-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathSet-LocalUser.ps1
171 lines (140 loc) · 6.12 KB
/
Set-LocalUser.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
Function Set-LocalUser {
<#
.SYNOPSIS
Manage local user accounts on a computer or list of computers
.DESCRIPTION
This is a function to be used as a part of managing Local User accounts. It can be called from other scripts so that it is available in the following way:
. ./Set-LocalUser.ps1
Thanks to Reddit /u/Namaha, original author.
https://www.reddit.com/r/PowerShell/comments/2eum4f/function_to_create_andor_manipulate_a_local_user/?st=iwf81nka&sh=14b6a0
.PARAMETER UserName
This field is required and is assumed to be the first argument.
.PARAMETER ComputerName
A single computer name or list of names one per line. It can be populated from Active Directory by importing the proper module and running command as follows:
$Computers = Get-ADComputer -Filter { OperatingSystem -Like '*Server*' } -Properties OperatingSystem | Select -Expand DNSHostName
Then using this $Computers variable as the value of the -ComputerName parameter.
.PARAMETER Password
.PARAMETER Description
What should the user description be set to
.PARAMETER AddGroup
Set the group names that the user should be added to.
.PARAMETER Disable
Disable the account
.PARAMETER Enable
Enable the account
.PARAMETER Unlock
Unlock the account
.PARAMETER Remove
Remove the account
.PARAMETER PasswordNeverExpire
Set no expiration date on the password
.PARAMETER UserMustChangePassword
Force the password to be changed when next logging in.
.PARAMETER Verbose
Provide verbose output of what is happening.
.EXAMPLE Manage the Local Admin account for all servers on your Active Directory Domain
Import-Module ActiveDirectory
. .\Set-LocalUser.ps1
$Computers = Get-ADComputer -Filter { OperatingSystem -Like '*Server*' } -Properties OperatingSystem | Select -Expand DNSHostName
echo $Computers
Set-LocalUser -UserName MyAdmin -Password "S3c437" -PasswordNeverExpire -ComputerName $Computers -AddGroup Administrators -Verbose
.EXAMPLE
Set-LocalUser -UserName MyAdmin -Remove
.EXAMPLE
# USAGE Example:
# Add a "TestAdmin" account to a list of computers and add to the local Administrators group
$serverList = get-content "C:\servers.txt"
Set-LocalUser "TestAdmin" -Password "Password123" -ComputerName $serverList -AddGroup "Administrators"
.EXAMPLE
# Disable local machine's "TestUser" account.
Set-LocalUser "TestUser" -Disable
.NOTES
Must be run with Administrative credentials
#>
[CmdletBinding(SupportsShouldProcess=$true)]
param
(
[Parameter(Mandatory=$True,Position=1)]
[string[]]$UserName,
[Parameter(Mandatory=$False)]
[string[]]$ComputerName,
[Parameter(Mandatory=$False)]
[string]$Password,
[Parameter(Mandatory=$False)]
[string]$Description,
[Parameter(Mandatory=$False)]
[string[]]$AddGroup,
[Switch]$Disable,
[Switch]$Enable,
[Switch]$Unlock,
[Switch]$Remove,
[Switch]$PasswordNeverExpire,
[Switch]$UserMustChangePassword
)
#If the $computerName parameter is omitted, default to the current machine
if(!$ComputerName) {
$ComputerName = $env:COMPUTERNAME
}
foreach($server in $ComputerName) {
Write-Verbose "---------------------------------------"
Write-Output "Starting on $server"
foreach($UID in $UserName) {
Write-Verbose "User: $UID"
#gets computer info for $server
$computer = [ADSI]"WinNT://$server,computer"
#removes the user
if($Remove -and $pscmdlet.ShouldProcess("$Server","Remove user `"$UID`"")) {
$computer.delete("user",$UID)
Write-Verbose "Removed Account"
continue
}
#creates the user if it does not already exist
if(![ADSI]::Exists("WinNT://$server/$UID") -and $pscmdlet.ShouldProcess("$Server","Create user `"$UID`"")){
$user = $computer.Create("user", $UID)
$user.SetPassword($Password)
$user.Setinfo()
}
else {
$user = [ADSI]"WinNT://$server/$UID"
Write-Verbose "Account Already Exists"
}
if($Password -and $pscmdlet.ShouldProcess("$Server","Set Password of `"$UID`"")) {
$user.SetPassword($Password)
$user.Setinfo()
}
if($Description -and $pscmdlet.ShouldProcess("$Server","Set Description `"$Description`" for user `"$UID`"")) {
$user.description = $Description
$user.setinfo()
}
if($UserMustChangePassword -and $pscmdlet.ShouldProcess("$Server","Force user `"$UID`" to change password on next login")) {
$user.PasswordExpired = 1
$user.Setinfo()
}
if($Enable -and $pscmdlet.ShouldProcess("$Server","Enable user `"$UID`"")) {
$user.userflags = 512
$user.SetInfo()
}
if($Disable -and $pscmdlet.ShouldProcess("$Server","Disable user `"$UID`"")) {
#Disables the user
$user.userflags.value = $user_acc.userflags.value -bor "0x0002"
$user.SetInfo()
}
if($Unlock -and $pscmdlet.ShouldProcess("$Server","Unlock user `"$UID`"")) {
$user.IsAccountLocked = $False
$user.SetInfo()
}
if($PasswordNeverExpire -and $pscmdlet.ShouldProcess("$Server","Set password for `"$UID`" to never expire")) {
#sets user's password to never expire
$user.UserFlags.value = $user.UserFlags.value -bor 0x10000
$user.CommitChanges()
}
#adds user to local group(s)
if($AddGroup -and $pscmdlet.ShouldProcess("$Server","Add user `"$UID`" to $AddGroup group")) {
foreach($group in $AddGroup) {
$objGroup = [ADSI]("WinNT://$server/$Group")
$objGroup.PSBase.Invoke("Add",$user.PSBase.Path)
}
}
}
}
}