PerserPolis-1732 asked PerserPolis-1732 edited

Issue with PowerShell script to create a domain AD user and add that user to the client machine as local Admin user

Hi Guys,

The following script creates a local Admin user with a username suffix on the local client machine.



Is there a way to use that script to create a local admin user in AD with a domain username (for example username+UsernameSuffix)?
I mean either I create a new domain user username+UsernameSuffix, or I add a UsernameSuffix to the existing AD user.

For Example:

I have an existing domain AD user currently called "ayarda"; the script should create a new AD user called "ayardaMaster", and that newly created user should be added to the client machine as a "local Admin user".

Is that possible?

Regards





Tags: windows-server, windows-server-powershell

I'm assuming you want an account that has total control over the machine.

The "local admin user" would have a well-known SID that ends in "-500". There's probably already a user with that SID in the local Security Account Management database.

sdwheeler answered PerserPolis-1732 commented

You can create a user in AD with New-ADUser.



I know that, but it is not my question

NewbieJones-6218 answered NewbieJones-6218 commented

I thought best practice for this is to add a domain group into the local administrators group, controlled by group policy. This way you can target certain builds or devices in OUs and avoid having scripts with fairly high-level permissions.

You can then add the domain account into the domain group to control the local admin access as part of your standard user setup. Be that via scripts or manually.

I'm not sure exactly what you are trying to do here. So I'm assuming we are talking about domain-controlled PCs in this scenario.

I like PowerShell but when you can do something via another (and possibly more secure) method, then it's worth mentioning.


Please read my question. I want to create a domain username with a prefix.


I did read the question, but just couldn't work out what you are really trying to achieve, so couldn't give you a decent answer to your problem.

When you say suffix, what do you mean? UPN suffix or some other AD attribute. If it can be set, it will be via Set-ADUser. If you want to create an account, it will be via New-ADUser.

In your example, you ask if it's possible. I would say yes, using either Set-ADUser to amend the existing account, or New-ADUser to build a new one using the variables you already have in your script. Still need to confirm what you mean by suffix though. Is that just the logon name, displayName, or some other AD attribute? The account running the script needs the permissions to create\update accounts.

If you want to create or update a domain user from a PowerShell script, then you will need to use the AD cmdlets. Although you say you know that, and that is not your question. In which case, can you please clarify your question?

Creating local admin accounts this way sounds like a nightmare to support though.
For example, we disable the local administrator account, create a new local administration account, and add it to the local administrators group. We also add the domain "client admin" group to both the local administrators group and remote desktop group. All of this is done via Group Policy. No scripting involved.

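As an added example (not a script from any poster in this thread), this is the New-ADUser plus local-Administrators flow the question and the last comment describe: derive `ayardaMaster` from the existing `ayarda` account, create it only if absent, and add it to the client's local Administrators group. It assumes the ActiveDirectory module, AD create rights, local admin and WinRM on the target client; the parameter names and the `-Suffix` default are this example's own.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example, not a poster's script. Assumptions (not from the thread):
  the caller has rights to create AD users, is a local admin on the client,
  and WinRM is enabled on the client.
#>
param(
    [Parameter(Mandatory)] [string]       $ExistingUser,   # e.g. ayarda
    [string]                              $Suffix = 'Master', # ayarda -> ayardaMaster
    [Parameter(Mandatory)] [string]       $ComputerName,   # client to grant local admin on
    [Parameter(Mandatory)] [securestring] $Password        # initial password for the new account
)

# Use the existing account as the template for the new one.
$base      = Get-ADUser -Identity $ExistingUser -Properties GivenName, Surname, UserPrincipalName
$domainDns = $base.UserPrincipalName.Split('@')[1]
$newSam    = "$($base.SamAccountName)$Suffix"

# Create the domain account only if it does not already exist (idempotent re-runs).
if (-not (Get-ADUser -Filter "SamAccountName -eq '$newSam'")) {
    New-ADUser -Name $newSam -SamAccountName $newSam `
        -UserPrincipalName "$newSam@$domainDns" `
        -GivenName $base.GivenName -Surname $base.Surname `
        -Path ($base.DistinguishedName -replace '^CN=[^,]+,', '') `
        -AccountPassword $Password -Enabled $true
}

# Add DOMAIN\newSam to the client's local Administrators group, skipping if present.
$netbios = (Get-ADDomain).NetBIOSName
$member  = "$netbios\$newSam"
Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    param($m)
    $present = Get-LocalGroupMember -Group 'Administrators' | Where-Object Name -eq $m
    if (-not $present) { Add-LocalGroupMember -Group 'Administrators' -Member $m }
} -ArgumentList $member
```

This does what the question asks; the thread's own recommendation of a domain group granted via Group Policy avoids running a script with these rights at all.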