
PowerShell nonsense

Westy

the teste
Nov 22, 2002
55,572
21,573
Sleazattle


Wouldn't an EXIF viewer/editor like this be an easier way? No idea what you are trying to accomplish

 

Wouldn't an EXIF viewer/editor like this be an easier way? No idea what you are trying to accomplish

I'm not only interested in image files. I would like to know generically how to use data that PowerPoint returns in tabular format.
 
$coordinateTable
[int]$degrees
[int]$minutes
[int]$seconds

# Get basic file properties
# -------------------------
[string]$directory = "E:\John's documents\~ Household\Land\Tobacco Road\~ Photos, house and yard\2021\"
[string]$fileName = "2021-11-16 111715 .jpg"
[string]$target = $directory + $fileName

Get-ItemProperty -path $target | Format-List -Property * -Force

# Get known image detail properties
# =================================
# Create an ImageFile object and load an image file
# -------------------------------------------------
$image = New-Object -ComObject Wia.ImageFile
$image.LoadFile($target)

# Read specified metadata
# -----------------------
"Latitude reference is '" + $image.Properties.Item('GpsLatitudeRef').Value + "'.`n"
$coordinateTable = $image.Properties.Item('GpsLatitude').Value
$coordinateTable
"Latitude degrees = " + $coordinateTable[1].Value
 

canadmos

Cake Tease
May 29, 2011
21,573
20,991
Canaderp
I'm no programmer, but it looks like you're reading the data. Now you need to select what you want to use.
 

canadmos

Cake Tease
May 29, 2011
21,573
20,991
Canaderp
Oh and there are tons of scripts and whatnot on one of Microsoft's pages (Github now...maybe?), which can be useful.
 

canadmos

Cake Tease
May 29, 2011
21,573
20,991
Canaderp
Windows and its permissions is frustrating sometimes...

I created a little powershell script today to grab the members of a group in AD, write it to a text file, print that text file to a pdf and then email said pdf.

You'd think writing the script would be the hard part. Nope, it's allowing whatever account the script is running as to create the printer and port. Even when running the script with Task Scheduler, set to run with highest privileges, shit still doesn't work.

What worked was adding that account to the local admin group on the server the script is on. Not ideal. :banghead: :banghead: :banghead: :banghead:
 

6thElement

Schrodinger's Immigrant
Jul 29, 2008
16,722
14,175
Windows and its permissions is frustrating sometimes...

I created a little powershell script today to grab the members of a group in AD, write it to a text file, print that text file to a pdf and then email said pdf.

You'd think writing the script would be the hard part. Nope, it's allowing whatever account the script is running as to create the printer and port. Even when running the script with Task Scheduler, set to run with highest privileges, shit still doesn't work.

What worked was adding that account to the local admin group on the server the script is on. Not ideal. :banghead: :banghead: :banghead: :banghead:
I had a similar fight a few weeks ago with wanting to email the output from a sqlcmd query. Annoying.
 

binary visions

The voice of reason
Jun 13, 2002
22,136
1,208
NC
@canadmos weird, you should be able to pipe things to Out-Printer -Name "Microsoft print to PDF" in a Windows environment, as long as the user has access to that printer, without elevation.

That said, things get funky when you're trying to do userworld processes (like printing) from non-interactive service accounts. In my experience, you don't typically need to actually make the user an admin but you do need to figure out what that user needs access to and delegate it.

But converting raw Powershell text to PDF is wasteful anyway. PDFs are for formatted documents. Just send the text file :monkeydance:
 

canadmos

Cake Tease
May 29, 2011
21,573
20,991
Canaderp
@canadmos weird, you should be able to pipe things to Out-Printer -Name "Microsoft print to PDF" in a Windows environment, as long as the user has access to that printer, without elevation.

That said, things get funky when you're trying to do userworld processes (like printing) from non-interactive service accounts. In my experience, you don't typically need to actually make the user an admin but you do need to figure out what that user needs access to and delegate it.

But converting raw Powershell text to PDF is wasteful anyway. PDFs are for formatted documents. Just send the text file :monkeydance:
True, it wasn't printing the file that was the problem, it was creating the port and printer itself - and allowing a non-interactive account to do so.

I forget the details, but each time the script runs, it creates the port and printer, "prints" to that port/file and then does the rest. Then removes them when done.

Agreed that text would eliminate all of this, but I wanted a PDF as it's much harder to change it, compared to a text file. This all revolves around some security groups that we need to periodically review and get approved by management. Our internal auditors are a picky bunch and would 100% question the validity of a plain text file.
 

binary visions

The voice of reason
Jun 13, 2002
22,136
1,208
NC
Our internal auditors are a picky bunch and would 100% question the validity of a plain text file.
Get-FileHash -Algorithm SHA384

Include the hash in the email contents you send.

Way more reliable than PDF. Just as easy to copy the contents and re-print it to PDF. File hash can't be faked.
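The hash step suggested above, as an added example that is not part of the original post: one function produces the line to paste into the email body, the other lets the reviewer check the attachment against it. The function names and the sample report are constructed for illustration.

```powershell
# Added example: function names and the sample report below are constructed.
function New-ReportHashLine {
    param([string]$Path)
    $h = Get-FileHash -LiteralPath $Path -Algorithm SHA384
    # "<hash>  SHA384  <file name>" is the line that goes into the email body.
    '{0}  SHA384  {1}' -f $h.Hash, (Split-Path -Leaf $Path)
}

function Test-ReportHash {
    param([string]$Path, [string]$HashLine)
    # Take the first whitespace-separated token, so a pasted line with
    # stray spaces or the trailing file name still compares cleanly.
    $expected = ($HashLine.Trim() -split '\s+')[0]
    $actual   = (Get-FileHash -LiteralPath $Path -Algorithm SHA384).Hash
    $actual -eq $expected    # string -eq is case-insensitive in PowerShell
}

# Constructed sample report standing in for the group-membership export.
$report = Join-Path ([IO.Path]::GetTempPath()) 'group-members.txt'
Set-Content -LiteralPath $report -Value 'alice', 'bob'

$line = New-ReportHashLine -Path $report
$body = "Group membership report attached.`nSHA384 of the attachment:`n$line"

Test-ReportHash -Path $report -HashLine $line       # file as it was hashed
Add-Content -LiteralPath $report -Value 'mallory'   # edit made after hashing
Test-ReportHash -Path $report -HashLine $line       # same check on the edited file
```

The check ties the attachment to the hash in the message, so it is only as trustworthy as the copy of the email the reviewer compares against.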
 

canadmos

Cake Tease
May 29, 2011
21,573
20,991
Canaderp
I have to periodically review the permissions on a bunch of folders - normally I just use Powershell to grab the members of two AD groups - I then combine csv files and yadda yadda yadda I get the access list reports out at the end of some manual work.

But earlier this week I thought to myself, huh, let's try and get rid of the manual work. I started to write a new Powershell script which I wanted to:
  • Get the list of folders
  • Query the ACL on each and grab the name of the two AD groups that I'm reviewing, for each folder
  • Use those group names and get the list of members
  • Use those group names to also get the managedBy attribute and save that to a separate csv file, along with the current folder name/path
  • Save the lists to some csv files
  • Mail the csv files to myself, so that I can put it in SharePoint (or somewhere in Office365)
  • Use Power Bi to create the actual reports, which I can send out for approval
  • Setup this all to autorefresh, so I can get it either on demand or "live"
Sounded easy but it's been a chore...

Like what happens if one of the groups in the ACL is empty?
What happens if the script can't find one of the group names - IE, what if some DUMMY has put a 2nd group in there with a similar name?
What happens when the ACL group contains users AND groups?
What happens when your ACL object, which you think is just a name, is passed to an AD cmdlet?
What if I want to change the Get-ADGroupMember line to be recursive?

Luckily I have access to our own "ChatGPT", so I haven't really had to deal with fat fingering a bunch of code. But still, you can't tell it to do anything complicated or long, or you just end up arguing with it about why something it writes doesn't work. :rofl:

Anyways, hopefully I finish this by Monday and no one will notice.
 

binary visions

The voice of reason
Jun 13, 2002
22,136
1,208
NC
Anyways, hopefully I finish this by Monday and no one will notice.
Did anyone notice?

Try/Catch is your friend :D.

Personally, I'd probably have a dedicated function for looking at the contents of the ACL and cleaning it up/validating it, then another function for taking the verified-as-valid AD objects and building a list of users (e.g. "is this thing I have a user? Add it to the user array. Is it a group? Fetch group members. Is the group empty? Output a warning and continue.").

What'd you end up building?
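One way to lay out the two-function split described in this post, as an added example that is not code from anyone in the thread: the first function validates what is in the ACL, the second expands the verified groups into members. The function names, `$Root`, and the `FS-*` naming pattern are assumptions, and the ActiveDirectory module must be available.

```powershell
#Requires -Modules ActiveDirectory
# Added example: function names, $Root and $NamePattern are hypothetical.
function Get-FolderAccessGroup {
    param([string]$Path, [string]$NamePattern)
    foreach ($rule in (Get-Acl -LiteralPath $Path).Access) {
        # IdentityReference is an object, not a string: resolve it to a SID first.
        try {
            $sid = $rule.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            Write-Warning "$Path : cannot resolve '$($rule.IdentityReference)'"
            continue
        }
        $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties managedBy
        # Skip users, local/built-in principals and groups outside the naming scheme.
        if (-not $obj -or $obj.ObjectClass -ne 'group' -or $obj.Name -notlike $NamePattern) { continue }
        [pscustomobject]@{
            Folder = $Path; Group = $obj.Name; GroupDN = $obj.DistinguishedName
            ManagedBy = $obj.managedBy; Rights = $rule.FileSystemRights
        }
    }
}

function Get-AccessMember {
    param([Parameter(ValueFromPipeline)]$AccessGroup, [switch]$Recursive)
    process {
        try {
            # @() forces an array whether the group has zero, one or many members.
            $members = @(Get-ADGroupMember -Identity $AccessGroup.GroupDN -Recursive:$Recursive -ErrorAction Stop)
        } catch {
            Write-Warning "$($AccessGroup.Group): member lookup failed: $_"
            return
        }
        if ($members.Count -eq 0) { Write-Warning "$($AccessGroup.Group) is empty" }
        foreach ($m in $members) {
            [pscustomobject]@{
                Folder = $AccessGroup.Folder; Group = $AccessGroup.Group; Rights = $AccessGroup.Rights
                Member = $m.SamAccountName; ObjectClass = $m.objectClass
            }
        }
    }
}

$Root = 'D:\Shares'; $NamePattern = 'FS-*'    # assumed share root and group naming scheme
$rows = foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
    $groups = @(Get-FolderAccessGroup -Path $dir.FullName -NamePattern $NamePattern | Sort-Object Group -Unique)
    if ($groups.Count -ne 2) { Write-Warning "$($dir.FullName): expected 2 groups, found $($groups.Count)" }
    $groups | Get-AccessMember
}
$rows | Export-Csv -LiteralPath (Join-Path $env:TEMP 'access-report.csv') -NoTypeInformation
```

Without `-Recursive` the rows include nested groups with `ObjectClass` set to `group`, so mixed user-and-group membership shows up in the report instead of being silently flattened.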
 

canadmos

Cake Tease
May 29, 2011
21,573
20,991
Canaderp
Did anyone notice?
Only the one guy I told about it. :busted:

It took longer to figure out a few things than I wanted, but got it going. For some reason, when using Get-ADGroupMember, it would create an array and sometimes not - this was a little frustrating, but I forced it to work in the end.

So basically what I have now is...

  • Powershell script running, on a schedule, in an on-prem vm.
    • I set the path at the start, along with some other variables - so if needed I can just edit those in the future, if I reuse it.
    • Script goes out, and gets the list of folders from the path. For each folder it then gets the ACL list and then selects the two groups that control access to said folder.
    • Script then does more mumbo jumbo and eventually spits out user and/or group names from the two groups, along with object type, email address and path/folder name, into a CSV file.
    • Assuming there are no errors, the file is then emailed to a distribution group.
  • Then my power automate account grabs the file and saves it to a sharepoint site
  • Then my power bi report refreshes shortly after the file is written. It shows the folder owner, folder path, the two groups granting access and two lists, showing who has modify and read only access.

Now I can just get a pdf from the report, rather than doing a bunch of manual work getting the members of those groups, formatting csv files, etc etc.

The only thing that isn't great, in an ideal world, is that the file gets sent to my email - if I get fired or something, then it'll stop working - but oh well. I have access to a shared mailbox, but I've never been able to get it to be able to access the sharepoint site - I'd probably need to assign an Office365 license to it, which I'm not sure we allow.