
Create Local User Account & Password (Non Domain Joined Machines)



42 replies

Nic-Automox
  • Former Automox Employee
  • 832 replies
  • August 12, 2020

There is one workaround we’ve come up with for that, where you can do a wrapper to detect the currently logged in user, and then run the script as a scheduled task as that user.


  • Author
  • Pro
  • 49 replies
  • August 12, 2020

What would the workaround look like?


Nic-Automox
  • Former Automox Employee
  • 832 replies
  • August 12, 2020

This worklet uses that workaround, for example code:



  • Author
  • Pro
  • 49 replies
  • August 12, 2020

Hi Nic,


Thanks for the example. One question. What would you replace the URL with in order to use the command variable to run the powershell script I’m assuming?




Nic-Automox
  • Former Automox Employee
  • 832 replies
  • August 12, 2020

The $command variable would contain your entire powershell script that the rest of the worklet creates. That gets put into the message.ps1 script that is saved and used in the scheduled task.


  • Author
  • Pro
  • 49 replies
  • August 12, 2020

So it would look something like this:


$time = (Get-Date).AddSeconds(5)


$triggerAt = New-ScheduledTaskTrigger -At $time -Once


$currentusr = (Get-WmiObject -class win32_process -ComputerName ‘localhost’ | Where-Object name -Match explorer).getowner().user


$command = "$Password = ConvertTo-SecureString “6%CA$wW” -AsPlainText -Force


New-LocalUser “tempuser” -Password $Password -FullName “tempuser” -AccountNeverExpires


Add-LocalGroupMember -Group “Administrators” -Member “tempuser”


$NewPassword = ConvertTo-SecureString “6%CA$wW” -AsPlainText -Force


Set-LocalUser -Name Administrator -Password $NewPassword


Get-LocalUser Administrator | Disable-LocalUser


gpupdate /force "


New-Item -Path “c:\ProgramData\Amagent” -Name “message.ps1” -ItemType “file” -Value $command


$action = New-ScheduledTaskAction -Execute Powershell.exe -Argument “-windowstyle hidden c:\ProgramData\Amagent\message.ps1”


Register-ScheduledTask -TaskName “StartMsg” -Trigger $triggerAt -Action $action -User $currentusr


Start-Sleep 6


Unregister-ScheduledTask -TaskName “StartMsg” -Confirm:$false


Remove-Item -Path “c:\ProgramData\Amagent\message.ps1”




Nic-Automox
  • Former Automox Employee
  • 832 replies
  • August 12, 2020

Yup, you got it! There’s sometimes some syntax and character escaping that has to happen when you’re building the command string, but as long as those are taken care of then you’re good to go.


One good troubleshooting tip to make sure your message.ps1 is correctly formed is to comment out the last line, where it says “Remove-Item”. Then, after running your remediation script through Automox, you can go to:

c:\programdata\amagent

which is where the scripts from Automox are run, and look at the contents of the message.ps1 file to make sure it got set up correctly.


  • Author
  • Pro
  • 49 replies
  • August 12, 2020

So I ran the code as seen below:


$time = (Get-Date).AddSeconds(5)

$triggerAt = New-ScheduledTaskTrigger -At $time -Once

$currentusr = (Get-WmiObject -class win32_process -ComputerName ‘localhost’ | Where-Object name -Match explorer).getowner().user


$command = "$Password = ConvertTo-SecureString “$ilversurfer12” -AsPlainText -Force

New-LocalUser “tempuser” -Password $Password -FullName “tempuser” -AccountNeverExpires

Add-LocalGroupMember -Group “Administrators” -Member “tempuser”

$NewPassword = ConvertTo-SecureString “$ilversurfer13” -AsPlainText -Force

Set-LocalUser -Name Administrator -Password $NewPassword

Get-LocalUser Administrator | Disable-LocalUser

gpupdate /force

"


New-Item -Path “c:\ProgramData\Amagent” -Name “message.ps1” -ItemType “file” -Value $command


$action = New-ScheduledTaskAction -Execute Powershell.exe -Argument “-windowstyle hidden c:\ProgramData\Amagent\message.ps1”


Register-ScheduledTask -TaskName “StartMsg” -Trigger $triggerAt -Action $action -User $currentusr

Start-Sleep 6

Unregister-ScheduledTask -TaskName “StartMsg” -Confirm:$false


Remove-Item -Path “c:\ProgramData\Amagent\message.ps1”


and the activity log stated the following:

    Directory: C:\ProgramData\Amagent

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/12/2020   3:39 PM              0 message.ps1


and still no change to the machine accounts.


Nic-Automox
  • Former Automox Employee
  • 832 replies
  • August 12, 2020

Sounds like the message.ps1 file didn’t get created properly. Were you able to look at it after the run, if you remove the last line of the script?


  • Author
  • Pro
  • 49 replies
  • August 12, 2020

When I check the message.ps1, there is nothing in it. I also got this message in the activity log:


At C:\ProgramData\amagent\execDir796250091\execcmd828687950.ps1:6 char:49
+ … assword = ConvertTo-SecureString “$ilversurfer12” -AsPlainText -Force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Unexpected token ‘$ilversurfer12" -AsPlainText -Force New-LocalUser “tempuser” -Password $Password -FullName “tempuser” -AccountNeverExpires Add-LocalGroupMember -Group “Administrators” -Member “tempuser” $NewPassword = ConvertTo-SecureString “$ilversurfer13” -AsPlainText -Force Set-LocalUser -Name Administrator -Password $NewPassword Get-LocalUser Administrator | Disable-LocalUser gpupdate /force "’ in expression or statement.

At C:\ProgramData\amagent\execDir796250091\execcmd828687950.ps1:6 char:63
+ … assword = ConvertTo-SecureString “$ilversurfer12” -AsPlainText -Force
+ ~~~~~~~~~~~~~~~~~~~~~
Unexpected token ‘" -AsPlainText -Force New-LocalUser "’ in expression or statement.

At C:\ProgramData\amagent\execDir796250091\execcmd828687950.ps1:7 char:16
+ … -LocalUser “tempuser” -Password $Password -FullName “tempuser” -Accou …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Unexpected token ‘tempuser" -Password $Password -FullName “tempuser” -AccountNeverExpires Add-LocalGroupMember -Group “Administrators” -Member “tempuser” $NewPassword = ConvertTo-SecureString “$ilversurfer13” -AsPlainText -Force Set-LocalUser -Name Administrator -Password $NewPassword Get-LocalUser Administrator | Disable-LocalUser gpupdate /force "’ in expression or statement.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnexpectedToken

COMMAND TIMED OUT.


Nic-Automox
  • Former Automox Employee
  • 832 replies
  • August 12, 2020

You know what might be easier? Build your original script into the message.ps1 file manually, then attach it to the worklet, and reference it from your code. That way you don’t have to worry about the complexities of constructing the text file properly and you can just put the wrapper code to call the scheduled task in the actual worklet itself.


  • Former Automox Employee
  • 69 replies
  • August 14, 2020

Hi @srheins, would you be willing to try this out? I just got it working from Automox in my test Env.


Evaluation:


$tempuser= (Get-WmiObject -Class Win32_UserAccount -Filter "Name = 'tempuser'").name

$defaultadmin = (Get-WmiObject -Class Win32_UserAccount -Filter "Name = 'administrator'").disabled

if ($tempuser -eq "tempuser" -and $defaultadmin -eq "True")  {

    exit 0

 } else 

 {

    exit 1

 }


Remediation:


$scriptblock = {

    $password = ConvertTo-SecureString "ilversurfer12" -AsPlainText -Force

    New-LocalUser -Name "tempuser" -Password $password -FullName "tempuser" -AccountNeverExpires

    Add-LocalGroupMember -Group "Administrators" -Member "tempuser"

    $newPassword = ConvertTo-SecureString "ilversurfer13" -AsPlainText -Force

    $userAccount = Get-LocalUser -Name "Administrator"

    Set-LocalUser -Name $userAccount -Password $newPassword

    Disable-LocalUser -Name $userAccount

	}

$exitCode = & "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptblock

Exit $exitCode


PLEASE NOTE!!!

I had to change a few quotes/double quotes as they had copied strangely, AND, it was not handling the ‘$’ character in the passwords. I removed them for now so you could try it and see it function. I am hoping someone can comment on that 🙂


  • Author
  • Pro
  • 49 replies
  • August 14, 2020

I’ll give it a try and let you know the results.


  • Author
  • Pro
  • 49 replies
  • August 14, 2020

Hi David,


That worked. Thank you so much for your help, I really appreciate it.




  • Former Automox Employee
  • 69 replies
  • August 14, 2020

Glad it worked! Also, I asked the smart guys how to handle the “$” in a string. There are 2 ways.



  1. You can add a backtick (the one on the tilde key that I can’t show without typing two of them here ``) before your $.

  2. If you are not inserting variables into a string, you can use single quotes rather than double quotes like this:


$password = ConvertTo-SecureString '$ilversurfer12' -AsPlainText -Force


Thank you @rich and @stew and @nick and @Tony (the smart guys)
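
The two ways of handling "$" described above, together with the case of building a whole script body as text for message.ps1, shown as an added example that is not part of the original posts. The variable names, the placeholder value and the Get-ScriptParseError helper are assumptions made for illustration; the generated text is only parsed, never run.

```powershell
# Added example. All values are constructed placeholders, not taken from the thread.
$ampleValue12 = $null   # an undefined or empty variable expands to an empty string
$password     = $null

# Double quotes: PowerShell reads $ampleValue12 as a variable and expands it.
$expanded = "$ampleValue12"
# Single quotes: the text is kept literally, dollar sign included.
$literal  = '$ampleValue12'
# Backtick before the dollar sign: kept literally inside double quotes.
$escaped  = "`$ampleValue12"

# A double-quoted here-string expands variables in the script body it builds...
$expandedBody = @"
$password = ConvertTo-SecureString '$ampleValue12' -AsPlainText -Force
"@
# ...while a single-quoted here-string keeps the body exactly as typed.
$literalBody = @'
$password = ConvertTo-SecureString '$ampleValue12' -AsPlainText -Force
'@

# Hypothetical helper: parse generated script text without running it
# and return any syntax errors the PowerShell parser reports.
function Get-ScriptParseError {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Text)
    $tokens = $null
    $errors = $null
    [void][System.Management.Automation.Language.Parser]::ParseInput($Text, [ref]$tokens, [ref]$errors)
    return $errors
}

@(
    [pscustomobject]@{ Form = 'double quotes'; Value = $expanded; KeptDollar = $expanded.Contains('$') }
    [pscustomobject]@{ Form = 'single quotes'; Value = $literal;  KeptDollar = $literal.Contains('$') }
    [pscustomobject]@{ Form = 'backtick';      Value = $escaped;  KeptDollar = $escaped.Contains('$') }
) | Format-Table -AutoSize

# Compare what each here-string would put into the generated file.
$expandedBody, $literalBody | ForEach-Object {
    [pscustomobject]@{
        KeptVariableName = $_.Contains('$password')
        ParseErrors      = @(Get-ScriptParseError -Text $_).Count
        Text             = $_
    }
} | Format-List
```

Running the same parse check over the text assigned to $command before it is written to message.ps1 shows whether the file will be well formed without having to leave it on disk for inspection.
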


  • Author
  • Pro
  • 49 replies
  • August 15, 2020

Thanks David,


I’ll experiment and see which works best for my environment.




  • Rookie
  • 3 replies
  • February 26, 2021

Perfect, thank you!

