Deploy LAPS agent and create local administrator (Local Administrator Password Solution)

  • November 19, 2020
  • 4 replies
  • 510 views

Maikel
  • Channel Partner
  • 65 replies

I created this simple worklet to deploy the Local Administrator Password Solution client to machines and create the local administrative user we are going to use. Please disable the default local administrator account with a GPO.


The worklet is maintained on our GitHub page.


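Evaluation code

Exit 1

Remediation code

### Variables ###
$username = "" #### Enter username you want to create ###
$password = "" ### Enter initial password ###
### Variables ###

# Query local accounts only; without the filter a domain-joined machine also enumerates domain accounts
$User = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" | Where-Object { $_.Name -eq $username }

if (-Not $User) {
    # net.exe is a native command, so success is read from $LASTEXITCODE rather than $?
    net user /add $username $password | Out-Null
    $created = ($LASTEXITCODE -eq 0)
    if ($created) {
        net localgroup administrators $username /add | Out-Null
        $created = ($LASTEXITCODE -eq 0)
    }
    if ($created) { Write-Output "User successfully created." }
    else { Write-Output "Failed to create user!" }
}
else { Write-Output "User already exists." }

# Check the uninstall registry keys for an existing LAPS client
$Installed = (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object { $_.DisplayName -Match "Local Administrator Password Solution" })

if (-Not $Installed) {
    # -PassThru returns the process object so the msiexec exit code can be checked
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList ('/qn', '/i', '"LAPS.x64.msi"') -Wait -PassThru
    # 0 = success, 3010 = success with a reboot required
    if ($proc.ExitCode -eq 0 -or $proc.ExitCode -eq 3010) { Write-Output "LAPS client successfully installed." }
    else { Write-Output "Failed to install LAPS client!" }
}
else {
    Write-Output "LAPS client already installed."
}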

4 replies

Maikel
  • Author
  • Channel Partner
  • 65 replies
  • December 4, 2020

Version 2 on GitHub also disables the default administrator account.


  • Rookie
  • 1 reply
  • February 22, 2021

Hello, can you use this to send a local admin account and password to all Windows machines in a group? We are having LAPS issues right now over our VPN.

Thank you

Steve


Maikel
  • Author
  • Channel Partner
  • 65 replies
  • February 27, 2021

Yes, you could use it for that with some tweaks. All worklets run at system level, so you could reset the password of a local account.




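### Variables ###
$username = "" #### Enter username you want to change ###
$password = "" ### Enter password ###
### Variables ###

# Query local accounts only; without the filter a domain-joined machine also enumerates domain accounts
$User = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" | Where-Object { $_.Name -eq $username }

if ($User) {
    # net.exe is a native command, so success is read from $LASTEXITCODE rather than $?
    net user $username $password | Out-Null
    if ($LASTEXITCODE -eq 0) { Write-Output "Password successfully reset." }
    else { Write-Output "Failed to reset password!" }
}
else { Write-Output "User does not exist." }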


TJ_Coppola
  • Pro
  • 32 replies
  • August 22, 2024

So that you’re not storing a password in code, consider the following for creating a secure random initial password. 

 

$scriptblock = {
    # Function to generate random passwords
    function New-RandomPassword {
        param(
            [Parameter()]
            [int]$MinimumPasswordLength = 18,
            [Parameter()]
            [int]$MaximumPasswordLength = 29,
            [Parameter()]
            [int]$NumberOfAlphaNumericCharacters = 9,
            [Parameter()]
            [switch]$ConvertToSecureString
        )
        # System.Web ships with .NET Framework, so this needs Windows PowerShell
        Add-Type -AssemblyName 'System.Web'
        # Get-Random treats -Maximum as exclusive
        $length = Get-Random -Minimum $MinimumPasswordLength -Maximum $MaximumPasswordLength
        # Despite the parameter name, the second argument of GeneratePassword is the
        # minimum number of non-alphanumeric characters
        $password = [System.Web.Security.Membership]::GeneratePassword($length, $NumberOfAlphaNumericCharacters)
        if ($ConvertToSecureString.IsPresent) {
            ConvertTo-SecureString -String $password -AsPlainText -Force
        } else {
            $password
        }
    }

    # Generate random password
    $pw = ConvertTo-SecureString "$(New-RandomPassword)" -AsPlainText -Force
}

# Run scriptblock in 64-bit PowerShell
# (the sysnative alias is only visible to a 32-bit process on 64-bit Windows)
$64bit = & "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptblock
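
The following is an added example, not code from any post in this thread. It combines the worklet's account creation with the random-password suggestion, so the password is neither stored in the script nor passed on a `net user` command line. Assumptions: it runs as SYSTEM in 64-bit Windows PowerShell 5.1 (where the LocalAccounts cmdlets are available), `lapsadmin` is a placeholder account name, the alphabet is chosen for illustration, and LAPS policy is configured to manage this account and rotate the password afterwards.

```powershell
# Added example. Assumes 64-bit Windows PowerShell 5.1 running as SYSTEM.
# 'lapsadmin' is a placeholder account name, not a value from the thread.
$username = 'lapsadmin'

function New-RandomSecurePassword {
    param([ValidateRange(16, 127)][int]$Length = 24)
    # Alphabet is an assumption for this example: no quotes, spaces or look-alike characters.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#%*+-=?@_'
    # Bytes at or above $limit are discarded so every character is equally likely.
    $limit = 256 - (256 % $alphabet.Length)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $secure = New-Object System.Security.SecureString
    $byte = New-Object byte[] 1
    try {
        while ($secure.Length -lt $Length) {
            $rng.GetBytes($byte)
            if ($byte[0] -lt $limit) {
                # Append straight into the SecureString; no plaintext string is built.
                $secure.AppendChar($alphabet[$byte[0] % $alphabet.Length])
            }
        }
    } finally {
        $rng.Dispose()
    }
    return $secure
}

if (Get-LocalUser -Name $username -ErrorAction SilentlyContinue) {
    Write-Output "User already exists."
} else {
    try {
        # The password goes to the API as a SecureString, not onto a net.exe command line.
        New-LocalUser -Name $username -Password (New-RandomSecurePassword) `
            -Description 'Local admin managed by LAPS' -ErrorAction Stop | Out-Null
        # S-1-5-32-544 is the well-known SID of the built-in Administrators group;
        # using it avoids depending on the group's localized name.
        Add-LocalGroupMember -SID 'S-1-5-32-544' -Member $username -ErrorAction Stop
        Write-Output "User successfully created."
    } catch {
        Write-Output "Failed to create user! $($_.Exception.Message)"
    }
}
```

If the local password policy rejects a generated password, `New-LocalUser` throws and the catch branch reports the reason.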

 

