We needed a way to automatically update a local user on a bunch of systems which were not on an Active Directory configuration. We had remote access, and the ability to run PowerShell scripts as an administrator.
It should not be interactive at all.
The first step is to generate a password hash (what Windows calls a SecureString) so we are not passing around passwords in plaintext.
```powershell
$password = ConvertTo-SecureString -String "password" -AsPlainText -Force
$plain = ConvertFrom-SecureString -SecureString $password
$plain
```
The final line will print a very long hex string, which is the hash of the password (“password” in the first line).
Download the following PowerShell file and edit it in your favorite text editor. Paste the output of the previous code into this script where it has “Very Long Hex String from above” (keep the quotes around it).
Adjust the following to your needs:
```powershell
# script to add a local user with admin privileges on a Windows machine
# Generate the password hash with the following three lines (after changing "password")
#
# $password = ConvertTo-SecureString -String "password" -AsPlainText -Force
# $plain = ConvertFrom-SecureString -SecureString $password
# $plain
#
# paste the output into -String below
# adjust the user and which group to add them to.
# if user already exists, will ignore (with message)
# password is updated no matter what
# if user is already in group, will ignore (with message)
$password = ConvertTo-SecureString -String "Very Long Hex String from above"
$user = 'test'
$group = "Administrators"
$fullname = "Test Account"
$description = 'Test Account'

# Check if user exists
if (-not (Get-LocalUser -Name $user -ErrorAction SilentlyContinue)) {
    try {
        New-LocalUser -Name $user -Password $password -FullName $fullname -Description $description -PasswordNeverExpires
        Write-Host "User '$user' created."
    } catch {
        Write-Warning "Failed to create user '$user': $_"
    }
} else {
    Write-Host "User '$user' already exists."
}

# Set (or reset) the password
try {
    Set-LocalUser -Name $user -Password $password
    Write-Host "Password updated for user '$user'."
} catch {
    Write-Warning "Failed to update password: $_"
}

# Add to local group if not already a member
try {
    if (-not (Get-LocalGroupMember -Group $group -Member $user -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group $group -Member $user
        Write-Host "User '$user' added to group '$group'."
    } else {
        Write-Host "User '$user' is already in group '$group'."
    }
} catch {
    Write-Warning "Failed to add user '$user' to group '$group': $_"
}
```
You can run the code by opening PowerShell as Administrator, then copying/pasting it directly into the window. This avoids the need to specifically allow PowerShell script execution. The same code can be used on multiple machines.
Note: if the password hash is to be transported over public media (e-mail, FTP, chat), you may want to add the -Key or -SecureKey parameter to both the encoding (ConvertFrom-SecureString) and decoding (ConvertTo-SecureString) commands.
-SecureKey apparently uses single pad encryption to further secure the key. See https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring for details.
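The -Key variant in practice, as an added example that is not part of the original post: without -Key, ConvertFrom-SecureString protects the string with DPAPI under the account and machine that ran it, so a string encoded on one box will not decode under a different account elsewhere; an explicit key makes the encoded string portable, at the cost that the key itself is now the secret and must travel separately from the script. The key size (32 bytes, AES-256) and the round-trip check are assumptions of this example; the $password it produces drops straight into the New-LocalUser / Set-LocalUser lines of the script above.

```powershell
# Added example, not the original post's code.
# --- Run once, on the machine where you prepare the script ---
# 32 random bytes = AES-256 key; ConvertFrom-SecureString -Key also accepts 16 or 24.
$keyBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($keyBytes)
$keyBase64 = [Convert]::ToBase64String($keyBytes)   # send this by a different channel than the script

$secure  = ConvertTo-SecureString -String "password" -AsPlainText -Force
$encoded = ConvertFrom-SecureString -SecureString $secure -Key $keyBytes
$encoded      # paste into the script's -String "..." in place of the DPAPI-bound hex string
$keyBase64    # the script needs this to decode; anyone holding both recovers the password

# --- On each target machine, in place of the script's first $password line ---
$keyBytes = [Convert]::FromBase64String($keyBase64)
$password = ConvertTo-SecureString -String $encoded -Key $keyBytes
# $password now works with New-LocalUser -Password / Set-LocalUser -Password as in the script.

# Round-trip check (works on Windows PowerShell 5.1 and PowerShell 7):
# decode the SecureString back to plaintext and confirm it matches, then scrub the buffer.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
if ($plain -ne "password") { throw "round-trip failed: key or encoded string does not match" }
Write-Host "Encoded string decodes correctly with the supplied key."
```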
Also, thanks to DavidN for tightening it up a little for me.