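# Script to add a local user with admin privileges on a Windows machine.
#
# Creating local accounts and changing group membership requires an elevated
# (administrator) PowerShell session.
#
# Generate the protected password string with the following three lines
# (after changing "password"):
#
#   $password = ConvertTo-SecureString -String "password" -AsPlainText -Force
#   $plain = ConvertFrom-SecureString -SecureString $password
#   $plain
#
# NOTE: the output is NOT a password hash. Without -Key/-SecureKey,
# ConvertFrom-SecureString encrypts the value with Windows DPAPI, so the
# string can only be turned back into a SecureString by the same user account
# on the same computer that produced it. It will fail to decrypt elsewhere.
#
# NOTE: typing the plaintext password on the command line may leave it in
# console history or transcripts. `Read-Host -AsSecureString` avoids that when
# generating the string interactively.
#
# Paste the output into -String below.
# Adjust the user and which group to add them to.
# If the user already exists, creation is skipped (with a message).
# The password is updated no matter what.
# If the user is already in the group, the add is skipped (with a message).

$password = ConvertTo-SecureString -String "Very Long Hex String from above"
$user = 'test'
$group = "Administrators"
$fullname = "Test Account"
$description = 'Test Account'

# Check if user exists
if (-not (Get-LocalUser -Name $user -ErrorAction SilentlyContinue)) {
    try {
        # -ErrorAction Stop turns non-terminating cmdlet errors into terminating
        # ones; without it the catch block below would not run and the success
        # message would be printed even though creation failed.
        #
        # NOTE(review): -PasswordNeverExpires on a member of a privileged group
        # exempts the account from password-age policy; confirm this is intended
        # and that the account is tracked and removed when no longer needed.
        New-LocalUser -Name $user -Password $password -FullName $fullname -Description $description -PasswordNeverExpires -ErrorAction Stop
        Write-Host "User '$user' created."
    } catch {
        Write-Warning "Failed to create user '$user': $_"
    }
} else {
    Write-Host "User '$user' already exists."
}

# Set (or reset) the password.
# This runs on every invocation, so an existing account's password is
# overwritten with the value configured above.
try {
    Set-LocalUser -Name $user -Password $password -ErrorAction Stop
    Write-Host "Password updated for user '$user'."
} catch {
    Write-Warning "Failed to update password: $_"
}

# Add to local group if not already a member.
# With account-management auditing enabled, these operations are recorded in
# the Security log (4720 account created, 4724 password reset attempt,
# 4732 member added to a security-enabled local group).
try {
    if (-not (Get-LocalGroupMember -Group $group -Member $user -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group $group -Member $user -ErrorAction Stop
        Write-Host "User '$user' added to group '$group'."
    } else {
        Write-Host "User '$user' is already in group '$group'."
    }
} catch {
    Write-Warning "Failed to add user '$user' to group '$group': $_"
}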