Question
Monday, February 26, 2018 10:56 PM
Hello
I have been trying to create a new local Admin Account for our domain computers.
The account will not be a domain account -- Simply a local admin account on each machine.
I've tried "Add-LocalUser" and [ADSI]"WinNT://" (which gives me an error that it could not find the distinguishedName).
I get my computer names based on OU:
$computers=Get-ADComputer -filter * -SearchBase "OU=Test OU,OU=Computers,OU=subOU,DC=mydomain,DC=local"
This brings up the proper machines.
$Computers = Get-ADComputer -filter * -SearchBase "OU=Test OU,OU=Computers,OU=COCL,DC=COCL,DC=local"
foreach ($comp in $computers)
{
    $ping = Test-Connection $Comp.Name -Quiet -Count 1
    if ($ping)
    {
        $comp.name | out-file c:\onlinecomputers.txt -append
        $group = "Administrators"
        $Username = 'newLocalAdmin'
        $Password = '123456789'
        $AdminAcct = '$Comp/$Username' # invalid format error.
        $Sec = ConvertTo-SecureString $Password -AsPlainText -Force
        $fullComp = $Comp.Name
        New-LocalUser $FullComp -Password $Sec -AccountNeverExpires -Description "Local Admin Account" -FullName "Local Admin" -PasswordNeverExpires
        Add-LocalGroupMember -Group $Group -Member $Username
        #Record the computers that the admin acct was added to
        $comp.name | out-file c:\onlinecomputers.txt -append
    }
    else {
        #record computername if it is offline
        $comp.name | out-file c:\offlinecomputers.txt -append
    }
}
I'm out of ideas as to why it won't work. Any suggestions?
Thank You
Terry
All replies (15)
Tuesday, February 27, 2018 2:43 AM ✅Answered
Hi Terry,
New-LocalUser and Add-LocalGroupMember cmdlets do not have the ComputerName parameter, you may need to use Invoke-Command cmdlet to do this remotely. The following example creates a single local admin, for your reference, hope it is helpful to you:
$userName = 'newLocalAdmin'
$password = ConvertTo-SecureString -String '123456789' -AsPlainText -Force
$group = 'Administrators'
Invoke-Command -ComputerName $comp -ArgumentList $userName, $password, $group -ScriptBlock {
    New-LocalUser -Name $args[0] -FullName 'Local Admin' -Description 'Local Admin Account' -Password $args[1] -PasswordNeverExpires -AccountNeverExpires
    Add-LocalGroupMember -Group $args[2] -Member $args[0]
}
If you need further help, please feel free to let us know.
Best Regards,
Albert
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected]
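An added example, not Albert's snippet or Terry's script, that turns the Invoke-Command approach above into a loop run once from an admin workstation. It also covers the point raised later in the thread that this is a one-time job: instead of a startup script or scheduled task, it records which machines are done and which were offline, so the same script can simply be re-run until every computer has been reached. It prompts for the password rather than storing it in a script that will sit on a share. Assumptions: the RSAT ActiveDirectory module is installed, WinRM is enabled on the targets, the targets have the LocalAccounts cmdlets (Windows 10 / Server 2016 or later), the caller is a local administrator on them, and the OU path, account name and log paths are placeholders.

```powershell
# Added example (not from the thread). One-time run from an admin workstation:
# creates a local admin on each computer in an OU via PowerShell remoting and
# keeps a done-list so it is safe to re-run as offline machines come back.

$searchBase = 'OU=Test OU,OU=Computers,OU=subOU,DC=mydomain,DC=local'   # placeholder OU
$userName   = 'newLocalAdmin'                                             # placeholder name
$group      = 'Administrators'
$doneLog    = 'C:\Temp\localadmin-done.txt'                               # placeholder path
$failLog    = 'C:\Temp\localadmin-failed.txt'                             # placeholder path

# Prompt for the password instead of hard-coding it; SecureString travels over the
# remoting session encrypted with the session key.
$password = Read-Host -Prompt "Password for $userName" -AsSecureString

$alreadyDone = @()
if (Test-Path $doneLog) { $alreadyDone = Get-Content $doneLog | ForEach-Object { ($_ -split "`t")[0] } }

$computers = Get-ADComputer -Filter * -SearchBase $searchBase | Select-Object -ExpandProperty Name

foreach ($name in $computers) {
    if ($alreadyDone -contains $name) { continue }              # run-once per machine
    if (-not (Test-Connection $name -Count 1 -Quiet)) {
        "$name`toffline`t$(Get-Date -Format s)" | Add-Content $failLog
        continue
    }
    try {
        $result = Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
            # $using: pulls the caller's variables into the remote session (PS 3.0+)
            $u = $using:userName
            $g = $using:group
            $p = $using:password

            $existing = Get-LocalUser -Name $u -ErrorAction SilentlyContinue
            if (-not $existing) {
                New-LocalUser -Name $u -Password $p -FullName 'Local Admin' `
                    -Description 'Local Admin Account' `
                    -PasswordNeverExpires -AccountNeverExpires | Out-Null
            }
            # Add-LocalGroupMember throws if the member is already present, so check first.
            $members = Get-LocalGroupMember -Group $g | Select-Object -ExpandProperty Name
            if ($members -notcontains "$env:COMPUTERNAME\$u") {
                Add-LocalGroupMember -Group $g -Member $u
            }
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; Created = (-not $existing) }
        }
        $state = if ($result.Created) { 'created' } else { 'already existed' }
        "$name`t$state`t$(Get-Date -Format s)" | Add-Content $doneLog
    }
    catch {
        # Typical failures: WinRM not enabled, access denied, New-LocalUser missing (Windows 7)
        "$name`t$($_.Exception.Message)`t$(Get-Date -Format s)" | Add-Content $failLog
    }
}
```

Re-running the script later only touches computers missing from the done log, which is what "run once on each system" needs without a GPO. Machines that fail end up in the failure log with the reason, so Windows 7 hosts without the LocalAccounts cmdlets stand out immediately.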
Tuesday, February 27, 2018 3:41 PM ✅Answered
Albert
Thank You so much!!!
This is "exactly" what I needed. I will have to do some reading on the invoke-command to get a full understanding of it.
I'm looking at attaching the script to a GPO and set it to only run once, to prevent the overhead of having it applied every time someone logs in.
This is awesome, thanks.
Terry
Monday, February 26, 2018 11:15 PM
To do this remotely look in the Gallery or get the module here:
Find-Module LocalAccount | Install-Module
¯\_(ツ)_/¯
Tuesday, February 27, 2018 3:44 PM
As much as I wanted to try this script out, I found it way over my head for understanding it. I like to understand what a script is doing at any given point, and I could not understand this one.
I do thank you for it though. At one point I will try to dive into each aspect of it (after all, I'm still a noob with PowerShell).
Thank you
Terry
Tuesday, February 27, 2018 3:47 PM
The LocalAccount module does not require remoting as it uses direct ADSI which can be used on any Windows system. I recommend using that. It is also faster than PS Remoting which requires custom setup and configuration.
The Add-Local and New-Local commands are only available on Windows 10 and later. The LocalAccount module works on all versions of Windows.
¯\_(ツ)_/¯
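To show what "direct ADSI" means in practice, here is an added example (not the LocalAccount module's code, nor anything posted in the thread) that does the same job through the WinNT ADSI provider. It does not need WinRM on the target and does not depend on New-LocalUser, so it works against the Windows 7 machines mentioned below; it does need the caller to be a local administrator on the target. The function name, computer name and account name are assumptions/placeholders.

```powershell
# Added example (not from the thread). Create a local admin on a remote machine
# through the WinNT ADSI provider, which works on Windows 7 as well as 10.

function New-RemoteLocalAdmin {   # hypothetical name, not a built-in cmdlet
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][System.Security.SecureString]$Password,
        [string]$GroupName = 'Administrators'
    )
    $computer = [ADSI]"WinNT://$ComputerName"

    # The WinNT provider has no Get-LocalUser; enumerate children and filter on class.
    $existing = $computer.Children |
        Where-Object { $_.SchemaClassName -eq 'user' -and $_.Name -eq $UserName }

    if ($existing) {
        $user = $existing
    }
    else {
        $user = $computer.Create('User', $UserName)
        # SetPassword wants plain text: decode only for this call, then zero the buffer.
        $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
        try   { $user.SetPassword([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)) }
        finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
        $user.SetInfo()

        # ADS_UF_DONT_EXPIRE_PASSWD = 0x10000 gives "password never expires".
        $flags = $user.Get('UserFlags')
        $user.Put('UserFlags', $flags -bor 0x10000)
        $user.Put('Description', 'Local Admin Account')
        $user.SetInfo()
    }

    # Group.Add throws if the account is already a member, so check membership first.
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    $isMember = @($group.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    } | Where-Object { $_ -eq $UserName }
    if (-not $isMember) {
        $group.Add($user.Path)
    }

    [pscustomobject]@{ Computer = $ComputerName; User = $UserName; Created = (-not $existing) }
}

# Usage (placeholder computer and account names); prompt rather than embed the password.
$pw = Read-Host -Prompt 'Password for cLAdmin' -AsSecureString
New-RemoteLocalAdmin -ComputerName 'PC001' -UserName 'cLAdmin' -Password $pw
```

The check on the group's current members is the part most scripts miss: without it a second run fails on every machine that already has the account, which looks like a remoting problem when it is not.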
Tuesday, February 27, 2018 3:49 PM
As much as I wanted to try this script out, I found it way over my head for understanding it. I like to understand what a script is doing at any given point, and I could not understand this one.
I do thank you for it though. At one point I will try to dive into each aspect of it (after all, I'm still a noob with PowerShell).
Thank you
Terry
The LocalAccount module also comes with complete help so you can understand what it is doing.
¯\_(ツ)_/¯
Friday, March 2, 2018 3:41 PM
Hello
This script runs perfectly if I run it from my workstation, but when I put it in the startup GPO, it does not actually do anything. Running a Gpresult shows that the GPO was applied, yet the admin account does not get created.
I have put the script both in the sysvol location and on an accessible share on the server, and same result. But again, running if from my workstation, it runs flawlessly.
Here's the script:
$userName = 'cLAdmin'
$password = ConvertTo-SecureString -String 'p@$$w0rD' -AsPlainText -Force
$group = 'Administrators'
$computers=Get-ADComputer -filter * -SearchBase "OU=Test OU,OU=Computers,OU=sOU,DC=domain,DC=local"
foreach ($comp in $Computers)
{
    Invoke-Command -ComputerName $comp.Name -ArgumentList $userName, $password, $group -ScriptBlock {
        New-LocalUser -Name $args[0] -FullName 'Local Admin' -Description 'Local Admin Account' -Password $args[1] -PasswordNeverExpires -AccountNeverExpires -UserMayNotChangePassword
        Add-LocalGroupMember -Group $args[2] -Member $args[0]
    }
}
Is there something special that needs to be added to have it run from the GPO?
Thank You
Terry
Friday, March 2, 2018 3:52 PM
You cannot do this from a startup script for obvious reasons. It is also a very bad thing to try to do. Why would this ever be necessary?
¯\_(ツ)_/¯
Friday, March 2, 2018 4:18 PM
I am only trying to find a way to have it run on each computer. I am looking at a scheduled task GPO right now, but I do only want it to run once on each system.
There are several laptops/devices that do not log into the domain but every couple of months, so I need it to run when the user logs into the domain.
Please bear with my ignorance in some of this as I am embarking on new territory for myself. I have not yet taken any server or GPO courses (scheduled for later this month).
Thank You
Terry
Friday, March 2, 2018 4:29 PM
You do not have to run this on each computer and you do not have to use a startup script. It is a one time issue. Just run the commands once against each computer and you are done.
¯\_(ツ)_/¯
Friday, March 2, 2018 4:44 PM
I have approx 250 computers to run this on. Not all computers will be on the domain at any given time. To avoid having to monitor when a specific computer comes on the domain, I need it to run automatically when they sign into the domain.
I can see why I would not use it as a start up script.
My objective is to create the new admin account on all computers in the domain so that I can rename/disable "THE" Administrator account; in time.
Friday, March 2, 2018 4:52 PM
Are they all running Windows 10?
If not, do they all have the LocalAdmin module for earlier systems installed?
I think you need to take a bit of time to learn PowerShell and how to set up windows.
The Gallery has scripts that use ADSI to create local accounts. You can use one of these. Unfortunately you will be broadcasting an admin password all over your network, which is not a good idea.
¯\_(ツ)_/¯
Friday, March 2, 2018 5:05 PM
Thank you
Right now I have win 10 and win 7 machines, but am in the midst of a win 10 roll-out city wide. I'm thinking of simply adding the new Admin account to my image so that when I image each machine, the account will be there.
I'll have to modify my wim file for that, but that is something that I've been doing already.
I've looked at the ADSI script and it confuses me. I am learning powershell bit by bit.
Thank you for all your input.
Terry
Friday, March 2, 2018 5:09 PM
By all means add it to the image. That is the easiest and safest way to do this.
Take the time saved and invest it in learning PowerShell and more about how to manage Windows in the Enterprise.
¯\_(ツ)_/¯
Monday, March 5, 2018 8:36 AM
Hi,
According to your situation, LAPS may meet your needs, for your reference:
Local Administrator Password Solution
https://technet.microsoft.com/en-us/mt227395.aspx
Best Regards,
Albert