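# Script to create or update a local user with a secure password.
# Checks whether a local user exists, creates it if not, sets the password,
# and ensures the user is a member of the requested local group.
#
# The two directives below must be written exactly as "#Requires" (no space):
# "# Requires ..." is an ordinary comment that PowerShell ignores, so the
# elevation check would silently never run.
#Requires -Version 5.1
#Requires -RunAsAdministrator
#
# SECURITY: both the AES key and the encrypted password are stored in this
# file in plaintext. Anyone who can read the script can reverse the
# "encryption" and recover the original password. Treat the password as
# OBSCURED, NOT SECURED: keep this file out of source control, restrict its
# NTFS ACL to the account that runs it, and delete it when no longer needed.
# Intended for use with makepass.ps1, which generates the password and key
# and saves the password encrypted.

# ----------------------------------------------------------------------------
# Inputs: set $userName, $key and the encrypted password blob before running.
# ----------------------------------------------------------------------------

# Username of the account to create or update. Must be a valid Windows local
# account name (no  " / \ [ ] : ; | = , + * ? < > @  and at most 20 chars).
$userName = "Enter Username Here"

# Contents of the aes.key file produced by makepass.ps1: 32 newline-separated
# bytes. Replace the newlines with commas and paste the list below.
# Example: 96,255,122,11,73,230,146,112,214,11,216,253,111,225,240,99,181,82,26,48,245,158,216,219,236,151,62,127,98,155,136,68
# The key must be exactly 32 bytes (AES-256); this is checked below.
# The value shipped here (1..32) is a SAMPLE ONLY and must be replaced.
$key = [Byte[]](1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32)

# Contents of encrypted_password.txt, in quotes: the output of
# ConvertFrom-SecureString -Key using the same key.
# Example: '76492d1116743f0423413b.....16050a5345AzADgANQBjAA==' (dots = truncated)
# Note: the encrypted password string ends with '==' when it is base64 padded.
$encryptedPassword = 'contents of encrypted_password.txt'

$fullName    = ""   # Full name for the user; defaults to the username if empty.
$description = ""   # Description for the user; defaults to "User created by script" if empty.
$localGroup  = ""   # Group to add the user to; defaults to "Users" if empty.
                    # Use "Administrators" only when admin access is really required.

# ----------------------------------------------------------------------------
# Validate inputs before touching the local account database.
# ----------------------------------------------------------------------------

# Refuse to run with the placeholder username still in place.
if ([string]::IsNullOrWhiteSpace($userName) -or $userName -eq "Enter Username Here") {
    Write-Error "Set `$userName to the account you want to create or update before running this script."
    exit 1
}

# Windows rejects these characters (and names longer than 20 characters) in
# local account names; failing early gives a clearer message than the error
# New-LocalUser would raise.
if ($userName -match '["/\\\[\]:;|=,+*?<>@]' -or $userName.Length -gt 20) {
    Write-Error "Username '$userName' contains characters Windows does not allow in account names, or is longer than 20 characters."
    exit 1
}

# ConvertTo-SecureString -Key accepts 16/24/32 bytes; this script documents
# 32 bytes (AES-256) to match makepass.ps1, so enforce that.
if ($key.Count -ne 32) {
    Write-Error "`$key must be exactly 32 bytes (got $($key.Count))."
    exit 1
}

# Refuse to run with the placeholder password blob still in place.
if ($encryptedPassword -eq 'contents of encrypted_password.txt') {
    Write-Error "Paste the contents of encrypted_password.txt into `$encryptedPassword before running this script."
    exit 1
}

# Decrypt the stored password into a SecureString. A wrong key or a corrupted
# blob throws here; catch it so the failure is reported as a single clear
# message instead of a raw .NET exception.
try {
    $securePassword = $encryptedPassword | ConvertTo-SecureString -Key $key -ErrorAction Stop
} catch {
    Write-Error "Could not decrypt the stored password (wrong key or corrupted blob): $_"
    exit 1
}

# Apply defaults for the optional settings.
if (-not $fullName)    { $fullName    = $userName }
if (-not $description) { $description = "User created by script" }
if (-not $localGroup)  { $localGroup  = "Users" }

# ----------------------------------------------------------------------------
# Create or update the account.
# ----------------------------------------------------------------------------

$existingUser = Get-LocalUser -Name $userName -ErrorAction SilentlyContinue

if ($existingUser) {
    # User exists: only the password is updated.
    # -ErrorAction Stop is required: Set-LocalUser raises non-terminating
    # errors by default, which try/catch would otherwise never see.
    try {
        Set-LocalUser -Name $userName -Password $securePassword -ErrorAction Stop
    } catch {
        Write-Error "Failed to set password for user '$userName': $_"
        exit 1
    }
} else {
    # User does not exist: create it with the password in one step.
    try {
        New-LocalUser -Name $userName -Password $securePassword -FullName $fullName -Description $description -ErrorAction Stop
    } catch {
        Write-Error "Failed to create user '$userName': $_"
        exit 1
    }
}

# ----------------------------------------------------------------------------
# Ensure group membership. A missing group is reported by Add-LocalGroupMember.
# ----------------------------------------------------------------------------

if (-not (Get-LocalGroupMember -Group $localGroup -Member $userName -ErrorAction SilentlyContinue)) {
    try {
        Add-LocalGroupMember -Group $localGroup -Member $userName -ErrorAction Stop
    } catch {
        Write-Error "Failed to add user '$userName' to group '$localGroup': $_"
        exit 1
    }
}

# Output success message (never echo the password itself).
Write-Host "User '$userName' has been created or updated successfully with the specified password." -ForegroundColor Green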