Deploy LAPS agent and create local administrator (Local Administrator Password Solution)

I created this simple worklet to deploy the Local Administrator Password Solution client to machines and create the local administrative user we are going to use. Please disable the default local administrator account with a GPO.

The worklet is maintained on our GitHub page.

Evaluation code

Exit 1

Remediation code

### Variables ###
$username = "" #### Enter username you want to create ###
$password = "" ### Enter initial password ###
### Variables ###

# Look only at local accounts so a same-named domain account does not mask a missing local one
$User = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" | Where-Object { $_.Name -eq $username }

if (-Not $User)
{
    # net commands are native executables: check $LASTEXITCODE, not $?, for their result
    [void](net user $username $password /add)
    $created = ($LASTEXITCODE -eq 0)
    [void](net localgroup administrators $username /add)
    if ($created -and $LASTEXITCODE -eq 0)
        { Write-Output "User successfully created." }
    else { Write-Output "Failed to create user!" }
}
Else { Write-Output "User already exists." }

$Installed = (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object { $_.DisplayName -Match "Local Administrator Password Solution" })

If (-Not $Installed) {
    # -PassThru returns the msiexec process; its ExitCode is the real install result
    # (0 = success, 3010 = success but a reboot is required)
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList ('/qn', '/i', '"LAPS.x64.msi"') -Wait -PassThru

    if ($proc.ExitCode -eq 0 -or $proc.ExitCode -eq 3010)
        { Write-Output "LAPS client successfully installed." }
    else { Write-Output "Failed to install LAPS client! msiexec exit code: $($proc.ExitCode)" }
}
else {
    Write-Output "LAPS client already installed."
}
3 Likes
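The evaluation code above is a bare `Exit 1`, so the remediation runs on every device. As an added example (not part of the original worklet or its GitHub version), here is an evaluation script that only returns non-zero when something is actually missing: the LAPS client, the managed account, its Administrators membership, or the built-in Administrator still being enabled. It assumes PowerShell 5.1 or later for `Get-LocalGroupMember`, and `$username` is the same value used in the remediation.

```powershell
### Variables ###
$username = ""   # the managed local admin account created by the remediation
### Variables ###

function Test-LapsCompliance {
    param([string]$Name)
    $problems = @()

    # 1. LAPS client is registered in the uninstall registry (same check the remediation uses)
    $laps = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' |
        Where-Object { $_.DisplayName -match 'Local Administrator Password Solution' }
    if (-not $laps) { $problems += 'LAPS client not installed' }

    # 2. Managed local account exists and is enabled
    $user = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True AND Name='$Name'"
    if (-not $user) { $problems += "Account '$Name' missing" }
    elseif ($user.Disabled) { $problems += "Account '$Name' is disabled" }

    # 3. Account is in the local Administrators group, resolved by well-known SID so the
    #    check also works on systems where the group name is localized
    if ($user) {
        $members = Get-LocalGroupMember -SID 'S-1-5-32-544' |
            ForEach-Object { $_.Name.Split('\')[-1] }
        if ($members -notcontains $Name) { $problems += "Account '$Name' not in Administrators" }
    }

    # 4. Built-in Administrator (RID 500) is disabled, as the post asks you to enforce via GPO
    $builtin = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' }
    if ($builtin -and -not $builtin.Disabled) { $problems += 'Built-in Administrator is still enabled' }

    return $problems
}

$issues = @(Test-LapsCompliance -Name $username)
if ($issues.Count -eq 0) {
    Write-Output 'Compliant'
    Exit 0
}
$issues | ForEach-Object { Write-Output "Non-compliant: $_" }
Exit 1
```

Note that the script does not disable the built-in Administrator itself; it only reports it, leaving that change to the GPO (or to version 2 of the worklet).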

Version 2 on GitHub also disables the default administrator account.

1 Like

Hello, can you use this to send a local admin account and password to all Windows machines in a group? We are having LAPS issues right now over our VPN.

Thank you
Steve

Yes, you could use it for that with some tweaks; all worklets run at system level, so you could reset the password of a local account.


### Variables ###
$username = "" #### Enter username you want to change ###
$password = "" ### Enter password ###
### Variables ###

# Match local accounts only, so the reset is never attempted against a domain account of the same name
$User = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" | Where-Object { $_.Name -eq $username }

if ($User)
{
    # net user is a native executable: its result is in $LASTEXITCODE, not $?
    [void](net user $username $password)
    if ($LASTEXITCODE -eq 0)
        { Write-Output "Password successfully reset." }
    else { Write-Output "Failed to reset password!" }
}
Else { Write-Output "User does not exist." }
1 Like