Creating a remote local Admin Account

  • Question

  • Hello

    I have been trying to create a new local Admin Account for our domain computers.

    The account will not be a domain account -- Simply a local admin account on each machine.

    I've tried "Add-LocalUser", [ADSI]"WinNT://  (which gives me an error that it could not find the distinguishedName).

    I Get my computer names based on OU

    $computers=Get-ADComputer -filter * -SearchBase "OU=Test OU,OU=Computers,OU=subOU,DC=mydomain,DC=local"

    This brings up the proper machines.

    $Computers = Get-ADComputer -filter * -SearchBase "OU=Test OU,OU=Computers,OU=COCL,DC=COCL,DC=local"

    foreach ($comp in $computers)
    {
        $ping = Test-Connection $Comp.Name -Quiet -Count 1
        if ($ping)
        {
            $comp.name | out-file c:\onlinecomputers.txt -append
            $group = "Administrators"
            $Username = 'newLocalAdmin'
            $Password = '123456789'
            $AdminAcct = '$Comp/$Username'  # invalid format error.
            $Sec = ConvertTo-SecureString $Password -AsPlainText -Force
            $fullComp = $Comp.Name
            New-LocalUser $FullComp -Password $Sec -AccountNeverExpires -Description "Local Admin Account" -FullName "Local Admin" -PasswordNeverExpires
            Add-LocalGroupMember -Group $Group -Member $Username
            #Record the computers that the admin acct was added to
            $comp.name | out-file c:\onlinecomputers.txt -append
        }
        else {
            #record computername if it is offline
            $comp.name | out-file c:\offlinecomputers.txt -append
        }
    }

    I'm out of ideas as to why it won't work.  Any suggestions?

    Thank You

    Terry

    Monday, February 26, 2018 10:56 PM

Answers

  • Hi Terry,

    New-LocalUser and Add-LocalGroupMember cmdlets do not have the ComputerName parameter, you may need to use Invoke-Command cmdlet to do this remotely. The following example creates a single local admin, for your reference, hope it is helpful to you:
    $userName = 'newLocalAdmin'
    $password = ConvertTo-SecureString -String '123456789' -AsPlainText -Force
    $group = 'Administrators'
    
    Invoke-Command -ComputerName $comp -ArgumentList $userName, $password, $group -ScriptBlock {
        New-LocalUser -Name $args[0] -FullName 'Local Admin' -Description 'Local Admin Account' -Password $args[1] -PasswordNeverExpires -AccountNeverExpires
        Add-LocalGroupMember -Group $args[2] -Member $args[0]
    }

    If you need further help, please feel free to let us know.

    Best Regards,
    Albert

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, February 27, 2018 2:43 AM
  • Albert

    Thank You so much!!!

    This is "exactly" what I needed.  I will have to do some reading on the invoke-command to get a full understanding of it.

    I'm looking at attaching the script to a GPO and set it to only run once, to prevent the overhead of having it applied every time someone logs in.

    this is awesome, Thanks

    Terry
    • Marked as answer by jrv Tuesday, February 27, 2018 3:47 PM
    Tuesday, February 27, 2018 3:41 PM

All replies

  • To do this remotely look in the Gallery or get the module here:

    Find-Module LocalAccount | Install-Module


    \_(ツ)_/

    Monday, February 26, 2018 11:15 PM
  • As much as I wanted to try this script out, I found it way over my head for understanding it.  I like to understand what a script is doing at any given point, and I could not understand this one.

    I do thank you for it though.  At one point I will try to dive into each aspect of it (after all, I'm still a noob with PowerShell).

    Thank you

    Terry

    Tuesday, February 27, 2018 3:44 PM
  • The LocalAccount module does not require remoting as it uses direct ADSI which can be used on any Windows system.  I recommend using that.  It is also faster than PS Remoting which requires custom setup and configuration.

    The Add-Local and New-Local commands are only available on Windows 10 and later. The LocalAccount module works on all versions of Windows.


    \_(ツ)_/


    Tuesday, February 27, 2018 3:47 PM
  • The LocalAccount module also comes with complete help so you can understand what it is doing.


    \_(ツ)_/

    Tuesday, February 27, 2018 3:49 PM
  • Hello

    This script runs perfectly if I run it from my workstation, but when I put it in the startup GPO, it does not actually do anything.  Running a Gpresult shows that the GPO was applied, yet the admin account does not get created.

    I have put the script both in the sysvol location and on an accessible share on the server, with the same result.  But again, running it from my workstation, it runs flawlessly.

    Here's the script:

    $userName = 'cLAdmin'
    $password = ConvertTo-SecureString -String 'p@$$w0rD' -AsPlainText -Force
    $group = 'Administrators'
    $computers=Get-ADComputer -filter * -SearchBase "OU=Test OU,OU=Computers,OU=sOU,DC=domain,DC=local"
    foreach ($comp in $Computers)
    {
        Invoke-Command -ComputerName $comp.Name -ArgumentList $userName, $password, $group -ScriptBlock {
            New-LocalUser -Name $args[0] -FullName 'Local Admin' -Description 'Local Admin Account' -Password $args[1] -PasswordNeverExpires -AccountNeverExpires -UserMayNotChangePassword
            Add-LocalGroupMember -Group $args[2] -Member $args[0]
        }
    }

    Is there something special that needs to be added to have it run from the GPO?

    Thank You

    Terry


    Friday, March 2, 2018 3:41 PM
  • You cannot do this from a startup script for obvious reasons.  It is also a very bad thing to try to do.  Why would this ever be necessary?


    \_(ツ)_/

    Friday, March 2, 2018 3:52 PM
  • I am only trying to find a way to have it run on each computer.  I am looking at a scheduled task GPO right now.  but I do only want it to run once on each system.

    There are several laptops/devices that do not log into the domain but every couple of months, so I need it to run when the user logs into the domain.

    Please bear with my ignorance in some of this as I am embarking on new territory for myself.  I have not yet taken any server or GPO courses (scheduled for later this month).

    Thank You

    Terry

    Friday, March 2, 2018 4:18 PM
  • You do not have to run this on each computer and you do not have to use a startup script.  It is a one time issue.  Just run the commands once against each computer and you are done.


    \_(ツ)_/

    Friday, March 2, 2018 4:29 PM
  • I have approx 250 computers to run this on.  Not all computers will be on the domain at any given time.  To avoid having to monitor when a specific computer comes on the domain, I need it to run automatically when they sign into the domain.

    I can see why I would not use it as a start up script.

    My objective is to create the new admin account on all computers in the domain so that I can rename/disable "THE" Administrator account; in time.

    Friday, March 2, 2018 4:44 PM
  • Are they all running Windows 10?

    If not, do they all have the LocalAdmin module for earlier systems installed?

    I think you need to take a bit of time to learn PowerShell and how to set up windows.

    The Gallery has scripts that use ADSI to create local accounts.  You can use one of these.  Unfortunately you will be broadcasting an admin password all over your network, which is not a good idea.


    \_(ツ)_/

    Friday, March 2, 2018 4:52 PM
  • Thank you

    Right now I have win 10 and win 7 machines, but am in the midst of a win 10 roll-out city wide.  I'm thinking of simply adding the new Admin account to my image so that when I image each machine, the account will be there.

    I'll have to modify my wim file for that, but that is something that I've been doing already.

    I've looked at the ADSI script and it confuses me.  I am learning powershell bit by bit.

    Thank you for all your input.

    Terry

    Friday, March 2, 2018 5:05 PM
  • By all means add it to the image.  That is the easiest and safest way to do this.

    Take the time saved and invest it in learning PowerShell and more about how to manage Windows in the Enterprise.


    \_(ツ)_/

    Friday, March 2, 2018 5:09 PM
  • Hi,

    According to your situation, LAPS may meet your needs, for your reference:
    Local Administrator Password Solution
    https://technet.microsoft.com/en-us/mt227395.aspx

    Best Regards,
    Albert


    Monday, March 5, 2018 8:36 AM
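As an added example (not code posted in this thread), here is Albert's Invoke-Command approach reworked along the lines the later replies suggest: it is safe to re-run, so computers that are offline today can be picked up on a later pass instead of needing a run-once GPO, and it generates a different random password for each machine rather than sending one shared admin password to every host, which was the objection raised above. The OU path, the account name, and the availability of RSAT and WinRM access to the targets are assumptions.

```powershell
# Added example, not code from the thread: idempotent remote provisioning of a local admin
# with a unique random password per machine. Placeholder OU/account values; assumes RSAT
# (ActiveDirectory module) on the admin workstation and WinRM access to each target.
Import-Module ActiveDirectory
$userName   = 'newLocalAdmin'                                    # placeholder name
$searchBase = 'OU=Test OU,OU=Computers,DC=example,DC=local'      # placeholder OU

function New-RandomPassword {
    param([int]$Length = 20)
    # 64-character alphabet, so indexing a random byte with % 64 introduces no modulo bias
    $alphabet = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#')
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

# Runs on the target: create the account only if it is missing, add it to Administrators
# only if it is not already a member, and report back what was actually done.
$provision = {
    param([string]$Name, [securestring]$Password)
    $created = $false
    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $Name -Password $Password -Description 'Local Admin Account' `
            -PasswordNeverExpires -AccountNeverExpires | Out-Null
        $created = $true
    }
    $members = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object Name
    if ($members -notcontains "$env:COMPUTERNAME\$Name") {
        Add-LocalGroupMember -Group 'Administrators' -Member $Name
    }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Created = $created }
}

$results = foreach ($comp in Get-ADComputer -Filter * -SearchBase $searchBase) {
    $row = [ordered]@{ Computer = $comp.Name; Status = 'offline'; Password = $null }
    if (Test-Connection $comp.Name -Quiet -Count 1) {
        $plain = New-RandomPassword
        try {
            $r = Invoke-Command -ComputerName $comp.Name -ScriptBlock $provision -ErrorAction Stop `
                     -ArgumentList $userName, (ConvertTo-SecureString $plain -AsPlainText -Force)
            $row.Status   = if ($r.Created) { 'created' } else { 'already present' }
            $row.Password = if ($r.Created) { $plain } else { $null }   # only kept for a new account
        } catch {
            $row.Status = "error: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$row
}
# Hand the Password column to a vault (LAPS is the supported way to manage these); do not leave it on disk.
$results | Format-Table Computer, Status -AutoSize
```

Re-running the script later only touches machines whose account or group membership is still missing, and each host reports offline, created, already present or an error, which gives the per-computer record the original script tried to keep in text files.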