Deploy LAPS agent and create local administrator (Local Administrator Password Solution)

I created this simple worklet to deploy the Local Administrator Password Solution client to machines and create the local administrative user we are going to use. Please disable the default local administrator account with a GPO.

The worklet is maintained on our GitHub page.

Evaluation code

Exit 1

Remediation code

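### Variables ###
$username = "" ### Enter the username you want to create ###
$password = "" ### Enter the initial password ###
### Variables ###

# Look for an existing local account with this name. LocalAccount=True keeps the
# query from enumerating (and matching) domain accounts on joined machines.
$User = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True AND Name='$username'"

if (-Not $User)
{
    # net.exe is a native command: check $LASTEXITCODE after each call,
    # because $? does not reliably reflect its result here.
    [void](net user /add $username $password)
    $created = ($LASTEXITCODE -eq 0)
    if ($created)
    {
        [void](net localgroup administrators $username /add)
        $created = ($LASTEXITCODE -eq 0)
    }
    if ($created)
        { Write-Output "User successfully created." }
    else { Write-Output "Failed to create user!" }
}
Else { Write-Output "User already exists." }

# Check the uninstall registry key for an existing LAPS client.
$Installed = (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object { $_.DisplayName -Match "Local Administrator Password Solution" })

If (-Not $Installed) {
    # Start-Process only reports that msiexec started; the installer's result is in ExitCode.
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList ('/qn', '/i', '"LAPS.x64.msi"') -Wait -PassThru

    # 0 = success, 3010 = success but a reboot is required
    if ($proc.ExitCode -eq 0 -or $proc.ExitCode -eq 3010)
        { Write-Output "LAPS client successfully installed." }
    else { Write-Output "Failed to install LAPS client! msiexec exit code: $($proc.ExitCode)" }
    }
else {
    Write-Output "LAPS client already installed."
    }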

Version 2 on GitHub also disables the default administrator account.
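
The evaluation code above is a bare `Exit 1`, so remediation runs every time. The script below is an added example (not the worklet's own code, and not taken from the GitHub version) of an evaluation step that checks the state this thread describes: the LAPS-managed local admin exists and is in Administrators, the LAPS client is installed, and the default administrator account is disabled. It assumes a non-zero exit means "run remediation", as the posted `Exit 1` implies; the account name `lapsadmin` and the function name `Test-LapsBaseline` are hypothetical.

```powershell
# Added example: compliance check for the state the remediation code should produce.
$username = "lapsadmin"   # constructed sample value; use the name set in the remediation code

function Test-LapsBaseline {
    param([Parameter(Mandatory)][string]$AccountName)

    $findings = @()

    # 1. The managed account exists and is enabled.
    $user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
    if (-not $user) {
        $findings += "Local user '$AccountName' is missing."
    }
    elseif (-not $user.Enabled) {
        $findings += "Local user '$AccountName' is disabled."
    }

    # 2. It is a member of the built-in Administrators group. The well-known SID
    #    is used so the check also works where the group name is localized.
    if ($user) {
        $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
        if ($admins.SID.Value -notcontains $user.SID.Value) {
            $findings += "'$AccountName' is not a member of Administrators."
        }
    }

    # 3. The LAPS client is installed (same registry test as the remediation code).
    $laps = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Local Administrator Password Solution' }
    if (-not $laps) { $findings += 'LAPS client is not installed.' }

    # 4. The default administrator account (RID 500) is disabled, whatever it was renamed to.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if ($builtin -and $builtin.Enabled) {
        $findings += "Default administrator '$($builtin.Name)' (RID 500) is still enabled."
    }

    return ,$findings
}

$findings = Test-LapsBaseline -AccountName $username
$findings | ForEach-Object { Write-Output $_ }
if ($findings.Count -gt 0) { exit 1 } else { exit 0 }
```

`Get-LocalUser` and `Get-LocalGroupMember` require Windows PowerShell 5.1 or later. Because the posted remediation code skips the group add when the user already exists, a "not a member of Administrators" finding will persist until that is corrected by hand.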