Create a local administrator account using PowerShell

Create-Administrator.ps1

$Username = "su"
$Password = "password"

$group = "Administrators"

$adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
$existing = $adsi.Children | where {$_.SchemaClassName -eq 'user' -and $_.Name -eq $Username }

if ($existing -eq $null) {

    Write-Host "Creating new local user $Username."
    & NET USER $Username $Password /add /y /expires:never
    
    Write-Host "Adding local user $Username to $group."
    & NET LOCALGROUP $group $Username /add

}
else {
    Write-Host "Setting password for existing local user $Username."
    $existing.SetPassword($Password)
}

Write-Host "Ensuring password for $Username never expires."
& WMIC USERACCOUNT WHERE "Name='$Username'" SET PasswordExpires=FALSE

Nice one, this thing saved me!

This is the exact script I"m looking for, but the last line isn't working for me.
Error message WMIC USERACCOUNT WHERE "Name='$Username'" SET PasswordExpires=FALSE
No Instance(s) Available.
I would really appreciate some help with this It would save me some time creating this account for multiply computers.

Thanks,

If the value specified for $username also matches a domain account, this script will attempt to modify properties (both the password and the expiration bit) on both the local and domain accounts. I didn't see an obvious way to prevent this, though I'm sure there is one.

Nice man! Thanks for sharing it. You saved me a lot time. Thx.

Just modify $Username and $Password values, works like a charm!

Thx @ducas. Quick question: https://gist.github.com/ducas/3a65704a3b92dfa0301e#file-create-administrator-ps1-L24 is taking approximately 10 seconds to return. Are you seeing the same behavior? If not, any thoughts on why this is taking so long?

Thanks!

I would suggest you use a single quote for the password, like this: 'password'. If your password contains special characters, the password is not set properly.

Hi , thanks is very ""útil" ...jajajaj BR.

probably easier to use proper way of doing this:

New-LocalUser -AccountNeverExpires:$true -Password ( ConvertTo-SecureString -AsPlainText -Force 'somepassword') -Name '
someuser' | Add-LocalGroupMember -Group administrators

You need rights of administrator to run this script, if you want do this from "run as power shell script". You can modify it with rights:

ipconfig|out-null;[Console]::outputEncoding =[System.Text.Encoding]::GetEncoding('cp866') $IsElevated=$false foreach ($sid in [Security.Principal.WindowsIdentity]::GetCurrent().Groups) { if ($sid.Translate([Security.Principal.SecurityIdentifier]).IsWellKnown([Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid)) { $IsElevated=$true } } if (-not $IsElevated) { Start-Process "$psHome\powershell.exe" -Verb Runas -ArgumentList ("-command cd $pwd; " + $MyInvocation.Line) exit }

New-LocalUser -AccountNeverExpires:$true -Password ( ConvertTo-SecureString -AsPlainText -Force 'somepassword') -Name ' someuser' | Add-LocalGroupMember -Group administrators

This is far simpler and easier to understand.

When we excute this powershell in Intune, we receive acces denied error. Anyone an idee how to run this script with admin rights in intune?

@dalexander101
You probably don't need help anymore, but specifying to only update the local account worked for me.
WMIC USERACCOUNT WHERE "Domain='$env:ComputerName'AND Name='$usr'" SET PasswordExpires=FALSE

thanks a lot it working perfectly,, I want to run this to remote servers with around 200 machines, can you please let me know how and where need to change.

clean and simple, appreciate you sharing!

lets just hope you do not deploy that script to the clients rather than remote-execute it, since the password is in the script.
There are methods to encrypt it in a script.

Thank You.
Works like a charm.