
@NielsS79
Last active March 25, 2022 08:12
The first script creates a new, local account with administrator privileges and stores its randomized password in an accessible location. The second script takes it all away again.
<#
.SYNOPSIS
This script creates a new, local account with administrator privileges and stores its randomized password in an accessible location.
.DESCRIPTION
This script was developed to make sure power users have a separate, local account to be used for elevated operations.
Please visit https://threeisacloud.tech/power-to-the-user/ for more information.
Configuration is done via the (few) variables below. I assume they are self-explanatory.
.NOTES
Author: Niels Scheffers <niels.scheffers@etesian.nl>
Last modified: 2022-03-09
#>
$userName = 'poweruser';
$userFullName = 'Power User (elevation account)';
$userDescription = 'Elevation account provisioned for power user.'; # Specify the account description. This cannot contain more than 48 chars. This input is _not_ validated.
$passwordLength = 16; # Specify the length of the random password.
$passwordMinNonAlphaChars = 2; # Specify the _minimum_ number of non-alphanumeric characters the random password must contain.
$passwordFile = 'C:\PowerUser\HiPowerUser!.txt'; # Specify the location and name of the password file. This path will be created if it doesn't exist. The file will be overwritten if it exists.
Try {
    if (Get-LocalUser -Name $userName -ErrorAction SilentlyContinue) {
        Throw "User '$($userName)' already exists.";
    }
    Write-Host "Adding user '$($userName)'...";
    Add-Type -AssemblyName System.Web; # We need to add this for the line below. Does not work at all in PowerShell Core, as .NET Core does not support System.Web.
    $password = [System.Web.Security.Membership]::GeneratePassword($passwordLength, $passwordMinNonAlphaChars);
    $user = New-LocalUser $userName -Password (ConvertTo-SecureString -String $password -AsPlainText -Force) -PasswordNeverExpires -FullName $userFullName -Description $userDescription;
    Write-Host "Adding user to 'Administrators' group...";
    $localAdminGroup = Get-LocalGroup -SID 'S-1-5-32-544'; # Look up the .\Administrators group by SID. This prevents screw-ups when the group has a different name. Yes, I'm looking at you, French language. :)
    Add-LocalGroupMember -Group $localAdminGroup -Member $user;
    Write-Host "Storing password in '$($passwordFile)'...";
    $passwordFilePath = Split-Path -Path $passwordFile;
    if (-not(Test-Path -Path $passwordFilePath)) {
        New-Item -ItemType Directory -Force -Path $passwordFilePath | Out-Null;
    }
    Clear-Content -Path $passwordFile -ErrorAction SilentlyContinue; # Truncate an existing file; ignore the error when it does not exist yet.
    Add-Content -Path $passwordFile -Value $password;
    Exit 0;
}
Catch {
    Write-Host 'Exception encountered:';
    Write-Host $_.Exception.Message;
    Exit -1;
}
<#
.SYNOPSIS
This script removes any local account matching the configured username.
.DESCRIPTION
This script was developed to make sure power users have a separate, local account to be used for elevated operations.
Please visit https://threeisacloud.tech/power-to-the-user/ for more information.
Configuration is done via the (single) variable below. I assume it is self-explanatory.
.NOTES
Author: Niels Scheffers <niels.scheffers@etesian.nl>
Last modified: 2022-03-09
#>
$userName = 'poweruser';
Try {
    if (-not(Get-LocalUser -Name $userName -ErrorAction SilentlyContinue)) {
        Throw "User '$($userName)' doesn't exist.";
    }
    Write-Host "Removing user '$($userName)'...";
    Remove-LocalUser $userName;
    Exit 0;
}
Catch {
    Write-Host 'Exception encountered:';
    Write-Host $_.Exception.Message;
    Exit -1;
}
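An added audit script, not part of the gist, that checks the state the first script leaves behind: the account exists and is enabled, it is a member of Administrators (resolved by the same well-known SID), and the password file is present. It also reports every Allow ACE on the password file that grants read access to Everyone, Users or Authenticated Users, since the file inherits its ACL from the parent directory and the script does not set one. The `$userName` and `$passwordFile` values are assumed to match the provisioning script; `Test-PowerUserProvisioning` is a hypothetical name.

```powershell
# Added example (not part of the gist). Assumes the provisioning script's defaults.
$userName = 'poweruser';
$passwordFile = 'C:\PowerUser\HiPowerUser!.txt';

function Test-PowerUserProvisioning {
    param([string]$Name, [string]$PasswordFile)

    $findings = @();

    # 1. Account present and enabled?
    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue;
    if (-not $user) { $findings += "Account '$Name' not found."; }
    elseif (-not $user.Enabled) { $findings += "Account '$Name' is disabled."; }

    # 2. Member of the local Administrators group (looked up by SID, as in the script)?
    $admins = Get-LocalGroup -SID 'S-1-5-32-544';
    $isAdmin = @(Get-LocalGroupMember -Group $admins -ErrorAction SilentlyContinue |
        Where-Object { $_.SID -eq $user.SID }).Count -gt 0;
    if ($user -and -not $isAdmin) { $findings += "Account '$Name' is not in '$($admins.Name)'."; }

    # 3. Password file present, and which broad principals can read it?
    if (-not (Test-Path -Path $PasswordFile)) {
        $findings += "Password file '$PasswordFile' not found.";
    } else {
        $broad = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11'); # Everyone, Users, Authenticated Users
        $acl = Get-Acl -Path $PasswordFile;
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue; }
            # Translate the identity to a SID so the check is language-independent.
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value;
            $canRead = ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0;
            if ($broad -contains $sid -and $canRead) {
                $findings += "'$($ace.IdentityReference)' can read '$PasswordFile' (inherited: $($ace.IsInherited)).";
            }
        }
    }
    return $findings;
}

$result = Test-PowerUserProvisioning -Name $userName -PasswordFile $passwordFile;
if ($result.Count -eq 0) {
    Write-Host 'OK: account provisioned and password file not readable by broad groups.';
} else {
    $result | ForEach-Object { Write-Warning $_ };
}
```

Run it elevated, since Get-LocalGroupMember needs administrator rights; a warning about an inherited ACE means the read access came from the parent directory's permissions rather than from the script itself.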