Disable Local Account "User must change password at next logon" - powershell

I am trying to create an local account that automatically signs in when Windows loads. However, when signing in for the first time, the account is prompted to set a password. However, this account does not have a password set because of the -NoPassword flag. This computer is not joined to any domains.
I tried setting the -PasswordNeverExpires flag, but upon checking in lusrmgr.msc, the "User must set password on logon" box is still checked.
New-LocalUser "testmode" -NoPassword -FullName "test user" -Description "test sign-in account" -AccountNeverExpires
Add-LocalGroupMember -Group "Users" -Member "testmode"
Automatically sign the account in without prompting to set a password

Try this please:
Here you are first creating the user, then piping to set the properties of said user.
New-LocalUser -Name "testmode" -NoPassword -AccountNeverExpires -UserMayNotChangePassword -FullName "test user" -Description "test sign-in account" | Set-LocalUser -PasswordNeverExpires $true
It should yield this:

Related

Set-ADAccountPassword specifying -Credential

I triyng to reset a password using this code:
Set-ADAccountPassword -Identity <username> -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'N3WP#SS' -Force)
But it uses the credentials of the logged user to execute this action. How do I specify other user to perform this action using
-Credential?
If you are trying to specify other user :
PSCredential Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory module for Windows PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default.
To specify this parameter, you can type a user name, such as User1 or Domain01\User01 or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password.
You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object.
Prompt a specified user to change their password.
Use this command below :
Set-ADAccountPassword -Identity TestName
Please enter the current password for 'CN=Evan Narvaez,CN=Users,DC=Fabrikam,DC=com'
Password:**********
Please enter the desired password for 'CN=Evan Narvaez,CN=Users,DC=Fabrikam,DC=com'
Password:***********
Repeat Password:***********
Set a password for a user account using a distinguished name :
Set-ADAccountPassword -Identity 'CN=Elisa
Daugherty,OU=Accounts,DC=Fabrikam,DC=com' -Reset -NewPassword
(ConvertTo-SecureString -AsPlainText "p#ssw0rd" -Force)
Please take a look at this doc for more reference : Ser-ADAccountPassword

Powershell script to switch current logged in user?

I am trying to write a Powershell script to create a new Windows user an then log into that new account. I can create the new account like so:
New-LocalUser -Name $username -Description 'SomeAccountName' -Password 'SomePassword' -PasswordNeverExpires -UserMayNotChangePassword
But I am unsure if I am then able to log into the new account from the same script. Is this possible? And if so, how could I go about doing so?

Looking for an If statement to check to see if a user is a local administrator

Currently very noobish with powershell but learning my way around. Looking to make a script that checks to see if the user is apart of the local admin group. Currently what I have will check if the account is created and will create it and set the password and group.
#add administrator account to local machine and add to administrator group
if (Get-WmiObject Win32_UserAccount -Filter "LocalAccount='true' and Name='administrator'")
{
Write-Host "Account already exists"
Write-Host "Skipping account creation of local account administrator"
}
else
{
Write-Host "creating Local Admin Account"
Write-Host "Please Set the password for the Local Admin account to create it"
$Password = Read-Host -AsSecureString
New-LocalUser "Administrator" -Password $Password -FullName "Help Desk Administrator" -Description "Local Admin account"
Add-LocalGroupMember -Group Administrators -Member administrator
Write-Host "account administrator created"
}
However I need error checking to make sure that if the account already exists that is part of the admin group.
the current state of local admins on machines here is a mess
If you are looking to find out if the current user is elevated, here are two ways in PowerShell:
Use #requires -RunAsAdministrator. This will prevent your script from running if the current user is not elevated. This requires PowerShell 3.0 or later.
Ask the system at runtime if the current user is elevated; e.g.:
$elevated = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
If you are looking for a way to manage the membership of the Administrators group, then that is a different question. Usually I recommend Group Policy for that.

Looping through all my domains an changing pwd- access denied SET-QADUSER

I have several domains and one admin account in each one. It is a great pain to log into each domain to change password every month..
I have therefore written a script that will connect to all domains and check to see if I have already changed the password or if I am still using the old one.
If I am using the old one the script should update it.
I connect to the domains (sequentially) with
$oldPassword = Read-Host "Enter old password" -AsSecureString
$newPassword = Read-Host "Enter new password" -AsSecureString
$oldCredentials = new-object -typename System.Management.Automation.PSCredential -argumentlist "$domain\$adminusername",$oldPassword
Connect-QADService -Service $domain -Credential $oldCredentials
and if I get a successfull connection with $oldcredentials I try to change pwd with
GET-QADUSER $adminusername | SET-QADUSER -UserPassword $newPassword
I am guessing that I am not passing the secure string correctly to SET-QADUSER but I've found no documentation on another way to do it.
Please advice:)
SET-QADUSER -UserPassword accept [string] type not [System.Security.SecureString].
Try to pass just a string as password.

PowerShell: Create Local User Account

I need to create a new local user account, and then add them to the local Administrators group. Can this be done in PowerShell?
EDIT:
# Create new local Admin user for script purposes
$Computer = [ADSI]"WinNT://$Env:COMPUTERNAME,Computer"
$LocalAdmin = $Computer.Create("User", "LocalAdmin")
$LocalAdmin.SetPassword("Password01")
$LocalAdmin.SetInfo()
$LocalAdmin.FullName = "Local Admin by Powershell"
$LocalAdmin.SetInfo()
$LocalAdmin.UserFlags = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$LocalAdmin.SetInfo()
I have this, but was wondering if there is anything more PowerShell-esque.
Another alternative is the old school NET USER commands:
NET USER username "password" /ADD
OK - you can't set all the options but it's a lot less convoluted for simple user creation & easy to script up in Powershell.
NET LOCALGROUP "group" "user" /add to set group membership.
As of PowerShell 5.1 there cmdlet New-LocalUser which could create local user account.
Example of usage:
Create a user account
New-LocalUser -Name "User02" -Description "Description of this account." -NoPassword
or Create a user account that has a password
$Password = Read-Host -AsSecureString
New-LocalUser "User03" -Password $Password -FullName "Third User" -Description "Description of this account."
or Create a user account that is connected to a Microsoft account
New-LocalUser -Name "MicrosoftAccount\usr name#Outlook.com" -Description "Description of this account."
Try using Carbon's Install-User and Add-GroupMember functions:
Install-User -Username "User" -Description "LocalAdmin" -FullName "Local Admin by Powershell" -Password "Password01"
Add-GroupMember -Name 'Administrators' -Member 'User'
Disclaimer: I am the creator/maintainer of the Carbon project.
As of 2014, here is a statement from a Microsoft representative (the Scripting Guy):
As much as we might hate to admit it, there are still no Windows
PowerShell cmdlets from Microsoft that permit creating local user
accounts or local user groups. We finally have a Desired State
Configuration (DSC ) provider that can do this—but to date, no
cmdlets.
Import-Csv C:\test.csv |
Foreach-Object {
NET USER $ _.username $ _.password /ADD
NET LOCALGROUP "group" $_.username /ADD
}
edit csv as username,password
and change "group" for your groupname
:) worked on 2012 R2
$sec_pass = ConvertTo-SecureString -String "SomePasword" -AsPlainText -Force
New-LocalUser -Name username -FullName username -PasswordNeverExpires -Password $sec_pass
Add-LocalGroupMember -Group Administrators -Member username