@mendel129
Last active January 12, 2021 23:30
Microsoft LAPS, https://support.microsoft.com/en-us/kb/3062591, doesn't handle user creation that well, and GPP is deprecated since ms14-025. Might get solved with startupscript (tested on win10)
#Microsoft LAPS, https://support.microsoft.com/en-us/kb/3062591, doesn't handle user creation that well, and GPP is deprecated since ms14-025
#might get solved with startupscript (tested on win10)
#note: LAPS only takes over this account if the LAPS policy "Name of administrator account to manage" is set to customadmin; otherwise it keeps managing the built-in RID-500 account

#get users in local administrator
$obj_group = [ADSI]"WinNT://$($env:COMPUTERNAME)/Administrators,group"
$Administrators = @($obj_group.psbase.Invoke("Members")) | ForEach-Object { ([ADSI]$_).InvokeGet("Name") }

#get local users
$adsi = [ADSI]"WinNT://$($env:COMPUTERNAME)"
$Users = @($adsi.psbase.children | Where-Object { $_.psbase.schemaClassName -match "user" } | Select-Object @{n="Name";e={$_.name}})

#if user customadmin does not exist, create one
#(-notcontains works for both the single-user and multi-user case; .Contains() on a lone string would do a substring match)
If ($Users.Name -notcontains "customadmin") {
    $cn = [ADSI]"WinNT://$($env:COMPUTERNAME)"
    $user = $cn.Create("User", "customadmin")
    #19-character bootstrap password drawn from printable ASCII (33..126) only;
    #the earlier 50..150 range also produced DEL and C1 control characters that
    #cannot be typed and may be rejected. LAPS replaces this password later.
    $password = -join (([char[]](33..126) | Sort-Object { Get-Random })[0..18])
    $user.SetPassword($password)
    $user.SetInfo()
    $user.Description = "Local Admin User"
    $user.SetInfo()
    Write-Output "User customadmin was created."
} Else {
    Write-Output "User customadmin already exists."
}

#Add to Administrators group (reuse the group object bound above)
If ($Administrators -notcontains "customadmin") {
    $obj_group.Add("WinNT://$($env:COMPUTERNAME)/customadmin")
    Write-Output "customadmin was added to Administrators."
} Else {
    Write-Output "customadmin is already member of Administrators."
}
@mendel129
Author

This way of creating users has the same security issue as GPP had, being the password in semi-cleartext in the script.
The idea is to just create a user, and let LAPS handle the password afterwards, so the "customadmin" has the password specified in the script only for a limited time.

LAPS can also handle the built-in local administrator (rid-500) account.
Microsoft has multiple points of view about handling the local administrator, some say disable it, some say to use it. In my humble opinion, I would disable it...
But then you need another account to manage, and there is currently no way of creating one using Group Policy...
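The "only for a limited time" argument above holds only if LAPS actually takes the account over. The following audit script is an added example, not part of the gist, that a defender can run on a host after the startup script: it checks that the account exists and is in Administrators, that the LAPS policy names that account (the registry values under the LAPS policy key are assumed to match the LAPS ADMX), and whether the bootstrap password has been rotated since the startup script last ran. The account name "customadmin" is taken from the gist; the script-run timestamp is an assumed parameter.

```powershell
# Added example (not part of the gist): post-deployment audit for the
# "bootstrap account, then let LAPS rotate it" pattern described above.
# Assumes: account name from the gist, the LAPS policy registry path and
# value names, and a caller-supplied time for when the startup script ran.
param(
    [string]$AccountName = "customadmin",
    [datetime]$ScriptRunTime = (Get-Date).AddHours(-1)   # assumption: last startup-script run
)

$result = [ordered]@{ Account = $AccountName }

# 1. Does the account exist and is it enabled? (Get-LocalUser: Windows 10 / PowerShell 5.1+)
$user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
$result.Exists  = [bool]$user
$result.Enabled = if ($user) { $user.Enabled } else { $false }

# 2. Is it a member of the local Administrators group? (strip the COMPUTER\ prefix)
$members = Get-LocalGroupMember -Group "Administrators" -ErrorAction SilentlyContinue |
           ForEach-Object { ($_.Name -split '\\')[-1] }
$result.IsAdmin = $members -contains $AccountName

# 3. Is LAPS enabled and pointed at this account name? If AdminAccountName is
#    empty, LAPS manages the RID-500 account instead and never touches ours.
$lapsKey = "HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd"
$laps = Get-ItemProperty -Path $lapsKey -ErrorAction SilentlyContinue
$result.LapsEnabled     = ($null -ne $laps) -and ($laps.AdmPwdEnabled -eq 1)
$result.LapsManagesThis = ($null -ne $laps) -and ($laps.AdminAccountName -eq $AccountName)

# 4. Has the bootstrap password been rotated since the script ran?
#    While this is $false, the password chosen at creation time is still live.
$result.PasswordRotated = ([bool]$user) -and ($user.PasswordLastSet -gt $ScriptRunTime)

# Emit one object per host; feed it to your inventory / SIEM and alert on
# hosts where Exists and IsAdmin are $true but PasswordRotated stays $false.
[pscustomobject]$result
```

A host that reports `LapsManagesThis = $false` is the case the comment above warns about: the account was created, but LAPS is still managing the built-in administrator and the bootstrap password will never expire on its own.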
