
Documenting with PowerShell Chapter 3: Local Administrator Passwords solution

As good administrators should, we always try to change the local administrator password on computers that we hand out to clients, and then disable the account so we only have to enable it when it is required. Unfortunately, changing it is sometimes forgotten somewhere in the process. Microsoft makes this easy with LAPS, a solution that randomizes local administrator passwords for you; unfortunately LAPS relies on a domain environment. With more and more clients going cloud-only, this is not something we can use.

To resolve this issue you can use the script below as a LAPS alternative. As always, two versions are included: one for IT-Glue, and one to modify in any way you see fit.

The script generates a random password via PowerShell of 24 alphanumeric characters and sets it for the local administrator called "Administrator". There is also an option to rename this user to something else, which I strongly advise. We run the script at the end of our installation sequence or at initialisation of our RMM tool, whichever comes first.

IT-Glue version

#####################################################################
$APIKEy = "ITGLUEAPIKEYHERE"
$APIEndpoint = "https://api.eu.itglue.com"
$orgID = "ORGIDHERE"
$ChangeAdminUsername = $true
$NewAdminUsername = "its"
#####################################################################
#Grabbing the ITGlue module and installing it if it is not present.
If (Get-Module -ListAvailable -Name "ITGlueAPI") { Import-Module ITGlueAPI } Else { Install-Module ITGlueAPI -Force; Import-Module ITGlueAPI }
#Setting IT-Glue logon information
Add-ITGlueBaseURI -base_uri $APIEndpoint
Add-ITGlueAPIKey $APIKEy
Add-Type -AssemblyName System.Web
#This is the process we'll be performing to set the admin account.
#GeneratePassword(24,5) returns 24 characters, at least 5 of which are non-alphanumeric.
$LocalAdminPassword = [System.Web.Security.Membership]::GeneratePassword(24,5)
If ($ChangeAdminUsername -eq $false) {
    #Keep the built-in account; only rotate its password.
    Set-LocalUser -Name "Administrator" -Password ($LocalAdminPassword | ConvertTo-SecureString -AsPlainText -Force) -PasswordNeverExpires:$true
} else {
    #Create the replacement admin on first run, or rotate its password on subsequent runs.
    $ExistingNewAdmin = Get-LocalUser | Where-Object { $_.Name -eq $NewAdminUsername }
    if (!$ExistingNewAdmin) {
        Write-Host "Creating new user" -ForegroundColor Yellow
        New-LocalUser -Name $NewAdminUsername -Password ($LocalAdminPassword | ConvertTo-SecureString -AsPlainText -Force) -PasswordNeverExpires:$true
        Add-LocalGroupMember -Group Administrators -Member $NewAdminUsername
        Disable-LocalUser -Name "Administrator"
    } else {
        Write-Host "Updating admin password" -ForegroundColor Yellow
        Set-LocalUser -Name $NewAdminUsername -Password ($LocalAdminPassword | ConvertTo-SecureString -AsPlainText -Force)
    }
}
if ($ChangeAdminUsername -eq $false) { $Username = "Administrator" } else { $Username = $NewAdminUsername }
#The script uses the following line to find the correct asset by serial number, match it, and connect it if found. Don't want it to tag at all? Comment it out by adding #
$TaggedResource = (Get-ITGlueConfigurations -organization_id $orgID -filter_serial_number (Get-CimInstance Win32_BIOS).SerialNumber).data | Select-Object -Last 1
$PasswordObjectName = "$($Env:COMPUTERNAME) - Local Administrator Account"
$PasswordObject = @{
    type = 'passwords'
    attributes = @{
        name = $PasswordObjectName
        username = $Username
        password = $LocalAdminPassword
        notes = "Local Admin Password for $($Env:COMPUTERNAME)"
    }
}
#Only tag the password to a configuration when a matching asset was found.
if ($TaggedResource) {
    $PasswordObject.attributes.Add("resource_id", $TaggedResource.Id)
    $PasswordObject.attributes.Add("resource_type", "Configuration")
}

#Now we'll check if it already exists; if not, we'll create a new one.
$ExistingPasswordAsset = (Get-ITGluePasswords -filter_organization_id $orgID -filter_name $PasswordObjectName).data
#If the asset does not exist, we create a new one; otherwise we update the existing one.
if (!$ExistingPasswordAsset) {
    Write-Host "Creating new Local Administrator Password" -ForegroundColor Yellow
    $ITGNewPassword = New-ITGluePasswords -organization_id $orgID -data $PasswordObject
} else {
    Write-Host "Updating Local Administrator Password" -ForegroundColor Yellow
    $ITGNewPassword = Set-ITGluePasswords -id $ExistingPasswordAsset.id -data $PasswordObject
}

So this uploads the password object and tags it to the correct device. If the device is not found, it still uploads the password, but as an untagged password.

Note: updated at 28/02 as matching could fail in some circumstances causing an error when tagging the password.

General version

The generalised version is located below. Please remember my warning from previous blogs: this script prints the plain-text version of the password to the console. Modify this to upload the password to any general environment, but be careful with this, as storing plaintext is just bad practice.

#####################################################################
$ChangeAdminUsername = $false
$NewAdminUsername = "CompanyAdmin"
#####################################################################
Add-Type -AssemblyName System.Web
#This is the process we'll be performing to set the admin account.
#GeneratePassword(24,5) returns 24 characters, at least 5 of which are non-alphanumeric.
$LocalAdminPassword = [System.Web.Security.Membership]::GeneratePassword(24,5)
If ($ChangeAdminUsername -eq $false) {
    #Keep the built-in account; only rotate its password.
    Set-LocalUser -Name "Administrator" -Password ($LocalAdminPassword | ConvertTo-SecureString -AsPlainText -Force) -PasswordNeverExpires:$true
} else {
    #Create the replacement admin, make it an administrator and disable the built-in account.
    New-LocalUser -Name $NewAdminUsername -Password ($LocalAdminPassword | ConvertTo-SecureString -AsPlainText -Force) -PasswordNeverExpires:$true
    Add-LocalGroupMember -Group Administrators -Member $NewAdminUsername
    Disable-LocalUser -Name "Administrator"
}
if ($ChangeAdminUsername -eq $false) { $Username = "Administrator" } else { $Username = $NewAdminUsername }
#Warning: this prints the password in plain text.
Write-Host "$($Username) now has password $($LocalAdminPassword)"
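The general script above relies on System.Web (not available on PowerShell 7), looks up the built-in Administrator by display name (which may be renamed or localised), and prints the password to the console. Below is an added example of my own, not the original post's script, that covers the same procedure with those three points addressed: the password comes from a cryptographic RNG with rejection sampling, the built-in account is identified by its well-known RID 500, the script is safe to re-run, and the end state is verified rather than echoed. The function names New-RandomPassword, Get-BuiltinAdministrator, Set-ManagedLocalAdmin and Test-LocalAdminState are my own; the account name CompanyAdmin is the placeholder from the post.

```powershell
# Added example (not the original post's code). Requires the Microsoft.PowerShell.LocalAccounts
# module, which ships with Windows PowerShell 5.1 and is loadable from PowerShell 7 on Windows.

function New-RandomPassword {
    param([int]$Length = 24)
    # Letters, digits and symbols, with look-alikes (0/O, 1/l/I) left out so the value can be
    # read back from a documentation tool without ambiguity.
    $chars = [char[]]('ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*-_')
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $sb    = New-Object System.Text.StringBuilder
    $one   = New-Object byte[] 1
    # Rejection sampling: bytes at or above $limit are discarded so every character is
    # equally likely (a plain modulo would bias towards the first characters of the set).
    $limit = 256 - (256 % $chars.Length)
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($one)
        if ($one[0] -lt $limit) { [void]$sb.Append($chars[$one[0] % $chars.Length]) }
    }
    $rng.Dispose()
    return $sb.ToString()
}

function Get-BuiltinAdministrator {
    # The built-in Administrator keeps RID 500 even after being renamed or on a localised
    # Windows, so match on the SID suffix instead of the name "Administrator".
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
}

function Set-ManagedLocalAdmin {
    param(
        [Parameter(Mandatory)][string]$Username,
        [Parameter(Mandatory)][string]$PlainPassword
    )
    $secure  = ConvertTo-SecureString $PlainPassword -AsPlainText -Force
    $builtin = Get-BuiltinAdministrator
    if ($Username -eq $builtin.Name) {
        # Managing the built-in account itself: only rotate its password.
        Set-LocalUser -Name $builtin.Name -Password $secure -PasswordNeverExpires:$true
        return
    }
    if (Get-LocalUser -Name $Username -ErrorAction SilentlyContinue) {
        Set-LocalUser -Name $Username -Password $secure
    } else {
        New-LocalUser -Name $Username -Password $secure -PasswordNeverExpires:$true | Out-Null
    }
    # Add-LocalGroupMember throws if the member is already present, so check first;
    # Get-LocalGroupMember reports local members as COMPUTERNAME\user.
    $members = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    if ($members -notcontains "$env:COMPUTERNAME\$Username") {
        Add-LocalGroupMember -Group 'Administrators' -Member $Username
    }
    # Disable the built-in account by its current name, whatever it is.
    Disable-LocalUser -Name $builtin.Name
}

function Test-LocalAdminState {
    # Returns the facts an auditor or RMM check would want, without the password.
    param([Parameter(Mandatory)][string]$Username)
    $builtin = Get-BuiltinAdministrator
    $members = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    [pscustomobject]@{
        ManagedAdmin    = $Username
        ManagedIsAdmin  = $members -contains "$env:COMPUTERNAME\$Username"
        BuiltinName     = $builtin.Name
        BuiltinDisabled = -not $builtin.Enabled
        BuiltinRenamed  = $builtin.Name -ne 'Administrator'
    }
}

# Usage: generate, apply, verify. The password is kept in $password for the caller (for
# example an upload to IT-Glue as in the first script) instead of being written to the console.
$password = New-RandomPassword -Length 24
Set-ManagedLocalAdmin -Username 'CompanyAdmin' -PlainPassword $password
Test-LocalAdminState -Username 'CompanyAdmin' | Format-List
```

Running Test-LocalAdminState on its own, from an RMM script, is a cheap way to catch the "forgotten" case mentioned at the top of the post: a machine where BuiltinDisabled is false or ManagedIsAdmin is false has not had the procedure applied.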

And that’s it for today! The AMP can be found here, and as always, Happy PowerShelling.

Note on AMP file: It has come to my attention that the IT-Glue API key is too long for the Script Runner in N-Central to handle. The file now has the IT-Glue API integrated in the script itself. Please enter the key there. Remember: Right-click->Save Link as to download the file.

All blogs are posted under AGPL3.0 unless stated otherwise