Help with handling local accounts

This topic contains 22 replies, has 4 voices, and was last updated by ertuu85 3 months, 2 weeks ago.

  • #45444
    ohlssrog
    Participant

    Hi.

    I need to disable the local administrator account on several servers for security policy. I hope and I think there must be a simple way to do this with PS so I don't have to log in to each server and disable the account?

  • #45455
    Jonathan Warnken
    Participant
  • #45457
    ohlssrog
    Participant

    Yes, I saw this too when I googled this, but I'm pretty new to PS and just want one command that disables the .\Administrator account. I think this script/solution does much more than that?

  • #45467
    Jonathan Warnken
    Participant
  • #45483
    ohlssrog
    Participant

    Yes, I read it but don't understand much of it. Am I right that I must know the password for the local account I want to disable?

  • #45561
    Jonathan Warnken
    Participant

    The script in the blog was written to have you set the password when you enable a user, but it is not a requirement.

    At a very basic level this is what you need:

    $user = "TestUser" 
    $computer = "."
    $EnableUser = 512
    $DisableUser = 2 
    $ObjUser = [ADSI]”WinNT://$computer/$user”
    $objUser.userflags = $DisableUser # This sets the disabled flag. To enable the user, change to $objUser.userflags = $EnableUser
    $objUser.setinfo() # This writes the changes to the user account
    
    
    
  • #45640
    ohlssrog
    Participant

    OK, thanks a lot, I will test this and get back 🙂

  • #45642
    ohlssrog
    Participant

    It works fine for one computer but I cannot add several computer names, e.g.
    $computername = "serve1,server2,server3"

    Is there any way this can be solved?

  • #45728
    Jonathan Warnken
    Participant

    To do this for multiple computers you will need to use a for each loop to process all the computers.

    $user = "TestUser" 
    $computers = ".","localhost"
    $EnableUser = 512
    $DisableUser = 2 
    Foreach ($computer in $computers){
      $ObjUser = [ADSI]”WinNT://$computer/$user”
      $objUser.userflags = $DisableUser # This sets the disabled flag. To enable the user, change to $objUser.userflags = $EnableUser
      $objUser.setinfo() # This writes the changes to the user account
    }
    
  • #45734
    ohlssrog
    Participant

    That doesn't work; the script is looking for a host called "," if I set this:

    $computer = "server1","server2","server3"

    Or have I misunderstood this?

    • #45745
      rintke
      Participant

      It should work if you set it like this:

      $computers = "Server01", "Server02", "Server03"

      Also take a look at this:

      $ObjUser = [ADSI]”WinNT://$computer/$user”

      Replace those ” quotes with this "

      $ObjUser = [ADSI]"WinNT://$computer/$user"

  • #45749
    ohlssrog
    Participant

    Still the same error. As soon as I put in 2 servers with "server01","server02" it cannot find a name called ",". Works fine with one "server01". I have installed PS 5 on this machine, if that should make any difference?
    Exception setting "userflags": "The following exception occurred while retrieving member "userflags": "The network path was not found.
    ""
    At G:\PS_Scripts\disablelocaladmin.ps1:6 char:1
    + $objUser.userflags = $DisableUser # This set the disabled flag. To En ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], SetValueInvocationException
    + FullyQualifiedErrorId : ExceptionWhenSetting

    The following exception occurred while retrieving member "setinfo": "The network path was not found.
    "
    At G:\PS_Scripts\disablelocaladmin.ps1:7 char:1
    + $objUser.setinfo() # The writes the changes to the user account
    + ~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], ExtendedTypeSystemException
    + FullyQualifiedErrorId : CatchFromBaseGetMember

  • #45775
    rintke
    Participant

    Post the whole code you are running and the output with errors here.

  • #45912
    ohlssrog
    Participant

    The output from the script, which is exactly like the one Jonathan delivered above, with the change that I have put in:
    $computer = "server01","server02"

    Exception setting "userflags": "The following exception occurred while retrieving member "userflags": "The network path was not found.
    ""
    At G:\PS_Scripts\disablelocaladmin.ps1:6 char:1
    + $objUser.userflags = $DisableUser # This set the disabled flag. To En ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], SetValueInvocationException
    + FullyQualifiedErrorId : ExceptionWhenSetting

    The following exception occurred while retrieving member "setinfo": "The network path was not found.
    "
    At G:\PS_Scripts\disablelocaladmin.ps1:7 char:1
    + $objUser.setinfo() # The writes the changes to the user account
    + ~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], ExtendedTypeSystemException
    + FullyQualifiedErrorId : CatchFromBaseGetMember

  • #45926
    ohlssrog
    Participant

    I put in the script anyway.
    $user = "NTAdmin"
    $computer = "server01","server02"
    $EnableUser = 512
    $DisableUser = 2
    $ObjUser = [ADSI]”WinNT://$computer/$user”
    $objUser.userflags = $DisableUser # This set the disabled flag. To Enable the user change to $objUser.userflags = $EnableUser
    $objUser.setinfo() # The writes the changes to the user account

  • #45932
    ohlssrog
    Participant

    Hmm, sorry 🙁 I haven't run the change Jonathan added with the for each computer part. Will be back.

  • #45934
    ohlssrog
    Participant

    Hmm, sorry guys for all the trouble and time you have had to spend on this. I didn't add the part Jonathan put in with the for each computers.

    It works fine now

    🙁

  • #45944
    Jonathan Warnken
    Participant
    $user = "NTAdmin"
    $computers = "server01","server02"
    $EnableUser = 512
    $DisableUser = 2
    Foreach($computer in $computers){
      $ObjUser = [ADSI]"WinNT://$computer/$user"
      $objUser.userflags = $DisableUser # This sets the disabled flag. To enable the user, change to $objUser.userflags = $EnableUser
      $objUser.setinfo() # This writes the changes to the user account
    }
    
  • #46057
    ohlssrog
    Participant

    Hi.

    Can I please get your help to extend this? It's hard to put all the servers in the script; it's about 90 servers I have to do this on. Is it possible to import a txt or csv file with all server names?

  • #46070
    Jonathan Warnken
    Participant

    That is very easily done: just create a text file with a server name on each line.

    $user = "NTAdmin"
    $computers = get-content -path .\Serverlist.txt 
    $EnableUser = 512
    $DisableUser = 2
    Foreach($computer in $computers){
      $ObjUser = [ADSI]"WinNT://$computer/$user"
      $objUser.userflags = $DisableUser # This sets the disabled flag. To enable the user, change to $objUser.userflags = $EnableUser
      $objUser.setinfo() # This writes the changes to the user account
    }
    
  • #46072
    ohlssrog
    Participant

    🙂 Very nice work Jonathan, now I'm done with this work, all servers have the NtAdmin account disabled.

  • #50927
    ohlssrog
    Participant

    Hi!

    Can I reopen this and add some more questions to this?

    Is it possible to make the script rename the local "Administrator" account to NTAdmin and then disable it? I have found some more servers that still have the local Administrator account enabled. I want the script, if it finds any server with the Administrator name, to rename it and disable it. Or is it better to create a new script that just renames "Administrator" to NTAdmin and after that run the disable script?
    For the disable NTAdmin script, is it possible to add something so it generates a log file so I can see what has gone wrong or what has succeeded?

    Can you help me with how this rename script should look? And have the same get-content = xxx.txt file.

    Thanks

  • #50941
    ertuu85
    Participant

    $servers = get-content .\servers.txt

    foreach($server in $servers)
    {
    ##code here##

    #rename admin
    $admin=[adsi]"WinNT://$server/Administrator,user"
    $admin.psbase.rename("NTadmin")
    }
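
One way to combine the rename, disable and log file asked about in the last question, as an added example that is not code from any participant in the thread. It keeps the WinNT ADSI calls used above, sets the disable bit with -bor so the account's other userflags are kept (a generalization of the thread's direct assignment), and assumes the log file name DisableLocalAdmin-log.csv and the variable names shown.

```powershell
# Added example (not from the thread). Serverlist.txt is the list file used above;
# the log file name and the variable names are assumptions.
$oldName = 'Administrator'
$newName = 'NTAdmin'
$AccountDisable = 0x2                      # same bit as $DisableUser = 2 above
$logPath = '.\DisableLocalAdmin-log.csv'   # hypothetical log location

# One server name per line; blank lines and stray spaces are ignored
$servers = Get-Content -Path .\Serverlist.txt | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$results = foreach ($server in $servers) {
    $row = [ordered]@{ Server = $server; Found = ''; Renamed = $false; Disabled = $false; Error = '' }
    try {
        # Bind to the machine first so an unreachable host is logged as such
        ([ADSI]"WinNT://$server,computer").psbase.RefreshCache()

        # Look for the account under either name (it may already be renamed)
        $acct = $null
        foreach ($name in $oldName, $newName) {
            $candidate = [ADSI]"WinNT://$server/$name,user"
            try { $candidate.psbase.RefreshCache(); $acct = $candidate; $row.Found = $name; break }
            catch { }   # this name does not exist on the server; try the next one
        }
        if (-not $acct) { throw "No account named $oldName or $newName" }

        if ($row.Found -eq $oldName) {
            $acct.psbase.Rename($newName)
            $acct = [ADSI]"WinNT://$server/$newName,user"   # rebind under the new name
            $row.Renamed = $true
        }

        # OR the disable bit in so the account's other userflags are kept
        $flags = [int]$acct.UserFlags.Value
        if (-not ($flags -band $AccountDisable)) {
            $acct.UserFlags = $flags -bor $AccountDisable
            $acct.SetInfo()
        }
        $row.Disabled = $true   # the account is in the disabled state at this point
    }
    catch { $row.Error = $_.Exception.Message }
    [pscustomobject]$row
}

$results | Export-Csv -Path $logPath -NoTypeInformation
$results | Where-Object { $_.Error } | Format-Table Server, Error -AutoSize
```

Rows with a non-empty Error column are the servers to revisit; the CSV holds one row per server whether it succeeded or failed.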
