question

0 Votes
PerserPolis-1732 asked AlexZhu-MSFT edited

Create a local user admin account on each computer in domain based on the name of domain user account

Hi,

I want to create a local admin user account on each domain client computer, based on the name of the domain user account, as per the requirements given below:

1) Set the password for "localuser" to "password"
2) Make "user" a member of the local Administrators group
3) The user must change the password at next logon

For example:

I have a domain user account called "mbiden"; after creation the local user account should be called "mbidenAdmin".

This is my PowerShell script with computername + "Admin". It creates a local admin user named Computername+"Admin", but I want to create the local admin based on the domain user account name:

$a=$env:computername+"Admin"
New-LocalUser -AccountNeverExpires:$true -Password ( ConvertTo-SecureString -AsPlainText -Force 'password') -Name $a -FullName "Local Administrator" -Description "Local Administrator" | Add-LocalGroupMember -Group administrators

Can anybody help me?

Regards

Tags: windows-server, windows-server-powershell, windows-active-directory, mem-cm-application
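As an added example that is not part of the original question or any of the answers: a script that implements the three requirements above for a domain account name passed in as a parameter. It differs from the script in the question in three ways a practitioner would want: the initial password is generated from a CSPRNG instead of being hard-coded, the Administrators group is resolved by its well-known SID (the name differs per Windows language), and "user must change password at next logon" is set through the WinNT ADSI provider, because New-LocalUser has no switch for it. The parameter name $DomainUser, the helper New-RandomPassword and the 15-character name limit are my assumptions.

```powershell
# Added example, not from the original thread. Creates "<DomainUser>Admin" as a
# local administrator whose password must be changed at next logon.
# Assumptions: runs elevated (SCCM runs scripts as SYSTEM, which is enough);
# $DomainUser is the sAMAccountName the local name is derived from.
param(
    [Parameter(Mandatory = $true)]
    # keep "<name>Admin" under the 20-character local account name limit
    [ValidatePattern('^[A-Za-z0-9._-]{1,15}$')]
    [string]$DomainUser
)

$localName = "${DomainUser}Admin"

# Random initial password from a CSPRNG; rejection sampling avoids modulo bias.
function New-RandomPassword {
    param([int]$Length = 20)
    $alphabet = [char[]]('ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%-_=+')
    $limit    = 256 - (256 % $alphabet.Length)
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $out      = New-Object System.Text.StringBuilder
    $buf      = New-Object byte[] 1
    while ($out.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$out.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $rng.Dispose()
    return $out.ToString()
}

# Regenerate until the default complexity policy (3 of 4 classes) is satisfied.
do {
    $plain = New-RandomPassword
} until ($plain -cmatch '[A-Z]' -and $plain -cmatch '[a-z]' -and $plain -match '\d' -and $plain -match '[^A-Za-z0-9]')
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

# Requirement 1, idempotently: a re-run of the deployment must not fail on an
# account that already exists.
$user = Get-LocalUser -Name $localName -ErrorAction SilentlyContinue
if ($null -eq $user) {
    $user = New-LocalUser -Name $localName -Password $secure `
        -FullName "Local Administrator ($DomainUser)" `
        -Description "Local admin account derived from $DomainUser" `
        -AccountNeverExpires
} else {
    Set-LocalUser -Name $localName -Password $secure
}

# Requirement 2: Administrators located by well-known SID, not display name.
$adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'
$isMember = Get-LocalGroupMember -Group $adminGroup -Member $localName -ErrorAction SilentlyContinue
if (-not $isMember) {
    Add-LocalGroupMember -Group $adminGroup -Member $user
}

# Requirement 3: force a password change at next logon via the WinNT provider.
$adsiUser = [ADSI]"WinNT://$env:COMPUTERNAME/$localName,user"
$adsiUser.PasswordExpired = 1
$adsiUser.SetInfo()

# The initial password has to reach the user out of band. Emit it as an object
# so the caller decides where it goes; SCCM captures stdout in its logs, so do
# not simply Write-Output it from a packaged deployment.
[pscustomobject]@{ Name = $localName; InitialPassword = $plain }
```

Run it as `.\New-DerivedLocalAdmin.ps1 -DomainUser mbiden` to get "mbidenAdmin". Because the SID lookup and the existence checks make the script idempotent, it can be deployed with a recurring schedule without producing errors on machines where the account is already present.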

1 Vote
AndreasBaumgarten answered

Hi @PerserPolis-1732 ,

If you are logged in with your domain user, you can try $env:USERNAME instead of $env:computername in your script.


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten


0 Votes
PerserPolis-1732 answered PerserPolis-1732 edited

Hi,

I changed the script as follows:

$a=$env:username+"Admin"
New-LocalUser -AccountNeverExpires:$true -Password ( ConvertTo-SecureString -AsPlainText -Force 'password') -Name $a -FullName "Local Administrator" -Description "Local Administrator" | Add-LocalGroupMember -Group administrators

It works with the username, but only if I run it locally on the machine; it does not work if I deploy the script to the same machine with SCCM.
If I deploy it, it creates "AdministratorAdmin".

Regards


0 Votes
ClementBETACORNE answered

Hello,

You can try to get the information about the currently logged-on user with win32_LoggedOnUser:

$regexsession = '.+Domain="(.+)",Name="(.+)"$'

$session_user = Get-WmiObject -Class win32_LoggedOnUser | Select Antecedent -Unique

foreach($session in $session_user) {
    if($session.antecedent -match $regexsession) {
        # $Matches[2] will contain the username
        Write-Output $Matches[2]
    }
}

Regards,

0 Votes
PerserPolis-1732 answered

Hi,

Thank you for your reply.

What would the script look like with the currently logged-on user combined with my script?

Regards


0 Votes
ClementBETACORNE answered

Something like this:

$regexsession = '.+Domain="(.+)",Name="(.+)"$'

$session_user = Get-WmiObject -Class win32_LoggedOnUser | Select Antecedent -Unique

foreach($session in $session_user) {
    if($session.antecedent -match $regexsession) {
        # $Matches[2] will contain the username
        $a="$($Matches[2])Admin"
    }
}

New-LocalUser -AccountNeverExpires:$true -Password ( ConvertTo-SecureString -AsPlainText -Force 'password') -Name $a -FullName "Local Administrator" -Description "Local Administrator" | Add-LocalGroupMember -Group administrators


Regards,


0 Votes
PerserPolis-1732 answered ClementBETACORNE commented

Hi,

Running the following script:

$regexsession = '.+Domain="(.+)",Name="(.+)"$'

$session_user = Get-WmiObject -Class win32_LoggedOnUser | Select Antecedent -Unique

foreach($session in $session_user) {
    if($session.antecedent -match $regexsession) {
        # $Matches[2] will contain the username
        $a="$($Matches[2])Admin"
    }
}

New-LocalUser -AccountNeverExpires:$true -Password ( ConvertTo-SecureString -AsPlainText -Force 'password') -Name $a -FullName "Local Administrator" -Description "Local Administrator" | Add-LocalGroupMember -Group administrators

The PowerShell script created the user called "UMFD-1Admin".

This script works, but still creates "AdministratorAdmin":

$regexsession = '.+Domain="(.+)",Name="(.+)"$'

$session_user = Get-WmiObject -Class win32_LoggedOnUser | Select Antecedent -Unique

foreach($session in $session_user) {
    if($session.antecedent -match $regexsession) {
        # $Matches[2] will contain the username
        $a="$($Matches[2])Admin"
    }
}
$a=$env:username+"Admin"

New-LocalUser -AccountNeverExpires:$true -Password ( ConvertTo-SecureString -AsPlainText -Force 'User@123') -Name $a -FullName "Local Administrator" -Description "Local User Administrator" | Add-LocalGroupMember -Group administrators

Regards

It will go through the loop, so some configuration and tuning are needed. Do you have some users or services which are running under the name UMFD-1?

0 Votes
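As an added example, not from any participant in the thread: a way to find the interactive user that still works when SCCM runs the script as SYSTEM, and that skips the sessions Windows creates for itself (UMFD-1, DWM-1 and similar) which win32_LoggedOnUser also lists, which is why the loop above ended on "UMFD-1". It asks Win32_ComputerSystem for the console user first, and only then walks the logon sessions; it uses Get-CimInstance rather than Get-WmiObject so the account reference is an object with Domain and Name properties instead of a string to regex. The function name Get-InteractiveUser, the list of noise domains and the "most recent logon wins" rule are my assumptions.

```powershell
# Added example, not from the original thread. Resolve the interactive user from
# a script that runs as SYSTEM (SCCM), ignoring sessions the OS creates for
# itself. Returns "DOMAIN\user" or $null; the caller builds "<user>Admin".
function Get-InteractiveUser {
    # Console user as recorded by the OS; populated even when the caller is SYSTEM.
    $console = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    if ($console) { return $console }

    # Fallback: walk logon sessions. Keep only Interactive (2) and
    # RemoteInteractive (10) logons and drop the per-session service accounts
    # (UMFD-n under "Font Driver Host", DWM-n under "Window Manager").
    $noiseDomains     = @('Font Driver Host', 'Window Manager', 'NT AUTHORITY', 'NT SERVICE')
    $noiseNames       = '^(UMFD|DWM)-\d+$'
    $interactiveTypes = @(2, 10)

    $sessions = @{}
    foreach ($s in Get-CimInstance -ClassName Win32_LogonSession) {
        if ($interactiveTypes -contains [int]$s.LogonType) { $sessions[$s.LogonId] = $s }
    }

    $candidates = foreach ($link in Get-CimInstance -ClassName Win32_LoggedOnUser) {
        $acct = $link.Antecedent                 # Win32_Account: .Domain, .Name
        $sess = $sessions[$link.Dependent.LogonId]
        if ($null -eq $sess) { continue }        # not an interactive logon
        if ($noiseDomains -contains $acct.Domain) { continue }
        if ($acct.Name -match $noiseNames -or $acct.Name.EndsWith('$')) { continue }
        [pscustomobject]@{
            User      = "$($acct.Domain)\$($acct.Name)"
            StartTime = $sess.StartTime
        }
    }

    # If several users are logged on, take the most recent interactive logon.
    $best = $candidates | Sort-Object StartTime -Descending | Select-Object -First 1
    if ($best) { return $best.User }
    return $null
}

$interactive = Get-InteractiveUser
if (-not $interactive) {
    # Refuse rather than create "SYSTEMAdmin" or "AdministratorAdmin".
    throw "No interactive user is logged on; not creating an account."
}
$sam = $interactive.Split('\')[-1]   # strip the DOMAIN\ prefix
$a   = "${sam}Admin"
Write-Output "Local account name to create: $a"
```

The explicit failure when no interactive user is found is the important part for a deployment: the earlier scripts fall through to whatever $env:username or the last loop iteration happened to be, which is how "AdministratorAdmin" and "UMFD-1Admin" were created.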
0 Votes
PerserPolis-1732 answered PerserPolis-1732 edited

No, I don't have any users or services named UMFD-1.

The following script only works if I run it locally:

$regexsession = '.+Domain="(.+)",Name="(.+)"$'
$session_user = Get-WmiObject -Class win32_LoggedOnUser | Select Antecedent -Unique
foreach($session in $session_user) {
    if($session.antecedent -match $regexsession) {
        $a="$($Matches[2])Admin"
    }
}
$a=$env:username+"Admin"
New-LocalUser -AccountNeverExpires:$true -Password ( ConvertTo-SecureString -AsPlainText -Force 'User@123') -Name $a -FullName "Local Administrator" -Description "Local User Administrator" | Add-LocalGroupMember -Group administrators



Thank you for your help.

0 Votes
ClementBETACORNE answered PerserPolis-1732 commented

OK, so let's try it another way, by using the event log of the User Profile Service:

$UserLogon = Get-WinEvent -LogName 'Microsoft-Windows-User Profile Service/Operational' `
    | Where-Object {$_.Id -eq 2} | Select-Object -First 1

$LastUser = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$($UserLogon.UserId.Value)" -Name "ProfileImagePath"
$substringIndex = $LastUser.ProfileImagePath.LastIndexOf("\") + 1
$LastUserName = $LastUser.ProfileImagePath.Substring($substringIndex)
$a=$LastUserName+"Admin"
New-LocalUser -AccountNeverExpires:$true -Password ( ConvertTo-SecureString -AsPlainText -Force 'password') -Name $a -FullName "Local Administrator" -Description "Local Administrator" | Add-LocalGroupMember -Group administrators

Regards,

Hi,

Could you please tell me how I can change the script to create a local admin account based on the domain computer account?
I mean it should create a local admin account based on the domain computer name.

Regards

0 Votes