Help with handle local accounts


This topic contains 22 replies, has 4 voices, and was last updated by

 
Participant
2 years, 5 months ago.

  • #45444

    Participant
    Points: 0
    Rank: Member

    Hi.

    I need to disable the local administrator account on several servers for security policy. I hope, and I think, there must be a simple way to do this with PS so I don't have to log in to each server and disable the account?

  • #45455

    Participant
    Points: 0
    Rank: Member
  • #45457

    Participant
    Points: 0
    Rank: Member

    Yes, I saw this too when I googled this, but I'm pretty new to PS and just want one command that disables the .\Administrator account. I think this script/solution does much more than that?

  • #45467

    Participant
    Points: 0
    Rank: Member
  • #45483

    Participant
    Points: 0
    Rank: Member

    Yes, I read it but don't understand much of it. Am I right that I must know the password for the local account I want to disable?

  • #45561

    Participant
    Points: 0
    Rank: Member

    The script in the blog was written to have you set the password when you enable a user, but it is not a requirement.

    At a very basic level, this is what you need:

    $user = "TestUser" 
    $computer = "."
    $EnableUser = 512
    $DisableUser = 2 
    $ObjUser = [ADSI]”WinNT://$computer/$user”
    $objUser.userflags = $DisableUser # This sets the disabled flag. To enable the user, change to $objUser.userflags = $EnableUser
    $objUser.setinfo() # This writes the changes to the user account
    
    
    
  • #45640

    Participant
    Points: 0
    Rank: Member

    OK, thanks a lot, I will test this and get back 🙂

  • #45642

    Participant
    Points: 0
    Rank: Member

    It works fine for one computer, but I cannot add several computer names, e.g.
    $computername = "serve1,server2,server3"

    Is there any way this can be solved?

  • #45728

    Participant
    Points: 0
    Rank: Member

    To do this for multiple computers you will need to use a for each loop to process all the computers.

    $user = "TestUser" 
    $computers = ".","localhost"
    $EnableUser = 512
    $DisableUser = 2 
    Foreach ($computer in $computers){
      $ObjUser = [ADSI]”WinNT://$computer/$user”
      $objUser.userflags = $DisableUser # This sets the disabled flag. To enable the user, change to $objUser.userflags = $EnableUser
      $objUser.setinfo() # This writes the changes to the user account
    }
    
  • #45734

    Participant
    Points: 0
    Rank: Member

    That doesn't work; the script is looking for a host called "," if I set this:

    $computer = "server1","server2","server3". Or have I misunderstood this?

    • #45745

      Participant
      Points: 0
      Rank: Member

      It should work if you set it like this:

      $computers = "Server01", "Server02", "Server03"

      Also take a look at this:

      $ObjUser = [ADSI]”WinNT://$computer/$user”

      Replace those ” quotes with this "

      $ObjUser = [ADSI]"WinNT://$computer/$user"

  • #45749

    Participant
    Points: 0
    Rank: Member

    Still the same error. As soon as I put in 2 servers with "server01","server02" it cannot find a name called ",". Works fine with one "server01". I have installed PS 5 on this machine, if that should make any difference?
    Exception setting "userflags": "The following exception occurred while retrieving member "userflags": "The network path was not found.
    ""
    At G:\PS_Scripts\disablelocaladmin.ps1:6 char:1
    + $objUser.userflags = $DisableUser # This set the disabled flag. To En ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], SetValueInvocationException
    + FullyQualifiedErrorId : ExceptionWhenSetting

    The following exception occurred while retrieving member "setinfo": "The network path was not found.
    "
    At G:\PS_Scripts\disablelocaladmin.ps1:7 char:1
    + $objUser.setinfo() # The writes the changes to the user account
    + ~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], ExtendedTypeSystemException
    + FullyQualifiedErrorId : CatchFromBaseGetMember

  • #45775

    Participant
    Points: 0
    Rank: Member

    Post the whole code you are running and the output with errors here.

  • #45912

    Participant
    Points: 0
    Rank: Member

    The output from the script, which is exactly like the one Jonathan delivered above, with the change that I have put in:
    $computer = "server01","server02"

    Exception setting "userflags": "The following exception occurred while retrieving member "userflags": "The network path was not found.
    ""
    At G:\PS_Scripts\disablelocaladmin.ps1:6 char:1
    + $objUser.userflags = $DisableUser # This set the disabled flag. To En ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], SetValueInvocationException
    + FullyQualifiedErrorId : ExceptionWhenSetting

    The following exception occurred while retrieving member "setinfo": "The network path was not found.
    "
    At G:\PS_Scripts\disablelocaladmin.ps1:7 char:1
    + $objUser.setinfo() # The writes the changes to the user account
    + ~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], ExtendedTypeSystemException
    + FullyQualifiedErrorId : CatchFromBaseGetMember

  • #45926

    Participant
    Points: 0
    Rank: Member

    I put in the script anyway.
    $user = "NTAdmin"
    $computer = "server01","server02"
    $EnableUser = 512
    $DisableUser = 2
    $ObjUser = [ADSI]”WinNT://$computer/$user”
    $objUser.userflags = $DisableUser # This set the disabled flag. To Enable the user change to $objUser.userflags = $EnableUser
    $objUser.setinfo() # The writes the changes to the user account

  • #45932

    Participant
    Points: 0
    Rank: Member

    Hmm, sorry 🙁 I haven't run the change Jonathan added with the for each computer part. Will be back.

  • #45934

    Participant
    Points: 0
    Rank: Member

    Hmm, sorry guys, for all the trouble and time you have had to spend on this. I didn't add the part Jonathan put in with the for each computers.

    It works fine now.

    🙁

  • #45944

    Participant
    Points: 0
    Rank: Member
    $user = "NTAdmin"
    $computers = "server01","server02"
    $EnableUser = 512
    $DisableUser = 2
    Foreach($computer in $computers){
      $ObjUser = [ADSI]"WinNT://$computer/$user"
      $objUser.userflags = $DisableUser # This sets the disabled flag. To enable the user, change to $objUser.userflags = $EnableUser
      $objUser.setinfo() # This writes the changes to the user account
    }
    
  • #46057

    Participant
    Points: 0
    Rank: Member

    Hi.

    Can I please get your help to extend this? It's hard to put all the servers in the script; it's about 90 servers I have to do this on. Is it possible to import a txt or csv file with all server names?

  • #46070

    Participant
    Points: 0
    Rank: Member

    That is very easily done; just create a text file with a server name on each line:

    $user = "NTAdmin"
    $computers = get-content -path .\Serverlist.txt 
    $EnableUser = 512
    $DisableUser = 2
    Foreach($computer in $computers){
      $ObjUser = [ADSI]"WinNT://$computer/$user"
      $objUser.userflags = $DisableUser # This sets the disabled flag. To enable the user, change to $objUser.userflags = $EnableUser
      $objUser.setinfo() # This writes the changes to the user account
    }
    
  • #46072

    Participant
    Points: 0
    Rank: Member

    🙂 Very nice work, Jonathan. Now I'm done with this work; all servers have the NtAdmin account disabled.

  • #50927

    Participant
    Points: 0
    Rank: Member

    Hi!

    Can I reopen this and add some more questions to this?

    Is it possible to make the script rename the local "Administrator" account to NTAdmin and then disable it? I have found some more servers that still have the local administrator account enabled. I want the script, if it finds any server with the Administrator name, to rename it and disable it. Or is it better to create a new script that just renames "Administrator" to NTAdmin and after that run the disable script?
    For the disable NTAdmin script, is it possible to add logging so it generates a log file, so I can see what has gone wrong and what has succeeded?

    Can you help me with how this rename script should look? It should have the same get-content = xxx.txt file.

    Thanks

  • #50941

    Participant
    Points: 0
    Rank: Member

    $servers = get-content .\servers.txt

    foreach($server in $servers)
    {
      ##code here##

      #rename admin
      $admin=[adsi]"WinNT://$server/Administrator,user"
      $admin.psbase.rename("NTadmin")
    }
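
An added example (not code posted by anyone in this thread) that combines the rename, disable and log-file requests above into one pass over the server list. It goes a step beyond the thread by locating the built-in administrator through its well-known RID 500 instead of by name, and it ORs the disable bit into the existing UserFlags value so the account's other flags are left as they were; `Servers.txt`, `DisableLocalAdmin.csv` and the function name `Disable-BuiltinAdmin` are assumptions.

```powershell
# Added example. Servers.txt, DisableLocalAdmin.csv and Disable-BuiltinAdmin are assumed names.
$ADS_UF_ACCOUNTDISABLE = 0x2    # same bit as $DisableUser in the thread

function Disable-BuiltinAdmin {
    param(
        [Parameter(Mandatory)][string]$Computer,
        [string]$NewName = 'NTAdmin'
    )
    # One log row per server, filled in as each step succeeds.
    $row = [pscustomobject]@{
        Time = (Get-Date -Format s); Computer = $Computer
        FoundAs = ''; Renamed = $false; Disabled = $false; Error = ''
    }
    try {
        # The built-in administrator keeps RID 500 whatever it has been renamed to.
        $machine = [ADSI]"WinNT://$Computer,computer"
        $account = $machine.psbase.Children | Where-Object {
            $_.psbase.SchemaClassName -eq 'User' -and
            (New-Object System.Security.Principal.SecurityIdentifier($_.objectSid.Value, 0)).Value -like 'S-1-5-21-*-500'
        } | Select-Object -First 1
        if (-not $account) { throw 'No local account with RID 500 found' }

        $row.FoundAs = $account.psbase.Name
        if ($row.FoundAs -ne $NewName) {
            $account.psbase.Rename($NewName)
            $row.Renamed = $true
            $account = [ADSI]"WinNT://$Computer/$NewName,user"   # re-bind under the new name
        }
        # OR the disable bit in so the account's other flags are preserved.
        $flags = [int]$account.psbase.InvokeGet('UserFlags')
        $account.UserFlags = $flags -bor $ADS_UF_ACCOUNTDISABLE
        $account.SetInfo()
        $row.Disabled = $true
    }
    catch {
        # Unreachable host, access denied, name clash on rename: record it and move on.
        $row.Error = $_.Exception.Message
    }
    $row
}

Get-Content -Path .\Servers.txt |
    Where-Object { $_.Trim() } |
    ForEach-Object { Disable-BuiltinAdmin -Computer $_.Trim() } |
    Export-Csv -Path .\DisableLocalAdmin.csv -NoTypeInformation
```

Rows with a non-empty Error column in the CSV are the servers to revisit; re-running the script is safe because an account already named NTAdmin and already disabled is left unchanged.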

The topic ‘Help with handle local accounts’ is closed to new replies.