How to Create Local Admin account on Remote Windows Server 2003 and 2008

Viewing 6 reply threads
  • Author
    Posts
    • #1322647
      Mark
      Participant
      Member Points: 692
      Rank: 2

      I am trying to create a local administrator account on a Remote Windows Server 2003 and 2008. I am trying to list all the remote servers in a text-file and then trying to run a powershell script which executes on each server in the text-file and creates local administrator account. Currently, my script runs with an account that already has administrator rights on the remote systems.

      I am not able to create local admin account remotely on Windows 2003 and 2008 servers. How can I accomplish this ?

      Below is the script:

      #Define variables
      $computers = Get-Content C:\Computers.txt
      $username = "test_user"
      $password = "xyz"
      $fullname = "local admin account"
      $local_security_group = "Administrators"
      $description = "Description"

      Foreach ($computer in $computers) {
          $users = $null
          $comp = [ADSI]"WinNT://$computer"

          #Check if username exists
          Try {
              $users = $comp.psbase.children | select -expand name
              if ($users -contains $username) {
                  Write-Host "$username already exists on $computer"
              }
              else {
                  #Create the account
                  $user = $comp.Create("User", $username)
                  $user.SetPassword($password)
                  $user.Put("Description", $description)
                  $user.Put("FullName", $fullname)
                  $user.SetInfo()

                  #Set password to never expire
                  #And set user cannot change password
                  $ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
                  $ADS_UF_PASSWD_CANT_CHANGE = 0x40
                  $user.userflags = $ADS_UF_DONT_EXPIRE_PASSWD -bor $ADS_UF_PASSWD_CANT_CHANGE
                  $user.SetInfo()

                  #Add the account to the local admins group
                  $group = [ADSI]"WinNT://$computer/$local_security_group,group"
                  $group.Add("WinNT://$computer/$username,user")

                  #Validate whether user account has been created or not
                  $users = $comp.psbase.children | select -expand name
                  if ($users -contains $username) {
                      Write-Host "$username has been created on $computer"
                  }
                  else {
                      Write-Host "$username has not been created on $computer"
                  }
              }
          }
          Catch {
              #$computer is a plain string read from the text file, so it has no .path property
              Write-Host "Error creating $username on ${computer}: $($_.Exception.Message)"
          }
      }

    • #1323624
      Mike Kanakos
      Participant
      Member Points: 2,605
      Author of the Year 2019
      Rank: 3

      Hi Nick,

      I have some scripts you can use for Server 2008 and above. You can browse to https://github.com/compwiz32/PowerShell/tree/master/Active-Directory and look for:
      Add-MKLocalGroupMember
      Get-MKLocalGroupMember
      Remove-MKLocalGroupMember

      The above scripts are functions, so you’ll need to load them into memory first in order to use them.

      For Server 2003, PowerShell isn’t installed by default so you would have to install it to use PowerShell cmdlets. Even then, you’ll be very limited. For 2003 you can always fall back to the old school commands:
      net localgroup administrators username /add

      • #1326336
        Mark
        Participant
        Member Points: 692
        Rank: 2

        @mkanakos @michael-pietroforte @paolo The user I am trying to create is not an AD user. I have to create a new user and add the user to local administrators group

        • #1326343
          Mike Kanakos
          Participant
          Member Points: 2,605
          Author of the Year 2019
          Rank: 3

          I think you would need to use the NET USER command to create the account.

          NET USER
           username [password | *] [options] [/DOMAIN]
           username {password | *} /ADD [options] [/DOMAIN]
           username [/DELETE] [/DOMAIN]
           username [/TIMES:{times | ALL}]
           username [/ACTIVE: {YES | NO}]


          Then you could run the command I mentioned the first time:

          net localgroup administrators username /add

          to add the new user to the local admins group.

          I believe you can still use PowerShell to do this:

          Invoke-Command -computername -Scriptblock { CODE GOES HERE}

          However, you might need to do it in multiple passes.


        • #1327764
          Paolo Maffezzoli
          Participant
          Member Points: 67,119
          4sysops member of the year 2018, Member of the Year 2019, Member of the Year 2020, Member of the Year 2021
          Rank: 4

          Old school commands for a local new user with local administrative permissions:

          net user username password /ADD /fullname:"User description"
          net localgroup administrators username /add

    • #1327773
      Paolo Maffezzoli
      Participant
      Member Points: 67,119
      4sysops member of the year 2018, Member of the Year 2019, Member of the Year 2020, Member of the Year 2021
      Rank: 4

      Otherwise use Powershell commands as suggested by Mike…

    • #1328949
      Mark
      Participant
      Member Points: 692
      Rank: 2

      @paolo @mkanakos How to remotely execute the commands in a secure way from one server onto another server which are not on same domain as well as on same domain ?

      I have Windows 2003 and 2008 servers to deal with.

      • #1328955
        Paolo Maffezzoli
        Participant
        Member Points: 67,119
        4sysops member of the year 2018, Member of the Year 2019, Member of the Year 2020, Member of the Year 2021
        Rank: 4

        A possible solution could be to first create a batch script and then use it with the target admin credentials.

    • #1329007
      David Figueroa
      Participant
      Member Points: 4,161
      Rank: 3

      @nikhilb There are a few ways to do this between the machines.. This all assumes they are on the same network.. (can speak to each other over SMB).

      Assuming they are on the same physical network, you can use psexec.exe and pass the credentials into it.

      I’d create the batch file to handle both steps together.. (it will require the password to be embedded in the file for the new user).

      ::NewLocalUser.cmd
      :: net user has no /description switch; the account comment is set with /comment:"text"
      net user <username> <password> /add /comment:"local user"
      net localgroup administrators <username> /add

      So, assuming your computer text list is just that..  this should work.

      psexec.exe @computerlist.txt -u <username> -p <password> -c newlocaluser.cmd -accepteula

      You may need to prepend \\ in front of each computername in the file (It's been a long time, I just don't remember).. If you don't want to bother, then you could do it this way:

      for /f %f in (computerlist.txt) do psexec \\%f -u <username> -p <password> -c newlocaluser.cmd -accepteula


      Another way would be to use your account to copy the batch file on to each of the systems and create a scheduled task to run the batch file with the system account.

      for /f %f in (computerlist.txt) do schtasks.exe /create /tn CreateLocalUser /tr c:\newlocaluser.cmd /s %f /ru "NT Authority\System" /sc once /z /st 14:00

      The 14:00 would be whatever time you want it to run, maybe 2-3 minutes after you start it? and then when complete, delete the batch file so you don’t leave the stored password out there.

      If you want to make this more secure.. then you could add randomized passwords to your text file, and make it comma delimited.  If you go that route, you won’t need the batch file to copy, just 2 passes with psexec.

      computer1,password1
      computer2,password2
      for /f "tokens=1,2 delims=," %f in (computerlist.txt) do psexec -h \\%f -u <username> -p <password> net user <username> %g /add /comment:"local user or whatever text"
      for /f "tokens=1,2 delims=," %f in (computerlist.txt) do psexec -h \\%f -u <username> -p <password> net localgroup administrators <username> /add

      This is the most secure version since you won’t be leaving the password in plaintext to the accounts on the servers themselves.


      David F.

      • #1331667
        Mark
        Participant
        Member Points: 692
        Rank: 2

        @figueroa2david @michael-pietroforte Here in this command, for /f "tokens=1,2 delims=," %f in (computerlist.txt) do psexec -h \\%f -u <username> -p <password> net user <username> %g /add /comment:"local user or whatever text"

        <username> and <password> are still given as plain text in the above command even though the computers and passwords are given in computerlist.txt. How can we give them without plain text?

        I would like to eliminate all the plain-text passwords in my psexec commands.

        Please elaborate.

    • #1334687
      David Figueroa
      Participant
      Member Points: 4,161
      Rank: 3

      The problem is you can’t.  The restriction of dealing with Windows 2003/2008 severely limits your ability to do this.  You end up having to rely on the PS tools and they require that you put in the password.  In the last segment of what I was suggesting, I am suggesting you do this interactively from your system.  That significantly limits your exposure of the passwords.

      You can increase your security by forcing IPSec policies which will provide you with the best protection across the network, however, IPSec security is not that simple to set up.

      Now, on that last setup using psexec, the -u is your username on that system, and the -p is your password on that system.  The %g token is the password that is stored in that text file on your system, which hopefully isn't accessible to anyone else.  (If you want them all to have the same password, you can skip the tokens part and just supply that password yourself.. the whole point of this is that the only place the password is sitting in plain text is on your system.. the rest is purely network activity.)

      The only other possibility, and this is a significant hassle to set up and only provides slightly better security, is to create the batch file with the embedded password (either 1 per system, or the same for all of them).  Compile it into a self-extracting and self-executing zip file (as exe), copy it to the system in a secure location, then create a scheduled task to run it automatically with the system account, and then delete the file.

      But my main question given all of this — is the security requirement really that high?  If the answer is yes, then you are better off logging into each system's console and manually running the steps to create the account.  But if you have enough systems, this could turn into a massive task, which would belie the use of a script to handle this.  Your ADSI script uses the same security as the PSTools, so it does not provide better security..

      The absolute last possibility I can think of, would be to install something like openSSH server on the systems, and then use SSH to execute those commands.  But that much work will likely take as long as hitting up each server individually.

      Coralon

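      An added example, not code from the original thread or any of its posters, that ties together Mike's Invoke-Command suggestion and David's point about keeping the password off the target's disk: it creates the local account through the same WinNT ADSI calls as the opening script, but the remote hop is PowerShell remoting and both the admin credential and the new account's password are collected as SecureStrings at the console, so no plaintext password sits in a file. It assumes PowerShell 2.0 or later with WinRM enabled on the targets (Server 2008 can do this; Server 2003 cannot, so the psexec route above still applies there), and that C:\Computers.txt holds one hostname per line; the account name, description and messages are illustrative choices.

```powershell
# Added example (not from the thread): create a local Administrators member on
# remote hosts over PowerShell remoting without writing any password to disk.
# Assumptions: WinRM/PS 2.0+ on the targets, C:\Computers.txt with one host per
# line, and an account that is already an administrator on every target.

$computers = Get-Content C:\Computers.txt
$username  = 'test_user'   # illustrative account name

# Both secrets are collected interactively as SecureStrings and live only in
# this process; nothing is stored in a batch file or on the target's disk.
Write-Host "Enter an account that is already an administrator on the targets"
$adminCred = Get-Credential
$newPwd    = Read-Host -AsSecureString "Password for the new local account $username"
$newCred   = New-Object System.Management.Automation.PSCredential ($username, $newPwd)

$remoteWork = {
    param($newCred, $description)
    $name = $newCred.UserName
    $comp = [ADSI]"WinNT://$env:COMPUTERNAME"

    # Only match User objects; groups and services also appear under children
    $existing = $comp.psbase.children |
        Where-Object { $_.SchemaClassName -eq 'User' -and $_.Name -eq $name }
    if ($existing) {
        "$name already exists on $env:COMPUTERNAME"
    }
    else {
        $user = $comp.Create('User', $name)
        # The plaintext is recovered only here, in the remote session's memory
        $user.SetPassword($newCred.GetNetworkCredential().Password)
        $user.Put('Description', $description)
        $user.SetInfo()

        # ADS_UF_DONT_EXPIRE_PASSWD (0x10000) and ADS_UF_PASSWD_CANT_CHANGE (0x40)
        $user.userflags = 0x10000 -bor 0x40
        $user.SetInfo()

        $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
        $group.Add("WinNT://$env:COMPUTERNAME/$name,user")
        "$name created and added to Administrators on $env:COMPUTERNAME"
    }
}

foreach ($computer in $computers) {
    try {
        # PSCredential arguments are serialized by the remoting layer; the
        # session itself is encrypted, so the password never crosses as plaintext
        Invoke-Command -ComputerName $computer -Credential $adminCred `
            -ScriptBlock $remoteWork -ArgumentList $newCred, 'local admin account' `
            -ErrorAction Stop
    }
    catch {
        Write-Warning "${computer}: $($_.Exception.Message)"
    }
}
```

      For targets that are not in the same domain as the machine running this, WinRM will not be able to use Kerberos, so the client either needs those hosts listed in its TrustedHosts setting (WSMan:\localhost\Client\TrustedHosts) or an HTTPS listener on the target; otherwise Invoke-Command fails at authentication before any of the scriptblock runs. The password still exists in plaintext briefly in the remote session's memory when SetPassword is called, which is inherent to the WinNT provider, but it is never written to a file on either side.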
    • #1410912
      David Figueroa
      Participant
      Member Points: 4,161
      Rank: 3

      My apologies, I had missed the reply..

      With psexec and using the net user commands you don’t have a way to have your password in plain text.  It’s the nature of the net.exe command itself.  You can make it less obvious, but ultimately, it does get done in plain text.

      A lot depends on how critical the security is.  You can create an elaborate system of encrypted passwords or pscredential objects and then use those, but when the psexec command is run, that password has to be decrypted and sent as plain text. There is no way around that given the limitations here.

      David F.

© 4sysops 2006 - 2022