Deploy LAPS agent and create local administrator (Local Administrator Password Solution)

19 November 2020

I created this simple worklet to deploy the Local Administrator Password Solution client to machines and create the local administrative user we are going to use. Please disable the default local administrator account with a GPO.



The worklet is maintained on our GitHub page.



Evaluation code

# Always report non-compliant so the remediation code runs on every evaluation
Exit 1



Remediation code

### Variables ###
$username = "" ### Enter username you want to create ###
$password = "" ### Enter initial password ###
### Variables ###

# Look only at local accounts, so a same-named domain account does not mask a missing local one
$User = gwmi -Class Win32_UserAccount -Filter "LocalAccount=True" | Where-Object { $_.Name -eq $username }

if (-Not $User)
{
    net user /add $username $password | Out-Null
    # $LASTEXITCODE holds the exit code of the last native command (net.exe); 0 means success
    $created = ($LASTEXITCODE -eq 0)
    net localgroup administrators $username /add | Out-Null
    if ($created -and $LASTEXITCODE -eq 0)
    { Write-Output "User successfully created." }
    else { Write-Output "Failed to create user!" }
}
Else { Write-Output "User already exists." }

$Installed = (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object { $_.DisplayName -Match "Local Administrator Password Solution" })

If (-Not $Installed) {
    # -Wait -PassThru returns the msiexec process; its ExitCode tells whether the install succeeded,
    # whereas $? only tells whether Start-Process itself ran
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList ('/qn', '/i', '"LAPS.x64.msi"') -Wait -PassThru
    if ($proc.ExitCode -eq 0)
    { Write-Output "LAPS client successfully installed." }
    else { Write-Output "Failed to install LAPS client! (msiexec exit code $($proc.ExitCode))" }
}
else {
    Write-Output "LAPS client already installed."
}

Version 2 on GitHub also disables the default administrator account.


Hello, can you use this to send a local admin account and password to all Windows machines in a group? We are having LAPS issues right now over our VPN.

Thank you

Steve


Yes, you could use it for that with some tweaks; all worklets run at system level, so you could reset the password of a local account.





### Variables ###
$username = "" ### Enter username you want to change ###
$password = "" ### Enter password ###
### Variables ###

# Look only at local accounts, so a same-named domain account is not mistaken for the local one
$User = gwmi -Class Win32_UserAccount -Filter "LocalAccount=True" | Where-Object { $_.Name -eq $username }

if ($User)
{
    net user $username $password | Out-Null
    # $LASTEXITCODE is the exit code of net.exe; 0 means the reset succeeded
    if ($LASTEXITCODE -eq 0)
    { Write-Output "Password successfully reset." }
    else { Write-Output "Failed to reset password!" }
}
Else { Write-Output "User does not exist." }


So that you're not storing a password in code, consider the following for creating a secure random initial password.

$scriptblock = {
    # Function to generate random passwords
    function New-RandomPassword {
        param(
            [Parameter()]
            [int]$MinimumPasswordLength = 18,
            [Parameter()]
            [int]$MaximumPasswordLength = 29,
            [Parameter()]
            [int]$NumberOfAlphaNumericCharacters = 9,
            [Parameter()]
            [switch]$ConvertToSecureString
        )
        # System.Web ships with the .NET Framework, so this works in Windows PowerShell but not PowerShell 7
        Add-Type -AssemblyName 'System.Web'
        # Get-Random's -Maximum is exclusive, so the defaults give a length of 18..28
        $length = Get-Random -Minimum $MinimumPasswordLength -Maximum $MaximumPasswordLength
        # Second argument is the minimum number of non-alphanumeric characters in the result
        $password = [System.Web.Security.Membership]::GeneratePassword($length, $NumberOfAlphaNumericCharacters)
        if ($ConvertToSecureString.IsPresent) {
            ConvertTo-SecureString -String $password -AsPlainText -Force
        } else {
            $password
        }
    }

    # Generate the random password and emit it, so the calling process receives it
    # (an assignment inside the script block outputs nothing)
    New-RandomPassword
}

# Run scriptblock in 64-bit powershell and capture the generated password
$64bit = & "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptblock
# Keep only a SecureString in this session
$pw = ConvertTo-SecureString -String $64bit -AsPlainText -Force
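As an added example that is not part of any post in this thread or of the linked worklet, here is the whole flow (create the managed local admin, install the client, disable the built-in Administrator as the original post recommends) with the initial password drawn from the .NET CSPRNG at run time, so nothing is stored in the script and System.Web is not needed, and with the MSI's Authenticode signature checked before msiexec runs. It assumes Windows PowerShell 5.1 running as SYSTEM with LAPS.x64.msi in the working directory; the account name is a placeholder.

```powershell
# Added example, not the worklet from the post. Assumes Windows PowerShell 5.1 as SYSTEM,
# LAPS.x64.msi in the working directory; the account name below is a placeholder.
$Username = 'localadmin-example'
$MsiPath  = Join-Path (Get-Location) 'LAPS.x64.msi'

function New-RandomPassword {
    # Each character comes from a CSPRNG with rejection sampling, so no character is
    # favoured by modulo bias. Ambiguous glyphs (0/O, 1/l/I) are left out of the alphabet.
    param([int]$Length = 24)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%&*+-=?'
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = New-Object byte[] 4
    $limit    = [uint32]::MaxValue - ([uint32]::MaxValue % $alphabet.Length)
    $chars = foreach ($i in 1..$Length) {
        do { $rng.GetBytes($buf); $n = [BitConverter]::ToUInt32($buf, 0) } while ($n -ge $limit)
        $alphabet[[int]($n % $alphabet.Length)]
    }
    -join $chars
}

function Test-LapsInstalled {
    # Same Uninstall-key check the worklet uses, returned as a boolean
    [bool](Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' |
        Where-Object { $_.DisplayName -match 'Local Administrator Password Solution' })
}

# 1. Create the managed admin only if it is missing; the clear-text password exists only in this process
if (-not (Get-LocalUser -Name $Username -ErrorAction SilentlyContinue)) {
    $secure = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
    New-LocalUser -Name $Username -Password $secure -Description 'LAPS-managed local admin' | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $Username
}

# 2. Install the client only from a validly signed MSI; a missing or bad signature aborts the worklet
if (-not (Test-LapsInstalled)) {
    $sig = Get-AuthenticodeSignature -FilePath $MsiPath
    if ($sig.Status -ne 'Valid') { throw "Refusing to install: signature status is $($sig.Status)" }
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList '/qn', '/i', "`"$MsiPath`"" -Wait -PassThru
    if ($proc.ExitCode -ne 0) { throw "msiexec failed with exit code $($proc.ExitCode)" }
}

# 3. Disable the built-in Administrator (RID 500), which the post recommends doing via GPO
Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } | Disable-LocalUser
```

Once LAPS takes over the account it rotates the password on its own schedule, so the run-time password only has to survive until the first LAPS rotation.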

 

