Create Batch File

  • Question

  • Hi,

    I need to run a batch file at startup via GPO to create a local admin. I run this code in a batch file, but it does not work. Do you know why?

    @echo off
    setlocal
    set NewAdmin=Super
    set NewPassword=fLocal#AdminS@1991
    set NewComment=Local Admin
    echo Creating user account '%NewAdmin%' ...
    net.exe user "%NewAdmin%" "%NewPassword%" /add /comment:"%NewComment%"
    echo Adding '%NewAdmin%' to local administrators ...
    net.exe localgroup Administrators "%NewAdmin%" /add
    REM *** If the "wmic.exe" line is executed, it will disable the "Must change password" option ("/logonpasswordchg:YES" in "net user /add"), because these two are mutually exclusive.
    echo Setting password of '%NewAdmin%' to never expire ...
    wmic.exe useraccount WHERE "Name='%NewAdmin%'" SET PasswordExpires=FALSE


    • Edited by Hbita Monday, May 28, 2018 6:12 AM
    • Moved by Bill_Stewart Friday, July 27, 2018 8:40 PM User should not be doing this
    Monday, May 28, 2018 6:10 AM

All replies

  • Hi,

    The batch file is working fine for me.

    Is the batch file not working or the GPO? Is the GPO really applied?

    While testing I had to "run as admin".

    You can also do everything in 2 lines. We use it like this:

    net user "%NewAdmin%" "%NewPassword%" /add /active:yes /comment:"%NewComment%" /expires:never /passwordchg:no /passwordreq:yes
    net localgroup "%group%" "%Netadmin%" /add

    Regards

    Monday, May 28, 2018 1:38 PM
  • Here is the correct and safe way to create local accounts using GP (GPP):

    https://www.petri.com/forums/forum/microsoft-networking-services/active-directory/68767-create-local-admin-account-through-gpo

    It takes only a couple of simple steps.


    \_(ツ)_/

    Monday, May 28, 2018 1:42 PM
  • Actually, I don't think creating local accounts with GPP is possible (or at least not recommended) anymore. Any password you set in GPP will be possible to extract from the XML files on SYSVOL because the encryption key was leaked.

    You should look into LAPS.

    Local Administrator Password Solution


    Monday, May 28, 2018 7:36 PM
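    The reply above warns that any password stored in a Group Policy Preference item is recoverable from the XML files in SYSVOL. The following audit script is an added example (not code from the thread or from any of its posters): it walks the Policies share, parses every preference XML file and reports each item that still carries a non-empty `cpassword` attribute, so an administrator can remove those items and rotate the affected accounts. It does not decrypt anything. It assumes a domain-joined machine whose current user can read `\\<domain>\SYSVOL`, and takes the domain name from the `USERDNSDOMAIN` environment variable; the function name `Find-GppPasswordItems` is my own.

```powershell
# Added example (not from the thread): audit SYSVOL for Group Policy Preference
# items that still embed a cpassword attribute. Any such item stores an account
# password that anyone who can read SYSVOL can recover, so the remediation is
# to delete the password (or the item) and rotate the account.
# Assumptions: domain-joined host, read access to SYSVOL, domain name taken
# from $env:USERDNSDOMAIN.

param(
    [string] $SysvolPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
)

function Find-GppPasswordItems {
    param([Parameter(Mandatory)] [string] $Path)

    # Preference items live under <GPO-GUID>\{Machine,User}\Preferences\<Type>\<Type>.xml
    $xmlFiles = Get-ChildItem -Path $Path -Recurse -Filter '*.xml' -File -ErrorAction SilentlyContinue

    foreach ($file in $xmlFiles) {
        # Cheap text pre-filter before paying for an XML parse.
        if (-not (Select-String -Path $file.FullName -Pattern 'cpassword=' -Quiet)) { continue }

        try {
            [xml] $doc = Get-Content -Path $file.FullName -Raw -ErrorAction Stop
        } catch {
            Write-Warning "Could not parse $($file.FullName): $_"
            continue
        }

        # Any element with a cpassword attribute, whatever the item type
        # (Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml).
        foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
            # cpassword="" means the password was cleared; that is harmless.
            $cpw = $node.GetAttribute('cpassword')
            if ([string]::IsNullOrEmpty($cpw)) { continue }

            # The GPO GUID is the first path component below the Policies folder.
            $relative = $file.FullName.Substring($Path.TrimEnd('\').Length).TrimStart('\')
            $gpoGuid  = $relative.Split('\')[0]

            # The account attribute name differs per item type; report whichever is set.
            $account = @($node.GetAttribute('userName'),
                         $node.GetAttribute('accountName'),
                         $node.GetAttribute('runAs')) -ne '' | Select-Object -First 1

            $changed = ''
            if ($node.ParentNode -is [System.Xml.XmlElement]) {
                $changed = $node.ParentNode.GetAttribute('changed')
            }

            [pscustomobject]@{
                GpoGuid = $gpoGuid
                File    = $file.FullName
                Element = $node.LocalName
                Account = $account
                Changed = $changed
            }
        }
    }
}

$findings = @(Find-GppPasswordItems -Path $SysvolPath)
if ($findings.Count -eq 0) {
    Write-Host "No GPP items with an embedded cpassword found under $SysvolPath"
} else {
    $findings | Format-Table -AutoSize
    Write-Warning "$($findings.Count) preference item(s) still embed a password; remove them and rotate the affected account(s)."
}
```

    Run it from any domain member as a user that can read SYSVOL (every authenticated user can, which is exactly why the finding matters). Clearing the password in the GPMC editor rewrites the item with an empty `cpassword`, which the script deliberately ignores, so a clean re-run after remediation should report nothing.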
  • Yes - LAPS is the best way. The GPP method is good for initial creation but we must immediately reset the password which can be done remotely.

    We can also set no password and set GP to refuse all logons with no password which should be done anyway. A simple script run once will create the desired password.

    Overall LAPS is the easiest and preferred method.

    I offered GPP because the user was already including the password in the batch file.  Another bad thing to do.


    \_(ツ)_/


    • Edited by jrv Monday, May 28, 2018 7:46 PM
    Monday, May 28, 2018 7:45 PM
  • Also we can use PowerShell to create and administer local accounts and groups with the local account module on PSGallery.

    find-module Localacc*,localuser*,localmac*

    Take your pick.


    \_(ツ)_/

    Monday, May 28, 2018 7:52 PM
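    The two replies above suggest creating the account once and letting LAPS own its password, and doing the account work in PowerShell rather than a batch file. The script below is an added example written for this thread, not code from any poster, and it uses the `Microsoft.PowerShell.LocalAccounts` module that ships with Windows 10 / Server 2016 and later rather than the older PSGallery module mentioned in the last reply (assumption: the built-in module is available). It is safe to assign as a GPO startup script because it is idempotent and stores no password: a random throwaway password is generated on each machine and is expected to be replaced straight away by LAPS or an out-of-band reset. The function names `New-RandomPassword` and `Initialize-LocalAdmin` and the parameter defaults are my own, chosen to mirror the variables in the original batch file.

```powershell
# Added example (not from the thread): idempotent local-admin creation for a
# GPO startup script, using the built-in Microsoft.PowerShell.LocalAccounts
# module. No password lives in the script; LAPS (or an immediate manual reset)
# is assumed to take over the password after first run.

param(
    [string] $NewAdmin   = 'Super',
    [string] $NewComment = 'Local Admin',
    [string] $AdminGroup = 'Administrators'
)

# 32 bytes from a CSPRNG, base64-encoded: long, mixed case, digits and symbols.
function New-RandomPassword {
    param([int] $Bytes = 32)
    $buffer = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try     { $rng.GetBytes($buffer) }
    finally { $rng.Dispose() }
    return (ConvertTo-SecureString -String ([Convert]::ToBase64String($buffer)) -AsPlainText -Force)
}

function Initialize-LocalAdmin {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $Description,
        [string] $Group = 'Administrators'
    )

    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $user) {
        Write-Host "Creating local account '$Name' ..."
        # Equivalent of the batch file's "net user /add" plus the wmic PasswordExpires=FALSE step.
        $user = New-LocalUser -Name $Name `
                              -Password (New-RandomPassword) `
                              -Description $Description `
                              -PasswordNeverExpires `
                              -AccountNeverExpires `
                              -UserMayNotChangePassword
    } else {
        # Re-runs at every boot must not reset a password LAPS already manages.
        Write-Host "Account '$Name' already exists; leaving its password untouched."
    }

    # Compare by SID so the check is unaffected by name formatting (COMPUTER\name vs name).
    $members = Get-LocalGroupMember -Group $Group -ErrorAction Stop
    if (-not ($members | Where-Object { $_.SID -eq $user.SID })) {
        Write-Host "Adding '$Name' to '$Group' ..."
        Add-LocalGroupMember -Group $Group -Member $user
    }
    return $user
}

# As a GPO startup script this runs as SYSTEM, which has the rights needed here;
# run interactively it needs an elevated prompt, as the first reply found.
$account = Initialize-LocalAdmin -Name $NewAdmin -Description $NewComment -Group $AdminGroup
$account | Select-Object Name, Enabled, PasswordExpires, LastLogon | Format-List
```

    Because the generated password is never written anywhere, the account is unusable until LAPS rotates it and stores the new value in Active Directory; that is the intended state, and it removes the reason the original batch file had to carry a cleartext password at all.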