microsoft_windows:adduser_powershell

Differences

This shows you the differences between two versions of the page.

microsoft_windows:adduser_powershell [2025/05/15 18:39] – created rodolico
microsoft_windows:adduser_powershell [2025/05/16 01:18] (current) rodolico
Line 1: Line 1:
 ====== Add/Update User with PowerShell ====== ====== Add/Update User with PowerShell ======
  
 +===== Discussion =====
 We needed a way to automatically update a local user on a bunch of systems which were not on an Active Directory configuration. We had remote access, and the ability to run PowerShell scripts as an administrator. We needed a way to automatically update a local user on a bunch of systems which were not on an Active Directory configuration. We had remote access, and the ability to run PowerShell scripts as an administrator.
  
 It should not be interactive at all. It should not be interactive at all.
  
-The first step is to generate a password hash (what Windows callas a SecureString) so we are not passing around passwords in plaintext.+===== Generate password hash =====
  
-<code powershell genPass.ps>+The first step is to generate a password hash (what Windows calls a SecureString) so we are not passing around passwords in plaintext.  
 + 
 +<code powershell genPass.ps1>
 $password = ConvertTo-SecureString -String "password" -AsPlainText -Force $password = ConvertTo-SecureString -String "password" -AsPlainText -Force
 $plain = convertFrom-securestring -securestring $password $plain = convertFrom-securestring -securestring $password
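Review bot: the new "Generate password hash" heading and the sentence under it call the output of ConvertFrom-SecureString a hash, but it is not one. Without -Key or -SecureKey, ConvertFrom-SecureString protects the string with DPAPI, so the long hex value is reversible (it is the password for anyone who can decrypt it) and it only decrypts for the same Windows user on the same machine that produced it; ConvertTo-SecureString will fail on any other host. Suggest calling it an "encrypted string" and stating the same-user, same-machine limitation here, since the rest of the page assumes the value can be moved between systems.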
Line 13: Line 16:
 </code> </code>
  
-The final line will give a very long hex number, which is the hash of the password ("password" in first line). Paste that where the script has "Very Long Hex String from above" (keep the quotes around it). Adjust username and/or group, then simply run the script in powershell with admin rights.+The final line will give a very long hex number, which is the hash of the password ("password" in first line)
 + 
 +===== Download and Modify script ===== 
 + 
 +Download the following Powershell file and edit in your favorite text editor. Paste the output of the previouss code into this script where the script has "Very Long Hex String from above" (keep the quotes around it). 
 + 
 +Adjust the following to your needs 
 +  * $password: Replace //Very Long Hex String from above// with the hash from the previous step 
 +  * $user: This will be the username you log in as 
 +  * $group: The group to add the user to 
 +  * $fullname: The display name of the user (optional) 
 +  * $description: A description of the user (optional)
  
-<code powershell adduser.ps>+<code powershell adduser.ps1>
 # script to add a local user with admin privileges on a Windows machine # script to add a local user with admin privileges on a Windows machine
 # Generate the password hash with the following three lines (after changing "password" # Generate the password hash with the following three lines (after changing "password"
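Review bot: typo in the added line "Paste the output of the previouss code" (should be "previous"), and "Download the following Powershell file" has no download link on the page; as the script is meant to be copied and pasted, "Copy the following script" would match the "Run the code" section. The unchanged script comment "# Generate the password hash with the following three lines (after changing "password"" now duplicates the new "Generate password hash" section and could just refer to it, so the two do not drift apart.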
Line 30: Line 44:
  
 $password = ConvertTo-SecureString -String "Very Long Hex String from above" $password = ConvertTo-SecureString -String "Very Long Hex String from above"
- 
 $user = 'test' $user = 'test'
 $group = "Administrators" $group = "Administrators"
 +$fullname = "Test Account"
 +$description = 'Test Account'
  
 # Check if user exists # Check if user exists
 if (-not (Get-LocalUser -Name $user -ErrorAction SilentlyContinue)) { if (-not (Get-LocalUser -Name $user -ErrorAction SilentlyContinue)) {
     try {     try {
-        New-LocalUser -Name $user  -Password $password -FullName 'Test Account' -Description 'Test Account' -PasswordNeverExpires+        New-LocalUser -Name $user  -Password $password -FullName $fullname -Description $description -PasswordNeverExpires
         Write-Host "User '$user' created."         Write-Host "User '$user' created."
     } catch {     } catch {
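Review bot: `$password = ConvertTo-SecureString -String "Very Long Hex String from above"` has no error handling, so if the pasted value is still the placeholder or was produced on another machine (no -Key), the conversion errors and $password is empty before the user check runs; suggest wrapping that line in its own try/catch that aborts with a clear message rather than reaching New-LocalUser with a null password. The defaults $user = 'test', $fullname = "Test Account" and $group = "Administrators" also mean the script pasted unchanged creates an administrator named test; a guard such as `if ($user -eq 'test') { throw "Set `$user before running" }` would catch that. Lastly, -PasswordNeverExpires on a member of Administrators is a deliberate policy choice and deserves a line in the Discussion section.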
Line 65: Line 80:
     Write-Warning "Failed to add user '$user' to group '$group': $_"     Write-Warning "Failed to add user '$user' to group '$group': $_"
 } }
- 
 </code> </code>
 +
 +===== Run the code =====
 +
 +You can run the code by opening PowerShell as Administrator, then copying/pasting directly into the window. This avoids the need to specifically allow power shell script execution. The same code can be used on multiple machines.
 +
 +===== Enhancements =====
 +
 +Note, if the password hash is to be transported over public media (e-mail, ftp, chat), you may want add the -Key or -SecureKey parameters to the encoding (ConvertTo-SecureString) and decoding (ConvertTo-SecureString) commands.
 +
 +-SecureKey appearantly uses single pad encryption to further secure the key. See https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring for details.
 +
 +===== Links =====
 +  * https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/set-localuser?view=powershell-5.1
 +  * https://www.danielengberg.com/powershell-script-add-user-to-local-admin-group/
 +  * https://stackoverflow.com/questions/49595003/checking-if-a-local-user-account-group-exists-or-not-with-powershell
 +  * https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.5
 +  * https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/get-localuser?view=powershell-5.1
 +  * https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring
 +
 +Also, thanks to DavidN for tightening it up a little for me.
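Review bot: the Enhancements paragraph names ConvertTo-SecureString for both the encoding and the decoding command; the encoding step in genPass.ps1 is ConvertFrom-SecureString. The statement that -SecureKey "appearantly uses single pad encryption" is not what the linked page says: when -Key or -SecureKey is supplied, both cmdlets use AES with a 16, 24 or 32-byte key, and without a key they use DPAPI. That DPAPI behaviour also qualifies "The same code can be used on multiple machines" in the Run the code section: the string from genPass.ps1 only decrypts for the generating user on the generating machine, so reuse across hosts requires -Key/-SecureKey on both sides, with the key sent by a different channel than the encrypted string (sending both together gives no protection). Typos: "appearantly" should be "apparently" and "may want add" should be "may want to add".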
microsoft_windows/adduser_powershell.1747352374.txt.gz · Last modified: 2025/05/15 18:39 by rodolico