Can a local admin account be created during Deployment?

  • Question

  • I previously had been building my VMs from the OS manually and logging on as a local admin account other than administrator.

    Now I have MDT creating the VM for me (Standard Client TS) with no account other than administrator. Can a local account be created with the unattend or some other process during either the Capture of the VM to a WIM or during Deployment of the WIM?

    My org would prefer to continue to have a backup account to sign onto if the admin goes haywire.

    Tuesday, May 21, 2019 12:16 PM

Answers

  • CreateLocalUser.ps1

    param($computer="localhost", $user, $password, $help)

    function funHelp()
    {
    $helpText=@"
    DESCRIPTION:
    NAME: CreateLocalUser.ps1
    Creates a local user on either a local or remote machine.

    PARAMETERS:
    -computer Specifies the name of the computer upon which to run the script
    -user     Name of user to create
    -password Password for the new user
    -help     prints help file

    SYNTAX:
    CreateLocalUser.ps1
    Generates an error. You must supply a user name

    CreateLocalUser.ps1 -computer MunichServer -user myUser -password Passw0rd^&!
    Creates a local user called myUser on a computer named MunichServer
    with a password of Passw0rd^&!

    CreateLocalUser.ps1 -user myUser -password Passw0rd^&!
    Creates a local user called myUser on local computer with
    a password of Passw0rd^&!

    CreateLocalUser.ps1 -help ?
    Displays the help topic for the script
    "@
    $helpText
    exit
    }

    if($help){ "Obtaining help ..." ; funHelp }

    if(!$user -or !$password)
          {
           $(Throw 'A value for $user and $password is required.
           Try this: CreateLocalUser.ps1 -help ?')
          }

    # Bind to the SAM database of the target computer through the ADSI WinNT provider
    $objOU = [ADSI]"WinNT://$computer"
    $objUser = $objOU.Create("User", $user)
    $objUser.SetPassword($password)
    $objUser.SetInfo()
    # 65536 = ADS_UF_DONT_EXPIRE_PASSWD: the password of this account never expires
    $objUser.userflags = 65536
    $objUser.description = "YOUR DESCRIPTION GOES HERE"
    $objUser.SetInfo()
    

    AddUsertoGroup.ps1

    <#
       .Synopsis
        Adds a local user to a local group on either a local or remote machine.
       .Description
        This script uses the [adsi] type accelerator to bind to a local group through ADSI
        and add a user to it. It will throw an error if $group is not present. It uses the
        WinNT provider to connect to the local SAM database. This is case sensitive. This
        script must run with ADMIN rights to change local group membership.
       .Example
        AddUserToGroup.ps1 -computer MunichServer -user myUser -group mygroup
        Adds a local user called myUser on a computer named MunichServer to a local group called mygroup
       .Example
        AddUserToGroup.ps1 -user myUser -group mygroup
        Adds a local user called myUser on local computer to a group called mygroup
       .Inputs
        [string]
       .Outputs
        [string]
       .Notes
        NAME:  Windows 7 Resource Kit
        AUTHOR: Ed Wilson
        LASTEDIT: 5/20/2009
        KEYWORDS: ADSI
       .Link
         Http://www.ScriptingGuys.com
    #>
    #Requires -Version 2.0
    param(
          $computer=$env:computerName,
          [Parameter(mandatory=$true)]
          $user,
          [Parameter(mandatory=$true)]
          $group
    ) #end param

    # *** Functions
    function New-Underline
    {
    <#
    .Synopsis
     Creates an underline the length of the input string
    .Example
     New-Underline -strIN "Hello world"
    .Example
     New-Underline -strIn "Morgen welt" -char "-" -sColor "blue" -uColor "yellow"
    .Example
     "this is a string" | New-Underline
    .Notes
     NAME:
     AUTHOR: Ed Wilson
     LASTEDIT: 5/20/2009
     KEYWORDS:
    .Link
     Http://www.ScriptingGuys.com
    #>
    [CmdletBinding()]
    param(
          [Parameter(Mandatory = $true,Position = 0,valueFromPipeline=$true)]
          [string]
          $strIN,
          [string]
          $char = "=",
          [string]
          $sColor = "Green",
          [string]
          $uColor = "darkGreen",
          [switch]
          $pipe
     ) #end param
     $strLine= $char * $strIn.length
     if(-not $pipe)
      {
       Write-Host -ForegroundColor $sColor $strIN
       Write-Host -ForegroundColor $uColor $strLine
      }
      Else
      {
      $strIn
      $strLine
      }
    } #end New-Underline function

    function Test-IsAdministrator
    {
        <#
        .Synopsis
            Tests if the user is an administrator
        .Description
            Returns true if a user is an administrator, false if the user is not an administrator
        .Example
            Test-IsAdministrator
        #>
        param()
        $currentUser = [Security.Principal.WindowsIdentity]::GetCurrent()
        (New-Object Security.Principal.WindowsPrincipal $currentUser).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
    } #end function Test-IsAdministrator

    # *** Entry point to script ***
    If(-not (Test-IsAdministrator)) { New-Underline "Admin rights are required for this script" ; exit }

    if(!$user -or !$group)
          {
           $(Throw 'A value for $user and $group is required.')
          }

    # Bind to the group through the WinNT provider, then add the user's WinNT path to it
    $objOU = [ADSI]"WinNT://$computer/$group,group"
    $objOU.add("WinNT://$computer/$user")
    


    Daniel Vega

    • Marked as answer by the1rickster Thursday, May 23, 2019 5:28 PM
    Tuesday, May 21, 2019 9:48 PM

All replies

  • I'm using some old scripts from Ed Wilson off the Windows 7 Resource Kit. You can probably find similar PowerShell scripts to create a local user account and make it an admin.

    Here's the old script for making a local user: Use PowerShell to Create Local User Accounts

    You can probably find more up-to-date scripts that do what you want in one script.


    Daniel Vega

    Tuesday, May 21, 2019 9:33 PM
  • Thanks. I took a look at that. Whew. I wish sometimes they would just post the actual script and then write about it, instead of posting pieces and commenting on it as they go. It's hard for me to tell what is part of the script and what are just his comments. I will use this as a base and scour the web for more PS ideas as well.
    Tuesday, May 21, 2019 9:44 PM
  • It seems to me that the least troublesome way to achieve this is to have your TS execute these two commands:
    net user /add MyAccount MyPassword
    net localgroup Administrators MyAccount /add

    You could do it either by running two command lines, or you could toss them in a .bat file and just run that one command line.

    Wednesday, May 22, 2019 1:15 PM
  • Looking at this PS, what section do you edit to add the user name and p/w? Also, what parameter do you use to specify the current machine being imaged? I don't know what the pc name will be at any given time.

    As far as the group PS, I guess I have the same question.


    Update: I see where to add the parameters in MDT under the PS1 script line.
    I'm going to test the group PS1 now, adding it to the admin group. It will be interesting to see if it moves the user before it ever actually signs on and creates the profile.
    Thursday, May 23, 2019 1:19 PM
  • Looking at this PS, what section do you edit to add the user name and p/w? Also, what parameter do you use to specify the current machine being imaged? I don't know what the pc name will be at any given time.

    As far as the group PS, I guess I have the same question.

    Sounds like you got it but here's an example:

    CreateLocalUser.ps1 -user Admin2 -password P@s$W0Rd!23
    AddUsertoGroup.ps1 -user Admin2 -group Administrators
    

    You could copy the PowerShell scripts to the Scripts folder in your deployment share. Then in your task sequence you can add two "Run PowerShell Script" tasks to execute them. You can also make use of the net user command if you wanted to instead. The upside to the PowerShell scripts was that they worked on Windows 7 as well, but it's time to say goodbye to Windows 7 if you haven't already.

    Currently I use a slightly different script that will create a local account with a random password and it'll save the password to a network location. We only do that for certain systems where a local admin account will be needed by the end user.


    Daniel Vega

    • Proposed as answer by Krishna M Thursday, May 30, 2019 3:08 PM
    Tuesday, May 28, 2019 2:13 PM
  • I have one question about this method:

    The password I'm given to hard-code in begins with #.

    Is there a way to modify this script to allow a password to begin with a special character? I wonder what prevents that from happening. I tried using single and double quotes but it will not allow # at the start. I get invalid parameter.

    Tuesday, May 28, 2019 7:26 PM
  • PowerShell: About Quoting Rules

    How did you decide to execute the script? As a run PowerShell script or through a batch file, etc.?

    Also where did you place the quotes?


    Daniel Vega

    Tuesday, May 28, 2019 7:54 PM
  • I wasn't entirely sure HOW to run the PS but I added it as a PS step in my TS. The first line asks where the PS sits and the 2nd asks for the parameters. On all other user accounts I wish to add, I just type

    -user username   -password password   and it's worked great.

    Now that this password has a # in the beginning, PS won't allow it. I've tried using " " and ' ' but it won't go through. How else were you suggesting to run the PS?

    Can I just run a Command Line in my TS to say...run the PS with -user etc?

    I added the quotes as such:
    -user username -password "password"

    Running it from the desktop by opening a PS, pointing to the script and adding the params in the call line, it succeeded, manually, with quotes around the password.

    Tuesday, May 28, 2019 8:04 PM
  • Did you use

    -password 'password'


    Daniel Vega

    Tuesday, May 28, 2019 9:23 PM
  • Yes I tried that as well. If on the target machine with the PS on the c:, I can open PS and drill to the location of the script and type in createlocaluser.ps1 -user username -password "#password" and it works, but it doesn't seem to within MDT, using the parameters field.
    Wednesday, May 29, 2019 1:38 AM
  • I'm sure this is excessive, but the way I got this to work was:

    Copy my CreateLocalUser.PS1 file to target C:\.  Then, I made another PS which invokes the one I just copied over, written as:

    C:\createlocaluser.ps1 -user username -password "#password"

    This allows me to create that account with a p/w starting with # and it not ignoring the value.
    Just adding Parameters in my MDT TS don't get applied but it does in this method.

    Wednesday, May 29, 2019 1:10 PM
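    The "one script" Daniel mentioned earlier and the # workaround above, combined into an added example for this thread (it is not a script anyone posted here): it creates the backup account if it is missing, resets the password if the account already exists (as it will after being captured into the WIM), and adds it to Administrators only when it is not already a member, so the step can be re-run without failing. An unquoted # starts a PowerShell comment, which is why the value must be passed as '#password' on the call line; the script assumes Windows 10 / Server 2016 or later, where the New-LocalUser and Add-LocalGroupMember cmdlets exist, and the script and parameter names are my choice.

```powershell
#Requires -Version 5.1
#Requires -RunAsAdministrator
<#
  Added example for this thread (not one of the scripts posted in it): create a
  backup local admin account from an MDT "Run PowerShell Script" step.
  Assumes Windows 10 / Server 2016 or later (Microsoft.PowerShell.LocalAccounts).
  Call it as:  .\New-BackupAdmin.ps1 -User Admin2 -Password '#Secret1!'
  The quotes matter: an unquoted # starts a PowerShell comment and the value is lost.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)][string]$User,
    [Parameter(Mandatory = $true)][string]$Password,
    [string]$Group = 'Administrators',
    [string]$Description = 'Backup local administrator (task sequence)'
)

$ErrorActionPreference = 'Stop'
$secure = ConvertTo-SecureString -String $Password -AsPlainText -Force

# Idempotent: a re-run of the step, or an account already baked into the WIM,
# must not make the task sequence fail.
$account = Get-LocalUser -Name $User -ErrorAction SilentlyContinue
if ($null -eq $account) {
    $account = New-LocalUser -Name $User -Password $secure -Description $Description `
                             -PasswordNeverExpires -AccountNeverExpires
    Write-Verbose "Created local user '$User'."
} else {
    # Existing account: reset it to the supplied password and make sure it is enabled.
    Set-LocalUser -Name $User -Password $secure -Description $Description -PasswordNeverExpires $true
    Enable-LocalUser -Name $User
    Write-Verbose "Local user '$User' already existed; password reset."
}

# Add-LocalGroupMember throws if the principal is already a member, so compare by SID first
# (SIDs are stable even if the computer is renamed later in the task sequence).
$alreadyMember = Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue |
                 Where-Object { $_.SID -eq $account.SID }
if (-not $alreadyMember) {
    Add-LocalGroupMember -Group $Group -Member $account
    Write-Verbose "Added '$User' to local group '$Group'."
}
```

    Run from a "Run PowerShell Script" step with the parameters field set to -User Admin2 -Password '#Secret1!', or from the wrapper script approach described above if the step still strips the quotes.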
  • You could use this method, which is somewhat the same but no need to make a second PS script.

    Using PowerShell scripts with MDT



    Daniel Vega

    Wednesday, May 29, 2019 1:36 PM