Customsettings.ini script to make a random local admin password? stored somewhere safe?

  • Question

  • Hi,

    Is it possible, and if so how can I create a Customsettings.ini script to make a random local admin password, stored somewhere safe? The problem occurs when I install a PC, and then the PC user is somewhere in the country where they don't have access to our AD. Then I could hand out the admin password for that PC? I don't want to give out the current local admin password. So this way we have two local admin accounts?

    So it would be very nice if customsettings created a local admin with the username admin and put a random password and stored it with the PC name in any document, or is this too hard?

    And why doesn't the alert me function work?

    best regards Kjell

    Thursday, October 8, 2015 8:25 AM

All replies

  • That can be done. I have a PowerShell script that does that. I took a couple of other scripts I found and put together the parts I needed.

    My solution was to create a task sequence for "off-site" computers (all laptops, some desktops) to do things like install the VPN, run a script that creates a local account with random password, sets the MAK for Windows and Office, etc.

    Change the parts of the script to customize for your needs, like the server name and user name.

    #.Synopsis
    #  Generate pseudo-random passwords based on templates
    #
    #.Parameter Template
    #  The template for the password you want to generate. This defines which types of characters are generated for each character in the password. 
    #  IMPORTANT: the US English alphabet is hard-coded ... (we make no apologies, but thought you should know that)
    #
    #  The valid template characters are:
    #  * L - any uppercase letter (A-Z)
    #  * l - any lowercase letter (a-z)
    #  * C - uppercase consonant  
    #  * c - lowercase consonant
    #  * V - uppercase vowel
    #  * v - lowercase vowel
    #  * H - uppercase HEX (0123456789ABCDEF)
    #  * h - lowercase HEX (0123456789abcdef)
    #  * . - punctuation
    #  * d - numeric Digit character 
    #  * a - any alphabetic character: a-z, A-Z
    #  * A - any alphanumeric character: a-z, A-Z, 0-9
    #  * * - any character: a-z, A-Z, 0-9 + punctuation
    #  * An actual number modifies the preceding character to allow UP TO that many of that character class
    #  * An escaped character: \L will be inserted literally...
    #  * Anything else will be inserted literally...
    #
    #.Example
    #  New-Password "Cvcvcdd"
    #  Jemad46
    #
    #  Description
    #  -----------
    #  Generates a "pronounceable" 7 character password consisting of alternating consonants and vowels followed by a 2-digit number
    #
    #.Example
    #  ("Cvcvcdd," * 8).Split(",") | New-Password
    #
    #  Description
    #  -----------
    #  Demonstrates that the function can take pipeline input. Passing multiple templates via the pipeline will generate multiple passwords. 
    #  In this case, we generate EIGHT "pronounceable" 7 character password consisting of alternating consonants and vowels followed by a 2-digit number
    #
    #.Example
    #  1..6 | ForEach { New-Password "Cv3c2v3cd4" }
    #  Haavgaef922
    #  Celboey399
    #  Mavbaew1
    #  Voebhit896
    #  Qeeoddaw34
    #  Bowaf2
    #
    #  Description
    #  -----------
    #  Generates 6 variable-length, mostly "pronounceable" password.  The numbers indicate the maximum counts for each of the character types.
    #
    #.Example
    #  New-Password "Cvvc.Cvvcdd"
    #  Ziir-Diud55
    #
    #  Description
    #  -----------
    #  Generates a password which starts with an upper-case consonant, followed by two lower-case vowels, followed by a punctuation mark, followed by an upper-case consonant, followed by two lower-case vowels, followed by two numbers.
    #
    #.Example
    #  New-Password "********"
    #  !u($OA:*
    #
    #  Description
    #  -----------
    #  Generates a totally random 8 character password
    #
    #.Example
    #  New-Password "Get-Cvcvvc"
    #  Get-Wodeaj
    #
    #  Description
    #  -----------
    #  Generates a password which looks like a strange PowerShell command, starting with "Get-" and ending with an uppercase consonant, a vowel, a consonant, two vowels, and a final consonant.
    #
    #.Notes
    #  On PowerShell 2.0 if you define an alias "rand" to point to Microsoft.PowerShell.Utility\Get-Random, this script will use the Get-Random cmdlet instead of its built-in rand function.
    #  Set-Alias rand Microsoft.PowerShell.Utility\Get-Random -Option AllScope
    #.Inputs
    #  [String]
    #    A string template for a password
    #.Outputs 
    #  [String] 
    #    A password string
    
    # History:
    # v 1.1 - bugfix for the \ escape character
    #       + added a hex option (H for upper) and (h for lower)
    #       + changed the '#' to 'd' for digits so you can write the patterns without quotes.
    # v 1.0 - first release
    # 
    
    # function New-Password {
    #[CmdletBinding()]
    Param (
    #   [Parameter(ValueFromPipeline=$true,Position=0)]
       [string]$Template = "************"
    )
    
    
    BEGIN {
      #if($Template.Length -lt 8) { THROW "Passwords less than 8 characters are not allowed." }
       ## You might consider avoiding the O which is easily confused with 0 except in the Consolas font ;)
       [char[]]$UpperAlpha = 'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z'
       [char[]]$LowerAlpha = 'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z'
       [char[]]$UpperConsonants = 'B','C','D','F','G','H','J','K','L','M','N','P','Q','R','S','T','V','W','X','Y','Z'
       [char[]]$LowerConsonants = 'b','c','d','f','g','h','j','k','l','m','n','p','q','r','s','t','v','w','x','y','z'
       [char[]]$LowerVowels = 'a','e','i','o','u' 
       [char[]]$UpperVowels = 'A','E','I','O','U' 
       [char[]]$Numeric = '1','2','3','4','5','6','7','8','9','0'
       [char[]]$UpperHex = '1','2','3','4','5','6','7','8','9','0','A','B','C','D','E','F'
       [char[]]$LowerHex = '1','2','3','4','5','6','7','8','9','0','a','b','c','d','e','f'
       # In case this is used in a DCPromo answer file, there are a few chars to avoid: Ampersand, Less than, double quote and back slash
       # And because they're easily confused for ' , let's also avoid the backtick ` 
       ## '&','<','"','\','``',
       [char[]]$Punctuation = '!','#','$','%','''','(',')','*','+',',','-','.','/',':',';','=','>','?','@','[',']','^','_' 
       
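       # Note: System.Random is a general-purpose generator, not a cryptographic one
       $script:RANDOM = new-object Random
       function rand { 
          begin { $list = @() }
          process { $list += $_ }
          end { 
             # Random.Next(min, max) excludes max, so pass Count (not Count-1)
             # or the last element of every list can never be picked
             $list[$RANDOM.Next(0,$list.Count)] 
          }
       }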
    }
    PROCESS {
       if($_) { $Template = $_ }
       Write-Verbose "Template: $Template"
       $password = ""
       $randoms = @()
       for($c = 0; $c -lt $Template.Length; $c++) {
          switch -CaseSensitive ($Template[$c])
          {
             'l' { # Make this character a Lowercase Alpha
                $password += $LowerAlpha | rand
                break
             }
             'L' { # Make this character a Uppercase Alpha
                $password += $UpperAlpha | rand
                break
             } 
             'C' { # Make this character a Uppercase consonant
                $password += $UpperConsonants | rand
                break
             }
             'c' { # Make this character a Lowercase consonant
                $password += $LowerConsonants | rand
                break
             }
             'V' { # Make this character a Uppercase vowel
                $password += $UpperVowels | rand
                break
             }
             'v' { # Make this character a Lowercase vowel
                $password += $LowerVowels | rand
                break
             }
             'H' { # Make this character an Uppercase hex digit
                $password += $UpperHex | rand
                break
             }
             'h' { # Make this character a Lowercase hex digit
                $password += $LowerHex | rand
                break
             }
             '.' { # Make this character punctuation
                $password += $Punctuation | rand
                break
             }
             'd' { # Make this character numeric
                $password += $Numeric | rand
                break
             }
             'a' { # Make this character any alphabetic
                $password += $UpperAlpha + $LowerAlpha  | rand
                break
             }          
             'A' { # Make this character any alphanumeric
                $password += $UpperAlpha + $LowerAlpha + $Numeric | rand
                break
             } 
             '*' { # Make this character any character
                $password += $UpperAlpha + $LowerAlpha + $Numeric + $Punctuation | rand
                break
             }
             # For a number, decrement the number, and then go back one...
             { [bool](([string]$_) -as [int]) } { 
                if($randoms -notcontains $c) {
                   $randoms += $c
                   [int]$count = $(0..([int][string]$_) | rand)
                } else { 
                   [int]$count = $(([int][string]$_) - 1)
                }
                if($c -gt 0 -and $count -gt 0) { 
                   $Template = $Template.Remove($c,1).Insert($c,$count)
                   $c -= 2 
                   Write-Verbose "ALTER Template: $Template  Active: $($Template[$c]) ($c), Generating $count ($_)  Password: $password"
                }
                break
             }
             '\' {
                $password += $Template[(++$c)]
                break
             }
             default {
                $password += $Template[$c]
                break
             }
          }
       }
       # Specify the file path and name to record the changes made.
    	$TXTFile = "\\MDT-SERVER-NAME\SHARE$\LocalAccounts\" + $ENV:COMPUTERNAME + "_PSWD.txt"
    	$Password | Out-File $TXTFile 
    	Write-Host "The collected data exported was `"$Password`" "
    	$objOu = [ADSI]"WinNT://localhost"
    	$objUser = $objOU.Create("User", "USER-ACCOUNT-NAME")
    	$objUser.setpassword($Password)
    	$objUser.SetInfo()
    	$objUser.description = "Account set by IT, DO NOT REMOVE"
    	$objUser.SetInfo()
       return $Password
    
    }
    
    
    #}


    If this post is helpful please vote it as Helpful or click Mark for answer.

    Thursday, October 8, 2015 2:16 PM
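
The script above picks characters with `System.Random`, which is a general-purpose generator rather than one intended for secrets. As an added example (not part of the original post; the function names and the 16-character default are assumptions), the same character classes can be sampled from the Windows cryptographic RNG, using rejection sampling so that no character is favoured:

```powershell
# Added example: CSPRNG-backed password generator (hypothetical function names).
$rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider

# Character classes mirror the script above, including its reduced punctuation set.
$classes = @{
    Upper = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    Lower = [char[]]'abcdefghijklmnopqrstuvwxyz'
    Digit = [char[]]'0123456789'
    Punct = [char[]]'!#$%''()*+,-./:;=>?@[]^_'
}

function Get-SecureIndex {
    param([int]$Count)
    if ($Count -lt 1 -or $Count -gt 256) { throw "Count must be between 1 and 256" }
    # Discard bytes at or above the largest multiple of $Count that fits in a byte,
    # so the modulo below maps to every index with equal probability.
    $limit = 256 - (256 % $Count)
    $buf = New-Object byte[] 1
    do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
    return $buf[0] % $Count
}

function New-SecurePassword {
    param([int]$Length = 16)
    if ($Length -lt 4 -or $Length -gt 256) { throw "Length must be between 4 and 256" }
    $all = $classes.Upper + $classes.Lower + $classes.Digit + $classes.Punct
    $chars = New-Object System.Collections.ArrayList

    # One character from each class first, so complexity policies are always met.
    foreach ($name in 'Upper', 'Lower', 'Digit', 'Punct') {
        $set = $classes[$name]
        [void]$chars.Add($set[(Get-SecureIndex $set.Count)])
    }
    while ($chars.Count -lt $Length) {
        [void]$chars.Add($all[(Get-SecureIndex $all.Count)])
    }

    # Fisher-Yates shuffle so the guaranteed characters do not sit in fixed positions.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-SecureIndex ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars.ToArray()
}

# The value is returned to the caller only; nothing is written to the console.
$password = New-SecurePassword -Length 16
```

The resulting `$password` can be passed to `SetPassword` and `Out-File` exactly as in the script above.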
  • Hi,

    Nice script, now I'm not good at PowerShell, I've read 3 basic courses in Java. Do I have to edit more than the last part where it says

    \\MDT-SERVER-NAME\SHARE$\LocalAccounts\

    ? And then also create a folder called localaccounts, or is there more to it, that I have to choose the password strength? I'm assuming I just have to save it as a bat file to run it? Or should I ask my colleague for assistance, he is good at PowerShell =).

    Best regards Kjell, Have a nice weekend!

    Friday, October 9, 2015 12:10 PM
  • You can edit the following:

    Location to store the password generated - "\\MDT-SERVER-NAME\SHARE$\LocalAccounts\"

    This part is up to you, but I append "_PSWD.txt" to the file name which includes the computer name.

    Name of the user account created - "USER-ACCOUNT-NAME"

    Description of user account - "Account set by IT, DO NOT REMOVE"

    Wherever you decide to save the file, the folder must already exist.

    To add the account to a group, I use Ed Wilson's script - http://blogs.technet.com/b/heyscriptingguy/archive/2010/11/25/use-powershell-to-add-local-users-to-local-groups.aspx

    When it's all said and done each machine that runs this will have a local administrator account with a unique password.

    Below is a script you can use for "offsite" machines. For the sake of simplicity, you can create a task sequence for offsite machines and then add the script below as an application to that task sequence or you can come up with another method that works best for you.




    • Edited by Dan_Vega Friday, October 9, 2015 3:44 PM
    Friday, October 9, 2015 2:50 PM
  • Here you go, complete with the ability to set the MAK for Microsoft Office 2010 - 2016

    <job id="Offsite Configuration">
    <script language="VBScript" src="..\..\scripts\ZTIUtility.vbs"/>
    <script language="VBScript"> 
    
    '//----------------------------------------------------------------------------
    '// Purpose: Used to configure computer for offsite use
    '// Usage: cscript Configure-Offsite.wsf [/debug:true]
    '// Version: 1.0 - October 9, 2015
    '// Author: Daniel Vega
    '//----------------------------------------------------------------------------
    
    '//----------------------------------------------------------------------------
    '// Global constant and variable declarations
    '//---------------------------------------------------------------------------- 
    
    Option Explicit 
    
    Dim iRetVal 
    Dim sSysDrive
    Dim Choice
    
    sSysDrive = oShell.ExpandEnvironmentStrings("%SYSTEMDRIVE%")
    
    ' One If/ElseIf chain: the first Office version found decides the choice
    If oFSO.FileExists(oENV("ProgramFiles") & "\Microsoft Office\Office16\Winword.exe") then
    	Choice = "Office16x86"
    ElseIf oFSO.FileExists(oENV("ProgramFiles(x86)") & "\Microsoft Office\Office16\Winword.exe") then
    	Choice = "Office16x64"
    ElseIf oFSO.FileExists(oENV("ProgramFiles") & "\Microsoft Office\Office15\Winword.exe") then
    	Choice = "Office15x86"
    ElseIf oFSO.FileExists(oENV("ProgramFiles(x86)") & "\Microsoft Office\Office15\Winword.exe") then
    	Choice = "Office15x64"
    ElseIf oFSO.FileExists(oENV("ProgramFiles") & "\Microsoft Office\Office14\Winword.exe") then
    	Choice = "Office14x86"
    ElseIf oFSO.FileExists(oENV("ProgramFiles(x86)") & "\Microsoft Office\Office14\Winword.exe") then
    	Choice = "Office14x64"
    Else
    	Wscript.Echo "Office wasn't found"
    End If
    
    '//----------------------------------------------------------------------------
    '// End declarations
    '//---------------------------------------------------------------------------- 
    
    '//----------------------------------------------------------------------------
    '// Main routine
    '//---------------------------------------------------------------------------- 
    
    On Error Resume Next
    iRetVal = ZTIProcess
    ProcessResults iRetVal
    On Error Goto 0 
    
    '//---------------------------------------------------------------------------
    '//
    '// Function: ZTIProcess()
    '//
    '// Input: None
    '// 
    '// Return: Success - 0
    '// Failure - non-zero
    '//
    '// Purpose: Perform main ZTI processing
    '// 
    '//---------------------------------------------------------------------------
    Function ZTIProcess() 
    
    
    	oLogging.CreateEntry "Configure-Offsite: Starting offsite configuration", LogTypeInfo	
    
    	' Disable Zone Checks
    	oEnv("SEE_MASK_NOZONECHECKS") = 1 
    
    	' Create User account
    	oFSO.CopyFile oUtility.ScriptDir & "\AddUsertoGroup.ps1", oENV("SystemDrive") & "\MININT\Scripts\", True
    	oFSO.CopyFile oUtility.ScriptDir & "\Create-ACCOUNT.ps1", oENV("SystemDrive") & "\MININT\Scripts\", True
    	Wscript.Echo " Creating local account "
    	oShell.Run("powershell Set-ExecutionPolicy Unrestricted"),0,True
    	oShell.Run("powershell %systemdrive%\MININT\Scripts\Create-ACCOUNT.ps1 ""XXXXXXXXX"""),0,True
    	oShell.Run("powershell %systemdrive%\MININT\Scripts\AddUsertoGroup.ps1 -user ACCOUNT -group Administrators"),0,True
    	oShell.Run("powershell Set-ExecutionPolicy Restricted"),0,True
    
    	' Set MAK and Activate Microsoft Office
    	' The path to ospp.vbs contains spaces, so it is quoted; each /inpkey call
    	' waits (0,True) so the key is installed before /act runs
    Select Case Choice
    	Case "Office16x64"
    		oLogging.CreateEntry "Office 2016 on 64bit device", LogTypeInfo
    		oShell.Run("cscript """ & oENV("ProgramFiles(x86)") & "\Microsoft Office\Office16\ospp.vbs"" /inpkey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"),0,True
    		oShell.Run("cscript """ & oENV("ProgramFiles(x86)") & "\Microsoft Office\Office16\ospp.vbs"" /act"),0,True
    	Case "Office16x86"
    		oLogging.CreateEntry "Office 2016 on 32bit device", LogTypeInfo
    		oShell.Run("cscript """ & oENV("ProgramFiles") & "\Microsoft Office\Office16\ospp.vbs"" /inpkey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"),0,True
    		oShell.Run("cscript """ & oENV("ProgramFiles") & "\Microsoft Office\Office16\ospp.vbs"" /act"),0,True
    	Case "Office15x64"
    		oLogging.CreateEntry "Office 2013 on 64bit device", LogTypeInfo
    		oShell.Run("cscript """ & oENV("ProgramFiles(x86)") & "\Microsoft Office\Office15\ospp.vbs"" /inpkey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"),0,True
    		oShell.Run("cscript """ & oENV("ProgramFiles(x86)") & "\Microsoft Office\Office15\ospp.vbs"" /act"),0,True
    	Case "Office15x86"
    		oLogging.CreateEntry "Office 2013 on 32bit device", LogTypeInfo
    		oShell.Run("cscript """ & oENV("ProgramFiles") & "\Microsoft Office\Office15\ospp.vbs"" /inpkey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"),0,True
    		oShell.Run("cscript """ & oENV("ProgramFiles") & "\Microsoft Office\Office15\ospp.vbs"" /act"),0,True
    	Case "Office14x64"
    		oLogging.CreateEntry "Office 2010 on 64bit device", LogTypeInfo
    		oShell.Run("cscript """ & oENV("ProgramFiles(x86)") & "\Microsoft Office\Office14\ospp.vbs"" /inpkey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"),0,True
    		oShell.Run("cscript """ & oENV("ProgramFiles(x86)") & "\Microsoft Office\Office14\ospp.vbs"" /act"),0,True
    	Case "Office14x86"
    		oLogging.CreateEntry "Office 2010 on 32bit device", LogTypeInfo
    		oShell.Run("cscript """ & oENV("ProgramFiles") & "\Microsoft Office\Office14\ospp.vbs"" /inpkey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"),0,True
    		oShell.Run("cscript """ & oENV("ProgramFiles") & "\Microsoft Office\Office14\ospp.vbs"" /act"),0,True
    	Case Else
    		oLogging.CreateEntry "Error: Office version unknown or not found", LogTypeError	
    End Select	
    
    	' Clean desktop shortcuts
    	oFSO.DeleteFile sSysDrive & ("\users\public\desktop\*.lnk"), True
    	
    	' Enable Zone Checks
    	oEnv.Remove("SEE_MASK_NOZONECHECKS")
    
    	oLogging.CreateEntry "Configure-Offsite: Finished offsite configuration", LogTypeInfo	
    	
    End Function 
    
    </script>
    </job>
    Save this script as "Configure-Offsite.wsf" and store the PowerShell files in the same folder as this script. Then import it into MDT as an application. The run command will be: cscript.exe Configure-Offsite.wsf



    • Proposed as answer by Dan_Vega Monday, October 12, 2015 1:09 PM
    Friday, October 9, 2015 3:38 PM
  • Hi,

    I wanted to try out the script on an installed PC. So I changed "\\MDT-SERVER-NAME\SHARE$\LocalAccounts\"

    to my share and created the localaccounts folder. Then I saved the file as a .bat and pressed run as admin. But it didn't create the account?

    /Kjell

    Monday, October 12, 2015 9:16 AM
  • It wouldn't work as a batch file because it's VBScript and should be saved as .WSF

    You should run it using the command: cscript.exe filename.wsf



    Monday, October 12, 2015 1:11 PM
  • tried that got this error :(

    Monday, October 12, 2015 2:29 PM
  • Running the script from your desktop will not work. You need to save the VBscript and PowerShell scripts in the same directory. Then import that as an application into MDT.

    Hide the application and then add it to your task sequence for "offsite" systems.



    Monday, October 12, 2015 2:53 PM
  • Hi,

    Are you sure? It didn't work when applied as an app either. I'm sure I'm doing something wrong, can it be that our OS is in Swedish so administrators is actually called administratör?

    Why shouldn't the script be able to run in Win 7 =)? Should the wsf script be applied at state restore install apps?

    I'm going to try to read the logs and script again!

    Wednesday, October 14, 2015 7:20 AM
  • Works fine for me on our Windows 7 and 8.1 machines. I haven't used it on my Windows 10 image yet because I don't have MAKs for Office 2016 and Windows 10. The only difference between the script I use and the script I provided you is that my script copies over a config file for Firefox.

    I haven't tried it with different languages, so maybe that could be the issue.



    Wednesday, October 14, 2015 1:20 PM
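
If the localized name of the Administrators group is the problem raised in the last two posts, the group can be looked up by its well-known SID instead of by the English name. The following is an added example, not part of the original posts; `Get-LocalAdminGroupName` is a hypothetical helper and `USER-ACCOUNT-NAME` is the placeholder account name used earlier in the thread:

```powershell
# Added example: add the new account to the built-in Administrators group
# without hard-coding the group's display name.
$userName = 'USER-ACCOUNT-NAME'   # placeholder, as in the account-creation script

function Get-LocalAdminGroupName {
    # S-1-5-32-544 is the well-known SID of the built-in Administrators group;
    # it is the same on every Windows installation regardless of display language.
    $sid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    # Translate returns the localized account name in DOMAIN\Name form, e.g. BUILTIN\Administrators.
    $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
    return $account.Split('\')[-1]
}

$groupName = Get-LocalAdminGroupName
$group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"

# Read current members so the step can be re-run without failing on a duplicate add.
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}

if ($members -contains $userName) {
    Write-Output "$userName is already a member of $groupName"
} else {
    $group.Add("WinNT://$env:COMPUTERNAME/$userName,user")
    Write-Output "Added $userName to $groupName"
}
```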