Disconnect Specified Mapped Drives for All Users On All Systems

  • 27 May 2021

Userlevel 5

This worklet will disconnect all mapped drives specified by $removeDrives in the evaluation and remediation. Be sure to set $removeDrives identically in both. The drives will not appear disconnected until after a reboot. Details of the user and drives disconnected will appear in the activity log.


Evaluation:


<#
.SYNOPSIS
Delete Specified Mapped Drives for All Users on a System
OS Support: Windows 7 and above
Powershell: 2.0 and above
Run Type: Evaluation
.DESCRIPTION
This worklet is designed to search for any mapped drives specified with $removeDrives, and disconnect them. If any setting is found to be non-compliant, the evaluation script will close with an exit code of '1' to trigger remediation. $removeDrives needs to be set the same for evaluation and remediation to work correctly. If drives are found and disconnected, the drives will not appear disconnected until after a reboot.
To use this worklet, add the desired parameters to the $removeDrives line at the top of this script.
.NOTES
Author: twiese
Date: May 27, 2021
#>

# Define mapped drives to disconnect
$removeDrives = @("Y","Z")
# ----------------------------------

# Get User details including SID
$users = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount = 'True'"

# Add HKEY_USERS to a PSDrive for easy access later
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null

# Loop through the list of users to check each for matching drives to disconnect and exit when first one is found
Foreach ($user in $users) {

    # Retrieve SIDs for each user
    $sid = $user.SID
    $name = $user.Name

    # Load Registries for users, if ntuser.dat exists
    # this prevents us from attempting to load Administrator and similar accounts
    if (Test-Path "C:\Users\$name\ntuser.dat") {

        # Load user's ntuser.dat into the registry, unless the user is logged on
        # and the hive is already present under HKU
        $loadedHere = -not (Test-Path "HKU:\$sid")
        if ($loadedHere) {
            & reg load "HKU\$sid" "C:\Users\$name\ntuser.dat" | Out-Null
        }

        # Get mapped drives for user and see if any match drives to be removed
        # (ForEach-Object instead of member enumeration keeps this working on PowerShell 2.0)
        $drives = @(Get-ChildItem -Path "HKU:\$sid\Network" -ErrorAction SilentlyContinue | ForEach-Object { $_.PSChildName })
        # $found is used because $matches is a PowerShell automatic variable
        $found = @($removeDrives | Where-Object { $drives -contains $_ })

        # Release registry handles and unload the hive again so ntuser.dat is not left locked
        if ($loadedHere) {
            [gc]::Collect()
            [gc]::WaitForPendingFinalizers()
            & reg unload "HKU\$sid" | Out-Null
        }

        # If any user has a matching drive, immediately clean-up PSDrive and exit for remediation without checking for further matches
        If ($found.Count -gt 0) {
            Remove-PSDrive -Name HKU
            Exit 1
        }
    }
}

# Clean-up the PSDrive if no results
Remove-PSDrive -Name HKU
Exit 0

Remediation:


<#
.SYNOPSIS
Delete Specified Mapped Drives for All Users on a System
OS Support: Windows 7 and above
Powershell: 2.0 and above
Run Type: Remediation
.DESCRIPTION
This worklet is designed to search for any mapped drives specified with $removeDrives, and disconnect them. If any setting is found to be non-compliant, the evaluation script will close with an exit code of '1' to trigger remediation. $removeDrives needs to be set the same for evaluation and remediation to work correctly. If drives are found and disconnected, the drives will not appear disconnected until after a reboot.
To use this worklet, add the desired parameters to the $removeDrives line at the top of this script.
.NOTES
Author: twiese
Date: May 27, 2021
#>

# Define mapped drives to disconnect
$removeDrives = @("Y","Z")
# ----------------------------------

# Get Users details including SID
$users = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount = 'True'"

# Add HKEY_USERS to a PSDrive for easy access later
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null

# Loop through the list of users to check each for matching drives to disconnect
Foreach ($user in $users) {

    # Retrieve SIDs for each user
    $sid = $user.SID
    $name = $user.Name

    # Load Registries for users, if ntuser.dat exists
    # this prevents us from attempting to load Administrator and similar accounts
    If (Test-Path "C:\Users\$name\ntuser.dat") {

        # Load user's ntuser.dat into the registry, unless the user is logged on
        # and the hive is already present under HKU
        $loadedHere = -not (Test-Path "HKU:\$sid")
        If ($loadedHere) {
            & reg load "HKU\$sid" "C:\Users\$name\ntuser.dat" | Out-Null
        }

        # Get mapped drives for user and see if any match drives to be removed
        # (ForEach-Object instead of member enumeration keeps this working on PowerShell 2.0)
        $drives = @(Get-ChildItem -Path "HKU:\$sid\Network" -ErrorAction SilentlyContinue | ForEach-Object { $_.PSChildName })
        # $found is used because $matches is a PowerShell automatic variable
        $found = @($removeDrives | Where-Object { $drives -contains $_ })

        # If any mapped drives match ones to be disconnected, disconnect them
        ForEach ($match in $found) {
            Try {
                # -ErrorAction Stop turns a failed delete into a terminating error so Catch runs
                Remove-Item "HKU:\$sid\Network\$match" -ErrorAction Stop
                Write-Output "User: $name, drive $match disconnected. "

            } Catch {
                Write-Output "User: $name, drive $match couldn't be disconnected. "
            }
        }

        # Release registry handles and unload the hive again so ntuser.dat is not left locked
        If ($loadedHere) {
            [gc]::Collect()
            [gc]::WaitForPendingFinalizers()
            & reg unload "HKU\$sid" | Out-Null
        }
    }
}

# Clean-up the PSDrive
Remove-PSDrive -Name HKU

2 replies

Userlevel 4

Any chance we can get a rework of this to match a mapped name instead of a specific drive letter? We have sporadic mapped drive letters (manually done, I know, I know). I’ve been struggling to get this working using PS-GetDrive and this looks more elegant.

Userlevel 4

Here's a quick and ugly hot-take on your script.. modified to parse all SIDs in HKU and agnostic of drive letters.. let me know what you think :D 

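New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null

# Every subkey of HKU is a currently loaded user hive
$users = @(Get-ChildItem -Path HKU:\)
foreach ($user in $users) {
    # PSChildName is the bare SID; $user itself expands to "HKEY_USERS\<SID>"
    $sid = $user.PSChildName
    $exists = @(Get-ChildItem -Path "HKU:\$sid\Network" -ErrorAction SilentlyContinue | Get-ItemProperty)
    foreach ($exist in $exists) {
        # Match on the share path instead of the drive letter
        if ($exist.RemotePath -match "chicago") {
            $delete = $exist.PSChildName
            Remove-Item "HKU:\$sid\Network\$delete"

            Write-Output "User: $sid, drive $($exist.RemotePath) disconnected."
        }
    }
}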

 

Reply
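An added example, not part of the original worklet or of either reply: an evaluation counterpart to the share-path matching above that inventories the persistent mappings under `HKU\<SID>\Network` for every profile on the machine. It assumes `Win32_UserProfile` is used in place of `Win32_UserAccount` so that domain profiles and non-default profile paths are covered; the function name `Get-PersistentMappedDrive` and its parameter are hypothetical, and the `chicago` pattern is taken from the reply.

```powershell
# Added example. Run elevated: reg.exe load/unload needs administrative rights.
function Get-PersistentMappedDrive {            # hypothetical helper name
    param([string]$RemotePathPattern = '.*')    # regex tested against RemotePath

    # Win32_UserProfile lists local and domain profiles with their real paths
    $profiles = Get-WmiObject -Class Win32_UserProfile -Filter "Special = False"

    foreach ($p in $profiles) {
        $sid = $p.SID
        if (-not $p.LocalPath) { continue }
        $hive = Join-Path $p.LocalPath 'ntuser.dat'

        # Mount the hive only when the user is not logged on (hive not yet under HKU)
        $loadedHere = $false
        if (-not (Test-Path "Registry::HKEY_USERS\$sid")) {
            if (-not (Test-Path $hive)) { continue }
            & reg.exe load "HKU\$sid" $hive 2>&1 | Out-Null
            if ($LASTEXITCODE -ne 0) { continue }
            $loadedHere = $true
        }

        # Each subkey of Network is a drive letter; RemotePath holds the share path
        Get-ChildItem -Path "Registry::HKEY_USERS\$sid\Network" -ErrorAction SilentlyContinue |
            ForEach-Object {
                $remote = (Get-ItemProperty -Path $_.PSPath).RemotePath
                if ($remote -match $RemotePathPattern) {
                    New-Object PSObject -Property @{
                        SID = $sid; ProfilePath = $p.LocalPath
                        Drive = $_.PSChildName; RemotePath = $remote
                    }
                }
            }

        # Release registry handles, then unmount what this function mounted
        if ($loadedHere) {
            [gc]::Collect(); [gc]::WaitForPendingFinalizers()
            & reg.exe unload "HKU\$sid" 2>&1 | Out-Null
        }
    }
}

# Evaluation-style use: exit 1 when any profile still maps a matching share
$hits = @(Get-PersistentMappedDrive -RemotePathPattern 'chicago')
$hits | ForEach-Object { Write-Output "SID $($_.SID): drive $($_.Drive) -> $($_.RemotePath)" }
if ($hits.Count -gt 0) { exit 1 } else { exit 0 }
```

The output lines name the SID, drive letter and share path for each hit, which gives the activity log the same detail the remediation script writes when it removes a key.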