Worklet: Add a local admin user on or off domain

  • 11 September 2020
  • 1 reply
  • 385 views

Userlevel 4
Badge

Hey Guys,


So if you get locked out of a users box and you don’t have local admin credentials or in our case, not connected to VPN, heres how to make a simple local admin user with a known password to get into a box on the fly.


Evaluation: exit 1


Remediation: This will drop a local tempuser onto the box of your choice and a password of your choosing. (keep the quotes on the variables)


$scriptblock = {
#user defined variables:
$yourpass = "Password Here"
$yourname = "Name Here"
#
$Password = ConvertTo-SecureString $yourpass -AsPlainText -Force
New-LocalUser $yourname -Password $Password -FullName $yourname -AccountNeverExpires
Add-LocalGroupMember -Group "Administrators" -Member $yourname
gpupdate /force
}
& “$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe” -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptblock

Then, make sure you delete that temp user afterwards, or you can run evaluation to see if you left it behind


$scriptblock = {
#user defined variable:
$tempname = "Your Temp Name"
#
$tempuser = Get-LocalUser | where-Object Name -eq $tempname | Measure
if ($tempuser.Count -eq 0) {
exit 0
}
else {
exit 1
}
}
& "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptblock

And if anything comes back with a exit 1:


$scriptblock = {
#user defined variable:
$tempname = "Your Temp Name"
Get-LocalUser $tempname | Remove-LocalUser
}
& "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptblock

1 reply

So..I pretty much did this…

 

Evaluation: exit 1

 

Remediation: the script above with the proper defined variables

 

HOWEVER, the using I was pushing this worklet out to was not showing any added account. I verywell could be missing something. Thoughts? Thanks in advance

Reply