PowerShell launch script in new instance
I have a Master script that has several options. When you select 1 in the menu, action 1 will be executed and afterwards you'll get back to the menu. This is working fine but I would like to be able to select for example 8, which launches the code block of the Permissions script in a new PowerShell window. I would like to have all code in one script and not call another script.
I know this can be done with 'Start-Process powershell' as found in several threats. This does open an new PowerShell window but doesn't execute the code block properly of the Permissions script. Any help would be appreciated.
Master script:
<# Author: Me #>
# Variables
$User = [Environment]::UserName
$OutputPath = "C:\Users\$User\Downloads\"
# Functions
Function Manager ($u) {
$m = Get-ADObject -Identity $u.managedBy -Properties displayName,cn
if($m.ObjectClass -eq "user") { $m.displayName } Else{ $m.cn } }
# Hit play
do {
[int]$userMenuChoice = 0
cls
while ( $userMenuChoice -lt 1 -or $userMenuChoice -gt 7) {
Write-Host "PowerShell for dummies"
Write-Host "__________________________________________________"
Write-Host "1. Groups created in the last 3 weeks"
Write-Host "2. Users created in the last 3 weeks"
Write-Host "3. All BEL Users"
Write-Host "4. Users with an incorrect display name or city"
Write-Host "5. Users de-provisioned within 3 weeks"
Write-Host "6. Files/Folders: Activate inheritance & set owner to admin"
Write-Host "7. Quit"
[int]$userMenuChoice = Read-Host "Please choose an option"
switch ($userMenuChoice) {
1{# Groups created in the last 3 weeks
$When = ((Get-Date).AddDays(-21)).Date
Get-ADGroup -SearchBase "OU=Groups,OU=BEL,OU=EU,DC=domain,DC=net" -Filter {whenCreated -ge $When} -Properties * |
Select whenCreated, cn, displayName, GroupScope, GroupCategory, description, info, @{Label="Managed By"; expression= { Manager $_ } } | Export-Csv $OutputPath"New groups.csv" -NoTypeInformation -Delimiter ";" -Encoding utf8; start $OutputPath"New groups.csv"}
2{# Users created in the last 3 weeks
$When = ((Get-Date).AddDays(-21)).Date
Get-ADUser -SearchBase "OU=BEL,OU=EU,DC=domain,DC=net" -Filter {whenCreated -ge $When} -Properties * | Select whenCreated, Name,displayName, sn, givenName, sAMAccountName, title, description, employeeType, info, department, company, homeDirectory, scriptPath, physicalDeliveryOfficeName, @{Label="Managed By"; expression= { Manager $_ } } | Export-Csv $OutputPath"New users.csv" -NoTypeInformation -Delimiter ";" -Encoding utf8; start $OutputPath"New users.csv"}
3{# All BEL users
Get-ADUser -SearchBase "OU=Users,OU=BEL,OU=EU,DC=domain,DC=net" -Filter * -Properties * | Select whenCreated, @{Name="Lastlogon"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}}, Name,displayName, sn, givenName, sAMAccountName, title, description, employeeType, info, department, company, homeDirectory, scriptPath, physicalDeliveryOfficeName, @{Label="Managed By"; expression= { Manager $_ } } | Export-Csv $OutputPath"BEL Service Accounts.csv" -NoTypeInformation -Delimiter ";" -Encoding utf8; start $OutputPath"BEL Service Accounts.csv"}
4{# Users with an incorrect display name or city
Get-ADUser -SearchBase "OU=BEL,OU=EU,DC=domain,DC=net" -Filter * -Properties * | where {$_.cn -NotLike "*$($_.l)*" -and $_.distinguishedname -notmatch 'OU=Terminated Users,OU=BEL,OU=EU,DC=grouphc,DC=net' -and $_.cn -ne "BNL Service Desk"} | Select whenCreated, Name,displayName, sn, givenName, sAMAccountName, title, description, employeeType, info, department, company, homeDirectory, scriptPath, physicalDeliveryOfficeName, @{Label="Managed By"; expression= { Manager $_ } } | Export-Csv $OutputPath"Incorrect users.csv" -NoTypeInformation -Delimiter ";" -Encoding utf8; start $OutputPath"Incorrect users.csv"}
5{# Users de-provisioned within 3 weeks
$LogonDate = ((Get-Date).AddDays(-80)).Date # GIT 104 days KB-3872
$CreaDate = ((Get-Date).AddDays(-60)).Date # GIT 60 days
$PwdDate = ((Get-Date).AddDays(-90)).Date # GIT 90 days
Get-ADUser -SearchBase "OU=Users,OU=BEL,OU=EU,DC=grouphc,DC=net" -Filter {(lastLogonDate -le $LogonDate) -and (WhenCreated -lt $CreaDate) -and (PwdLastSet -le $PwdDate)} -Properties * | Select LastLogonDate, WhenCreated, PasswordLastSet, Name, title, description, employeeType, info, department, company, homeDirectory, scriptPath, physicalDeliveryOfficeName, @{Label="Managed By"; expression= { Manager $_ } } | Export-Csv $OutputPath"To be deprovisioned.csv" -NoTypeInformation -Delimiter ";" -Encoding utf8; start $OutputPath"To be deprovisioned.csv"}
6{# Files/Folders: Activate inheritance & set owner to admin
Get-ADUser -SearchBase "OU=BEL,OU=EU,DC=domain,DC=net" -Filter * -Properties * | where {$_.cn -NotLike "*$($_.l)*" -and $_.distinguishedname -notmatch 'OU=Terminated Users,OU=BEL,OU=EU,DC=grouphc,DC=net' -and $_.cn -ne "BNL Service Desk"} | Select whenCreated, Name,displayName, sn, givenName, sAMAccountName, title, description, employeeType, info, department, company, homeDirectory, scriptPath, physicalDeliveryOfficeName, @{Label="Managed By"; expression= { Manager $_ } } | Export-Csv $OutputPath"Incorrect users.csv" -NoTypeInformation -Delimiter ";" -Encoding utf8; start $OutputPath"Incorrect users.csv"}
}
}
} while ( $userMenuChoice -ne 7 )
cls
Write-Host "We left here because there's nothing else to do.."
Permissions script:
####### TO DO #######
$Target = "\\domain.net\SHARE\Target"
# Change FOLDER owners to Admin
If (Test-Path C:\PTemp) { Remove-Item C:\PTemp }
New-Item -type directory -Path C:\PTemp > $null
Write-Output "`nStart setting folder permissions on:"
$Folders = @(Get-ChildItem -Path $Target -Directory -Recurse | Select-Object -ExpandProperty FullName)
foreach ($Item1 in $Folders)
{
# Action
Write-Output $Item1
$AdjustTokenPrivileges = @"
using System;
using System.Runtime.InteropServices;
public class TokenManipulator
{
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
[DllImport("kernel32.dll", ExactSpelling = true)]
internal static extern IntPtr GetCurrentProcess();
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr
phtok);
[DllImport("advapi32.dll", SetLastError = true)]
internal static extern bool LookupPrivilegeValue(string host, string name,
ref long pluid);
[StructLayout(LayoutKind.Sequential, Pack = 1)]
internal struct TokPriv1Luid
{
public int Count;
public long Luid;
public int Attr;
}
internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
internal const int TOKEN_QUERY = 0x00000008;
internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
public static bool AddPrivilege(string privilege)
{
try
{
bool retVal;
TokPriv1Luid tp;
IntPtr hproc = GetCurrentProcess();
IntPtr htok = IntPtr.Zero;
retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
tp.Count = 1;
tp.Luid = 0;
tp.Attr = SE_PRIVILEGE_ENABLED;
retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
return retVal;
}
catch (Exception ex)
{
throw ex;
}
}
public static bool RemovePrivilege(string privilege)
{
try
{
bool retVal;
TokPriv1Luid tp;
IntPtr hproc = GetCurrentProcess();
IntPtr htok = IntPtr.Zero;
retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
tp.Count = 1;
tp.Luid = 0;
tp.Attr = SE_PRIVILEGE_DISABLED;
retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
return retVal;
}
catch (Exception ex)
{
throw ex;
}
}
}
"@
add-type $AdjustTokenPrivileges
$Folder = Get-Item $Item1
[void][TokenManipulator]::AddPrivilege("SeRestorePrivilege")
[void][TokenManipulator]::AddPrivilege("SeBackupPrivilege")
[void][TokenManipulator]::AddPrivilege("SeTakeOwnershipPrivilege")
$NewOwnerACL = New-Object System.Security.AccessControl.DirectorySecurity
$Admin = New-Object System.Security.Principal.NTAccount("BUILTIN\Administrators")
$NewOwnerACL.SetOwner($Admin)
$Folder.SetAccessControl($NewOwnerACL)
# Add folder Admins to ACL with Full Control to descend folder structure
$Acl = Get-Acl -Path C:\PTemp
$Ar = New-Object system.security.accesscontrol.filesystemaccessrule("BUILTIN\Administrators","FullControl","Allow")
$Acl.SetAccessRule($Ar)
Set-Acl $Item1 $Acl
}
# Change FILE owners to Admin
If (Test-Path C:\PFile) { Remove-Item C:\PFile }
New-Item -type file -Path C:\PFile > $null
Write-Output "`nStart setting file permissions on:"
$Files = @(Get-ChildItem -Path $Target -File -Recurse | Select-Object -ExpandProperty FullName)
foreach ($Item2 in $Files)
{
# Action
Write-Output $Item2
$Account = New-Object System.Security.Principal.NTAccount("BUILTIN\Administrators")
$FileSecurity = new-object System.Security.AccessControl.FileSecurity
$FileSecurity.SetOwner($Account)
[System.IO.File]::SetAccessControl($Item2, $FileSecurity)
# Add file Admins to ACL with Full Control and activate inheritance
$PAcl = Get-Acl -Path C:\PFile
$PAr = New-Object system.security.accesscontrol.filesystemaccessrule("BUILTIN\Administrators","FullControl","Allow")
$PAcl.SetAccessRule($PAr)
Set-Acl $Item2 $PAcl
}
# Clean-up junk
Write-Output "`nCleaning up.."
rm C:\PTemp, C:\PFile
Write-Output "`nAll done :)"
What I tried so far, with a shorter code block but also without success:
6{# Test
Start-Process powershell {Get-ADUser -SearchBase "OU=Users,OU=BEL,OU=EU,DC=domain,DC=net" -Filter * -Properties * | Select whenCreated, @{Name="Lastlogon"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}}, Name,displayName, sn, givenName, sAMAccountName, title, description, employeeType, info, department, company, homeDirectory, scriptPath, physicalDeliveryOfficeName, @{Label="Managed By"; expression= { Manager $_ } } | Export-Csv $OutputPath"BEL Service Accounts.csv" -NoTypeInformation -Delimiter ";" -Encoding utf8; start $OutputPath"BEL Service Accounts.csv"}}}
DarkLite14 Answers
Instead of starting a cmd to start a new powershell instance you can:
start powershell {echo hello}
To prevent immediate exit of new started powershell:
start powershell {echo hello; Read-Host}
answered on Stack Overflow Nov 23, 2016 by 
Ghashange
GhashangeTo launch in an external PS window, you can use the following:
invoke-expression 'cmd /c start powershell -Command { [script block here] }'
E.g.:
invoke-expression 'cmd /c start powershell -Command { write-host "Hi, new window!"; set-location "C:\"; get-childitem ; sleep 3}'
arco444
NuxUsing cmd to start powershell?
start-process powershell -ArgumentList '-noexit -command 'Commands for the new PowerShell''
Marty Wiedmeyer
ZoeAlthough start powershell command looks cleaner, it doesn't allow you to do everything that you can do with invoke-expression. For example, the following opens a new window, changes its title and background color, and leaves the window open:
invoke-expression 'cmd /c start powershell -NoExit -Command { `
cd -path $env:homedrive$env:homepath/Documents/MySillyFolder; `
$host.UI.RawUI.WindowTitle = "A Silly Little Title"; `
color -background "red"; `
}';
It also runs fine from within another powershell script.
If you try to do this using the start powershell {...} syntax it will give an error on the title-changing line, and won't keep the window open. (I suppose It's possible that there's some obscure syntax hack that will make start powershell work, but I haven't been able to find one.)
answered on Stack Overflow Oct 5, 2018 by 
thund
thundUser contributions licensed under CC BY-SA 3.0