
July 1, 2016 at 8:25 am

Hi.

I need to disable the local administrator account on several servers for security policy. I hope and I think there must be a simple way to do this with PS so I don't have to log in to each server and disable the account?

  • This topic was modified 2 years, 2 months ago by  ohlssrog.

July 1, 2016 at 10:18 am

Yes, I saw this too when I did a Google search on this, but I'm pretty new to PS and just want one command that disables the .\Administrator account. I think this script/solution does much more than that?

July 1, 2016 at 1:13 pm

Yes, I read it but don't understand much of it. Am I right that I must know the password for the local account I want to disable?

July 2, 2016 at 1:29 am

The script in the blog was written to have you set the password when you enable a user, but it is not a requirement.

At a very basic level this is what you need:

$user = "TestUser" 
$computer = "."
$EnableUser = 512
$DisableUser = 2 
$ObjUser = [ADSI]”WinNT://$computer/$user”
$objUser.userflags = $DisableUser # This sets the disabled flag. To enable the user, change to $objUser.userflags = $EnableUser
$objUser.setinfo() # This writes the changes to the user account


July 4, 2016 at 10:03 am

OK, thanks a lot, I will test this and get back 🙂

July 4, 2016 at 10:17 am

It works fine for one computer, but I cannot add several computer names, e.g.
$computername = "serve1,server2,server3"

Is there any way this can be solved?

July 5, 2016 at 12:45 am

To do this for multiple computers you will need to use a foreach loop to process all the computers.

$user = "TestUser" 
$computers = ".","localhost"
$EnableUser = 512
$DisableUser = 2 
Foreach ($computer in $computers){
  $ObjUser = [ADSI]”WinNT://$computer/$user”
  $objUser.userflags = $DisableUser # This sets the disabled flag. To enable the user, change to $objUser.userflags = $EnableUser
  $objUser.setinfo() # This writes the changes to the user account
}

July 5, 2016 at 6:37 am

That doesn't work; the script is looking for a host called "," if I set this:

$computer = "server1","server2","server3". Or have I misunderstood this?

July 5, 2016 at 10:37 am

It should work if you set it like this:

$computers = "Server01", "Server02", "Server03"

Also take a look at this:

$ObjUser = [ADSI]”WinNT://$computer/$user”

Replace those ” quotes with this "

$ObjUser = [ADSI]"WinNT://$computer/$user"

July 5, 2016 at 11:05 am

Still the same error. As soon as I put in 2 servers with "server01","server02" it cannot find a name called ",". It works fine with one "server01". I have installed PS 5 on this machine, if that should make any difference?
Exception setting "userflags": "The following exception occurred while retrieving member "userflags": "The network path was not found.
""
At G:\PS_Scripts\disablelocaladmin.ps1:6 char:1
+ $objUser.userflags = $DisableUser # This set the disabled flag. To En ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], SetValueInvocationException
+ FullyQualifiedErrorId : ExceptionWhenSetting

The following exception occurred while retrieving member "setinfo": "The network path was not found.
"
At G:\PS_Scripts\disablelocaladmin.ps1:7 char:1
+ $objUser.setinfo() # The writes the changes to the user account
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], ExtendedTypeSystemException
+ FullyQualifiedErrorId : CatchFromBaseGetMember

July 5, 2016 at 2:02 pm

Post the whole code you are running and the output with errors here.

July 6, 2016 at 6:51 am

The output is from the script, which is exactly like the one Jonathan delivered above, with the change that I have put in:
$computer = "server01","server02"

Exception setting "userflags": "The following exception occurred while retrieving member "userflags": "The network path was not found.
""
At G:\PS_Scripts\disablelocaladmin.ps1:6 char:1
+ $objUser.userflags = $DisableUser # This set the disabled flag. To En ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], SetValueInvocationException
+ FullyQualifiedErrorId : ExceptionWhenSetting

The following exception occurred while retrieving member "setinfo": "The network path was not found.
"
At G:\PS_Scripts\disablelocaladmin.ps1:7 char:1
+ $objUser.setinfo() # The writes the changes to the user account
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], ExtendedTypeSystemException
+ FullyQualifiedErrorId : CatchFromBaseGetMember

July 6, 2016 at 7:04 am

I put in the script anyway.
$user = "NTAdmin"
$computer = "server01","server02"
$EnableUser = 512
$DisableUser = 2
$ObjUser = [ADSI]”WinNT://$computer/$user”
$objUser.userflags = $DisableUser # This set the disabled flag. To Enable the user change to $objUser.userflags = $EnableUser
$objUser.setinfo() # The writes the changes to the user account

July 6, 2016 at 7:07 am

Hmm, sorry 🙁 I haven't run the change Jonathan added with the foreach computer part. Will be back.

July 6, 2016 at 7:12 am

Hmm, sorry guys for all the trouble and time you have had to spend on this. I didn't add the part Jonathan put in with the foreach over the computers.

It works fine now

🙁

July 6, 2016 at 10:23 am

$user = "NTAdmin"
$computers = "server01","server02"
$EnableUser = 512
$DisableUser = 2
Foreach($computer in $computers){
  $ObjUser = [ADSI]”WinNT://$computer/$user”
  $objUser.userflags = $DisableUser # This sets the disabled flag. To enable the user, change to $objUser.userflags = $EnableUser
  $objUser.setinfo() # This writes the changes to the user account
}

July 7, 2016 at 6:40 am

Hi.

Can I please get your help to extend this? It is hard work to put all the servers in the script; it's about 90 servers I have to do this on. Is it possible to import a txt or csv file with all the server names?

July 7, 2016 at 9:10 am

That is very easily done: just create a text file with a server name on each line.

$user = "NTAdmin"
$computers = get-content -path .\Serverlist.txt 
$EnableUser = 512
$DisableUser = 2
Foreach($computer in $computers){
  $ObjUser = [ADSI]”WinNT://$computer/$user”
  $objUser.userflags = $DisableUser # This sets the disabled flag. To enable the user, change to $objUser.userflags = $EnableUser
  $objUser.setinfo() # This writes the changes to the user account
}

July 7, 2016 at 10:41 am

🙂 Very nice work Jonathan, now I'm done with this work; all servers have the NtAdmin account disabled.

August 18, 2016 at 11:59 am

Hi!

Can I reopen this and add some more questions?

Is it possible to make the script rename the local "Administrator" account to NTAdmin and then disable it? I have found some more servers that still have the local Administrator account enabled. I want the script, if it finds any server with the Administrator name, to rename it and disable it. Or is it better to create a new script that just renames "Administrator" to NTAdmin and after that run the disable script?
For the disable NTAdmin script, is it possible to add something so it generates a log file, so I can see what has gone wrong and what has succeeded?

Can you help me with how this rename script should look? It should have the same get-content = xxx.txt file.

Thanks

August 18, 2016 at 3:50 pm

$servers = get-content .\servers.txt

foreach($server in $servers)
{
##code here##

#rename admin
$admin=[adsi]"WinNT://$server/Administrator,user"
$admin.psbase.rename("NTadmin")
}
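
The rename, disable and log file requests from the August 18 question, combined in one script as an added example (not posted by anyone in this thread). The log file name is an assumption, and unlike the scripts above it ORs the disable bit into the account's existing UserFlags value instead of overwriting it, so other flags such as password-never-expires are kept.

```powershell
# Added example, not from the thread. servers.txt and $logFile are assumed names.
$ErrorActionPreference = "Stop"          # make every error catchable per server
$oldName = "Administrator"
$newName = "NTAdmin"
$ADS_UF_ACCOUNTDISABLE = 0x2             # same bit the thread stores in $DisableUser
$logFile = ".\disable-localadmin-log.csv"
$servers = Get-Content -Path .\servers.txt | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$results = foreach ($server in $servers) {
    $steps = @()
    try {
        # List local user names first; an unreachable server throws here and is logged below.
        $comp  = [ADSI]"WinNT://$server,computer"
        $names = @($comp.psbase.Children |
                   Where-Object { $_.psbase.SchemaClassName -eq "User" } |
                   ForEach-Object { $_.psbase.Name })
        if ($names -contains $oldName) {
            $old = [ADSI]"WinNT://$server/$oldName,user"
            $old.psbase.Rename($newName)
            $steps += "renamed $oldName to $newName"
        } elseif ($names -notcontains $newName) {
            throw "neither $oldName nor $newName exists"
        }
        $acct  = [ADSI]"WinNT://$server/$newName,user"
        $flags = [int]$acct.UserFlags.Value
        if ($flags -band $ADS_UF_ACCOUNTDISABLE) {
            $steps += "already disabled"
        } else {
            # OR the bit in so the account's other flags are kept.
            $acct.UserFlags = $flags -bor $ADS_UF_ACCOUNTDISABLE
            $acct.SetInfo()
            $steps += "disabled"
        }
        $status = "Success"
    } catch {
        $status = "Failed"
        $steps += $_.Exception.Message.Trim()
    }
    [pscustomobject]@{
        Time   = (Get-Date).ToString("s")
        Server = $server
        Status = $status
        Detail = $steps -join "; "
    }
}
$results | Export-Csv -Path $logFile -NoTypeInformation
$results | Where-Object { $_.Status -eq "Failed" } | Format-Table -AutoSize
```

Each server gets one row in the CSV, so a "network path was not found" error like the one earlier in the thread shows up as a Failed row for that server instead of stopping the run.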