How to Create Local Admin account on Remote Windows Server 2003 and 2008

    • #1322647
      Nick
      Participant
      Post count: 7
      Member Points: 592
      Rank: Level 2

      I am trying to create a local administrator account on a remote Windows Server 2003 and 2008. I am trying to list all the remote servers in a text file and then run a PowerShell script which executes on each server in the text file and creates a local administrator account. Currently, my script runs with an account that already has administrator rights on the remote systems.

      I am not able to create a local admin account remotely on Windows 2003 and 2008 servers. How can I accomplish this?

      Below is the script:

      #Define variables
      $computers = Get-Content C:\Computers.txt
      $username = "test_user"
      $password = "xyz"
      $fullname = "local admin account"
      $local_security_group = "Administrators"
      $description = "Description"

      Foreach ($computer in $computers) {
          $users = $null
          $comp = [ADSI]"WinNT://$computer"

          #Check if username exists
          Try {
              $users = $comp.psbase.children | select -expand name
              if ($users -like $username) {
                  Write-Host "$username already exists on $computer"
              }
              else {
                  #Create the account
                  $user = $comp.Create("User", "$username")
                  $user.SetPassword("$password")
                  $user.Put("Description", "$description")
                  $user.Put("Fullname", "$fullname")
                  $user.SetInfo()
                  #Set password to never expire
                  #And set user cannot change password
                  $ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
                  $ADS_UF_PASSWD_CANT_CHANGE = 0x40
                  $user.userflags = $ADS_UF_DONT_EXPIRE_PASSWD + $ADS_UF_PASSWD_CANT_CHANGE
                  $user.SetInfo()

                  #Add the account to the local admins group
                  $group = [ADSI]"WinNT://$computer/$local_security_group,group"
                  $group.add("WinNT://$computer/$username")

                  #Validate whether user account has been created or not
                  $users = $comp.psbase.children | select -expand name
                  if ($users -like $username) {
                      Write-Host "$username has been created on $computer"
                  }
                  else {
                      Write-Host "$username has not been created on $computer"
                  }
              }
          }
          Catch {
              #$computer is a plain string from Get-Content, so it has no .path property;
              #${computer}: keeps the colon from being parsed as part of the variable name
              Write-Host "Error creating $username on ${computer}: $($Error[0].Exception.Message)"
          }
      }

    • #1323624
      Mike Kanakos
      Participant
      Member Points: 2,201
      Author of the Year 2019
      Rank: Level 3

      Hi Nick,

      I have some scripts you can use for Server 2008 and above. You can browse to https://github.com/compwiz32/PowerShell/tree/master/Active-Directory and look for:
      Add-MKLocalGroupMember
      Get-MKLocalGroupMember
      Remove-MKLocalGroupMember

      The above scripts are functions, so you’ll need to load them into memory first in order to use them.

      For Server 2003, PowerShell isn’t installed by default so you would have to install it to use PowerShell cmdlets. Even then, you’ll be very limited. For 2003 you can always fall back to the old school commands:
      net localgroup administrators username /add

      • #1326336
        Nick
        Participant
        Post count: 7
        Member Points: 592
        Rank: Level 2

        @mkanakos @michael-pietroforte @paolo The user I am trying to create is not an AD user. I have to create a new user and add the user to the local Administrators group.

        • #1326343
          Mike Kanakos
          Participant
          Member Points: 2,201
          Author of the Year 2019
          Rank: Level 3

          I think you would need to use the NET USER command to create the account.

           

          Then you could run the command I mentioned the first time:

          to add the new user to the local admins group.

          I believe you can still use PowerShell to do this:

          However, you might need to do it in multiple passes.

           

        • #1327764
          Paolo Maffezzoli
          Participant
          Post count: 446
          Member Points: 41,075
          4sysops member of the year 2018, Member of the Year 2019
          Rank: Level 4

          Old-school commands for a new local user with local administrative permissions:

          net user username password /ADD /fullname:"User description"
          net localgroup administrators username /add

    • #1327773
      Paolo Maffezzoli
      Participant
      Post count: 446
      Member Points: 41,075
      4sysops member of the year 2018, Member of the Year 2019
      Rank: Level 4

      Otherwise use PowerShell commands as suggested by Mike…

    • #1328949
      Nick
      Participant
      Post count: 7
      Member Points: 592
      Rank: Level 2

      @paolo @mkanakos How can I remotely execute the commands in a secure way from one server onto another server, both when they are not on the same domain and when they are on the same domain?

      I have Windows 2003 and 2008 servers to deal with.

      • #1328955
        Paolo Maffezzoli
        Participant
        Post count: 446
        Member Points: 41,075
        4sysops member of the year 2018, Member of the Year 2019
        Rank: Level 4

        A possible solution could be to first create a batch script and then run it with the target admin credentials.

    • #1329007
      David Figueroa
      Participant
      Post count: 12
      Member Points: 2,622
      Rank: Level 3

      @nikhilb There are a few ways to do this between the machines. This all assumes they are on the same network (they can speak to each other over SMB).

      Assuming they are on the same physical network, you can use psexec.exe and pass the credentials into it.

      I’d create the batch file to handle both steps together (it will require the password for the new user to be embedded in the file).

      So, assuming your computer text list is just that, this should work.

      You may need to prepend \\ in front of each computer name in the file (it’s been a long time, I just don’t remember). If you don’t want to bother, then you could do it this way:

       

      Another way would be to use your account to copy the batch file on to each of the systems and create a scheduled task to run the batch file with the system account.

      The 14:00 would be whatever time you want it to run, maybe 2-3 minutes after you start it. Then, when complete, delete the batch file so you don’t leave the stored password out there.

      If you want to make this more secure, then you could add randomized passwords to your text file and make it comma delimited. If you go that route, you won’t need the batch file to copy, just 2 passes with psexec.

      This is the most secure version since you won’t be leaving the password in plaintext to the accounts on the servers themselves.

       

      David F.

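An added example, not code from the thread or from any of the posters: it combines Nick's WinNT ADSI approach with David's idea of a random password per host. The bind to each server uses an admin credential prompted once with Get-Credential instead of the caller's token, and the generated passwords are written with Export-Clixml, which protects SecureStrings with DPAPI for the current user on the current machine, so no password is ever written to disk in plain text. The paths C:\Computers.txt and C:\NewAdmins.xml, the account name test_user and the New-RandomPassword helper are assumptions. As David points out later in the thread, the admin password still travels to each server during the bind; what this buys is that the only plain-text copy lives in the operator's process memory.

```powershell
# Added example (not from the thread). Assumed inputs: C:\Computers.txt with one
# host per line; output C:\NewAdmins.xml (DPAPI-protected record of new passwords).
$computers = Get-Content C:\Computers.txt
$username  = "test_user"
$outFile   = "C:\NewAdmins.xml"

# Credential that already has admin rights on the targets; prompted, not stored in the script.
$cred      = Get-Credential
$adminUser = $cred.UserName
$adminPass = $cred.GetNetworkCredential().Password   # plain text only in memory, for the ADSI bind

# Hypothetical helper: random password from a CSPRNG (small modulo bias, fine for a bootstrap password).
function New-RandomPassword {
    param([int]$Length = 20)
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    $chars = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%&*+-=?@"
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

$results = @{}
foreach ($computer in $computers) {
    try {
        # Bind with explicit credentials (DirectoryEntry path, user, password) instead of the caller's token
        $comp = New-Object System.DirectoryServices.DirectoryEntry("WinNT://$computer", $adminUser, $adminPass)
        $existing = $comp.psbase.Children |
            Where-Object { $_.psbase.SchemaClassName -eq "User" } |
            ForEach-Object { $_.psbase.Name }
        if ($existing -contains $username) {
            Write-Host "$username already exists on $computer"
            continue
        }

        $password = New-RandomPassword
        $user = $comp.Create("User", $username)
        $user.SetPassword($password)
        $user.SetInfo()

        $group = New-Object System.DirectoryServices.DirectoryEntry("WinNT://$computer/Administrators,group", $adminUser, $adminPass)
        $group.Add("WinNT://$computer/$username,user")

        # Keep the new password only as a SecureString so Export-Clixml encrypts it
        $results[$computer] = ConvertTo-SecureString $password -AsPlainText -Force
        Write-Host "$username created on $computer and added to Administrators"
    }
    catch {
        Write-Host "Error on ${computer}: $($_.Exception.Message)"
    }
}

# DPAPI-protected record; readable only by this user on this machine
$results | Export-Clixml -Path $outFile
```

To read a password back later, use Import-Clixml on the same machine as the same user and convert the SecureString with a PSCredential object; the file is useless if copied elsewhere. The random password is generated per host, so a leaked value from one server does not open the others.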
      • #1331667
        Nick
        Participant
        Post count: 7
        Member Points: 592
        Rank: Level 2

        @figueroa2david @michael-pietroforte Here in this command, for /f "tokens=1,2 delims=," %f in (computerlist.txt) do psexec -h \\%f -u <username> -p <password> net user <username> %g /add /description "local user or whatever text"

        <username> and <password> are still given as plain text in the above command even though the computers and passwords are given in computerlist.txt. How can we give them without plain text?

        I would like to eliminate all the plain-text passwords in my psexec commands.

        Please elaborate.

    • #1334687
      David Figueroa
      Participant
      Post count: 12
      Member Points: 2,622
      Rank: Level 3

      The problem is you can’t. The restriction of dealing with Windows 2003/2008 severely limits your ability to do this. You end up having to rely on the PsTools and they require that you put in the password. In the last segment of what I was suggesting, I am suggesting you do this interactively from your system. That significantly limits your exposure of the passwords.

      You can increase your security by forcing IPSec policies which will provide you with the best protection across the network, however, IPSec security is not that simple to set up.

      Now, on that last setup using psexec, the -u is your username on that system, and the -p is your password on that system. The %g token is the password that is stored in that text file on your system, which hopefully isn’t accessible to anyone else. (If you want them all to have the same password, you can skip the tokens part and just supply that password yourself. The whole point of this is that the only place the password is sitting in plain text is on your system; the rest is purely network activity.)

      The only other possibility, and this is a significant hassle to set up and only provides slightly better security, is to create the batch file with the embedded password (either 1 per system, or the same for all of them). Compile it into a self-extracting and self-executing zip file (as exe), copy it to the system in a secure location, then create a scheduled task to run it automatically with the system account, and then delete the file.

      But my main question given all of this — is the security requirement really that high? If the answer is yes, then you are better off logging into each system’s console and manually running the steps to create the account. But if you have enough systems, this could turn into a massive task, which would belie the use of a script to handle this. Your ADSI script uses the same security as the PsTools, so it does not provide better security.

      The absolute last possibility I can think of would be to install something like OpenSSH server on the systems, and then use SSH to execute those commands. But that much work will likely take as long as hitting up each server individually.

      Coralon

    • #1410912
      David Figueroa
      Participant
      Post count: 12
      Member Points: 2,622
      Rank: Level 3

      My apologies, I had missed the reply.

      With psexec and using the net user commands you don’t have a way to have your password in plain text. It’s the nature of the net.exe command itself. You can make it less obvious, but ultimately, it does get done in plain text.

      A lot depends on how critical the security is. You can create an elaborate system of encrypted passwords or pscredential objects and then use those, but when the psexec command is run, that password has to be decrypted and sent as plain text. There is no way around that given the limitations here.

      David F.

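An added example, not from the thread, of the "pscredential objects" approach David describes and of where its limit lies. The admin credential is saved once with Export-Clixml (DPAPI-protected, readable only by the same user on the same machine), imported at run time, and decrypted only to build psexec's argument list for each of the two net.exe passes David mentioned. The file names, the Invoke-RemoteNet helper, the account name test_user and the "computer,password" row format of the list are assumptions. The caveat a defender should keep in mind is exactly David's point: psexec takes the password on its command line, so on the operator's machine it is visible to any local process that can read command lines and to process-creation auditing where command-line logging is enabled, and net.exe on the target receives it in plain text as well.

```powershell
# Added example (not from the thread). One-time setup, run interactively on the
# operator's workstation; Export-Clixml stores the password DPAPI-encrypted:
#   Get-Credential | Export-Clixml -Path C:\admin.cred.xml
# Assumed: psexec.exe on PATH; C:\computerlist.txt holds "computer,password" rows,
# the password being the new account's per-host password (plain text only here).
$credFile = "C:\admin.cred.xml"
$listFile = "C:\computerlist.txt"
$newUser  = "test_user"

# Hypothetical helper: one psexec pass that runs net.exe with the given arguments.
function Invoke-RemoteNet {
    param(
        [string]$Computer,
        [System.Management.Automation.PSCredential]$Credential,
        [string[]]$NetArgs
    )
    # The only point where the admin password exists in clear text on this machine:
    # psexec's command line, which local process and command-line auditing can see.
    $plain = $Credential.GetNetworkCredential().Password
    # -h asks for the elevated token on 2008 (no effect on 2003); -accepteula suppresses the EULA prompt
    & psexec.exe -accepteula -h "\\$Computer" -u $Credential.UserName -p $plain net.exe @NetArgs 2>&1 | Out-Null
    $plain = $null   # drops the reference only; .NET strings are immutable, so this is best effort
    return $LASTEXITCODE
}

$cred = Import-Clixml -Path $credFile
$rows = Import-Csv -Path $listFile -Header Computer,Password

foreach ($row in $rows) {
    # Pass 1: create the account
    $rc = Invoke-RemoteNet -Computer $row.Computer -Credential $cred -NetArgs @("user", $newUser, $row.Password, "/add")
    if ($rc -ne 0) { Write-Warning "net user failed on $($row.Computer) (exit code $rc)"; continue }

    # Pass 2: add it to the local Administrators group
    $rc = Invoke-RemoteNet -Computer $row.Computer -Credential $cred -NetArgs @("localgroup", "Administrators", $newUser, "/add")
    if ($rc -ne 0) { Write-Warning "net localgroup failed on $($row.Computer) (exit code $rc)"; continue }

    Write-Host "$newUser created and added to Administrators on $($row.Computer)"
}
```

Exit codes come from the remote net.exe via psexec, so a non-zero value means the pass failed on that host and the script moves on rather than adding a non-existent user to the group. Once every server has its account, delete the list file, since it is the one place the new passwords sit in plain text.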