Kaseya Community

Create a local admin account

  • Should you have an agent on a machine, but not have a user name that you can log on with, this script will create an with and add it to the local administrator group.

    Script Name: Create Patch Admin
    Script Description: creates a local admin account called with password
    IF True
    THEN
    Execute Shell Command
    Parameter 1 : net user /add
    Parameter 2 : 1
    OS Type : 0
    Execute Shell Command
    Parameter 1 : net localgroup administrators /add
    Parameter 2 : 1
    OS Type : 0
    ELSE




    Legacy Forum Name: Create a local admin account,
    Legacy Posted By Username: jnuttall
  • This is great, but do you have anything that will work? Maybe I am doing something wrong, but I cannot use this script or the Set Password in Kaseya successfully. I get a failure every time, whether creating an account or just trying to reset an existing password.

    Legacy Forum Name: System Administration Scripts,
    Legacy Posted By Username: MSWEBS
  • I figured it out. I was using a password that started with a "/", which is believed by NET USER to be the beginning of a command. I changed the password to not include that in the password and it worked perfectly. Thanks!

    Legacy Forum Name: System Administration Scripts,
    Legacy Posted By Username: MSWEBS
  • Getting hung on this line:

    net localgroup administrators /add


    It is not adding the user to the Administrator group unless it is in DOMAIN\user format.

    Is there a set variable to use for the local DOMAIN or does this have to be created in Kaseya? Where can we read this value from? (I'm sure that it is in 1000 places in the registry but if there is already a variable it would just save a script step).

    Thank you in advance!


    Legacy Forum Name: System Administration Scripts,
    Legacy Posted By Username: mogulbumm
  • I get the value from here: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName

    However, once I have it, I create a Kaseya Variable and use that in my scripts for the domains. I found it to just be a little easier with the scripts I run to have it in the system.


    Legacy Forum Name: System Administration Scripts,
    Legacy Posted By Username: MSWEBS
  • Reference:

    http://support.microsoft.com/?KBID=251394



    Legacy Forum Name: System Administration Scripts,
    Legacy Posted By Username: shickey
  • And to remove the account:

    Script Name: Delete A Patch Admin
    Script Description: Remove Patch Administrator on local machine

    IF True
    THEN
    Execute Shell Command
    Parameter 1 : net user /delete
    Parameter 2 : 0
    OS Type : 0
    ELSE







    Legacy Forum Name: System Administration Scripts,
    Legacy Posted By Username: shickey
  • Does anyone know how to add the user to the domain admins group? I can add to local groups but not domain groups.



    Thanks


    Legacy Forum Name: System Administration Scripts,
    Legacy Posted By Username: twurm
  • We have a few users that have local admin rights to their PCs but would like to remove this for security reasons. Can we use net localgroup administrators /delete to keep the account but remove the rights? Also, would command %user% be able to replace individual users' accounts?


    Legacy Forum Name: System Administration Scripts,
    Legacy Posted By Username: philippearson
  • You might want to add the /expires:never to this command, otherwise it can stop working without notice, which will interfere with patch management, scripts, backup etc.

    Legacy Forum Name: System Administration Scripts,
    Legacy Posted By Username: raybarber
  • Here's a sample script of what I've put together and it works well enough. I have two sections, one for an administrator in the English language, and one for a Swedish "administratör" group, based on the sLanguage setting in HKCU. We have a mixture of languages for some of our clients. It gets even uglier when you try to add admin accounts for Norwegian, Finnish, Estonian and Danish users.

    :-?

    Script Name: Create Admin account for Administratör
    Script Description: Creates a local administrator account on all machines for use with Source Server - check for English language and if not, then create for Swedish users

    IF Check Registry Value
    Parameter 1 : HKEY_CURRENT_USER\Control Panel\International\sLanguage
    = :ENU
    THEN
    Get Variable
    Parameter 1 : 6
    Parameter 2 :
    Parameter 3 : machineid
    OS Type : 0
    Get Variable
    Parameter 1 : 10
    Parameter 2 :
    Parameter 3 : agentTemp
    OS Type : 0
    Execute Shell Command - (Continue on Fail)
    Parameter 1 : net user systemetadmin /delete
    Parameter 2 : 1
    OS Type : 0
    Execute Shell Command
    Parameter 1 : net user systemetadmin (password) /add
    Parameter 2 : 1
    OS Type : 0
    Execute Shell Command
    Parameter 1 : net user systemetadmin (password) /expires:never
    Parameter 2 : 1
    OS Type : 0
    Execute Shell Command
    Parameter 1 : net user systemetadmin (password) /passwordchg:no
    Parameter 2 : 1
    OS Type : 0
    Execute Shell Command
    Parameter 1 : net localgroup administrators systemetadmin /add
    Parameter 2 : 1
    OS Type : 0
    Set Registry Value
    Parameter 1 : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\systemetadmin
    Parameter 2 : 0
    Parameter 3 : REG_DWORD
    OS Type : 0
    Execute Shell Command
    Parameter 1 : net user >> #agentTemp#\users.txt
    Parameter 2 : 1
    OS Type : 0
    Execute Shell Command
    Parameter 1 : net user systemetadmin >> #agentTemp#\users.txt
    Parameter 2 : 1
    OS Type : 0
    Get Variable
    Parameter 1 : 1
    Parameter 2 : #agentTemp#\users.txt
    Parameter 3 : users
    OS Type : 0
    Write Script Log Entry
    Parameter 1 : LOG: English language OnGuard admin account created: Output User list from #machineid#: #users#
    OS Type : 0
    ELSE
    Get Variable
    Parameter 1 : 6
    Parameter 2 :
    Parameter 3 : machineid
    OS Type : 0
    Get Variable
    Parameter 1 : 10
    Parameter 2 :
    Parameter 3 : agentTemp
    OS Type : 0
    Execute Shell Command - (Continue on Fail)
    Parameter 1 : net user systemetadmin /delete
    Parameter 2 : 1
    OS Type : 0
    Execute Shell Command
    Parameter 1 : net user systemetadmin (password) /add
    Parameter 2 : 1
    OS Type : 0
    Execute Shell Command
    Parameter 1 : net user systemetadmin (password) /expires:never
    Parameter 2 : 1
    OS Type : 0
    Execute Shell Command
    Parameter 1 : net user systemetadmin (password) /passwordchg:no
    Parameter 2 : 1
    OS Type : 0
    Execute Shell Command
    Parameter 1 : net localgroup Administratörer systemetadmin /add
    Parameter 2 : 1
    OS Type : 0
    Set Registry Value
    Parameter 1 : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\systemetadmin
    Parameter 2 : 0
    Parameter 3 : REG_DWORD
    OS Type : 0
    Execute Shell Command
    Parameter 1 : net user >> #agentTemp#\users.txt
    Parameter 2 : 1
    OS Type : 0
    Execute Shell Command
    Parameter 1 : net user systemetadmin >> #agentTemp#\users.txt
    Parameter 2 : 0
    OS Type : 0
    Get Variable
    Parameter 1 : 1
    Parameter 2 : #agentTemp#\users.txt
    Parameter 3 : users
    OS Type : 0
    Write Script Log Entry
    Parameter 1 : LOG: Swedish language OnGuard admin account created: Output User list from #machineid#: #users#
    OS Type : 0




    Legacy Forum Name: System Administration Scripts,
    Legacy Posted By Username: systemet
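
The per-language branching in the procedure above can be avoided by resolving the built-in Administrators group from its well-known SID (S-1-5-32-544) rather than its localized name. This is an added example, not code from the thread; it assumes Windows PowerShell 5.1 or later with the LocalAccounts cmdlets, and `patchadmin` is a hypothetical account name.

```powershell
# Added example, not from the thread. 'patchadmin' is a hypothetical account name.
param([string]$AccountName = 'patchadmin')

# S-1-5-32-544 identifies the built-in Administrators group on every Windows
# installation, regardless of display language.
$adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'

# Translate the SID to the name this machine uses, for logging or for passing
# to "net localgroup" (e.g. BUILTIN\Administrators, BUILTIN\Administratörer).
$groupName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
Write-Output "Local administrators group on this machine: $groupName"

$user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
if (-not $user) {
    Write-Error "Local account '$AccountName' does not exist; nothing changed."
    exit 1
}

# Compare by SID string so the check does not depend on name formatting.
$memberSids = @(Get-LocalGroupMember -SID $adminSid | ForEach-Object { $_.SID.Value })
if ($memberSids -contains $user.SID.Value) {
    Write-Output "'$AccountName' is already a member of $groupName."
} else {
    Add-LocalGroupMember -SID $adminSid -Member $user
    Write-Output "Added '$AccountName' to $groupName."
}
```
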
  • I used to set the admin account for patches under the remote tab where you can reset password. It has the option to create an account on the local machine as an admin.

    I've noticed that my patches are failing regularly with "invalid credential". Even after resetting that account password and verifying on the set credential function. Why is this script here? Is that function not working?

    I may have to use this script as I've not found what is blocking my patches from working. Ideas?

    EDIT: I just checked a machine where patches have failed and the account we use does not have an expired password.



    Legacy Forum Name: System Administration Scripts,
    Legacy Posted By Username: nvelocity
  • I get this too on a couple of my devices. Has Kaseya Support been able to assist you in fixing this problem?

    Thanks!


    Legacy Forum Name: System Administration Scripts,
    Legacy Posted By Username: billmccl
  • Same problem here, haven't gotten around to submitting a ticket for it yet.

    Legacy Forum Name: System Administration Scripts,
    Legacy Posted By Username: nateg
  • I can't get any "add local administrator account" scripts to run on any of my machines. I can add local admin accounts through the Remote Control->Reset password function, or going to the command prompt for in the agent menu and manually typing the commands, but I can't run a script that creates the account. I tried adding the account manually, then running the script command

    Execute shell command

    net user ITAdmin (password) /expires:never

    Execute as the system account

    Run on all operating systems

    and that failed as well.

    Any suggestions?

    P.S. I'd add the code for my add local admin script in plain text, but I can't get Kaseya to export scripts in anything but XML format.

    <?xml version="1.0" encoding="utf-8"?>
    <ScriptExport xmlns:xsi="www.w3.org/.../XMLSchema-instance" xmlns:xsd="www.w3.org/.../XMLSchema" xmlns="www.kaseya.com/.../Scripting">
     <Procedure name="Create Local Administrator Account" treePres="3" id="1612396020">
       <Body description="Creates a local Administrator named &quot;ITAdmin&quot; and makes it so that that user is hidden from the logon list. The Password can be changed by replacing the fourth word from the first net use command.&#xD;&#xA;">
         <If description="Creates a local Administrator named &quot;KaseyAdmin&quot; and makes it so that that user is hidden from the logon list. The Password can be changed by replacing the fourth word the first net use command.&#xD;&#xA;">
           <Condition name="True" />
           <Then>
             <Statement description="Execute the given command as if it were typed in at a command prompt." name="ExecuteShellCommand" continueOnFail="false">
               <Parameter xsi:type="StringParameter" name="Command" value="net user ITAdmin password /add" />
               <Parameter xsi:type="EnumParameter" name="ExecuteAccount" value="System" />
               <Parameter xsi:type="BooleanParameter" name="Is64Bit" value="False" />
             </Statement>
             <Statement description="" name="ExecuteShellCommand" continueOnFail="false" osType="NT4|2000|XP|2003|Vista|2008">
               <Parameter xsi:type="StringParameter" name="Command" value="net localgroup Administrators ITAdmin /add" />
               <Parameter xsi:type="EnumParameter" name="ExecuteAccount" value="System" />
               <Parameter xsi:type="BooleanParameter" name="Is64Bit" value="False" />
             </Statement>
             <!-- The last path segment is the value name (the account); data 0 hides it from the logon screen. -->
             <Statement description="" name="SetRegistryValue" continueOnFail="false" osType="NT4|2000|XP|2003|Vista|2008">
               <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\ITAdmin" />
               <Parameter xsi:type="StringParameter" name="Value" value="0" />
               <Parameter xsi:type="EnumParameter" name="DataType" value="Integer" />
             </Statement>
             <Statement description="" name="WriteScriptLogEntry" continueOnFail="false" osType="NT4|2000|XP|2003|Vista|2008">
               <Parameter xsi:type="StringParameter" name="Comment" value="User Account &quot;ITAdmin&quot; has been created and hidden from the logon page." />
             </Statement>
           </Then>
         </If>
       </Body>
     </Procedure>
    </ScriptExport>
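
The procedures in this thread leave behind local administrator accounts that are hidden from the logon screen through `SpecialAccounts\UserList` and whose expiry settings have been changed, so it is worth being able to inventory them on an endpoint. The following audit script is an added example, not code from the thread; it assumes Windows PowerShell 5.1 or later with the LocalAccounts cmdlets and only reads state.

```powershell
# Added example, not from the thread: list local accounts in the built-in
# Administrators group and report the properties the procedures above set.
$adminSid    = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$userListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

# Value names under UserList are account names; DWORD 0 hides the account
# from the logon screen.
$hidden = @()
if (Test-Path $userListKey) {
    $key    = Get-Item $userListKey
    $hidden = @($key.GetValueNames() | Where-Object { $key.GetValue($_) -eq 0 })
}

# Match group members to local users by SID string (group name is localized).
$adminMemberSids = @(Get-LocalGroupMember -SID $adminSid | ForEach-Object { $_.SID.Value })

Get-LocalUser |
    Where-Object { $adminMemberSids -contains $_.SID.Value } |
    ForEach-Object {
        [pscustomobject]@{
            Account              = $_.Name
            Enabled              = $_.Enabled
            HiddenFromLogon      = $hidden -contains $_.Name
            AccountNeverExpires  = ($null -eq $_.AccountExpires)
            PasswordNeverExpires = ($null -eq $_.PasswordExpires)
            UserMayChangePwd     = $_.UserMayChangePassword
            PasswordLastSet      = $_.PasswordLastSet
        }
    } |
    Sort-Object HiddenFromLogon -Descending |
    Format-Table -AutoSize
```

An account that shows `HiddenFromLogon` as True alongside administrator membership should map to a known management account; anything else merits follow-up.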