PowerShell | Create Local Accounts
Backup Administrator Accounts and Auto Login Service Accounts
Remotely creating new local accounts on machines within your network can be essential for various operational, security, and administrative reasons. Two common scenarios where this capability is particularly valuable include setting up backup administrator accounts and creating auto login service accounts. Below are the detailed reasons and benefits for each scenario.
1. Backup Administrator Accounts
Rationale:
- Redundancy and Reliability: Having a backup administrator account ensures that you have a fallback option if the primary administrator account becomes inaccessible due to forgotten passwords, account lockouts, or corruption.
- Business Continuity: In critical situations, such as system failures or security incidents, a backup administrator account ensures that access to essential administrative functions is maintained, minimizing downtime and enabling prompt response.
- Security and Compliance: Regularly rotating backup administrator accounts as part of a security protocol can help meet compliance requirements and reduce the risk of a single point of failure in user access control.
Benefits:
- Emergency Access: Provides a secure way to regain administrative access without physical presence, which is crucial for remote or distributed environments.
- Minimizes Downtime: Ensures that administrative tasks and system maintenance can continue uninterrupted if the primary account is compromised.
- Improved Security Posture: Allows for better management of privileged accounts by distributing administrative rights and reducing the risk of insider threats.
2. Auto Login Service Accounts
Rationale:
- Automated Processes: Certain services or applications might require an auto login capability to start up automatically after a system reboot. Creating service accounts with auto login ensures these services are always running as needed without manual intervention.
- Maintenance and Updates: Scheduled maintenance tasks, updates, and system reboots can be streamlined when critical services are set to auto-start, reducing the need for manual logins and potential human error.
- Isolated Access: By using dedicated service accounts for auto login, you can isolate access and privileges, minimizing security risks and ensuring that service accounts have only the permissions they need.
Benefits:
- Operational Efficiency: Enhances the reliability and efficiency of systems by ensuring that necessary services are always running, even after reboots or crashes.
- Security and Segregation of Duties: Provides a clear separation of roles by using dedicated service accounts, enhancing security and auditability.
- Simplified Management: Reduces the administrative overhead associated with managing service startups, especially in large-scale environments with multiple services and applications.
How to Remotely Create Local Accounts Using PowerShell
Creating local accounts remotely using PowerShell is straightforward with the appropriate cmdlets and WinRM configured for remote management. Below are examples for creating backup administrator accounts and auto login service accounts.
Create Local Accounts on Remote Systems
<#
.SYNOPSIS
Creates a local user account on remote systems.
Requires WinRM.
Requires administrative access.
.DESCRIPTION
Used to create a local user account on remote systems with the same
user name and password. This can be an auto logon account or a backup
local admin account.
.INPUTS
You need to update the script to meet your needs.
The input file should be a list of your computers, one per line,
and should reside in C:\temp on the system you run the script from.
.OUTPUTS
Export WinRM failures to txt
$WinRMErrorVar | Out-File C:\temp\WinRMFailures.txt
Export ping failures to txt
$Array_PingFailed | Out-File C:\temp\PingFailed.txt
Summary of inaccessible systems that were not processed
C:\Temp\SumOfSystemsNotProcessed.txt
Script results output
C:\temp\ScriptOutput.csv
Script error output
C:\temp\FinalScriptErrors.txt
.LINK
Https://www.scriptsbyscott.com
#>
#Get computers from file (trim whitespace and drop blank lines so names compare cleanly later)
$ArrayofComputers = Get-Content C:\temp\MyComputers.txt | ForEach-Object { $_.Trim() } | Where-Object { $_ }
#Summary of ping failures
$Array_PingFailed = @()
#Summary of systems that passed ping and WinRM
$Array_Passed = @()
#Summary of errors when trying to connect to online systems via WinRM
$WinRMErrorVar = @()
#Connection testing
Foreach ($Computer in $ArrayofComputers) {
    #Reset per iteration so a host that fails ping does not re-append the previous host's WinRM error
    $MyErr = $null
    $Checker = Test-Connection $Computer -Count 1 -Quiet
    If ($Checker) {
        #Returns the remote host name only if WinRM connects; otherwise $MyErr is populated
        $Array_Passed += Invoke-Command -ErrorVariable MyErr -ErrorAction SilentlyContinue -ComputerName $Computer -ScriptBlock { $Env:COMPUTERNAME }
    } Else {
        $Array_PingFailed += $Computer
    }
    If ($MyErr) { $WinRMErrorVar += $MyErr }
}
#Export WinRM failures to txt
$WinRMErrorVar | Out-File C:\temp\WinRMFailures.txt
#Export ping failures to txt
$Array_PingFailed | Out-File C:\temp\PingFailed.txt
#Summary of inaccessible systems that were not processed
#Note: $Array_Passed holds the short host name returned by the remote side, so the
#input file should use short host names (not FQDNs) for this comparison to match
Compare-Object -ReferenceObject $Array_Passed -DifferenceObject $ArrayofComputers | Select -ExpandProperty InputObject | Out-File C:\Temp\SumOfSystemsNotProcessed.txt
#Script command to create the account
$MyScript = {
    #Example password as written in the post; in practice supply it through Get-Credential
    #or Read-Host -AsSecureString rather than embedding it in the script file
    $MyPassword = "P@ssword1" | ConvertTo-SecureString -AsPlainText -Force
    New-LocalUser -Name "BackupAdmin1" -Password $MyPassword -FullName "Scott Head" -Description "Backup Admin Account"
}
Invoke-Command -ErrorVariable My2ndErr -ErrorAction SilentlyContinue -ComputerName $Array_Passed -ScriptBlock $MyScript `
    | Select FullName, Enabled, PasswordChangeableDate, PasswordExpires, UserMayChangePassword, PasswordLastSet, Name, SID `
    | Export-Csv C:\temp\ScriptOutput.csv -NoTypeInformation
#Errors from the account-creation step (e.g. account already exists) go to their own file
if ($My2ndErr.Count -gt 0) { $My2ndErr | Out-File C:\temp\FinalScriptErrors.txt }
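The script above creates the account but does not add it to the local Administrators group, so on its own it yields a standard user rather than a backup admin, and it embeds the password in the script file. The following is an added example, not code from the original post or from scriptsbyscott.com, that reworks the same account-creation step into a reusable function. It assumes the target list has already passed the ping/WinRM check (for instance $Array_Passed from the script above), collects the account name and password once with Get-Credential so the password is never written into a file, checks with Get-LocalUser before creating so a rerun does not error on hosts already done, and optionally adds the account to Administrators (for a backup admin) or marks the password as never expiring (typical for a service account). The function name, parameter names and the returned result object are all assumptions for this example.

```powershell
# Added example (not from the original post). Creates a local account on remote hosts
# idempotently, with the password supplied via Get-Credential instead of a hard-coded string.
function New-RemoteLocalAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        # Account name and password, prompted for once; the SecureString is sent over the
        # encrypted WinRM session and never stored in clear text in the script
        [Parameter(Mandatory)][pscredential]$Account,
        [string]$Description = 'Local account created by New-RemoteLocalAccount',
        # Backup admin accounts need local Administrators membership; service accounts normally do not
        [switch]$MakeAdministrator,
        # Typical for service accounts whose password is managed centrally
        [switch]$PasswordNeverExpires
    )

    # Runs on each remote host; returns one result object per host for CSV export
    $remoteBlock = {
        param($Name, $Password, $Description, $MakeAdministrator, $PasswordNeverExpires)
        $result = [pscustomobject]@{
            ComputerName  = $env:COMPUTERNAME
            Name          = $Name
            Created       = $false
            AddedToAdmins = $false
            Message       = ''
        }
        try {
            # Idempotent: do not fail or overwrite when the account already exists
            $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
            if (-not $user) {
                $params = @{ Name = $Name; Password = $Password; Description = $Description }
                if ($PasswordNeverExpires) { $params['PasswordNeverExpires'] = $true }
                $user = New-LocalUser @params
                $result.Created = $true
            } else {
                $result.Message = 'Account already existed; left unchanged.'
            }
            if ($MakeAdministrator) {
                # Compare by SID so a renamed account is still recognised as a member
                $isMember = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                    Where-Object { $_.SID -eq $user.SID }
                if (-not $isMember) {
                    Add-LocalGroupMember -Group 'Administrators' -Member $user
                    $result.AddedToAdmins = $true
                }
            }
        } catch {
            # Surface the remote error in the result instead of losing it in a silent stream
            $result.Message = $_.Exception.Message
        }
        $result
    }

    foreach ($computer in $ComputerName) {
        # -WhatIf shows which hosts would be touched without creating anything
        if ($PSCmdlet.ShouldProcess($computer, "Create local account '$($Account.UserName)'")) {
            Invoke-Command -ComputerName $computer -ScriptBlock $remoteBlock -ErrorAction Continue `
                -ArgumentList $Account.UserName, $Account.Password, $Description,
                              [bool]$MakeAdministrator, [bool]$PasswordNeverExpires
        }
    }
}

# Usage (assumed): prompt once, then create a backup admin on the hosts that passed the connection test.
# $cred = Get-Credential -Message 'Backup admin account name and password'
# New-RemoteLocalAccount -ComputerName $Array_Passed -Account $cred -MakeAdministrator |
#     Export-Csv C:\temp\ScriptOutput.csv -NoTypeInformation
```

Because every host returns a result object rather than writing to a shared error file, the CSV shows per host whether the account was created, whether it was added to Administrators, and any error message, which is what you want to review before trusting that the backup account exists everywhere. Run it once with -WhatIf to confirm the host list before the real pass.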