Powershell:远程创建本地管理员
Powershell: Create local administrators remotely
我正在考虑在几台机器 (>30) 上创建本地管理员。如果可以的话,我真的不想使用 GPO。 LAPS 对我的需要来说有点矫枉过正。
我找到了 nice script online,但它只创建了用户,并没有将他们添加到管理员组。谁能看到错误?
#Define variables
$computers = Get-Content C:\Computers.txt
#$computers = Import-CSV C:\Computers.txt | select Computer
$username = "Admin"
$password = "Password99"
$fullname = "Admin"
$local_security_group = "Administrators"
$description = "Description"
Foreach ($computer in $computers) {
$users = $null
$comp = [ADSI]"WinNT://$computer"
#Check if username exists
Try {
$users = $comp.psbase.children | select -expand name
if ($users -like $username) {
Write-Host "$username already exists on $computer"
} else {
#Create the account
$user = $comp.Create("User", "$username")
$user.SetPassword("$password")
$user.Put("Description", "$description")
$user.Put("Fullname", "$fullname")
$user.SetInfo()
#Set password to never expire
#And set user cannot change password
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
$ADS_UF_PASSWD_CANT_CHANGE = 0x40
$user.userflags = $ADS_UF_DONT_EXPIRE_PASSWD + $ADS_UF_PASSWD_CANT_CHANGE
$user.SetInfo()
#Add the account to the local admins group
$group = ([ADSI]"WinNT://$computer/$local_security_group,group")
$username = [ADSI]"WinNT://$Computer/$username,user"
#Validate whether user account has been created or not
$users = $comp.psbase.children | select -expand name
if ($users -like $username) {
Write-Host "$username has been created on $computer"
} else {
Write-Host "$username has not been created on $computer"
}
}
}
Catch {
Write-Host "Error creating $username on $($computer.path): $($Error[0].Exception.Message)"
}
}
在您的代码中,您实际上并未将用户添加到组中。
这里您实际上是在检索一个组对象,但您没有对其进行任何操作。
#Add the account to the local admins group
$group = ([ADSI]"WinNT://$computer/$local_security_group,group")
$username = [ADSI]"WinNT://$Computer/$username,user"
首先,您必须删除对 $username 的分配。然后您必须调用 $group 对象上的方法来添加用户:
#Add the account to the local admins group
$group = ([ADSI]"WinNT://$computer/$local_security_group,group")
$computerHostName = (Get-WmiObject -ComputerName $computer Win32_ComputerSystem).Name
$group.Add([ADSI]"WinNT://$computerHostName/$username,user")
这里有一个问题。请注意,我使用 Get-WmiObject 从计算机获取主机名。使用 Add() 方法时,计算机名称必须是不合格的主机名。例如 server-01,而不是 server-01.domain.lan
如果以后要为用户检索 ADSI 对象,我建议将其分配给不同的变量名,如下所示:
$adsiUser = [ADSI]"WinNT://$Computer/$username,user"
我正在考虑在几台机器 (>30) 上创建本地管理员。如果可以的话,我真的不想使用 GPO。 LAPS 对我的需要来说有点矫枉过正。
我找到了 nice script online,但它只创建了用户,并没有将他们添加到管理员组。谁能看到错误?
#Define variables
$computers = Get-Content C:\Computers.txt
#$computers = Import-CSV C:\Computers.txt | select Computer
$username = "Admin"
$password = "Password99"
$fullname = "Admin"
$local_security_group = "Administrators"
$description = "Description"
Foreach ($computer in $computers) {
$users = $null
$comp = [ADSI]"WinNT://$computer"
#Check if username exists
Try {
$users = $comp.psbase.children | select -expand name
if ($users -like $username) {
Write-Host "$username already exists on $computer"
} else {
#Create the account
$user = $comp.Create("User", "$username")
$user.SetPassword("$password")
$user.Put("Description", "$description")
$user.Put("Fullname", "$fullname")
$user.SetInfo()
#Set password to never expire
#And set user cannot change password
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
$ADS_UF_PASSWD_CANT_CHANGE = 0x40
$user.userflags = $ADS_UF_DONT_EXPIRE_PASSWD + $ADS_UF_PASSWD_CANT_CHANGE
$user.SetInfo()
#Add the account to the local admins group
$group = ([ADSI]"WinNT://$computer/$local_security_group,group")
$username = [ADSI]"WinNT://$Computer/$username,user"
#Validate whether user account has been created or not
$users = $comp.psbase.children | select -expand name
if ($users -like $username) {
Write-Host "$username has been created on $computer"
} else {
Write-Host "$username has not been created on $computer"
}
}
}
Catch {
Write-Host "Error creating $username on $($computer.path): $($Error[0].Exception.Message)"
}
}
在您的代码中,您实际上并未将用户添加到组中。
这里您实际上是在检索一个组对象,但您没有对其进行任何操作。
#Add the account to the local admins group
$group = ([ADSI]"WinNT://$computer/$local_security_group,group")
$username = [ADSI]"WinNT://$Computer/$username,user"
首先,您必须删除对 $username 的分配。然后您必须调用 $group 对象上的方法来添加用户:
#Add the account to the local admins group
$group = ([ADSI]"WinNT://$computer/$local_security_group,group")
$computerHostName = (Get-WmiObject -ComputerName $computer Win32_ComputerSystem).Name
$group.Add([ADSI]"WinNT://$computerHostName/$username,user")
这里有一个问题。请注意,我使用 Get-WmiObject 从计算机获取主机名。使用 Add() 方法时,计算机名称必须是不合格的主机名。例如 server-01,而不是 server-01.domain.lan
如果以后要为用户检索 ADSI 对象,我建议将其分配给不同的变量名,如下所示:
$adsiUser = [ADSI]"WinNT://$Computer/$username,user"