I haven’t tried it yet, but what do you think of deploying a CI to users, and then just using the script to check through the current logged on user’s hive? I would simplify the script a lot, but I’ve not deployed a Configuration Baseline to users yet/
From: [email protected] [mailto:[email protected]] On Behalf Of Sherry Kissinger Sent: Thursday, April 23, 2015 10:27 AM To: [email protected] Subject: Re: [mssms] RE: Configuration Item to check printer connections in each profile on a PC Per user, as you know; is difficult to tease out. Here's a sample of something similar; but it would be an advertisement, not a ConfigItem; so that you could then pull the data out via hardware inventory. A configitem makes more sense, (your method), if you have a lot of shared machines; because you would need to load up a user hive as system to try to look inside it. This is probably more personal preference than anything concrete, but I tend to avoid loading up user hives to read them--if I can in any way be kind to the client, I try to do that. and loading up a hive and reading it could take more time than I'm willing to think is a "good thing" on clients. I'm not saying the right thing to do for you is to completely about-face and switch to scripts run as adverts; but you could test at least the concept of script #1 (to create and set security on a custom namespace) and then subsequent scripts to populate that. I adore ConfigItems as you know... but user specific stuff is one of those grey areas where sometimes a "run only when user is logged in" package/program/advert might provide more accurate results. But it all depends what you're looking for. On Thursday, April 23, 2015 9:03 AM, "Krueger, Jeff" <[email protected]<mailto:[email protected]>> wrote: Paging Sherry…. help From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Krueger, Jeff Sent: Wednesday, April 22, 2015 2:05 PM To: [email protected]<mailto:[email protected]> Subject: [mssms] Configuration Item to check printer connections in each profile on a PC Hoping someone has done something like this before where you need to loop through the user profiles and look for something in their registry hive. I’ve made Configuration Item that runs a powershell script that checks for connections to a particular print server. It does a reg load on each user’s profile and then checks for reg keys pointing to the server we’re interested in. I’m getting inconsistent results, the configuration item is checking for a Boolean value returned by the script, if it’s false then the machine is compliant. But I’m getting non-compliant results for machines I know shoul d evaluate as compliant. The script is below, if anyone has a simpler way to accomplish this, that would be super helpful. #Create New PS Drive to access the user Keys New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS | Out-Null Set-Location HKU: #Create empty array to which we will add our list of wrong printer connections $BadPrinters = @() #Gets the current user's SID to look for printers $strCurrentUser = (Get-WmiObject Win32_ComputerSystem -Computer ".").UserName $objCurrentUser = New-Object System.Security.Principal.NTAccount($strCurrentUser) $strCurrentUserSID = ($objCurrentUser.Translate([System.Security.Principal.SecurityIdentifier])).Value $PrintServer = '*PrintServer01*' #Lookup the printer in the current user hive $GetKey = Test-Path .\$strCurrentUserSid\Printers\Connections IF ($GetKey -eq $true) { $BadPrintServer = Get-ChildItem -Path .\$strCurrentUserSid\Printers\Connections | Where-Object {$_.Name -like $Printserver} Foreach ($badconnects in $BadPrintServer) { $BadPrinters += "$badconnects" } } #Exclude users from list of profiles we will load $strUserName = ((Get-WmiObject Win32_ComputerSystem -Computer ".").UserName).Split('\')[1] $ExcludedUsers = @($strUserName, 'ADMINI~1', 'Public') #Reg load each user profile and check for the printers $GetUsersToLoad = Get-ChildItem -path "$env:SystemDrive\Users" -Exclude $ExcludedUsers $UserList = @() Foreach ($user in $GetUsersToLoad) { $UserList += $user.Name } Foreach ($profile in $UserList) { &Reg.exe Load HKU\$Profile c:\users\$Profile\ntuser.dat | Out-Null Start-Sleep -s 3 $TempGetKey = Test-Path HKU:\$Profile\Printers\Connections IF ($TempGetKey -eq $true) { $TempBadPrintServer = Get-ChildItem -Path HKU:\$Profile\Printers\Connections | Where-Object {$_.Name -like $PrintServer} Foreach ($connection in $TempBadPrintServer) { IF ($connection -ne $Null) { $BadPrinters += $connection.ToString() Remove-Variable connection } } Remove-Variable TempBadPrintServer } Remove-Variable TempGetKey [gc]::Collect() Try{ & cmd /c Reg.exe Unload HKU\$Profile 2>&1 | Out-Null } Catch{} Start-Sleep -s 3 cd HKU: } cd c: Remove-PSDrive HKU $BadPrinters.count -gt '0' Jeff Krueger [email protected]<mailto:[email protected]> IT - Henry Ford Health System 248.853.4466 ________________________________ CONFIDENTIALITY NOTICE: This email contains information from the sender that may be CONFIDENTIAL, LEGALLY PRIVILEGED, PROPRIETARY or otherwise protected from disclosure. This email is intended for use only by the person or entity to whom it is addressed. If you are not the intended recipient, any use, disclosure, copying, distribution, printing, or any action taken in reliance on the contents of this email, is strictly prohibited. If you received this email in error, please contact the sending party by reply email, delete the email from your computer system and shred any paper copies. Note to Patients: There are a number of risks you should consider before using e-mail to communicate with us. See our Privacy & Security page on www.henryford.com<http://www.henryford.com/> for more detailed information as well as information concerning MyChart, our new patient portal. If you do not believe that our policy gives you the privacy and security protection you need, do not send e-mail or Internet communications to us.
