<# .SYNOPSIS --.Replaces Lock Screen images with your own .DESCRIPTION This script takes ownership and set persmissions on files located: c:\windows\web\screen This script will replace C:\windows\web\Screen\img100.jpg & C:\windows\web\Screen\img105.jpg with .\lockscreen.jpg Designed to work in Task Sequence, but would work in Application Model or Package as well. .INPUTS None. .OUTPUTS None. .NOTES Created by @gwblok .LINK https://garytown.com .LINK https://www.recastsoftware.com .COMPONENT -- .FUNCTIONALITY -- #> ## Set script requirements #Requires -Version 3.0 ##*============================================= ##* VARIABLE DECLARATION ##*============================================= #region VariableDeclaration $ScriptVersion = "21.3.8.1" #endregion ##*============================================= ##* END VARIABLE DECLARATION ##*============================================= ##*============================================= ##* FUNCTION LISTINGS ##*============================================= #region FunctionListings function enable-privilege { param( ## The privilege to adjust. This set is taken from ## http://msdn.microsoft.com/en-us/library/bb530716(VS.85).aspx [ValidateSet( "SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeBackupPrivilege", "SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeCreatePagefilePrivilege", "SeCreatePermanentPrivilege", "SeCreateSymbolicLinkPrivilege", "SeCreateTokenPrivilege", "SeDebugPrivilege", "SeEnableDelegationPrivilege", "SeImpersonatePrivilege", "SeIncreaseBasePriorityPrivilege", "SeIncreaseQuotaPrivilege", "SeIncreaseWorkingSetPrivilege", "SeLoadDriverPrivilege", "SeLockMemoryPrivilege", "SeMachineAccountPrivilege", "SeManageVolumePrivilege", "SeProfileSingleProcessPrivilege", "SeRelabelPrivilege", "SeRemoteShutdownPrivilege", "SeRestorePrivilege", "SeSecurityPrivilege", "SeShutdownPrivilege", "SeSyncAgentPrivilege", "SeSystemEnvironmentPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege", "SeTakeOwnershipPrivilege", "SeTcbPrivilege", "SeTimeZonePrivilege", "SeTrustedCredManAccessPrivilege", "SeUndockPrivilege", "SeUnsolicitedInputPrivilege" )] $Privilege, ## The process on which to adjust the privilege. Defaults to the current process. $ProcessId = $pid, ## Switch to disable the privilege, rather than enable it. [Switch] $Disable ) ## Taken from P/Invoke.NET with minor adjustments. $definition = @' using System; using System.Runtime.InteropServices; public class AdjPriv { [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)] internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen); [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)] internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok); [DllImport("advapi32.dll", SetLastError = true)] internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid); [StructLayout(LayoutKind.Sequential, Pack = 1)] internal struct TokPriv1Luid { public int Count; public long Luid; public int Attr; } internal const int SE_PRIVILEGE_ENABLED = 0x00000002; internal const int SE_PRIVILEGE_DISABLED = 0x00000000; internal const int TOKEN_QUERY = 0x00000008; internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020; public static bool EnablePrivilege(long processHandle, string privilege, bool disable) { bool retVal; TokPriv1Luid tp; IntPtr hproc = new IntPtr(processHandle); IntPtr htok = IntPtr.Zero; retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok); tp.Count = 1; tp.Luid = 0; if(disable) { tp.Attr = SE_PRIVILEGE_DISABLED; } else { tp.Attr = SE_PRIVILEGE_ENABLED; } retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid); retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero); return retVal; } } '@ $processHandle = (Get-Process -id $ProcessId).Handle $type = Add-Type $definition -PassThru $type[0]::EnablePrivilege($processHandle, $Privilege, $Disable) } function Set-Owner{ Param ( [Parameter(Mandatory=$true)][string] $identity, [Parameter(Mandatory=$true)][String] $filepath ) $file = Get-Item -Path $filepath -force $acl = $file.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None) $me = [System.Security.Principal.NTAccount]$identity $acl.SetOwner($me) $file.SetAccessControl($acl) # After you have set owner you need to get the acl with the perms so you can modify it. $acl = $file.GetAccessControl() $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity,"FullControl","Allow") $acl.SetAccessRule($rule) $file.SetAccessControl($acl) #$file.Close() } function Set-Permission{ Param ( [Parameter(Mandatory=$true)][string] $identity, [Parameter(Mandatory=$true)][String] $filepath, [Parameter(Mandatory=$true)][string] $FilesSystemRights, [Parameter(Mandatory=$true)][String] $type ) $file = get-item $filepath -force $newacl = $file.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None) # Create new rule $FilesSystemAccessRuleArgumentList = $identity, $FilesSystemRights, $type $FilesSystemAccessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $FilesSystemAccessRuleArgumentList # Apply new rule $NewAcl.SetAccessRule($FilesSystemAccessRule) Set-Acl -Path $file.FullName -AclObject $NewAcl } #endregion ##*============================================= ##* END FUNCTION LISTINGS ##*============================================= ##*============================================= ##* SCRIPT BODY ##*============================================= #region ScriptBody #Take OwnerShip enable-privilege SeTakeOwnershipPrivilege #Set Permissions on Files $files = Get-ChildItem -Path C:\Windows\Web\Screen $identity = "BUILTIN\Administrators" foreach ($filechild in $files) { Set-Owner -identity $identity -filepath $filechild.fullname } #Grant Rights to Admin & System # Set Adminstrators of Full Control of File $identity = "BUILTIN\Administrators" $FilesSystemRights = "FullControl" $type = "Allow" foreach ($filechild in $files) { Set-Permission -identity $identity -type $type -FilesSystemRights $FilesSystemRights -filepath $filechild.fullname } # Set SYSTEM to Full Control of Registry Item $identity = "NT AUTHORITY\SYSTEM" $FilesSystemRights = "FullControl" $type = "Allow" foreach ($filechild in $files) { Set-Permission -identity $identity -type $type -FilesSystemRights $FilesSystemRights -filepath $filechild.fullname } #Copy the 2 files into place Write-Output "Running Command: Copy-Item .\lockscreen.jpg C:\windows\web\Screen\img100.jpg -Force -Verbose" Copy-Item .\lockscreen.jpg C:\windows\web\Screen\img100.jpg -Force -Verbose Write-Output "Running Command: Copy-Item .\lockscreen.jpg C:\windows\web\Screen\img105.jpg -Force -Verbose" Copy-Item .\lockscreen.jpg C:\windows\web\Screen\img105.jpg -Force -Verbose exit $exitcode #endregion ##*============================================= ##* END SCRIPT BODY ##*=============================================