Create Local User account via GPO in Windows 10

  • Question

  • We have a hospital emergency program where we need a local account created (non admin) to run emergency software when the domain is not available.

    We have always used the Preferences - Add Local Account.

    However, with Windows 10 it is now greyed out?

    I get there was a security issue but why not just FIX the issue and encrypt the passwords in Group Policy rather than just block the ability to create local accounts with Group Policy.

    Yes we can do a script but that is LESS SECURE because then we cannot change the password regularly without redeploying another script.

    Now we do use LAPS for Local Admin but that cannot be leveraged to create non-admin local accounts because it is NOT an option.


    lforbes

    Wednesday, November 21, 2018 8:07 PM

All replies

  • Hello,

    Since KB MS14-025 this functionality is disabled, so if you want to create a local user you will have to use a PowerShell script or VBScript to do that, as Partha is saying.

    Below is the article regarding this change of behaviour and a proposed workaround from Microsoft:

    https://support.microsoft.com/en-us/help/2962486/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevati

    Best Regards,

    Thursday, November 22, 2018 8:18 AM
  • I get there was a security issue but why not just FIX the issue and encrypt the passwords in Group Policy rather than just block the ability to create local accounts with Group Policy.

    This cannot be fixed because there is no shared secret between the admin user (who types in the password) and the target computer (where the password is applied). No shared secret means no encryption. At least no reliable encryption.

    AFAIK you can still edit the XML manually and add the cpassword attribute: https://msdn.microsoft.com/en-us/library/cc422911.aspx

    To encrypt it correctly, use one of the scripts you can find via https://www.google.com/search?q=gpp+cpassword+decrypt and invert the script logic.

    Or setup a workstation that misses MS14-025...


    Greetings/Grüße, Martin - https://mvp.microsoft.com/en-us/PublicProfile/5000017 Want to read a good book about GPOs? - http://www.amazon.de/Windows-Server-2012--8-Gruppenrichtlinien/dp/3866456956 Good or bad GPOs? My blog - http://evilgpo.blogspot.com And if IT bothers me? Coke bottle design refreshment - http://sdrv.ms/14t35cq

    Thursday, November 22, 2018 8:28 AM
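Martin's point about hand-editing the XML and "inverting the decrypt script", shown as an added PowerShell example that is not code from this thread or from Microsoft. The cpassword scheme was published by Microsoft in the MS-GPPREF specification (AES-256-CBC, all-zero IV, PKCS7 padding, UTF-16LE plaintext, Base64 with the trailing `=` removed), including the 32-byte key, so the same key both writes a value and recovers it on every Windows installation. The sample password and the default SYSVOL path in the audit function are assumptions for illustration.

```powershell
# Added example, not code from this thread. Implements the cpassword scheme that
# Microsoft documented in MS-GPPREF section 2.2.1.1.4 (AES-256-CBC, zero IV,
# PKCS7 padding, UTF-16LE plaintext, Base64 without trailing '=').
# The key is identical on every Windows installation, which is the whole problem.
$GppAesKey = [byte[]](
    0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
    0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

function New-GppAes {
    # AES object configured exactly as the GPP format requires
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = $GppAesKey
    $aes.IV      = New-Object byte[] 16      # all-zero IV, fixed by the format
    return $aes
}

function ConvertTo-GppCpassword {
    # Plaintext password -> cpassword attribute value (what you would paste into Groups.xml)
    param([Parameter(Mandatory)][string]$Password)
    $aes    = New-GppAes
    $plain  = [System.Text.Encoding]::Unicode.GetBytes($Password)   # UTF-16LE
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    $aes.Dispose()
    return [Convert]::ToBase64String($cipher).TrimEnd('=')
}

function ConvertFrom-GppCpassword {
    # cpassword attribute value -> plaintext password (what any domain user can do)
    param([Parameter(Mandatory)][string]$Cpassword)
    $b64    = $Cpassword + ('=' * ((4 - $Cpassword.Length % 4) % 4))  # restore Base64 padding
    $cipher = [Convert]::FromBase64String($b64)
    $aes    = New-GppAes
    $plain  = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    $aes.Dispose()
    return [System.Text.Encoding]::Unicode.GetString($plain)
}

function Find-GppCpassword {
    # Audit check: list every cpassword still sitting in SYSVOL, decrypted.
    # The default path is an assumption about the usual SYSVOL layout.
    param([string]$PolicyRoot = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies")
    $xmlNames = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Drives.xml','Printers.xml'
    Get-ChildItem -Path $PolicyRoot -Recurse -Include $xmlNames -ErrorAction SilentlyContinue |
        Select-String -Pattern 'cpassword="([^"]+)"' |
        ForEach-Object {
            $value = $_.Matches[0].Groups[1].Value
            [pscustomobject]@{
                File      = $_.Path
                Cpassword = $value
                Password  = ConvertFrom-GppCpassword -Cpassword $value
            }
        }
}

# Round trip with a constructed sample password; the audit needs a domain-joined host.
$sample = ConvertTo-GppCpassword -Password 'Emergency2018!'
ConvertFrom-GppCpassword -Cpassword $sample
```

The round trip at the end returns the original string, which is the demonstration: a value produced by `ConvertTo-GppCpassword` and pasted into a Preferences XML is recovered by anyone who can read SYSVOL, and SYSVOL is readable by every Authenticated User. `Find-GppCpassword` is the check worth running in any domain that existed before MS14-025, since the patch stopped the editor writing new cpassword values but did not remove old ones.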
  • Hi,
    We can try the following two scripts, from the articles "Script to create local users on workstation" and "Create a local user account and add it to administrators group"; after one is run as a user logon script or a computer startup script, check to see if it works.

    Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, November 22, 2018 10:10 AM
    Moderator
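An added PowerShell example of the script approach suggested above; it is not one of the linked scripts (which are not reproduced on this page) and not code from this thread. It is meant to run as a computer startup script under SYSTEM and is idempotent: every boot recreates the account if it is missing, re-applies the password and flags, and takes the account back out of Administrators if someone added it. The account name, full name and placeholder password are assumptions for illustration.

```powershell
# Added example, not from the thread: computer startup script that keeps a
# non-admin local account in the desired state on every boot. Account name,
# full name and the placeholder password are assumptions for illustration.
# Caveat: a script in SYSVOL is readable by every Authenticated User, so a
# password embedded here is exposed exactly as a cpassword value was.
param(
    [string]$UserName = 'EmergencyUser',
    [string]$FullName = 'Emergency software account',
    [string]$Password = 'PLACEHOLDER-change-me-1!'
)

$securePassword = ConvertTo-SecureString -String $Password -AsPlainText -Force

$user = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue
if (-not $user) {
    # Account missing (fresh image, or someone deleted it): create it
    New-LocalUser -Name $UserName -FullName $FullName -Password $securePassword `
        -PasswordNeverExpires -AccountNeverExpires -UserMayNotChangePassword | Out-Null
}
else {
    # Account exists: re-apply the password and flags every run, so a local
    # change is undone at the next boot and a rotated password takes effect
    Set-LocalUser -Name $UserName -Password $securePassword `
        -PasswordNeverExpires $true -UserMayChangePassword $false
    if (-not $user.Enabled) { Enable-LocalUser -Name $UserName }
}

function Test-LocalGroupMembership {
    # True if $Member (matched as MACHINE\Member) is in the local group $Group
    param([string]$Group, [string]$Member)
    $members = Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue
    return [bool]($members | Where-Object { $_.Name -like "*\$Member" })
}

# Membership: must be in Users, must not be in Administrators.
# New-LocalUser does not add the account to Users by itself.
if (Test-LocalGroupMembership -Group 'Administrators' -Member $UserName) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $UserName
}
if (-not (Test-LocalGroupMembership -Group 'Users' -Member $UserName)) {
    Add-LocalGroupMember -Group 'Users' -Member $UserName
}
```

Deploy it under Computer Configuration, Policies, Windows Settings, Scripts (Startup) and pass the password as a script parameter there rather than editing the file. Two limits a practitioner should keep in mind: a startup script runs at boot, not on the 90-minute background refresh, so a password change lands on the next restart of each machine; and a local administrator can still reset the password between boots, the script only puts it back.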
  • Hi,
    If this question has any update? Also, for the question, is there any other assistance we could provide?
    Best Regards,
    Daisy Zhou


    Tuesday, November 27, 2018 7:10 AM
    Moderator
  • Hi,
    I am just writing to see if this issue has any update. If anything is unclear, please feel free to let us know.
    Have a nice day!
    Best Regards,
    Daisy Zhou




    Friday, November 30, 2018 12:58 AM
    Moderator
  • Have you tried PS. https://social.technet.microsoft.com/Forums/en-US/b0edfcbd-c926-456d-a162-7d5ccad81e8f/creating-a-remote-local-admin-account?forum=winserverpowershell

    Again not secure in the slightest, because it is not enforced and any local admin user can change it. You cannot change the password without redeploying another script, which for 85,000 workstations definitely takes longer than the 90 min Group Policy does.

    lforbes


    • Edited by lforbes Monday, December 3, 2018 4:57 AM
    Monday, December 3, 2018 4:45 AM
  • I get there was a security issue but why not just FIX the issue and encrypt the passwords in Group Policy rather than just block the ability to create local accounts with Group Policy.

    This cannot be fixed because there is no shared secret between the admin user (who types in the password) and the target computer (where the password is applied). No shared secret means no encryption. At least no reliable encryption.

    AFAIK you can still edit the XML manually and add the cpassword attribute: https://msdn.microsoft.com/en-us/library/cc422911.aspx

    To encrypt it correctly, use one of the scripts you can find via https://www.google.com/search?q=gpp+cpassword+decrypt and invert the script logic.

    Or setup a workstation that misses MS14-025...


    Greetings/Grüße, Martin


    I am not sure what you mean by shared secret. The Windows 7 machines work fine with the Server 2008 GPO method. The Windows 10 machines are what I need. Fascinating that they can add a password in the unattend.xml for the admin for image building and in provisioning packs and not in GPO. However these are non-admin local accounts. I can even create it without a password because they are not domain. However I cannot get the account to even create.

    lforbes

    Monday, December 3, 2018 4:53 AM
  • Hi,
    We can try the two following scripts in the articles Script to create local users on workstation and Create a local user account and add it to administrators group , after it is run as a user login script or a computer boot script, check to see if it works.


    Best Regards,
    Daisy Zhou



    As I said above in the original post, a script is not an option. I have 85,000 workstations to support and I have to be able to change the password within the 90 min GPO window and have it ENFORCED. A script is useless as it runs once. Anyone with admin can reset the password and break everything.

    lforbes

    Monday, December 3, 2018 4:56 AM
  • Hi,
    Our test environment also cannot use this Group Policy Preferences item to create a local account. We recommend using other methods.

    Or I suggest you submit a service request to MS Professional tech support service so that a dedicated support professional can further assist you with this request.
     
    The following web sites, with more detail on Professional Support options and incident submission methods, are for your reference:
    https://support.microsoft.com/en-in/gp/contactus81?forceorigin=esmc&Audience=Commercial

    https://support.microsoft.com/en-us/help/4051701/global-customer-service-phone-numbers

    Thank you for your understanding and support.

    Best Regards,
    Daisy Zhou


    Tuesday, December 4, 2018 2:58 PM
    Moderator