32_useraccount|
         Where-Object{
            $_.Name -notmatch '^cs\d' -and $_.Name -notmatch 'Admin|ETB User|Guest'
        }
    
    foreach ($user in $users){
        $u=[ADSI]"WinNT://./$($user.Name)"
        $u.PSBase.InvokeSet('ConnectClientDrivesAtLogon', 0)
    }

    You will find that there is no such property on user objects on a local system.


    ¯\_(ツ)_/¯


    • Edited by jrv Friday, November 28, 2014 1:41 AM
    Friday, November 28, 2014 1:40 AM
  • Jason,

    It still didn't work.  I don't have Active Directory installed so not sure if that's the reason it worked for you.  Thanks for the help in any case.

    Kevin

    Friday, November 28, 2014 10:52 AM
  • What is the purpose of this script - i.e., what is it you're trying to do?

    -- Bill Stewart [Bill_Stewart]

    Friday, November 28, 2014 12:03 PM
    Moderator
  • I have this existing DOS command I used to disable all users from a text file.  This required me to keep the text file current.  I'm attempting to duplicate and update the batch file to PowerShell.  Here is the batch command:

    for /F %i in (C:\D1.txt) do net user /active:no %i

    And here is the beginning of the PowerShell command:

    $e1 = @("Admin", "ETB User", "Guest")
    $users = Get-WmiObject -Class win32_useraccount | Select-Object Name | Where-Object {($_.Name -notlike "cs1*") -and ($_.Name -notlike "cs2*") -and ($_.Name -notin $e1)`
    -and ($_.Name -notlike "cs3*") -and ($_.Name -notlike "cs4*") -and ($_.Name -notlike "cs5*") -and ($_.Name -notlike "cs6*") -and ($_.Name -notlike "cs7*") -and ($_.Name -notlike "cs8*")`
    -and ($_.Name -notlike "cs9*")}
    
    foreach ($i in $users) {
    	#### This is where I am stuck.    
        
    }

    Friday, November 28, 2014 12:42 PM
  • Jason,

    It still didn't work.  I don't have Active Directory installed so not sure if that's the reason it worked for you.  Thanks for the help in any case.

    Kevin

    ADSI is built into PowerShell (.NET Framework).  It doesn't work because there is no such property as "ConnectClientDrivesAtLogon".  That is a terminal server setting on AD and not on a local user.  It is set differently on AD.  It cannot be managed via WMI.


    ¯\_(ツ)_/¯

    Friday, November 28, 2014 1:04 PM
    • Edited by jrv Friday, November 28, 2014 1:50 PM
    Friday, November 28, 2014 1:50 PM
  • Bill-

    In the event I needed to quickly disable all users I wanted to just run this script, then later enable them all again with another script.

    Friday, November 28, 2014 6:58 PM
  • In the event I needed to quickly disable all users I wanted to just run this script, then later enable them all again with another script.

    Why? (What problem are you trying to solve?)


    -- Bill Stewart [Bill_Stewart]

    Saturday, November 29, 2014 1:57 AM
    Moderator
  • I have a single server used solely to run a custom application, in which my customers connect via RDP.  Since I'm new to all of this, having the ability to lock everyone out seemed like a good idea.  Events could be updating files, doing troubleshooting, etc.  Since I manage the server remotely (it's an hour away) turning off RDP wasn't an option.  Hope this makes sense.
    Saturday, November 29, 2014 10:34 AM
  • You don't need to enable or disable users. Just manage the membership of the group that permits logons.


    -- Bill Stewart [Bill_Stewart]

    Saturday, November 29, 2014 10:48 AM
    Moderator
  • To extend Bill's approach I have just disabled access for the "Remote Desktop Users" group.  This is done on the security tab of the RDP connector.

    Another way is to use PowerShell remoting to access the system and then run "CHANGE LOGON DISABLE"

    Now you have complete access with no users and can do anything needed with PowerShell.


    ¯\_(ツ)_/¯

    Saturday, November 29, 2014 11:04 AM
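
The two suggestions above (managing the membership of the group that permits logons, and `change logon` over PowerShell remoting) combined into one reversible script. This is an added example, not code posted by anyone in the thread: `Set-RdpMaintenance`, its parameters, the state-file path and the server name are hypothetical, and it assumes PowerShell remoting to the server and the `LocalAccounts` cmdlets (Windows PowerShell 5.1 or later) on it.

```powershell
# Added example: Set-RdpMaintenance, its parameters and the state path are hypothetical.
function Set-RdpMaintenance {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][ValidateSet('Enter', 'Exit')][string]$Mode,
        [switch]$DisableAllLogons,   # also run "change logon /disable"
        [string]$StatePath = 'C:\ProgramData\rdp-maintenance-members.txt'
    )
    if (-not $PSCmdlet.ShouldProcess($ComputerName, "$Mode RDP maintenance")) { return }

    $remoteArgs = $Mode, $StatePath, $DisableAllLogons.IsPresent
    Invoke-Command -ComputerName $ComputerName -ArgumentList $remoteArgs -ScriptBlock {
        param($Mode, $StatePath, $DisableAllLogons)
        $group = 'Remote Desktop Users'
        $current = @(Get-LocalGroupMember -Group $group | ForEach-Object { $_.Name })

        if ($Mode -eq 'Enter') {
            # Save the membership before emptying the group. A second 'Enter'
            # finds no members and leaves the saved list untouched.
            if ($current.Count -gt 0) {
                Set-Content -Path $StatePath -Value $current
                Remove-LocalGroupMember -Group $group -Member $current
            }
            if ($DisableAllLogons) { change.exe logon /disable | Out-Null }
        }
        else {
            change.exe logon /enable | Out-Null
            if (Test-Path -Path $StatePath) {
                # Re-add only the saved members that are not already present.
                $missing = @(Get-Content -Path $StatePath | Where-Object { $_ -notin $current })
                if ($missing.Count -gt 0) { Add-LocalGroupMember -Group $group -Member $missing }
                Remove-Item -Path $StatePath
            }
        }

        # Return the resulting state so the operator can confirm it.
        [pscustomobject]@{
            Mode       = $Mode
            LogonState = (change.exe logon /query) -join ' '
            Members    = @(Get-LocalGroupMember -Group $group | ForEach-Object { $_.Name })
        }
    }
}

# Lock customers out before maintenance, then let them back in afterwards.
# 'APPSERVER01' is a placeholder server name.
Set-RdpMaintenance -ComputerName 'APPSERVER01' -Mode Enter
Set-RdpMaintenance -ComputerName 'APPSERVER01' -Mode Exit
```

By default members of Administrators keep RDP access when the group is emptied, whereas `change logon /disable` refuses subsequent logons from client sessions (not the console), so pass `-DisableAllLogons` only when PowerShell remoting or the console is how you get back in. Neither step ends sessions that are already connected.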
  • Bill / jrv -

    Thanks for the help on this.  I'll dig into this today.

    Thanks again,

    Kevin

    Saturday, November 29, 2014 1:15 PM
  • This illustrates, quite nicely I think, the importance of asking the right question. This isn't a "how do I disable and enable users" question, but rather "how do I disable and enable logons to a terminal server" question.

    -- Bill Stewart [Bill_Stewart]

    Saturday, November 29, 2014 11:22 PM
    Moderator