Script to create local administrator account on remote domain machine

As Microsoft no longer supports creating local user accounts on domain machines using GPO, I’ve put together the script below to achieve this. Note, however, that once the account has been created it can still be managed using GPO.

This script creates a local user account on each remote domain machine, sets the account password to never expire and adds the account to the local Administrators security group (or whichever other group you prefer; just change the $local_security_group variable).

Run this script on a domain controller using a domain administrator account. Before executing it, create a txt or csv file containing the names of all the computers on which you wish to create the local user account, place it in the root of the C: drive, and define the user account variables (username, password, description and so on) in the variables section of the script.


#Define variables
#Blank lines in the list are skipped; names are trimmed below so stray spaces cannot break the WinNT path
$computers = Get-Content C:\Computers.txt | Where-Object { $_.Trim() }
#$computers = Import-Csv C:\Computers.csv | Select-Object -ExpandProperty Computer
$username = "Username"
$password = "Password"
$fullname = "Fullname"
$local_security_group = "Administrators"
$description = "Description"

Foreach ($computer in $computers) {
    $computer = $computer.Trim()
    $users = $null
    $comp = [ADSI]"WinNT://$computer"

    #Check if username exists
    Try {
        $users = $comp.psbase.children | Select-Object -ExpandProperty name
        if ($users -contains $username) {
            Write-Host "$username already exists on $computer"
        } else {
            #Create the account
            $user = $comp.Create("User", $username)
            $user.SetPassword($password)
            $user.Put("Description", $description)
            $user.Put("Fullname", $fullname)
            $user.SetInfo()

            #Set password to never expire
            #And set user cannot change password
            #Re-bind to the new account so its current UserFlags are loaded, then OR the two
            #flags onto that value instead of overwriting it (overwriting clears the
            #ADS_UF_NORMAL_ACCOUNT bit that was set at creation)
            $ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
            $ADS_UF_PASSWD_CANT_CHANGE = 0x40
            $user = [ADSI]"WinNT://$computer/$username,user"
            $user.UserFlags = $user.UserFlags.Value -bor $ADS_UF_DONT_EXPIRE_PASSWD -bor $ADS_UF_PASSWD_CANT_CHANGE
            $user.SetInfo()

            #Add the account to the local admins group
            $group = [ADSI]"WinNT://$computer/$local_security_group,group"
            $group.Add("WinNT://$computer/$username")

            #Validate whether user account has been created or not
            $users = $comp.psbase.children | Select-Object -ExpandProperty name
            if ($users -contains $username) {
                Write-Host "$username has been created on $computer"
            } else {
                Write-Host "$username has not been created on $computer"
            }
        }
    }
    Catch {
        #$computer is a plain string, so report it directly ($computer.path is always empty,
        #which is why the error line used to read "Error creating ... on :")
        Write-Host "Error creating $username on ${computer}: $($_.Exception.Message)"
    }
}
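As an added example (not the post's script), the same job done with the Microsoft.PowerShell.LocalAccounts cmdlets over WinRM. It assumes PowerShell 5.1 or later on each target, remoting enabled, the same C:\Computers.txt list (assumed path) and that the account running it is a local administrator on the targets. Unlike the post's script it reads the password at run time instead of keeping it in the file, brings accounts that already exist into line (password, never-expire flag, group membership) rather than skipping them, and returns one result object per machine.

```powershell
# Added example (not the post's script): same job with the LocalAccounts cmdlets
# over WinRM. Assumes PowerShell 5.1+ on each target, remoting enabled, the list
# in C:\Computers.txt (assumed path) and an account that is a local admin there.
$computers   = Get-Content C:\Computers.txt | Where-Object { $_.Trim() }
$username    = "Username"
$fullname    = "Fullname"
$description = "Description"
$group       = "Administrators"

# Read the password at run time, so it is never stored in the script or a log
$password = Read-Host -Prompt "Password for $username" -AsSecureString

$results = Invoke-Command -ComputerName $computers -ErrorVariable failures `
    -ErrorAction SilentlyContinue `
    -ArgumentList $username, $password, $fullname, $description, $group `
    -ScriptBlock {
    param($username, $password, $fullname, $description, $group)

    $user = Get-LocalUser -Name $username -ErrorAction SilentlyContinue
    if ($user) {
        # Account already exists: bring its settings into line instead of skipping it
        Set-LocalUser -Name $username -Password $password `
            -PasswordNeverExpires $true -UserMayChangePassword $false
        $action = "updated"
    } else {
        New-LocalUser -Name $username -Password $password -FullName $fullname `
            -Description $description -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
        $action = "created"
    }

    # Add-LocalGroupMember errors if the account is already a member, so test first
    if (-not (Get-LocalGroupMember -Group $group -Member $username -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group $group -Member $username
    }

    # Report what the machine actually ended up with, not just what was attempted
    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        Action               = $action
        PasswordNeverExpires = $null -eq (Get-LocalUser -Name $username).PasswordExpires
        InGroup              = [bool](Get-LocalGroupMember -Group $group -Member $username -ErrorAction SilentlyContinue)
    }
}

$results | Format-Table Computer, Action, PasswordNeverExpires, InGroup -AutoSize
# Hosts that could not be reached (WinRM off, firewall, name resolution) end up here
$failures | ForEach-Object { Write-Warning "$($_.TargetObject): $($_.Exception.Message)" }
```

The WinNT provider used by the post's script still works on hosts too old for these cmdlets, so keep it for those.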

20 thoughts on “Script to create local administrator account on remote domain machine”

    1. Cengiz Ulusahin

      Try adding the following function for logging at the beginning of the script.

      Function Write-Log
      {
          Param ([string]$logstring)
          $stamp = (Get-Date).ToString("yyyy/MM/dd HH:mm:ss")
          $line = "$stamp $logstring"
          Add-Content $logfile -Value $line
      }

      Then under the variable line $description = "Description" add:
      $logfile = "PATH TO YOUR LOG FILE"

      And finally replace all Write-Hosts with:
      Write-Log
  1. Pingback: Windows: Remotely Add a new Admin user. – IHNI.uk

  2. test

    How to create a local admin account on a remote computer?
    The remote computers are in a workgroup with their firewall setting at default and on.
    I have about 100 computers that need to be set.
    Please help, thanks.
    1. Cengiz Ulusahin

      Sorry for the late reply… if the remote computer is in a workgroup, you have no way of applying a group policy to it which would allow you to turn off the Windows firewall (unless you have some sort of third-party management tool). You will have to turn off the firewall on each machine manually before you can apply the script.
  3. roushan kumar

    Error creating testadmin on : Exception calling “add” with “1” argument(s): “A member could not be added to or removed from the local group because the member does not exist.

    I am getting the above error.
  4. Mike

    Hi, the script works flawlessly, thanks! But my local users cannot login; I’m wondering if it is because I have multiple dollar signs in the passwords?
  5. MS

    The file with the computer names is saved as a txt file on the C:\ drive of a domain controller.
    I am getting this error:

    At C:\Create-LocalAdmin.ps1: 10 char:35
    + Foreach ($computer in $computers) {
    + ~
    Missing closing ‘}’ in statement block or type definition.
    + CategoryInfo : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : MissingEndCurlyBrace

    Thank you
  6. MS

    I was able to resolve the curly bracket issue and now I have run into this error:

    It creates the local admin account but does not add it to the local admin group.

    Error creating localadm on : Exception calling “add” with “1” argument(s): “A member could not be added to or removed from the local group because the member does not exist.

    Help is very much appreciated!
  7. Alan

    This does not seem to work on Windows update 1909. It creates the user but the script never finishes and does not add the user to the administrators group.
  8. DK

    I got the script to run in my environment.
    I was able to verify that the local accts are created, but it appears that the password was never actually set on those accounts.

    Any ideas?
  9. Joe

    This is all nice and good, but why on earth would ANYBODY need to run this ON a domain controller? If we have access to, for example, all servers, domain-wide, there should be no need to be ON an actual “domain controller”; or am I missing something; or maybe you did that for simplicity’s sake? Many people now are “role-based” (myself included), no longer a DA, but I do have domain-wide access to all servers, and I manage those. So, the question is: can’t I run this with my appropriate admin account and get the same job done? Bottom line: it’s best to avoid logging onto DCs unless absolutely needed. So, if done properly, and I have a list of servers, I should not need to log on to a DC. Sound right? Nice script! Thanks!
    1. Cengiz Ulusahin

      Hey Joe, I really can’t remember why I suggested the script be run on a DC; keep in mind I wrote this post about 4 years ago and don’t deal with Windows that much anymore. You’re right, most likely with the correct access rights this can be run on any machine; just give it a go.
  10. Enmanuel

    Awesome script, but how can I make it reconfirm the password, the never-expire option and that the account belongs to the admin group when it finds that the account already exists? Sorry if it doesn’t make sense; I’m not much into scripting but I need this to work.
  11. greg

    Hi @Cengiz Ulusahin, I’m in the phase of using your script.
    Is there a way to define the username as hostname + local or admin,
    so that the username would be ws-134-local?
