Creates a backup local admin user with a random password. Designed for use with Microsoft LAPS. Should be run as a computer logon script.
# The name of the account
$accountName = 'LocalAdmin'
$accountFullName = 'Local Administrator'
$accountComment = 'Backup Local Administrator Account'
# Any users listed here will be disabled by this script
$usersToDisable = 'Administrator','Guest'
# Set up some Event Log stuff
$sourceName = "$($MyInvocation.MyCommand.Name).ps1"
New-EventLog -LogName Application -Source "$sourceName" -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
# If the account already exists, exit
if ((Get-WmiObject Win32_UserAccount -filter "domain = '$Env:COMPUTERNAME' and Name = '$accountName'") -ne $null) {
    Write-EventLog -LogName Application -Source $sourceName -EntryType Information -EventId 1 -Message "$accountName already exists" -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
    # Nothing more to do: stop here so the existing account is left untouched
    exit
}
# Create the account, using a freshly generated GUID as its random password
cmd.exe /c "net user $accountName `"$([guid]::NewGuid().guid)`" /add /y /comment:`"$accountComment`" /fullname:`"$accountFullName`""
# Add the account to the Administrators group
cmd.exe /c "net localgroup Administrators $accountName /add"
# Disable the specified users
$usersToDisable | Foreach-Object {cmd.exe /c "net user $_ /active:no"}
# Try and write an event to the Event Log
Write-EventLog -LogName Application -Source $sourceName -EntryType Information -EventId 2 -Message "Created local administrator account: $accountName" -ErrorAction SilentlyContinue -WarningAction SilentlyContinue