
Would it be possible to create a worklet that would target a group of machines that are not on the domain and inject a username and password for all of the machines. I would then want to run a second worklet that would disable the local admin account on all of these machines.

There is one workaround we’ve come up with for that, where you can do a wrapper to detect the currently logged in user, and then run the script as a scheduled task as that user.


What would the workaround look like?


This worklet uses that workaround, for example code:





Hi Nic,



Thanks for the example. One question. What would you replace the URL with in order to use the command variable to run the powershell script I’m assuming?





The $command variable would contain your entire PowerShell script that the rest of the worklet creates. That gets put into the message.ps1 script that is saved and used in the scheduled task.


So it would look something like this:



$time = (Get-Date).AddSeconds(5)



$triggerAt = New-ScheduledTaskTrigger -At $time -Once



$currentusr = (Get-WmiObject -class win32_process -ComputerName ‘localhost’ | Where-Object name -Match explorer).getowner().user



$command = "$Password = ConvertTo-SecureString “6%CA$wW” -AsPlainText -Force



New-LocalUser “tempuser” -Password $Password -FullName “tempuser” -AccountNeverExpires



Add-LocalGroupMember -Group “Administrators” -Member “tempuser”



$NewPassword = ConvertTo-SecureString “6%CA$wW” -AsPlainText -Force



Set-LocalUser -Name Administrator -Password $NewPassword



Get-LocalUser Administrator | Disable-LocalUser



gpupdate /force "



New-Item -Path “c:\ProgramData\Amagent” -Name “message.ps1” -ItemType “file” -Value $command



$action = New-ScheduledTaskAction -Execute Powershell.exe -Argument “-windowstyle hidden c:\ProgramData\Amagent\message.ps1”



Register-ScheduledTask -TaskName “StartMsg” -Trigger $triggerAt -Action $action -User $currentusr



Start-Sleep 6



Unregister-ScheduledTask -TaskName “StartMsg” -Confirm:$false



Remove-Item -Path “c:\ProgramData\Amagent\message.ps1”





Yup, you got it! There’s sometimes some syntax and character escaping that has to happen when you’re building the command string, but as long as those are taken care of then you’re good to go.



One good troubleshooting tip to make sure your message.ps1 is correctly formed is to comment out the last line, where it says “Remove-Item”. Then, after running your remediation script through Automox, you can go to:


c:\programdata\amagent


which is where the scripts from Automox are run, and look at the contents of the message.ps1 file to make sure it got set up correctly.


So I ran the code as seen below:



$time = (Get-Date).AddSeconds(5)


$triggerAt = New-ScheduledTaskTrigger -At $time -Once


$currentusr = (Get-WmiObject -class win32_process -ComputerName ‘localhost’ | Where-Object name -Match explorer).getowner().user



$command = "$Password = ConvertTo-SecureString “$ilversurfer12” -AsPlainText -Force


New-LocalUser “tempuser” -Password $Password -FullName “tempuser” -AccountNeverExpires


Add-LocalGroupMember -Group “Administrators” -Member “tempuser”


$NewPassword = ConvertTo-SecureString “$ilversurfer13” -AsPlainText -Force


Set-LocalUser -Name Administrator -Password $NewPassword


Get-LocalUser Administrator | Disable-LocalUser


gpupdate /force


"



New-Item -Path “c:\ProgramData\Amagent” -Name “message.ps1” -ItemType “file” -Value $command



$action = New-ScheduledTaskAction -Execute Powershell.exe -Argument “-windowstyle hidden c:\ProgramData\Amagent\message.ps1”



Register-ScheduledTask -TaskName “StartMsg” -Trigger $triggerAt -Action $action -User $currentusr


Start-Sleep 6


Unregister-ScheduledTask -TaskName “StartMsg” -Confirm:$false



Remove-Item -Path “c:\ProgramData\Amagent\message.ps1”



and the activity log stated the following:


    Directory: C:\ProgramData\Amagent

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/12/2020   3:39 PM              0 message.ps1



and still no change to the machine accounts.


Sounds like the message.ps1 file didn’t get created properly. Were you able to look at it after the run, if you remove the last line of the script?


When I check the message.ps1, there is nothing in it. I also got this message in the activity log:



At C:\ProgramData\amagent\execDir796250091\execcmd828687950.ps1:6 char:49
+ … assword = ConvertTo-SecureString “$ilversurfer12” -AsPlainText -Force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Unexpected token ‘$ilversurfer12" -AsPlainText -Force New-LocalUser “tempuser” -Password $Password -FullName “tempuser” -AccountNeverExpires Add-LocalGroupMember -Group “Administrators” -Member “tempuser” $NewPassword = ConvertTo-SecureString “$ilversurfer13” -AsPlainText -Force Set-LocalUser -Name Administrator -Password $NewPassword Get-LocalUser Administrator | Disable-LocalUser gpupdate /force "’ in expression or statement.
At C:\ProgramData\amagent\execDir796250091\execcmd828687950.ps1:6 char:63
+ … assword = ConvertTo-SecureString “$ilversurfer12” -AsPlainText -Force
+ ~~~~~~~~~~~~~~~~~~~~~
Unexpected token ‘" -AsPlainText -Force New-LocalUser "’ in expression or statement.
At C:\ProgramData\amagent\execDir796250091\execcmd828687950.ps1:7 char:16
+ … -LocalUser “tempuser” -Password $Password -FullName “tempuser” -Accou …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Unexpected token ‘tempuser" -Password $Password -FullName “tempuser” -AccountNeverExpires Add-LocalGroupMember -Group “Administrators” -Member “tempuser” $NewPassword = ConvertTo-SecureString “$ilversurfer13” -AsPlainText -Force Set-LocalUser -Name Administrator -Password $NewPassword Get-LocalUser Administrator | Disable-LocalUser gpupdate /force "’ in expression or statement.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnexpectedToken
COMMAND TIMED OUT.


You know what might be easier? Build your original script into the message.ps1 file manually, then attach it to the worklet, and reference it from your code. That way you don’t have to worry about the complexities of constructing the text file properly and you can just put the wrapper code to call the scheduled task in the actual worklet itself.


Hi @srheins, would you be willing to try this out? I just got it working from Automox in my test Env.



Evaluation:



$tempuser= (Get-WmiObject -Class Win32_UserAccount -Filter "Name = 'tempuser'").name

$defaultadmin = (Get-WmiObject -Class Win32_UserAccount -Filter "Name = 'administrator'").disabled

if ($tempuser -eq "tempuser" -and $defaultadmin -eq "True") {

exit 0

} else

{

exit 1

}



Remediation:



$scriptblock = {

$password = ConvertTo-SecureString "ilversurfer12" -AsPlainText -Force

New-LocalUser -Name "tempuser" -Password $password -FullName "tempuser" -AccountNeverExpires

Add-LocalGroupMember -Group "Administrators" -Member "tempuser"

$newPassword = ConvertTo-SecureString "ilversurfer13" -AsPlainText -Force

$userAccount = Get-LocalUser -Name "Administrator"

Set-LocalUser -Name $userAccount -Password $newPassword

Disable-LocalUser -Name $userAccount

}

& "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptblock

# Return the child PowerShell process's exit code rather than its captured output
Exit $LASTEXITCODE



PLEASE NOTE!!!


I had to change a few quotes/double quotes as they had copied strangely, AND, it was not handling the ‘$’ character in the passwords. I removed them for now so you could try it and see it function. I am hoping someone can comment on that 🙂


I’ll give it a try and let you know the results.





Hi David,



That worked. Thank you so much for your help, I really appreciate it.





Glad it worked! Also, I asked the smart guys how to handle the “$” in a string. There are 2 ways.





  1. You can add a backtick (the one on the tilde key that I can’t show without typing two of them here ``) before your $.


  2. If you are not inserting variables into a string, you can use single quotes rather than double quotes like this:




$password = ConvertTo-SecureString '$ilversurfer12' -AsPlainText -Force



Thank you @rich and @stew and @nick and @Tony (the smart guys)
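
As an added example (not code from the thread or from Automox), the PowerShell below compares the two quoting fixes described above, then builds the message.ps1 text with a single-quoted here-string and parses the generated file without running it. The password is the thread's sample value; the file name message-test.ps1 and the temp path are assumptions.

```powershell
# Added example. Paths and file names are hypothetical; the password is the thread's sample value.

# 1. How the three quoting styles treat a '$' inside a password string
$expanded = "$ilversurfer12"     # double quotes: read as a variable, empty if it is not defined
$escaped  = "`$ilversurfer12"    # backtick before $ keeps it literal inside double quotes
$literal  = '$ilversurfer12'     # single quotes: no expansion at all

Write-Output ("double quoted  : '{0}'" -f $expanded)
Write-Output ("backtick       : '{0}'" -f $escaped)
Write-Output ("single quoted  : '{0}'" -f $literal)

# 2. Build the generated script with a single-quoted here-string.
#    Nothing inside @' ... '@ is expanded, so $Password and the '$' in the
#    password reach the file as written, and inner quotes need no escaping.
$command = @'
$Password = ConvertTo-SecureString '$ilversurfer12' -AsPlainText -Force
Write-Output "SecureString length: $($Password.Length)"
'@

$path = Join-Path $env:TEMP 'message-test.ps1'   # hypothetical test location
Set-Content -Path $path -Value $command -Encoding UTF8

# 3. Parse the generated file without executing it, so a malformed script is
#    caught before a scheduled task is registered for it.
$tokens = $null
$errors = $null
[void][System.Management.Automation.Language.Parser]::ParseFile($path, [ref]$tokens, [ref]$errors)

if ($errors.Count -gt 0) {
    $errors | ForEach-Object { Write-Output ("parse error: {0}" -f $_.Message) }
    Remove-Item -Path $path
    exit 1
}

# 4. Confirm the literal password text survived the round trip to disk
$onDisk = Get-Content -Path $path -Raw
if ($onDisk -notmatch [regex]::Escape('$ilversurfer12')) {
    Write-Output 'password literal was altered while building the file'
    Remove-Item -Path $path
    exit 1
}

Write-Output 'generated script parses cleanly and keeps the literal $'
Remove-Item -Path $path
exit 0
```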


Thanks David,



I’ll experiment and see which works best for my environment.





Perfect thank you!

