Last active
March 25, 2022 08:12
The first script creates a new, local account with administrator privileges and stores its randomized password in an accessible location. The second script removes that account again (it does not delete the password file).
<#
.SYNOPSIS
This script creates a new, local account with administrator privileges and stores its randomized password in an accessible location.
.DESCRIPTION
This script was developed to make sure power users have a separate, local account to be used for elevated operations.
Please visit https://threeisacloud.tech/power-to-the-user/ for more information.
Configuration is done via the (few) variables below. I assume they are self-explanatory.
.NOTES
Author: Niels Scheffers <niels.scheffers@etesian.nl>
Last modified: 2022-03-09
#>
$ErrorActionPreference = 'Stop'; # Make cmdlet errors terminating, so a failed New-LocalUser or Add-LocalGroupMember lands in the Catch block instead of the script carrying on with a half-provisioned account and exiting 0.
$userName = 'poweruser';
$userFullName = 'Power User (elevation account)';
$userDescription = 'Elevation account provisioned for power user.'; # Specify the account description. This cannot contain more than 48 chars. This input is _not_ validated.
$passwordLength = 16; # Specify the length of the random password.
$passwordMinNonAlphaChars = 2; # Specify the _minimum_ number of non-alphanumeric characters the random password must contain.
$passwordFile = 'C:\PowerUser\HiPowerUser!.txt'; # Specify the location and name of the password file. This path will be created if it doesn't exist. The file will be overwritten if it exists. Note: a directory created directly under C:\ inherits its ACL, which gives every local user read access, and this file holds a local administrator password in plain text. Restrict its ACL to the intended user afterwards.
Try {
    if (Get-LocalUser -Name $userName -ErrorAction SilentlyContinue) {
        Throw "User '$($userName)' already exists.";
    }
    Write-Host "Adding user '$($userName)'...";
    Add-Type -AssemblyName System.Web; # We need to add this for the line below. Does not work at all in PowerShell Core, as .NET Core does not support System.Web.
    $password = [System.Web.Security.Membership]::GeneratePassword($passwordLength, $passwordMinNonAlphaChars);
    $user = New-LocalUser $userName -Password (ConvertTo-SecureString -String $password -AsPlainText -Force) -PasswordNeverExpires -FullName $userFullName -Description $userDescription;
    Write-Host "Adding user to 'Administrators' group...";
    $localAdminGroup = Get-LocalGroup -SID 'S-1-5-32-544'; # Look up the .\Administrators group by SID. This prevents screw-ups when the group has a different name. Yes, I'm looking at you, French language. :)
    Add-LocalGroupMember -Group $localAdminGroup -Member $user;
    Write-Host "Storing password in '$($passwordFile)'...";
    $passwordFilePath = Split-Path -Path $passwordFile;
    if (-not(Test-Path -Path $passwordFilePath)) {
        New-Item -ItemType Directory -Force -Path $passwordFilePath | Out-Null;
    }
    Set-Content -Path $passwordFile -Value $password; # Overwrites the file if it already exists.
    Exit 0;
}
Catch {
    Write-Host 'Exception encountered:';
    Write-Host $_.Exception.Message;
    Exit -1;
}
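The password file the script writes ends up in a directory that inherits the ACL of C:\, so by default every member of BUILTIN\Users can read the local administrator password. The following is an added example, not part of the gist, that strips inheritance from the file and grants read access only to the intended standard user, plus SYSTEM and Administrators (looked up by well-known SID, in the same spirit as the script's group lookup), and then checks that no other ACE remains. `$readerAccount` is an assumption and must be set to the real standard-user account of the person who will use the elevation account.

```powershell
# Added example (not from the gist): lock down the plain-text password file written
# by the provisioning script so only the intended standard user can read it.
$passwordFile  = 'C:\PowerUser\HiPowerUser!.txt';  # same path as the provisioning script
$readerAccount = "$env:COMPUTERNAME\jdoe";          # ASSUMPTION: the standard account allowed to read the password

$systemSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18');    # NT AUTHORITY\SYSTEM
$adminsSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544'); # BUILTIN\Administrators, locale-independent
$reader    = New-Object System.Security.Principal.NTAccount($readerAccount);

$acl = Get-Acl -Path $passwordFile;
# Stop inheriting ACEs from C:\PowerUser (and therefore from C:\) without copying the inherited ACEs.
$acl.SetAccessRuleProtection($true, $false);
# Drop any explicit ACEs that were already set on the file.
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule); }

$allow = [System.Security.AccessControl.AccessControlType]::Allow;
$full  = [System.Security.AccessControl.FileSystemRights]::FullControl;
$read  = [System.Security.AccessControl.FileSystemRights]::Read;

$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($systemSid, $full, $allow)));
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($adminsSid, $full, $allow)));
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($reader,    $read, $allow)));
Set-Acl -Path $passwordFile -AclObject $acl;

# Check: inheritance is off and exactly the three principals above are present.
$result   = Get-Acl -Path $passwordFile;
$expected = @($systemSid, $adminsSid, $reader) | ForEach-Object { $_.Translate([System.Security.Principal.NTAccount]).Value };
$actual   = @($result.Access | ForEach-Object { $_.IdentityReference.Value });
if ($result.AreAccessRulesProtected -and -not (Compare-Object $expected $actual)) {
    Write-Host "ACL on '$passwordFile' restricted to: $($expected -join ', ')";
} else {
    Throw "Unexpected ACL on '$passwordFile': $($actual -join ', ')";
}
```

Run this elevated right after the provisioning script. The reader still needs traverse access on C:\PowerUser, which the directory keeps from its inherited ACL; only the file itself is protected. If `$readerAccount` does not resolve to an existing account, `AddAccessRule` throws an IdentityNotMappedException, which is the desired failure rather than a file silently left world-readable.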
<#
.SYNOPSIS
This script removes any local account matching the configured username.
.DESCRIPTION
This script was developed to make sure power users have a separate, local account to be used for elevated operations.
Please visit https://threeisacloud.tech/power-to-the-user/ for more information.
Configuration is done via the (single) variable below. I assume it is self-explanatory.
.NOTES
Author: Niels Scheffers <niels.scheffers@etesian.nl>
Last modified: 2022-03-09
#>
$ErrorActionPreference = 'Stop'; # Make a failed Remove-LocalUser terminating so it is caught below and reported with exit code -1 instead of silently exiting 0.
$userName = 'poweruser';
Try {
    if (-not(Get-LocalUser -Name $userName -ErrorAction SilentlyContinue)) {
        Throw "User '$($userName)' doesn't exist.";
    }
    Write-Host "Removing user '$($userName)'...";
    Remove-LocalUser $userName; # Removes the account only; the password file written by the provisioning script is left in place.
    Exit 0;
}
Catch {
    Write-Host 'Exception encountered:';
    Write-Host $_.Exception.Message;
    Exit -1;
}