This question already has answers here:
How do I get the result of a command in a variable in windows? [duplicate]
(13 answers)
Closed 6 years ago.
I am deploying Airwatch to my organization. On company-owned laptops, I would like to lock them down if/when the device is ever un-enrolled. There is no built-in method of doing this, so I am looking for a script to do it. My relevant background: I know very little batch, some powershell, a lot of vbscript (for classic ASP).
I would like one or both of the following:
Reset all user passwords on the laptop to something preset
Create a specific local admin and then disable all other local users
I know I can use "net user" to get a list of users, but I do not know how to use that list to actually disable the users or change their passwords. The batch commands to fit this logic would be ideal:
net user NewAdmin Password /add
net localgroup administrators NewAdmin /add
UserList = net user output
For each UserName in UserList
If UserName <> "NewAdmin" Then
net user UserName NewPassword
net user UserName /active:no
End If
Next
If you are using Windows 10 Vs.1607 or newer, you can use something like this PowerShell script:
$AdminPwd = ConvertTo-SecureString -string "foobar2016!" -AsPlainText -Force
$UserPwd = ConvertTo-SecureString -string "foobar2016!" -AsPlainText -Force
$NewAdmin = "NewAdmin"
New-LocalUser -Name $NewAdmin -FullName "New Admin" -Password $AdminPwd
Add-LocalGroupMember -Member $NewAdmin -Group "Administrators"
Get-LocalUser | ForEach-Object {
if ($_.Name -ne $NewAdmin)
{
$_ | Set-LocalUser -Password $UserPwd
$_ | Disable-LocalUser
}
}
Be careful when testing it, it disables all users except the new one.
The LocalUser cmdlets are new in PowerShell Vs. 5.1
Related
The PowerShell script below works fine when I run it manually in a machine, but it won't run when deployed using Intune. It simply shows an error.
I have deployed this script using Intune with these settings -
(1) Run this script using the logged on credentials: No. (2)
Enforce script signature check: No. (3)
Run script in 64 bit PowerShell Host: No
Tested the script in a Windows 10 computer by starting CMD as admin, it works fine. Creates the local account if it does not exists, if it exists it changes the password.
PS> PowerShell -Ex ByPass scriptname.ps1
I am not able to find any event log (under DeviceManagement-Enterprise-Diagnostics-Provider) or error under MDMDiagnostics logs in the Intune enrolled Windows 10 computer.
$ExpectedLocalUser = "SUPERMAN"
$Password = ConvertTo-SecureString "P#ssw0rd" -AsPlainText -Force
Function Create_LocalAdmin
{
New-LocalUser $ExpectedLocalUser -Password $Password -FullName "Local Admin" -Description "Local Administrator account."
Add-LocalGroupMember -Group "Administrators" -Member $ExpectedLocalUser
Set-LocalUser -Name $ExpectedLocalUser -PasswordNeverExpires:$true
}
Try
{
## Catch if not found
$LocaAdminUser = Get-LocalUser -Name $ExpectedLocalUser -ErrorAction Stop
## If an account is found update the password
Set-LocalUser -Name $ExpectedLocalUser -Password $Password -PasswordNeverExpires:$true
}
Catch
{
Create_LocalAdmin
}
#mathias-r-jessen Suggestion worked. Changed to start PS in 64 bit host, and it worked.
This question already has answers here:
Connecting to a network folder with username/password in Powershell
(3 answers)
Closed 4 years ago.
After connecting to remote computer and executing some powershell job, I need to save a text file with output to a remote server using powershell.
My file name is created depending on computer name and date.
$filename = '' + $enddate + '' + $name + ''
Output is:
$output = "\\10.0.50.8\Informatyka\Posnet_raporty"
There is a username and password to connect to folder "Posnet_raporty"
$username = "user"
$password = "pass"
I use 2 functions to create the file and have been trying to use the NET USE command to create a disc on the remote computer to save the file there, but it has failed ;/ (already mapped source from this adress, net use don't like it)
If ([int]$end1 -gt 30) {
$end1, $end2 | Out-File Q:\$filename'.txt'
}
else {
$end1, $end2 | Out-File Q:\'#'$filename'.txt'
}
The output of $end1 is a number (this does not apply to the question, but I prefer to write everything I can)
edit:
net use fail, can not work with this same source what is already mapped on computers. PSDrive is only accessible in PowerShell session.
I'm not totally clear on what you're trying to do, but if you want to map to a specific remote folder, you might want to use a PSDrive. These are like traditional mapped drives, but are by default only accessible in your PowerShell session. You can create one like this:
$userName = "domain\user"
$password = "Password"
$secPassword = ConvertTo-SecureString $password -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ($userName, $secPassword)
New-PSDrive -Name Q `
-PSProvider FileSystem `
-Credential $cred `
-Root \\ServerName\Share\Folder1\Folder2
The credentials are optional - the mapping will work ok if the current user already has permission to access the location.
You can then use it like any other drive:
Get-ChildItem Q: -File -Recurse
Disconnect afterwards, by doing this:
Remove-PSDrive -Name Q
We have a problem with a Service on a Server. So we decided to write a PS-Script that a "normal" User without Admin privileges can start this Service. I have practiced now 2 Day's on this little Script. I'm a newbie (Apprentice) in PS but im glad that it works when I run it as an Admin. But why the heck not as an User?
I have generated the "Secure" Password as follow:
"P#ssword1" | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString | Out-File "C:\Temp\Password.txt"
I took the SecureString and pasted it in my Script that looks like this:
$User = "DOMAIN\USER"
$PwHash = "01000000d08c9ddf0....."
$MyCredential=New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, ($PWHash | ConvertTo-SecureString)
Invoke-Command -ComputerName "MyServer" -ScriptBlock {Get-Service -Name "MyService" | Set-Service -Status Running} -Credential ($MyCredential)
The failure pops up by the $MyCredential row:
ConvertTo-SecureString: Key in specific Status is not valid.
I have nowhere read that for an ConvertTo... cmd are Admin rights needed.
Enable-PSRemoting is active on the specific Server.
Thanks for your time and engagement
Dirty.Stone
IMHO, you're going about this all wrong. This is an example of the kind of task you would use JEA (Just Enough Admin) for. Create a constrained, delegated session on the target server, configured with a function for starting or restarting that service and running under a local account that has permission to control the service, and then grant the non-admin users permission to use that session.
I'm trying to make a script, or just find a way, to use a .txt file that has a list of servers, and go through the list connected to each, or try to connect to each to see which servers belong to me. If I can connect, they're mine, if not then I need to send that server name to a file. There are 600+ servers so I can't enter credentials and have been trying to find a way using New-SSHSession that doesn't ask for -Username or -Password. What I have so far is below, I've just started PowerShell so my knowledge is limited, what you see is what I've been trying to get working before finally coming here.
#$pass = Get-Content C:\securestring.txt | ConvertTo-SecureString
$pass = Read-Host -AsSecureString "Enter Password"
$pass2 = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
[Runtime.InteropServices.Marshal]::SecureStringToBSTR($pass))
ForEach ($cname in Get-Content "C:\testingconnections\testconnect.txt")
{
New-SshSession -ComputerName $cname -Username $env:USERNAME -Password $pass2 *>> 'C:\testingconnections\error.txt'
Remove-SshSession $cname
}
I need to create a new local user account, and then add them to the local Administrators group. Can this be done in PowerShell?
EDIT:
# Create new local Admin user for script purposes
$Computer = [ADSI]"WinNT://$Env:COMPUTERNAME,Computer"
$LocalAdmin = $Computer.Create("User", "LocalAdmin")
$LocalAdmin.SetPassword("Password01")
$LocalAdmin.SetInfo()
$LocalAdmin.FullName = "Local Admin by Powershell"
$LocalAdmin.SetInfo()
$LocalAdmin.UserFlags = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$LocalAdmin.SetInfo()
I have this, but was wondering if there is anything more PowerShell-esque.
Another alternative is the old school NET USER commands:
NET USER username "password" /ADD
OK - you can't set all the options but it's a lot less convoluted for simple user creation & easy to script up in Powershell.
NET LOCALGROUP "group" "user" /add to set group membership.
As of PowerShell 5.1 there cmdlet New-LocalUser which could create local user account.
Example of usage:
Create a user account
New-LocalUser -Name "User02" -Description "Description of this account." -NoPassword
or Create a user account that has a password
$Password = Read-Host -AsSecureString
New-LocalUser "User03" -Password $Password -FullName "Third User" -Description "Description of this account."
or Create a user account that is connected to a Microsoft account
New-LocalUser -Name "MicrosoftAccount\usr name#Outlook.com" -Description "Description of this account."
Try using Carbon's Install-User and Add-GroupMember functions:
Install-User -Username "User" -Description "LocalAdmin" -FullName "Local Admin by Powershell" -Password "Password01"
Add-GroupMember -Name 'Administrators' -Member 'User'
Disclaimer: I am the creator/maintainer of the Carbon project.
As of 2014, here is a statement from a Microsoft representative (the Scripting Guy):
As much as we might hate to admit it, there are still no Windows
PowerShell cmdlets from Microsoft that permit creating local user
accounts or local user groups. We finally have a Desired State
Configuration (DSC ) provider that can do this—but to date, no
cmdlets.
Import-Csv C:\test.csv |
Foreach-Object {
NET USER $ _.username $ _.password /ADD
NET LOCALGROUP "group" $_.username /ADD
}
edit csv as username,password
and change "group" for your groupname
:) worked on 2012 R2
$sec_pass = ConvertTo-SecureString -String "SomePasword" -AsPlainText -Force
New-LocalUser -Name username -FullName username -PasswordNeverExpires -Password $sec_pass
Add-LocalGroupMember -Group Administrators -Member username