Create Local Admin account on Remote Windows Server without Admin rights

    • #1287522
      Mark
      Participant

      This script runs with an account that already has administrator rights on the remote systems. But how do I create a user and add it to the local Administrators group without administrator rights on the remote system?

      #Define variables
      $computers = Get-Content C:\Computers.txt
      $username = "test_user"
      $password = "xyz"
      $fullname = "local admin account"
      $local_security_group = "Administrators"
      $description = "Description"

      Foreach ($computer in $computers) {
          $users = $null
          # WinNT provider: every write below needs admin rights on $computer
          $comp = [ADSI]"WinNT://$computer"

          #Check if username exists
          Try {
              # children lists users and groups; -contains gives a clean boolean
              $users = $comp.psbase.children | select -expand name
              if ($users -contains $username) {
                  Write-Host "$username already exists on $computer"
              }
              else {
                  #Create the account
                  $user = $comp.Create("User", $username)
                  $user.SetPassword($password)
                  $user.Put("Description", $description)
                  $user.Put("Fullname", $fullname)
                  $user.SetInfo()

                  #Set password to never expire
                  #And set user cannot change password
                  $ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
                  $ADS_UF_PASSWD_CANT_CHANGE = 0x40
                  # OR the flags into the current value instead of overwriting it
                  $flags = [int]$user.UserFlags.Value -bor $ADS_UF_DONT_EXPIRE_PASSWD -bor $ADS_UF_PASSWD_CANT_CHANGE
                  $user.Put("UserFlags", $flags)
                  $user.SetInfo()

                  #Add the account to the local admins group
                  $group = [ADSI]"WinNT://$computer/$local_security_group,group"
                  $group.Add("WinNT://$computer/$username,user")

                  #Validate whether user account has been created or not
                  $users = $comp.psbase.children | select -expand name
                  if ($users -contains $username) {
                      Write-Host "$username has been created on $computer"
                  }
                  else {
                      Write-Host "$username has not been created on $computer"
                  }
              }
          }
          Catch {
              # $computer is a plain string from Get-Content, so it has no .path property
              Write-Host "Error creating $username on $($computer): $($_.Exception.Message)"
          }
      }

      • This topic was modified 2 years, 6 months ago by Mark.
    • #1287528
      Swapnil Kambli
      Moderator

      Hi Nick,
      For user creation and related operations, you (or the script) would need administrator rights.

      • #1287534
        Mark
        Participant

        I need to create a local admin account on the remote machine without any admin rights. How is that possible? @swapnilkambli

        • #1287541
          Swapnil Kambli
          Moderator

          Hi Nick,
          For performing local user administration activities you need to have local admin rights. Without local admin rights, you cannot perform any user management operations.

        • #1287707
          Leos Marek
          Moderator

          Hi guys,
          Well, the statement is not entirely correct. If the PC in question is in a domain and you have rights to control Group Policy, you can create a local account with a GPO even if you don't have rights on the PC itself.

          As a second option, assuming you have authorization for such operation and you have physical access to that machine, you can use this guide from Michael about how to reset local admin password and gain access.

          RG Leos

        • #1287743
          Mark
          Participant

          @gibon @swapnilkambli The PC is not in a domain. It's a workgroup server.

        • #1287769
          Swapnil Kambli
          Moderator

          Hi Leos, even with the Group Policy method, GP would use the local System (admin) account to perform any operation. There are some solutions available to impersonate the System account. But again, these implementations would require admin rights to acquire a System token.

        • #1287774
          Leos Marek
          Moderator

          Hi,
          Well, the question was whether it is possible to create a local account without actually being Administrator on the system. And this is possible if the PC is in a domain. Even if the owner removes all members of the Administrators group, I as Domain Admin (or with enough delegated permissions) can create a GPO and apply it to the OU where the PC is located. And in at most 90 minutes it's done 🙂

        • #1287798
          Swapnil Kambli
          Moderator

          Hi Leos,
          Looking closely, Group Policy would use the local admin system account 'NT AUTHORITY\SYSTEM' to implement the change. So the user can perform user administration either by getting local admin rights (Administrators group) or by impersonating the local admin 'NT AUTHORITY\SYSTEM' using Group Policy/runas/psexec.

        • #1290838
          Leos Marek
          Moderator

          Hey Swapnil,
          My only point was, as Nick asked how to gain access to a computer where he does not have Administrator rights, that this can be done via GPO. If I have a computer in a domain, even though I remove everyone from the Administrators group, meaning I lose access to this computer, I can still create a GPO to make me a new local administrative account, or add any domain account to the Administrators group, very easily.

          Of course, the GPO is started under the local System account and thus has full permissions to do so.

          Your statements are correct, but that was not my point 🙂

          cheers

          • This reply was modified 2 years, 6 months ago by Leos Marek.
    • #1287752
      Leos Marek
      Moderator

      Then you can only do the “hack” way.

      • #1287756
        Mark
        Participant

        @gibon Please let me know what that means.

        • #1287763
          Leos Marek
          Moderator

          I posted the link for you 2 answers above 🙂

        • #1287778
          Mark
          Participant

          @gibon @swapnilkambli We don't have physical access. We have to access the server remotely and then create the local admin account on the server.

        • #1287787
          Leos Marek
          Moderator

          Nick, if you want to access the server you either need an already existing account with proper permissions, or you need physical (or remote console) access.
          If you don't have any of those, nor a person who knows the access credentials, you can't accomplish what you want.

        • #1287793
          Swapnil Kambli
          Moderator

          Hi Nick, the logic is simple. If you are able to create an admin user using a normal user, it is a security issue.
          There might be methods available that exploit some loophole/bug, but they should only be used in emergency conditions. They should not be used as IT administration practice.
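The flip side of Swapnil's point above is that every such change leaves a record on the target, so it is worth knowing what to look for. The following PowerShell is an added example, not code from any poster in this thread: it parses the two Security-log events a local account creation and an Administrators membership change produce, 4720 (a user account was created) and 4732 (a member was added to a security-enabled local group), and flags the ones not performed by an expected account. The three sample events are constructed and trimmed to the fields used; SRV01, mark, test_user and the approved account svc_deploy are placeholders. Administrators is matched by its well-known SID S-1-5-32-544, so the check is independent of the group's display name.

```powershell
# Added example, not from the thread. Parses Security-log events 4720 (user created) and
# 4732 (member added to a security-enabled local group) and flags changes to the local
# Administrators group that were not made by an approved account.
# Sample events are constructed; hosts, users and 'svc_deploy' are placeholders.

$ApprovedActors = @('svc_deploy')   # accounts expected to manage local admins (hypothetical)

function ConvertFrom-LocalAdminEvent {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline, Mandatory)][string]$EventXml)
    process {
        $x = [xml]$EventXml
        # local-name() sidesteps the default event namespace without declaring a prefix
        $id       = [int]$x.SelectSingleNode("//*[local-name()='EventID']").InnerText
        $computer = $x.SelectSingleNode("//*[local-name()='Computer']").InnerText
        $time     = $x.SelectSingleNode("//*[local-name()='TimeCreated']").GetAttribute('SystemTime')
        $d = @{}
        foreach ($n in $x.SelectNodes("//*[local-name()='Data']")) { $d[$n.GetAttribute('Name')] = $n.InnerText }

        $actor = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        switch ($id) {
            4720 {
                $action = 'UserCreated'
                $target = "$($d.TargetDomainName)\$($d.TargetUserName)"
                $flag   = $ApprovedActors -notcontains $d.SubjectUserName
            }
            4732 {
                # 4732 often reports MemberName as '-' for local accounts; fall back to the SID
                $target = if ($d.MemberName -and $d.MemberName -ne '-') { $d.MemberName } else { $d.MemberSid }
                $action = "AddedTo:$($d.TargetUserName)"
                # S-1-5-32-544 is Administrators on every Windows system, whatever it is called
                $flag   = ($d.TargetSid -eq 'S-1-5-32-544') -and ($ApprovedActors -notcontains $d.SubjectUserName)
            }
            default { return }   # any other event id is not our concern here
        }
        [pscustomobject]@{
            Time = $time; Computer = $computer; EventId = $id
            Action = $action; Actor = $actor; Target = $target; Suspicious = $flag
        }
    }
}

function Get-LocalAdminChange {
    # Live version: reads the local Security log (needs Event Log Readers or admin rights)
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { $_.ToXml() } | ConvertFrom-LocalAdminEvent
}

# --- Constructed sample events: a creation, an Administrators add, and a benign add to Remote Desktop Users ---
$samples = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4720</EventID><TimeCreated SystemTime="2022-03-01T10:15:02Z"/><Computer>SRV01</Computer></System><EventData><Data Name="TargetUserName">test_user</Data><Data Name="TargetDomainName">SRV01</Data><Data Name="TargetSid">S-1-5-21-1111-2222-3333-1005</Data><Data Name="SubjectUserName">mark</Data><Data Name="SubjectDomainName">SRV01</Data></EventData></Event>
'@
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4732</EventID><TimeCreated SystemTime="2022-03-01T10:15:03Z"/><Computer>SRV01</Computer></System><EventData><Data Name="MemberName">-</Data><Data Name="MemberSid">S-1-5-21-1111-2222-3333-1005</Data><Data Name="TargetUserName">Administrators</Data><Data Name="TargetDomainName">Builtin</Data><Data Name="TargetSid">S-1-5-32-544</Data><Data Name="SubjectUserName">mark</Data><Data Name="SubjectDomainName">SRV01</Data></EventData></Event>
'@
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4732</EventID><TimeCreated SystemTime="2022-03-01T11:00:00Z"/><Computer>SRV01</Computer></System><EventData><Data Name="MemberName">-</Data><Data Name="MemberSid">S-1-5-21-1111-2222-3333-1006</Data><Data Name="TargetUserName">Remote Desktop Users</Data><Data Name="TargetDomainName">Builtin</Data><Data Name="TargetSid">S-1-5-32-555</Data><Data Name="SubjectUserName">svc_deploy</Data><Data Name="SubjectDomainName">SRV01</Data></EventData></Event>
'@
)

$samples | ConvertFrom-LocalAdminEvent | Format-Table -AutoSize
```

The first two samples come out with Suspicious = True (a non-approved account created a user and put it into S-1-5-32-544); the third is a Remote Desktop Users change by the approved account and is not flagged. Both event IDs require the "Audit User Account Management" and "Audit Security Group Management" subcategories to be enabled on the target, which they are not by default on older servers, and an attacker with the rights to do this can also clear the log, so ship these events off the box.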

    • #1290888
      Steven
      Participant

      If you are trying to launch a PS command on a remote system, you have two choices: start a PS remote session, or use Invoke-Command. If you do not have admin rights, then forget about it. Also, make sure that the system allows you to run scripts; check Get-ExecutionPolicy.

      Also, what is the PowerShell version on the remote destination? You may enter commands that aren't yet in that PS version.

      Links

      https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-6
      https://www.howtogeek.com/117192/how-to-run-powershell-commands-on-remote-computers/

      • This reply was modified 2 years, 6 months ago by Steven. Reason: Typo
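Both working routes named in this thread, Leos's GPO (which runs as NT AUTHORITY\SYSTEM on the target) and Steven's Invoke-Command over WinRM (which runs as a credential that is already an administrator there), end up executing the same local operations. The script below is an added example, not code from any poster or from 4sysops: one idempotent function that does those operations with the Microsoft.PowerShell.LocalAccounts cmdlets (Windows Server 2016 / Windows 10 and later), plus the remote branch that pushes it to a list of hosts. CORP\ServerAdmins, C:\Computers.txt and the credential prompt are placeholders.

```powershell
#Requires -Version 5.1
# Added example, not code from the thread. Assumes the Microsoft.PowerShell.LocalAccounts
# module (Windows Server 2016 / Windows 10 and later) and, for the remote branch, WinRM.
# 'CORP\ServerAdmins' and C:\Computers.txt are placeholder names.

function Ensure-LocalAdmin {
    <#
      Idempotently ensure a principal is in the built-in Administrators group, optionally
      creating a local account first. Runs as whatever identity calls it: SYSTEM when
      attached to a GPO computer startup script, or the admin credential given to Invoke-Command.
    #>
    [CmdletBinding()]
    param(
        # Domain user or group to add, e.g. 'CORP\ServerAdmins'. Preferred: no password to protect.
        [string]$DomainPrincipal,
        # Local account to create if missing. Never pass its password through a GPO:
        # everything under SYSVOL is readable by Authenticated Users.
        [string]$LocalUser,
        [securestring]$LocalPassword,
        [string]$Description = 'Break-glass local administrator'
    )

    # Resolve the group by well-known SID so this works where it is not named 'Administrators'
    $admins  = Get-LocalGroup -SID 'S-1-5-32-544'
    $wanted  = @()
    $created = $false

    if ($LocalUser) {
        if (-not (Get-LocalUser -Name $LocalUser -ErrorAction SilentlyContinue)) {
            if (-not $LocalPassword) { throw "A password is required to create '$LocalUser'." }
            # Same account settings the thread's ADSI script sets through UserFlags
            New-LocalUser -Name $LocalUser -Password $LocalPassword -Description $Description `
                -PasswordNeverExpires -UserMayNotChangePassword -AccountNeverExpires | Out-Null
            $created = $true
        }
        $wanted += "$env:COMPUTERNAME\$LocalUser"
    }
    if ($DomainPrincipal) { $wanted += $DomainPrincipal }

    # Get-LocalGroupMember can fail on orphaned SIDs in the group; treat that as unknown, not absent
    try   { $current = @(Get-LocalGroupMember -Group $admins -ErrorAction Stop | ForEach-Object Name) }
    catch { throw "Cannot enumerate $($admins.Name) on $($env:COMPUTERNAME): $($_.Exception.Message)" }

    $added = foreach ($member in $wanted) {
        if ($current -notcontains $member) {
            Add-LocalGroupMember -Group $admins -Member $member -ErrorAction Stop
            $member
        }
    }

    # Verify rather than trust the add: re-read the group and report what is actually there
    $final = @(Get-LocalGroupMember -Group $admins | ForEach-Object Name)
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Created  = $created
        Added    = @($added)
        Verified = @($wanted | Where-Object { $final -contains $_ })
    }
}

# --- Remote branch: push the function over WinRM with an account that already has admin
# --- rights on the targets (the thread's conclusion: without that, nothing here works).
$computers = Get-Content C:\Computers.txt
$cred      = Get-Credential -Message 'Account that is already an administrator on the targets'

$results = foreach ($computer in $computers) {
    if (-not (Test-WSMan -ComputerName $computer -ErrorAction SilentlyContinue)) {
        Write-Warning "$($computer): WinRM not reachable, skipping"
        continue
    }
    try {
        # ${function:Name} hands the function body to the remote side as a script block
        Invoke-Command -ComputerName $computer -Credential $cred -ErrorAction Stop `
            -ScriptBlock ${function:Ensure-LocalAdmin} -ArgumentList 'CORP\ServerAdmins'
    }
    catch {
        Write-Warning "$($computer): $($_.Exception.Message)"
    }
}
$results | Format-Table Computer, Created, Added, Verified -AutoSize
```

For the GPO route, drop the remote branch, append a call such as `Ensure-LocalAdmin -DomainPrincipal 'CORP\ServerAdmins'`, save the file, attach it in GPMC under Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown) > Startup, and link the GPO with `New-GPO -Name 'Local admins' | New-GPLink -Target 'OU=Servers,DC=corp,DC=example'` (names assumed). Startup scripts run as SYSTEM but only at boot; the Preferences item Local Users and Groups also runs as SYSTEM and applies at the background refresh Leos refers to. For the WinRM route a script block passed to Invoke-Command is not subject to the remote execution policy the way a .ps1 file is, and a workgroup target like Mark's needs the client's TrustedHosts list (or an HTTPS listener) before -Credential authentication works at all. Either way the target logs a 4720 and a 4732, so expect to see them in whatever watches the Security log.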
© 4sysops 2006 - 2022