User Panel
User Panel
User Panel
|
Posted: 7/4/2017 5:01:52 PM EDT
[#1]
GPO is the best solution. Group Policy still has the ability to create local accounts and rename the default admin account.
I use this in my environment to create local admin accounts for the desktop support team and to add the desktop support team's group to the local administrator group. |
|
|
|
Posted: 7/5/2017 9:35:30 AM EDT
[#2]
Quote HistoryQuoted:
GPO is the best solution. Group Policy still has the ability to create local accounts and rename the default admin account. I use this in my environment to create local admin accounts for the desktop support team and to add the desktop support team's group to the local administrator group. https://www.reddit.com/r/sysadmin/comments/ https://community.spiceworks.com/topic/ Including MS - https://blogs.technet.../ms14-025-an-update-for-group-policy-preferences/ The docs say that existing policies still work, but you cannot create new ones. |
|
|
|
Posted: 7/5/2017 10:40:02 AM EDT
[#3]
Quote HistoryQuoted:
Multiple references say this is no longer so. https://www.reddit.com/r/sysadmin/comments/ https://community.spiceworks.com/topic/ Including MS - https://blogs.technet.../ms14-025-an-update-for-group-policy-preferences/ The docs say that existing policies still work, but you cannot create new ones. |
|
|
|
Posted: 7/5/2017 12:00:03 PM EDT
[#4]
We've started doing this with our own agent written in .NET. It creates a local admin account with a random password, securely syncs that password to a web based dashboard that's accessed via 2FA and SSO creds, where it can be looked up. Then that password is changed ever 24 hours. So if my techs need a local admin password on a machine, the login to the dashboard, find the particular machine they need, and look up the password.
We're working on a mobile app as well. We're thinking about selling it as a SaaS service if we can work out the bugs. But yeah, the new thing to do is use PowerShell scripts. |
|
|
|
Posted: 7/5/2017 8:40:37 PM EDT
[#5]
I've got the basics of a script put together. It has a few problems though...
I found it weird that I have to put a SetInfo after each entry on the account creation. It really falls apart on the old admin account password set and disable. I'm assuming there's some PS magic like the $NewUser = $ADSIComp.Create line in the new account creation. I just don't know what it is. Ideas? $TargetComputers = Get-Content c:\scripts\computerlist.txt
Edit - put script in a Code block to see if it made any real difference
$NewAdminUser = 'WeirdAdminAccount' $OldAdminUser = 'Administrator' $group = "Administrators" $EnableUser = 512 $DisableUser = 2 FOREACH ($Target in $TargetComputers) { # # Create a new local user on each target computer # $ADSIComp = [adsi]"WinNT://$Target" $NewUser = $ADSIComp.Create('User',$NewAdminUser) $NewUser.SetPassword('HardPW9)') $NewUser.SetInfo() $NewUser.Description = "Local Administrator" $NewUser.SetInfo() $NewUser.userflags = $EnableUser $NewUser.SetInfo() # # Put new local user into specified group (local administrator for this script) # & NET LOCALGROUP "$group" $NewAdminUser /add # # Reset password and disable local Administrator account on each target computer # $OldAdmin = [adsi]"WinNT://$Target,OldAdminUser" $OldAdmin.SetPassword('HardPW9)') $OldAdmin.SetInfo() $OldAdmin.Description = "Disabled Local Administrator" $OldAdmin.SetInfo() $OldAdmin.userflags = $DisableUser $OldAdmin.SetInfo() } |
|
|
|
Posted: 7/5/2017 10:02:38 PM EDT
[#6]
Crap - this reminds me of 15 feet of wide greenbar stretched down the hallway looking for a misplaced period in a COBOL listing....
$OldAdmin = [adsi]"WinNT://$Target,OldAdminUser" should be $OldAdmin = [adsi]"WinNT://$Target/$OldAdminUser" I need to do some testing, but I think its working. :-) |
|
|
|
Posted: 7/5/2017 10:48:42 PM EDT
[#7]
A few more tweaks, and here is what I have that (so far) seems to work...
The input text file is just a list of the computers I want to touch, one per line (If we're going to have Code tags, can we ask that they are language aware instead of just a different quote system?) # Create New Local Admins
# Disable local Administrator $TargetComputers = Get-Content c:\scripts\computerlist.txt $NewAdminUser = 'WeirdAdminAccount' $OldAdminUser = 'Administrator' $LocalGroup = "Administrators" $EnableUser = 512 $DisableUser = 2 FOREACH ($Target in $TargetComputers) { # # Create a new local user on each target computer # $ADSIComp = [adsi]"WinNT://$Target" $NewUser = $ADSIComp.Create('User',$NewAdminUser) $NewUser.SetPassword('HardPW9)') $NewUser.SetInfo() $NewUser.Description = "Local Administrator" $NewUser.SetInfo() $NewUser.userflags = $EnableUser $NewUser.SetInfo() # # Put new local user into specified group (local administrator for this script) # #& NET LOCALGROUP "$group" $NewAdminUser /add $AddToGroup = [ADSI]("WinNT://$Target/$LocalGroup,group") $AddToGroup.add("WinNT://$NewAdminUser,user") $AddToGroup.setinfo() # # Reset password and disable local Administrator account on each target computer # $OldAdmin = [adsi]"WinNT://$Target/$OldAdminUser" $OldAdmin.SetPassword('HardPW9)') $OldAdmin.SetInfo() $OldAdmin.Description = "Disabled Local Administrator" $OldAdmin.SetInfo() $OldAdmin.userflags = $DisableUser $OldAdmin.SetInfo() } |
|
|
Win a FREE Membership!
Sign up for the ARFCOM weekly newsletter and be entered to win a free ARFCOM membership. One new winner* is announced every week!
You will receive an email every Friday morning featuring the latest chatter from the hottest topics, breaking news surrounding legislation, as well as exclusive deals only available to ARFCOM email subscribers.
AR15.COM is the world's largest firearm community and is a gathering place for firearm enthusiasts of all types.
From hunters and military members, to competition shooters and general firearm enthusiasts, we welcome anyone who values and respects the way of the firearm.
Subscribe to our monthly Newsletter to receive firearm news, product discounts from your favorite Industry Partners, and more.
Copyright © 1996-2024 AR15.COM LLC. All Rights Reserved.
Any use of this content without express written consent is prohibited.
AR15.Com reserves the right to overwrite or replace any affiliate, commercial, or monetizable links, posted by users, with our own.
