I’ve got a bunch of older SOE machines that still have the local Administrator account enabled. As part of implementing Microsoft LAPS, I wanted to disable that account and use a newly-created ‘LocalAdmin’ account with LAPS instead.
The account is created with a randomly-generated GUID as the password. The account’s password is going to come under the management of LAPS anyway. Additionally, it would be a terrible idea to hard-code a password into a script that’s stored in Sysvol.
If an account with that name already exists, the script will quit. Some basic events are also logged to the Event Log to indicate what happened.
My first revision of the script used ADSI to create the account and add it to the Administrators group, but I found that my mileage varied with that method. Some computers had the account created, but it wasn’t a member of Administrators.
It’s now set up to use plain “NET USER” and “NET LOCALGROUP” commands. This is an example of what would be executed:
This script is designed to be set up as a computer Startup Script:
# The name of the account
$accountName = 'LocalAdmin'
$accountFullName = 'Local Administrator'
$accountComment = 'Backup Local Administrator Account'

# Any users listed here will be disabled by this script
$usersToDisable = 'Administrator','Guest'

# Set up some Event Log stuff
# MyCommand.Name already includes the .ps1 extension, so don't append it again
$sourceName = $MyInvocation.MyCommand.Name
New-EventLog -LogName Application -Source "$sourceName" -ErrorAction SilentlyContinue -WarningAction SilentlyContinue

# If the account already exists, exit
if ($null -ne (Get-WmiObject Win32_UserAccount -Filter "domain = '$Env:COMPUTERNAME' and Name = '$accountName'")) {
    Write-EventLog -LogName Application -Source $sourceName -EntryType Information -EventId 1 -Message "$accountName already exists" -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
    exit
}

# Create the account with a random GUID as the password. /y answers the
# "password is longer than 14 characters" prompt so the command can't hang.
# Note: the password is passed on the command line, so it is visible to
# process auditing; LAPS replaces it once it takes over the account.
cmd.exe /c "net user $accountName `"$([guid]::NewGuid().Guid)`" /add /y /comment:`"$accountComment`" /fullname:`"$accountFullName`""

# Add the account to the Administrators group
cmd.exe /c "net localgroup Administrators $accountName /add"

# Disable the specified users
$usersToDisable | ForEach-Object { cmd.exe /c "net user $_ /active:no" }

# Try and write an event to the Event Log
Write-EventLog -LogName Application -Source $sourceName -EntryType Information -EventId 2 -Message "Created local administrator account: $accountName" -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
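Because the NET commands above return nothing useful to the script, here is an added verification script (my own, not part of the original post) that checks the end state the startup script is meant to produce: LocalAdmin exists, is enabled and is in Administrators, and Administrator and Guest are disabled. It reuses the account names from the script; the event source name and event IDs 3 and 4 are assumptions.

```powershell
# Verify the local admin configuration the startup script should have produced.
$accountName    = 'LocalAdmin'
$usersToDisable = 'Administrator','Guest'
$sourceName     = 'Verify-LocalAdmin.ps1'   # hypothetical event source name
$computer       = $Env:COMPUTERNAME

New-EventLog -LogName Application -Source $sourceName -ErrorAction SilentlyContinue -WarningAction SilentlyContinue

# LocalAccount = TRUE keeps WMI from enumerating the whole domain on a domain-joined box
$accounts = Get-WmiObject Win32_UserAccount -Filter "LocalAccount = TRUE"

# Members of the local Administrators group, read from the WMI association
# class so the check doesn't depend on parsing 'net localgroup' output.
$adminMembers = Get-WmiObject Win32_GroupUser |
    Where-Object { $_.GroupComponent -like "*Domain=`"$computer`",Name=`"Administrators`"" } |
    ForEach-Object { if ($_.PartComponent -match 'Name="([^"]+)"') { $Matches[1] } }

$problems = @()

$localAdmin = $accounts | Where-Object { $_.Name -eq $accountName }
if (-not $localAdmin) {
    $problems += "$accountName does not exist"
} elseif ($localAdmin.Disabled) {
    $problems += "$accountName exists but is disabled"
} elseif ($adminMembers -notcontains $accountName) {
    # This is the failure mode seen with the ADSI version of the script
    $problems += "$accountName is not a member of Administrators"
}

foreach ($user in $usersToDisable) {
    $acct = $accounts | Where-Object { $_.Name -eq $user }
    if ($acct -and -not $acct.Disabled) { $problems += "$user is still enabled" }
}

if ($problems.Count -eq 0) {
    Write-EventLog -LogName Application -Source $sourceName -EntryType Information -EventId 3 `
        -Message "Local admin configuration verified on $computer" -ErrorAction SilentlyContinue
} else {
    Write-EventLog -LogName Application -Source $sourceName -EntryType Warning -EventId 4 `
        -Message ("Local admin configuration problems on ${computer}:`n" + ($problems -join "`n")) -ErrorAction SilentlyContinue
}

# Emit the list so a collection tool (or an empty result) is visible to the caller
$problems
```

Collecting Event ID 4 from the Application log across the fleet gives a simple compliance view before LAPS password management is switched on.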