
I’m attempting to script a LAPS installation which requires the creation of a local account. When I test the powershell script on my local machine everything works great. When I tried to run it through Automox I get an error.

Get-LocalGroupMember : The term 'Get-LocalGroupMember' is not recognized as 
the name of a cmdlet, function, script file, or operable program. Check the
spelling of the name, or if a path was included, verify that the path is
correct and try again.
At C:\ProgramData\amagent\execDir691746467\execcmd943937958.ps1:3 char:15
+ $isingorup = (Get-LocalGroupMember $group).Name -Contains $user
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-LocalGroupMember:String) []
, CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

New-LocalUser : The term 'New-LocalUser' is not recognized as the name of a
cmdlet, function, script file, or operable program. Check the spelling of the
name, or if a path was included, verify that the path is correct and try again.
At C:\ProgramData\amagent\execDir691746467\execcmd943937958.ps1:6 char:1
+ New-LocalUser "CTPAdmin" -Password $password -Description "Local Admi ...
+ ~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (New-LocalUser:String) [], Comma
ndNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

Add-LocalGroupMember : The term 'Add-LocalGroupMember' is not recognized as
the name of a cmdlet, function, script file, or operable program. Check the
spelling of the name, or if a path was included, verify that the path is
correct and try again.
At C:\ProgramData\amagent\execDir691746467\execcmd943937958.ps1:7 char:1
+ Add-LocalGroupMember -Group $group -Member "CTPAdmin"
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Add-LocalGroupMember:String) []
, CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException


COMMAND TIMED OUT.

When looking up the possible cause of this error I found that the Microsoft.Powershell.LocalAccounts module is only available with powershell x64. 

Does Automox use x86 powershell and if so is a x64 powershell available?

Sure does. There is a way to execute 64-bit PowerShell. To do that, check out https://support.automox.com/help/enforce-windows-registry-settings-worklet just under the “64-Bit Registry Workaround” section or see the 64-bit example below.

 

Before that, the net commands still work for x86 powershell

net user ITAdmin $password /ADD /Y

net localgroup Administrators ITAdmin /ADD

 

Here is a 64-bit example

$scriptblock = {

############# EDIT HERE ############
$account = "ITAdmin"
$description = "IT local admin account"
####################################

# Function to generate Random Passwords
function New-RandomPassword {
    param(
        [Parameter()]
        [int]$MinimumPasswordLength = 18,
        [Parameter()]
        [int]$MaximumPasswordLength = 29,
        [Parameter()]
        [int]$NumberOfAlphaNumericCharacters = 9,
        [Parameter()]
        [switch]$ConvertToSecureString
    )
    Add-Type -AssemblyName 'System.Web'
    $length = Get-Random -Minimum $MinimumPasswordLength -Maximum $MaximumPasswordLength
    $password = [System.Web.Security.Membership]::GeneratePassword($length,$NumberOfAlphaNumericCharacters)
    if ($ConvertToSecureString.IsPresent) {
        ConvertTo-SecureString -String $password -AsPlainText -Force
    } else {
        $password
    }
}

# Generate random password
$pw = ConvertTo-SecureString "$(New-RandomPassword)" -AsPlainText -Force

# Create User Account and Add to Administrator Group
New-LocalUser $account -Password $pw -FullName $account -Description $description -verbose
Add-LocalGroupMember -Group Administrators -Member $account -verbose

# Validate Account was created
$ac = Get-LocalUser $account
IF($ac){
$grp = Get-LocalGroupMember Administrators
IF($grp){
# Account exists and is a local admin
return 0
}else{
# Account exists but is not a local admin
return 2
}
}else{
# Account doesn't exist return 1
return 1
}
}

# Run scriptblock in 64-bit powershell
$64bit = & "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptblock

$out = switch ($64bit)
{
0 {"Successfully created $account and added to local admin group"}
1 {"Failed to create $account"}
2 {"Successfully created $account and failed to add to local admin group"}
Default {"$64bit"}
}

Write-Output $out
Exit $64bit

 

 

shameless plug... you should also check out

 


Thank you so much! This is perfect. 


Wouldn’t the following line require more specificity if it’s to validate that the account is within the admin group? It looks like it only checks if there are any administrators at all.

$grp = Get-LocalGroupMember Administrators

Does this change improve the effectiveness?

$grp = Get-LocalGroupMember Administrators | Where-Object {$_.name -like "*$Account*"}
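
An added example, not part of any post in this thread and not Automox code: it relaunches itself in 64-bit PowerShell when started from a 32-bit host, then validates membership by exact SID and returns the same 0/1/2 codes used above. The function name `Test-LocalAdminMember` is hypothetical, and the script is assumed to run from a .ps1 file so that `$PSCommandPath` is set.

```powershell
# Added example (not from the thread). 'ITAdmin' is the account name used above.
$account = 'ITAdmin'

# A 32-bit host on 64-bit Windows lacks the LocalAccounts cmdlets, so rerun this
# same script file in 64-bit PowerShell through the sysnative alias.
# Assumes the script runs from a .ps1 file, so $PSCommandPath is set.
if (-not [Environment]::Is64BitProcess -and [Environment]::Is64BitOperatingSystem) {
    $ps64 = Join-Path $env:SystemRoot 'sysnative\WindowsPowerShell\v1.0\powershell.exe'
    & $ps64 -NoProfile -NonInteractive -ExecutionPolicy Bypass -File $PSCommandPath
    exit $LASTEXITCODE
}

# Hypothetical helper. Returns the thread's codes: 0 = exists and is a local admin,
# 1 = account missing, 2 = exists but is not a local admin.
function Test-LocalAdminMember {
    param([Parameter(Mandatory = $true)][string]$Name)

    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if (-not $user) { return 1 }

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators; using it
    # avoids depending on the group's localized display name.
    $memberSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
        ForEach-Object { $_.SID.Value })

    # Exact SID match. Member names come back as COMPUTER\name, and a wildcard
    # such as "*ITAdmin*" would also match an account like ITAdmin2 or a domain ITAdmin.
    if ($memberSids -contains $user.SID.Value) { return 0 }
    return 2
}

$code = Test-LocalAdminMember -Name $account
Write-Output "Validation of ${account}: code $code"
exit $code
```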

 

