
Tuesday, February 19, 2013

PowerShell Setting ACL Inheritance and Propagation

I recently worked on a project that required a lot of ad hoc moving of user home directories. To make the process easier for the support teams, I put together a PowerShell script (and a web front end for it, but more on that later) that would move a user's home directory to a new server and update their account's homeDirectory attribute.

As is often the case these days, these home directories are stored on NAS devices that typically auto-create home directories on the fly with the appropriate permissions. As a result, my script needed to explicitly grant the user Full Control to their new folder. I didn't find the native help on the Set-Acl cmdlet very helpful in regard to adding a user to an existing folder's ACL. Luckily I had done something similar in VB.NET and had a good idea of what needed to be done. That, along with a little Get-Acl and Get-Member action (and a little trial and error), got me where I needed to be.

The process is actually pretty straightforward.

  1. Capture the current ACL with Get-ACL
    $DirACL = Get-ACL "\\FileServer\users$\JoeUser"
  2. Create a new FileSystemAccessRule for the user and add it to the ACL you just captured
    $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule "Domain\JoeUser","FullControl","ContainerInherit,ObjectInherit","None","Allow"
    $DirACL.AddAccessRule($AccessRule)
  3. Write the new ACL back with set-acl
    Set-ACL "\\FileServer\users$\JoeUser" $DirACL
Since it takes a couple of lines and is something that often needs to be repeated, it could easily be made a function like this:

Function Set-FullControl {
     param ([string]$User, [string]$FolderPath)

     # Capture the folder's current ACL
     $DirACL = Get-ACL $FolderPath
     # Build an Allow rule for Full Control that inherits to child folders and files
     $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $User,"FullControl","ContainerInherit,ObjectInherit","None","Allow"
     $DirACL.AddAccessRule($AccessRule)
     # Write the modified ACL back to the folder
     Set-ACL $FolderPath $DirACL
}

Set-FullControl "DOMAIN\JoeUser" "\\FileServer\users$\JoeUser"
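A slightly more defensive version of the same idea, added here as an example and not taken from the original post: it uses the typed enums instead of strings, skips the change when an equivalent inheritable rule is already present (so repeated runs don't stack duplicate ACEs), and reads the ACL back afterwards to confirm the rule actually landed. The function name and parameter names are my own choices.

```powershell
# Added example (not the original post's code): grant Full Control on a folder
# idempotently and verify the result by re-reading the ACL.
Function Grant-FolderFullControl {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true)][string]$User,
        [Parameter(Mandatory=$true)][string]$FolderPath
    )

    if (-not (Test-Path -Path $FolderPath -PathType Container)) {
        throw "Folder not found: $FolderPath"
    }

    # Same rule the post builds, spelled out with the real enum types
    $Rights      = [System.Security.AccessControl.FileSystemRights]::FullControl
    $Inheritance = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
    $Propagation = [System.Security.AccessControl.PropagationFlags]::None
    $Type        = [System.Security.AccessControl.AccessControlType]::Allow

    $DirACL = Get-Acl -Path $FolderPath

    # Look for an existing explicit (non-inherited) Allow rule for this identity
    # that already carries Full Control with the same inheritance flags.
    $Existing = $DirACL.Access | Where-Object {
        $_.IdentityReference.Value -ieq $User -and
        -not $_.IsInherited -and
        $_.AccessControlType -eq $Type -and
        ($_.FileSystemRights -band $Rights) -eq $Rights -and
        $_.InheritanceFlags -eq $Inheritance
    }
    if ($Existing) {
        Write-Verbose "$User already has inheritable Full Control on $FolderPath; nothing to do."
        return $true
    }

    $AccessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $User, $Rights, $Inheritance, $Propagation, $Type
    $DirACL.AddAccessRule($AccessRule)
    Set-Acl -Path $FolderPath -AclObject $DirACL

    # Re-read the ACL rather than assuming Set-Acl succeeded silently
    $Verify = (Get-Acl -Path $FolderPath).Access | Where-Object {
        $_.IdentityReference.Value -ieq $User -and
        -not $_.IsInherited -and
        ($_.FileSystemRights -band $Rights) -eq $Rights
    }
    return [bool]$Verify
}

# Usage: returns $true when the rule is present after the call
Grant-FolderFullControl -User "DOMAIN\JoeUser" -FolderPath "\\FileServer\users$\JoeUser" -Verbose
```

The read-back matters more than it looks: Set-Acl can succeed while the resulting ACL is not what you expected (for example when a Deny rule higher in the list still blocks the user), so a home-directory move script should check the effective rule rather than just the cmdlet's lack of an error.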

Wednesday, May 30, 2012

Secure DoD Drive Wiping with SCCM

I mentioned in my last post a need to do a secure drive wipe on remote systems. There are several good and free options for wiping drives, but not many that can be executed remotely. Microsoft, however, offers a nice tool called SDelete as part of their free Sysinternals Suite. SDelete will do a DoD 5220.22-M sanitization of free space on a drive, but by itself it isn't very good at destroying all of the data on a disk. That is where WinPE comes in. Using WinPE and SDelete is something that Derek Meier has blogged about previously. We're going to take this a step further and use SCCM to make this process remotely executable. Plus, we'll use a package to deliver the files to WinPE, so there is no need to modify the boot.wim or do any custom WinPE builds.

We'll basically use an SCCM Task Sequence to boot into Windows PE and format the drive with a single, empty C: partition. Then we'll use SDelete to handle the DoD wipe of the empty partition.

To do this, we'll need to get SDelete to Windows PE. So to start, we'll create a package with SDelete.exe (which can be downloaded from here: http://technet.microsoft.com/en-us/sysinternals/bb897443.aspx).

We'll also create a file called sdelete.reg with the following contents:

----------------- begin sdelete.reg -----------------

Windows Registry Editor Version 5.00


[HKEY_CURRENT_USER\Software\Sysinternals\SDelete]
"EulaAccepted"=dword:00000001

----------------- end sdelete.reg -----------------

Once the package with these two files is created, we can now move to our task sequence.

Note: These steps only apply to systems with a single hard drive. If you have multiple hard drives, you'll need to repeat steps 3 and 4 for each disk in the system.

Step 1: Add a task to Restart into WinPE using your favorite boot.wim.
Step 2: We're going to copy over the files from our sdelete package. To do this, add a General -> Run Command Line task. Check the box by Package and select the package created with the sdelete files in it. The command line that I use whenever I'm copying files from a package to WinPE is:
xcopy.exe ".\*.*" "%WinDir%" /E /C /Q /H /R /Y /I

(Ignore the whole Enable Remote Control section in this image. If you want to learn about using VNC to connect to WinPE, see my previous post)

Step 3: Now that the files are in place, we'll add another Run Command Line task, which we'll use to accept the Sysinternals EULA for sdelete.exe. This time our command line will be:
regedit /s sdelete.reg 
Set the Start in field to %WinDir%, since that is where we copied the files.
Step 4: Now we'll create one big C: partition to fill the entire drive. Add a Disks -> Format and Partition Disk task. Set the Disk number and set the Disk type to Standard (MBR). Create a new Volume. Set the Partition type to Primary and set it to use 100% of the free space. The File system should be NTFS, and I recommend checking the Quick Format box (the seven-pass 0/1 fill takes long enough).


Step 5: Now that we have one big, empty C: partition, it's time to use sdelete to make sure that the old data is unrecoverable. For this we'll go back to a Run Command Line task. Our command will be:
sdelete.exe -p 7 -c -z
The -p 7 gives us seven passes. The -c tells it to clean free space. The -z tells it to zero free space.
It's important to set the Start in field to C:\, otherwise you might try to clean the X: drive (the WinPE RAM drive) instead.
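Steps 3 and 5 can be folded into a single Run Command Line task with a script that guards against the two things the post warns about: accidentally pointing sdelete at the X: drive, and forgetting a disk on multi-drive systems. The script below is an added example, not from the original post or from Sysinternals; it assumes the boot image includes the WinPE PowerShell (and WMI) optional components, and that step 2 has already copied sdelete.exe to %WinDir%. The function name, parameter names and the handling of results are my own choices.

```powershell
# Added example (not the original post's code): accept the SDelete EULA in the
# registry, then wipe free space on every fixed disk except the WinPE RAM drive.
Function Invoke-FreeSpaceWipe {
    [CmdletBinding()]
    param (
        # Assumes step 2 copied the package contents into %WinDir%
        [string]$SDeletePath = (Join-Path $env:WinDir 'sdelete.exe'),
        [int]$Passes = 7
    )

    if (-not (Test-Path -Path $SDeletePath)) {
        throw "sdelete.exe not found at $SDeletePath (did the package copy step run?)"
    }

    # Step 3 without the .reg file: the same EulaAccepted value, written directly
    $Key = 'HKCU:\Software\Sysinternals\SDelete'
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name 'EulaAccepted' -Value 1 -Type DWord

    # Only local fixed disks (DriveType 3) are candidates, and X: is excluded
    # explicitly so a wrong working directory cannot send sdelete at WinPE itself
    $Targets = Get-WmiObject -Class Win32_LogicalDisk |
        Where-Object { $_.DriveType -eq 3 -and $_.DeviceID -ne 'X:' }

    if (-not $Targets) { throw 'No fixed disks found to wipe.' }

    $Results = @{}
    foreach ($Drive in $Targets) {
        $Root = "$($Drive.DeviceID)\"
        Write-Verbose "Wiping free space on $Root with $Passes passes"
        # Same switches as the post: -p passes, -c clean free space, -z zero free space.
        # Run from the drive root so sdelete targets this volume, not X:.
        Push-Location $Root
        try {
            & $SDeletePath -p $Passes -c -z
            $Results[$Drive.DeviceID] = $LASTEXITCODE
        } finally {
            Pop-Location
        }
    }
    return $Results
}

# Usage: fail the task sequence step if any drive reported a non-zero exit code
$Outcome = Invoke-FreeSpaceWipe -Verbose
$Failed  = $Outcome.GetEnumerator() | Where-Object { $_.Value -ne 0 }
if ($Failed) {
    Write-Error "sdelete returned a non-zero exit code on: $($Failed.Key -join ', ')"
    exit 1
}
```

Because the wipe loops over every fixed disk it finds, the repeat-for-each-disk caveat from the note above only applies to the Format and Partition Disk step; the script also surfaces a failed pass as a failed task sequence step, which a plain Run Command Line task with sdelete alone does not do unless you check its return code.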

Now you're ready to go destroy some data! Just advertise your task sequence and watch it go to work making information unrecoverable. I think it goes without saying, but you should be very careful about where this is advertised, especially if you're using mandatory assignments.