Would it be possible to create a worklet that would target a group of machines that are not on the domain and inject a username and password for all of the machines. I would then want to run a second worklet that would disable the local admin account on all of these machines.
There is one workaround we’ve come up with for that, where you can do a wrapper to detect the currently logged in user, and then run the script as a scheduled task as that user.
What would the work around look like?
This worklet uses that workaround, for example code:
Hi Nic,
Thanks for the example. One question. What would you replace the URL with in order to use the command variable to run the powershell script I’m assuming?
The $command variable would contain your entire PowerShell script that the rest of the worklet creates. That gets put into the message.ps1 script that is saved and used in the scheduled task.
So it would look something like this:
$time = (Get-Date).AddSeconds(5)
$triggerAt = New-ScheduledTaskTrigger -At $time -Once
$currentusr = (Get-WmiObject -class win32_process -ComputerName ‘localhost’ | Where-Object name -Match explorer).getowner().user
$command = "$Password = ConvertTo-SecureString “6%CA$wW” -AsPlainText -Force
New-LocalUser “tempuser” -Password $Password -FullName “tempuser” -AccountNeverExpires
Add-LocalGroupMember -Group “Administrators” -Member “tempuser”
$NewPassword = ConvertTo-SecureString “6%CA$wW” -AsPlainText -Force
Set-LocalUser -Name Administrator -Password $NewPassword
Get-LocalUser Administrator | Disable-LocalUser
gpupdate /force "
New-Item -Path “c:\ProgramData\Amagent” -Name “message.ps1” -ItemType “file” -Value $command
$action = New-ScheduledTaskAction -Execute Powershell.exe -Argument “-windowstyle hidden c:\ProgramData\Amagent\message.ps1”
Register-ScheduledTask -TaskName “StartMsg” -Trigger $triggerAt -Action $action -User $currentusr
Start-Sleep 6
Unregister-ScheduledTask -TaskName “StartMsg” -Confirm:$false
Remove-Item -Path “c:\ProgramData\Amagent\message.ps1”
Yup, you got it! There’s sometimes some syntax and character escaping that has to happen when you’re building the command string, but as long as those are taken care of then you’re good to go.
One good troubleshooting tip to make sure your message.ps1 is correctly formed is to comment out the last line, where it says “Remove-Item”. Then, after running your remediation script through Automox, you can go to:
c:\programdata\amagent
which is where the scripts from Automox are run, and look at the contents of the message.ps1 file to make sure it got setup correctly.
So I ran the code as seen below:
$time = (Get-Date).AddSeconds(5)
$triggerAt = New-ScheduledTaskTrigger -At $time -Once
$currentusr = (Get-WmiObject -class win32_process -ComputerName ‘localhost’ | Where-Object name -Match explorer).getowner().user
$command = "$Password = ConvertTo-SecureString “$ilversurfer12” -AsPlainText -Force
New-LocalUser “tempuser” -Password $Password -FullName “tempuser” -AccountNeverExpires
Add-LocalGroupMember -Group “Administrators” -Member “tempuser”
$NewPassword = ConvertTo-SecureString “$ilversurfer13” -AsPlainText -Force
Set-LocalUser -Name Administrator -Password $NewPassword
Get-LocalUser Administrator | Disable-LocalUser
gpupdate /force
"
New-Item -Path “c:\ProgramData\Amagent” -Name “message.ps1” -ItemType “file” -Value $command
$action = New-ScheduledTaskAction -Execute Powershell.exe -Argument “-windowstyle hidden c:\ProgramData\Amagent\message.ps1”
Register-ScheduledTask -TaskName “StartMsg” -Trigger $triggerAt -Action $action -User $currentusr
Start-Sleep 6
Unregister-ScheduledTask -TaskName “StartMsg” -Confirm:$false
Remove-Item -Path “c:\ProgramData\Amagent\message.ps1”
and the activity log stated the following:
Directory: C:\ProgramData\Amagent

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/12/2020   3:39 PM              0 message.ps1
and still no change to the machine accounts.
Sounds like the message.ps1 file didn’t get created properly. Were you able to look at it after the run, if you remove the last line of the script?
When I check the message.ps1, there is nothing in it. I also got this message in the activity log:
At C:\ProgramData\amagent\execDir796250091\execcmd828687950.ps1:6 char:49
+ … assword = ConvertTo-SecureString “$ilversurfer12” -AsPlainText -Force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Unexpected token ‘$ilversurfer12" -AsPlainText -Force
New-LocalUser “tempuser” -Password $Password -FullName “tempuser” -AccountNeverExpires
Add-LocalGroupMember -Group “Administrators” -Member “tempuser”
$NewPassword = ConvertTo-SecureString “$ilversurfer13” -AsPlainText -Force
Set-LocalUser -Name Administrator -Password $NewPassword
Get-LocalUser Administrator | Disable-LocalUser
gpupdate /force
"’ in expression or statement.
At C:\ProgramData\amagent\execDir796250091\execcmd828687950.ps1:6 char:63
+ … assword = ConvertTo-SecureString “$ilversurfer12” -AsPlainText -Force
+ ~~~~~~~~~~~~~~~~~~~~~
Unexpected token ‘" -AsPlainText -Force
New-LocalUser "’ in expression or statement.
At C:\ProgramData\amagent\execDir796250091\execcmd828687950.ps1:7 char:16
+ … -LocalUser “tempuser” -Password $Password -FullName “tempuser” -Accou …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Unexpected token ‘tempuser" -Password $Password -FullName “tempuser” -AccountNeverExpires
Add-LocalGroupMember -Group “Administrators” -Member “tempuser”
$NewPassword = ConvertTo-SecureString “$ilversurfer13” -AsPlainText -Force
Set-LocalUser -Name Administrator -Password $NewPassword
Get-LocalUser Administrator | Disable-LocalUser
gpupdate /force
"’ in expression or statement.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnexpectedToken
COMMAND TIMED OUT.
You know what might be easier? Build your original script into the message.ps1 file manually, then attach it to the worklet, and reference it from your code. That way you don’t have to worry about the complexities of constructing the text file properly and you can just put the wrapper code to call the scheduled task in the actual worklet itself.
Hi @srheins, would you be willing to try this out? I just got it working from Automox in my test Env.
Evaluation:
# Exit 0 (compliant) only when the temp account exists AND the built-in Administrator is disabled.
$tempuser = (Get-WmiObject -Class Win32_UserAccount -Filter "Name = 'tempuser'").name
$defaultadmin = (Get-WmiObject -Class Win32_UserAccount -Filter "Name = 'administrator'").disabled
if ($tempuser -eq "tempuser" -and $defaultadmin -eq "True") {
    exit 0
} else {
    exit 1
}
Remediation:
$scriptblock = {
    $password = ConvertTo-SecureString "ilversurfer12" -AsPlainText -Force
    New-LocalUser -Name "tempuser" -Password $password -FullName "tempuser" -AccountNeverExpires
    Add-LocalGroupMember -Group "Administrators" -Member "tempuser"
    $newPassword = ConvertTo-SecureString "ilversurfer13" -AsPlainText -Force
    $userAccount = Get-LocalUser -Name "Administrator"
    Set-LocalUser -Name $userAccount.Name -Password $newPassword
    Disable-LocalUser -Name $userAccount.Name
}
# Run the block in 64-bit PowerShell via sysnative (the agent process is 32-bit, and the
# LocalAccounts cmdlets are only available to 64-bit PowerShell on 64-bit Windows).
# Assigning the call's result would capture its output, not its exit code; the child
# process's exit code is in $LASTEXITCODE.
& "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptblock
Exit $LASTEXITCODE
PLEASE NOTE!!!
I had to change a few quotes/double quotes as they had copied strangely, AND, it was not handling the ‘$’ character in the passwords. I removed them for now so you could try it and see it function. I am hoping someone can comment on that 🙂
I’ll give a try and let you know the results.
Hi David,
That worked. Thank you so much for your help I really appreciate it.
Glad it worked! Also, I asked the smart guys how to handle the “$” in a string. There are 2 ways.
- You can add a backtick (the one on the tilde key that I can't show without typing two of them here ``) before your $.
- If you are not inserting variables into a string, you can use single quotes rather than double quotes like this:
$password = ConvertTo-SecureString '$ilversurfer12' -AsPlainText -Force
Thank you @rich and @stew and @nick and @Tony (the smart guys)
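Putting Nic's scheduled-task wrapper together with David's single-quote advice, here is an added example (not code from the thread or from Automox) that builds message.ps1 from a single-quoted here-string, so the $ in the passwords and the inner quotes are written literally, then runs it as the logged-in user and checks the result before cleaning up. The password placeholders, the 20-second wait and the -RunLevel Highest setting are my assumptions; the Amagent path and task name are taken from the posts above.

```powershell
# Added example, not from the thread. Placeholders: <TEMPUSER-PASSWORD>, <ADMIN-PASSWORD>.
$scriptDir  = 'C:\ProgramData\Amagent'
$scriptPath = Join-Path $scriptDir 'message.ps1'
$taskName   = 'StartMsg'

# Single-quoted here-string (@' ... '@): nothing inside is interpolated, so "$ilversurfer12"
# style passwords and the inner quotes survive verbatim. The closing '@ must start its line.
$command = @'
$Password = ConvertTo-SecureString '<TEMPUSER-PASSWORD>' -AsPlainText -Force
New-LocalUser -Name 'tempuser' -Password $Password -FullName 'tempuser' -AccountNeverExpires
Add-LocalGroupMember -Group 'Administrators' -Member 'tempuser'
$NewPassword = ConvertTo-SecureString '<ADMIN-PASSWORD>' -AsPlainText -Force
Set-LocalUser -Name 'Administrator' -Password $NewPassword
Disable-LocalUser -Name 'Administrator'
'@

# Set-Content overwrites a stale copy; New-Item -ItemType file would fail if one exists.
Set-Content -Path $scriptPath -Value $command -Encoding ASCII

# The owner of explorer.exe is the interactively logged-in user (same idea as the wrapper above).
$currentUser = (Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'" |
    Select-Object -First 1 |
    Invoke-CimMethod -MethodName GetOwner).User
if (-not $currentUser) { Write-Error 'No interactive user logged in'; exit 1 }

# -RunLevel Highest (assumption): account cmdlets need the user's elevated token, so the
# logged-in user must be a local administrator for the task to succeed.
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$scriptPath`""
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddSeconds(5)
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -User $currentUser -RunLevel Highest | Out-Null
Start-Sleep -Seconds 20

# Verify before cleaning up, so the worklet's exit code reflects what actually happened.
$ok = (Get-LocalUser -Name 'tempuser' -ErrorAction SilentlyContinue) -and
      -not (Get-LocalUser -Name 'Administrator').Enabled
Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
Remove-Item -Path $scriptPath -Force
if ($ok) { exit 0 } else { exit 1 }
```

Comment out the Remove-Item line while troubleshooting, as Nic suggests above, and the message.ps1 left behind should show the $ characters intact.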
Thanks David,
I’ll experiment and see which works best for my environment.
Perfect thank you!