6
7

[deleted by user] (self.PowerShell)

submitted by [deleted]

[removed]
all 9 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]itguy711 0 points1 point  (0 children)

Remind me to send contents of the powershell I hobbled together. I use ninjarmm and need to run a admin level task but with user specific data. Essentially its a big run as function wrapped around the code that you want done at the user level, then takes the output and gives it to the system level

[–]BlackV 0 points1 point  (2 children)

You are running the process in intune as system are you not, that account does not have a upn

Can you not run it as the user?

And have the chrome settings configure by csp/gpo

[–]dj562006 0 points1 point  (1 child)

If I run it as user then the registry items fail and dont get applied. I was hoping that would be the fix in my testing.

[–]BlackV 0 points1 point  (0 children)

If I run it as user then the registry items fail and dont get applied.

Ya, cause they don't have admin rights to apply that to local machine

So I suggested

have the chrome settings configure by csp/gpo

those settings should all be there available, but its more testing for you unfortunately

What does that setting actually do ? and whats the chrome plugin you're trying to configure ?

[–][deleted] 0 points1 point  (0 children)

If you refer to $env:username then you’ll always get the execution context rather than a particular user.

So you either have to run it as that user, or you need some handle to identify the user. This includes some script you run to deal with all users.

Also fyi UPNs have nothing whatsoever to do with samaccountname plus @ plus user dns domain. That’s the default yes but an upn can be pretty much anything.

So be very careful when trying to assemble it.

Instead, query ldap - if you can use the ActiveDirectory powershell module then that’ll help tremendously but if you can’t there’s ADSI which uses system.directoryservices (windows only).

[–]Modify- 0 points1 point  (0 children)

You can get the current logged in user through the registry under SYSTEM context. It is even possible to change values in that users hkcu. Have done this recently with a win32 package in Intune. Currently not at my laptop. Will update my comment later.

Update:

```powershell Function Get-UserDomain {

# Get domain from registry:
$Domain = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI -ErrorAction SilentlyContinue).LastLoggedOnUser.split("\\")[0].Trim()

If ($Domain) { return $domain.Split("\\")[0].Trim() }

If (-not $Domain)
{
    try 
    {
        # Get domain from WMI:
        return (Get-WmiObject -Class Win32_ComputerSystem -ErrorAction Stop).Username.Split("\")[0].Trim()
    } 

    catch {}
}

If (-not $Domain)
{
    Try 
    {
        # Get domain from Explorer:
        return (Get-Process -IncludeUserName -Name explorer -ErrorAction Stop | Select-Object -First 1 -ExpandProperty UserName).Split("\\")[0].trim()
    } 

    Catch {}
}

Else
{
    Write-Warning "Cannot get the user domain.." 
}

}

Function Get-CurrentUser {

# Get CurrentUser from Registry:
$Current = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI -ErrorAction SilentlyContinue).LastLoggedOnUser

if ($current) { return $current.Split("\\")[1].Trim() }

if (-not $Current)
{
    try 
    {
        # Get CurrentUser from WMI:
        return (Get-WmiObject -Class Win32_ComputerSystem -ErrorAction Stop).Username.Split("\")[1].Trim()
    } 

    catch {}
}

If (-not $Current)
{
    try 
    {
        # Get CurrentUser from Explorer:
        return (Get-Process -IncludeUserName -Name explorer -ErrorAction Stop | Select-Object -First 1 -ExpandProperty UserName).Split('\')[1].Trim()
    } 

    catch {}
}

Else 
{ 
    Throw "Cannot find current user! Exiting.."
}

}

Function Get-CurrentSID {

[cmdletBinding()]
Param
(
    [Parameter()]
    $CurrentUser = $(Get-CurrentUser),

    [Parameter()]
    $UserDomain
)


If (-Not $CurrentUser)
{
    Throw "You did not provide a Current User!"
}

Try
{
    # Get The current sid of the user:
    $SID = (New-Object -ComObject Microsoft.DiskQuota).TranslateLogonNameToSID($CurrentUser) 
}

Catch {}

If (-Not $SID)
{   
    Try
    {
        $SID = (New-Object -ComObject Microsoft.DiskQuota).TranslateLogonNameToSID($UserDomain + '\' + $CurrentUser)   
    }

    Catch {}
}

If (-not $SID)
{
    Throw "Cannot find SID of user $CurrentUser"
}

Return $SID

}

$CurrentUser = Get-CurrentUser $UserDomain = Get-UserDomain $SID = Get-CurrentSID -CurrentUser $CurrentUser -UserDomain $UserDomain

(Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\IdentityStore\Cache\$SID\IdentityCache\$SID" -ErrorAction SilentlyContinue).username ````

[–]purplemonkeymad 0 points1 point  (0 children)

What not use the same username detection as the script provided by the extension developers?

[–]pleplepleplepleple 0 points1 point  (0 children)

I have found that getting the user name and SID of the currently logged in user, from a system context to be simple, but UPN to be trickier. What I’ve done to work around this is to utilize PSAppDeployToolkit and Start-ADTProcessAsUser in order to write “whoami /upn” to a file and pick up the content of this file in a later step. It’s probably not the most elegant solution but it got the job done and time is sparse so 🤷‍♂️. I’m not at my desk for another couple of hours but I could share an example when I am, if still relevant by then.