Create Local Admin Account on remote pc

  • Question

  • Hello!

    Using the following PS script to create a local admin account on domain-joined remote PCs.  A test computer is listed in the C:\pc.txt file.  I am running the script on a domain controller, but when I run it I get this error...

    PS C:\> .\Create-LocalAdmin.ps1

    At C:\Create-LocalAdmin.ps1:10 char:35
    + Foreach ($computer in $computers) {
    +                                   ~
    Missing closing '}' in statement block or type defin
        + CategoryInfo          : ParserError: (:) [], P
        + FullyQualifiedErrorId : MissingEndCurlyBrace

     -----------------------------


    #Define variables
    $computers = Get-Content C:\PC.txt
    #$computers = Import-CSV C:\PC.csv | select Computer
    $username = "localadm"
    $password = "xxxff221GG"
    $fullname = "Local Admin"
    $local_security_group = "Administrators"
    $description = "Local Admin Account for IT"
    
    Foreach ($computer in $computers) {
        $users = $null
        $comp = [ADSI]"WinNT://$computer"
    
        #Check if username exists   
        Try {
            $users = $comp.psbase.children | select -expand name
            if ($users -like $username) {
                Write-Host "$username already exists on $computer"
    
            } else {
                #Create the account
                $user = $comp.Create("User","$username")
                $user.SetPassword("$password")
                $user.Put("Description","$description")
                $user.Put("Fullname","$fullname")
                $user.SetInfo()         
    
                #Set password to never expire
                #And set user cannot change password
                $ADS_UF_DONT_EXPIRE_PASSWD = 0x10000 
                $ADS_UF_PASSWD_CANT_CHANGE = 0x40
                $user.userflags = $ADS_UF_DONT_EXPIRE_PASSWD + $ADS_UF_PASSWD_CANT_CHANGE
                $user.SetInfo()
    
                #Add the account to the local admins group
                $group = [ADSI]"WinNT://$computer/$local_security_group,group"
                $group.add("WinNT://$computer/$username")
    
                    #Validate whether user account has been created or not
                    $users = $comp.psbase.children | select -expand name
                    if ($users -like $username) {
                        Write-Host "$username has been created on $computer"
                    } else {
                        Write-Host "$username has not been created on $computer"
                    }
                   }
            }
    
         Catch {
               Write-Host "Error creating $username on $($computer.path):  $($Error[0].Exception.Message)"
               }


    Thank you



    • Edited by WildPacket Friday, November 1, 2019 4:14 PM
    Friday, October 4, 2019 4:09 PM

All replies

  • Ask the author of the script to fix it for you.

    -- Bill Stewart [Bill_Stewart]

    Friday, October 4, 2019 4:10 PM
  • The error message is exact. The script is missing a closure at the end.


    \_(ツ)_/

    Friday, October 4, 2019 5:30 PM
  • Thank you everybody I figured that one out.

    It is now creating a local user on the remote pc but not adding that user to the local admin group.

    Error:

    Error creating localadm on :  Exception calling "add" with "1" argument(s): "A member could not be added to or removed from the local group because the member does not exist.
    "

    Friday, October 4, 2019 5:59 PM
  • Use GPO settings to manage the members of the local Administrators groups on computers.

    -- Bill Stewart [Bill_Stewart]

    Friday, October 4, 2019 6:10 PM
  • install-module localusermanagement

    This provides all remote local account management commands.


    \_(ツ)_/


    • Edited by jrv Friday, October 4, 2019 6:28 PM
    • Proposed as answer by jrv Thursday, October 31, 2019 2:15 PM
    Friday, October 4, 2019 6:28 PM
  • First post your code correctly for this forum.

    See: How to post code in Technet Forums

    Edit your post and fix the code post.  As posted it is very difficult to read and cannot be copied correctly, which is why we have the code posting tool.

    You also need to post your error.

    I also recommend learning what a CSV file is.  I suspect the issue is that you do not have a csv file.

    https://en.wikipedia.org/wiki/Comma-separated_values


    \_(ツ)_/

    Thursday, October 31, 2019 2:16 PM
  • Thank you Jrv for your support.   I have worked with csv files before and they work. 

    I have it working now with the below script.  I am just trying to tweak/generate a message that when the account already exists it shows that on the screen when the script is running.  Currently it throws lots of errors and one of the error says the account already exists.

    The below script now creates and adds the user to the local admin group on the computers listed in the C:\pc.txt file.

    ###List all variables for this script and what they equal.###
    
    $computers = Get-Content C:\PC.txt
    $username = "admin"
    $password = "Password1"
    $localGroupName = "Administrators"
    $description = "IT Support"
    
    ###Creates the user account and assigns the password and description from above.###
    
    $computers | ForEach-Object {
    
        # Bind to the remote computer through the WinNT provider
        $computer = [ADSI]"WinNT://$_,computer"
        $user = $computer.Create("user", $username)
        $user.SetPassword($password)
        $user.SetInfo()
        $user.description = $description
        $user.SetInfo()
        # 65536 = 0x10000 = ADS_UF_DONT_EXPIRE_PASSWD
        $user.UserFlags = 65536
        $user.SetInfo()
        # Bind to the group on the same remote computer and add the new
        # user by its full WinNT path (computer/user), not the bare name
        $group = [ADSI]("WinNT://$_/$localGroupName,group")
        $group.Add("WinNT://$_/$username,user")
    }


    Thank you in advance.


    • Edited by WildPacket Thursday, October 31, 2019 2:45 PM
    Thursday, October 31, 2019 2:36 PM
  • What you have just posted tells us that you do not have a CSV file but that your file is just a plain text file. Read the link to see why this is not a Csv file.

    Please fix your posts and post the code correctly.

    We see this constantly here. New users to Windows technology assume any file with a CSV extension is a Csv file.  A Csv file is a structured data file that has to be in a specific format.  Until a user understands what a CSV file is they continue to make the same bad assumptions and fail to see the problem.

    Please carefully read the link I posted and please post your code correctly in this forum.


    \_(ツ)_/

    Thursday, October 31, 2019 2:48 PM
  • I would also say not to arbitrarily set the UserFlags attribute unless you understand how bit flags work in an unsigned integer value.

    Big picture though: Why do you need to create an admin account in the first place? Windows already has a built-in administrator account (RID 500). Also, you can manage the membership in the Administrators group (SID S-1-5-32-544) using Group Policy.

    What problem are you trying to solve?


    -- Bill Stewart [Bill_Stewart]

    Thursday, October 31, 2019 2:54 PM
  • Thank you guys for assisting.  Much appreciated!

    @Bill: We have the local administrator account disabled and want to create a new local admin account with a unique name and with password set to never expires.  Microsoft LAPS not an option.

    Just trying to tweak the code I posted above (thanks to jrv, I used the link he provided)  

    want to make the code so if the script cannot reach the pc in the list, it shows not accessible and if the account already exists it shows the account already exists.

    Thursday, October 31, 2019 3:05 PM
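    As an added example that is not part of the thread or any poster's script: this version reports unreachable computers and already-existing accounts as requested above, and it handles UserFlags the way Bill's bit-flag remark suggests, OR-ing the two flags into the current value instead of overwriting it. It assumes C:\PC.txt lists one host name per line and that the caller is a local administrator on each host; the password is prompted for rather than stored in the script.

```powershell
# Added example, not from the thread: reachability and already-exists handling,
# and OR-ing UserFlags instead of overwriting them. Assumes C:\PC.txt lists hosts.
$computers      = Get-Content C:\PC.txt
$username       = 'localadm'
$description    = 'Local Admin Account for IT'
$localGroupName = 'Administrators'
# Prompt for the password instead of storing it in the script file.
$securePassword = Read-Host -AsSecureString "Password for $username"
$password = [System.Net.NetworkCredential]::new('', $securePassword).Password
# ADS_USER_FLAG_ENUM values (same constants the original script used).
$ADS_UF_PASSWD_CANT_CHANGE = 0x40
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
foreach ($computer in $computers) {
    if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
        Write-Warning "$computer is not accessible"
        continue
    }
    try {
        $comp = [ADSI]"WinNT://$computer,computer"
        $existing = $comp.Children |
            Where-Object { $_.SchemaClassName -eq 'user' -and $_.Name -eq $username }
        if ($existing) {
            Write-Host "$username already exists on $computer"
            $user = $existing
        } else {
            $user = $comp.Create('user', $username)
            $user.SetPassword($password)
            $user.SetInfo()
            $user.Put('Description', $description)
            $user.SetInfo()
            Write-Host "$username created on $computer"
        }
        # OR the two flags into the current value so other bits stay intact.
        $flags = [int]$user.UserFlags.Value
        $user.UserFlags = $flags -bor $ADS_UF_DONT_EXPIRE_PASSWD -bor $ADS_UF_PASSWD_CANT_CHANGE
        $user.SetInfo()
        $group = [ADSI]"WinNT://$computer/$localGroupName,group"
        $members = @($group.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
        if ($members -contains $username) {
            Write-Host "$username is already a member of $localGroupName on $computer"
        } else {
            $group.Add("WinNT://$computer/$username,user")
            Write-Host "$username added to $localGroupName on $computer"
        }
    } catch {
        Write-Warning "Error on ${computer}: $($_.Exception.Message)"
    }
}
```

    Because the script re-reads the existing account and group membership before acting, it can be re-run against the same list without producing the "already exists" exceptions described above.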
  • We have the local administrator account disabled

    Why?

    ...and want to create a new local admin account with a unique name and with password set to never expires.

    Again: Why? You are describing what you are doing, but you are not saying why. The why is important.

    What problem are you trying to solve?


    -- Bill Stewart [Bill_Stewart]

    Thursday, October 31, 2019 8:00 PM
  • Bill is likely trying to get at this for the following reason.

    On Windows 10 and later the standard "Administrator" account is disabled by default after an install. If the system is imaged then the setup can add the Domain Admins during this process. On standalone systems the install asks for an initial account which is assigned as the admin account. The builtin/administrators account actually has a few more privileges than the later admin account or than any admin account created or enabled.

    In a domain we use GP to add a new local admin account using the "Restricted Groups" policy.  This also locks down the local admin group and prevents any users from adding any account to this group.  This is a preferred security step.


    \_(ツ)_/


    • Edited by jrv Thursday, October 31, 2019 8:25 PM
    Thursday, October 31, 2019 8:24 PM
  • Thank you guys once again.

    If  I understand this correctly ..Here is why.

    The reason we want to have a local admin account added is cos sometimes the machines lose trust and if we do not have a local admin account we cannot get in to the machine locally.


    Friday, November 1, 2019 12:46 PM
  • The reason we want to have a local admin account added is cos sometimes the machines lose trust and if we do not have a local admin account we cannot get in to the machine locally.

    Why not use the local Administrator account and manage that password?

    You can use this:

    Reset-LocalAccountPassword.ps1


    -- Bill Stewart [Bill_Stewart]

    Friday, November 1, 2019 2:05 PM
  • Thank you Bill. 

    This whole thing started cos the big boss don't want to touch the local Administrator account and wants it disabled.  

    Friday, November 1, 2019 5:25 PM
  • Why?

    -- Bill Stewart [Bill_Stewart]

    Friday, November 1, 2019 5:34 PM
  • Thank you guys once again.

    If  I understand this correctly ..Here is why.

    The reason we want to have a local admin account added is cos sometimes the machines lose trust and if we do not have a local admin account we cannot get in to the machine locally.


    In Windows the built-in/administrators account is always available even if it is disabled.  Just boot to a recovery prompt and you can re-enable the account then do a normal boot. The account cannot be disabled permanently the same as it cannot be deleted.


    \_(ツ)_/

    Friday, November 1, 2019 5:37 PM
  • The built-in Administrator account (RID 500) is only "special" because it cannot be deleted and it cannot be removed from the Administrators group (S-1-5-32-544). There are also some security policies that apply to this specific account, but if the policies are set correctly, I don't think there's a good reason not to use the built-in Administrator account.

    -- Bill Stewart [Bill_Stewart]

    Friday, November 1, 2019 5:43 PM