As it turns out, in versions of PowerShell before v5.1 (the version included in Windows Server 2016) there was no PowerShell-native way to create local user accounts. If you need to create a local user in a script on Server 2012R2 or earlier, you will need to use either ADSI (Active Directory Service Interfaces) or the net user command.
ADSI
ADSI, the Active Directory Service Interfaces, provides a COM interface to Active Directory objects and services. Although it sounds like it is only for working with AD, it can also be used to create local accounts by treating the local computer as its own domain. You can use a snippet like this to create a local account using the ADSI PowerShell interface:
$computer = [ADSI]"WinNT://$Env:COMPUTERNAME,Computer"
$account = $computer.Create("User", "username")
$account.SetPassword("password") # or $( Read-Host -Prompt "Password" ) if interactive
$account.SetInfo()
$account.UserFlags = 64 # ADS_UF_PASSWD_CANT_CHANGE
$account.SetInfo()
There are a number of flags that can be set on the new account using the .UserFlags attribute. The MSDN documentation doesn't give numeric values for these flags (though you could calculate them yourself, given knowledge of how binary flags work); thankfully, these can be found online, as in this post from Will Steele on the TechNet forums. You can combine flags either by directly adding their numeric values or by bitwise-ORing them together. Be sure to call .SetInfo() on your new local account object to save these changes.
Net User
The net command, or more specifically its subcommand net user, is an older way of creating user accounts from the Windows command line. net user is simple to use by hand, and simple to embed in a script. This command can be called either directly from cmd.exe, or in a PowerShell (or even batch) script with a snippet like this:
net user username password /add [options]
And that's it. This creates the new user, assigns its password, and adds it to the Users group on the local computer. There are various options for this command that can be placed after the final "/add", including /expires, which allows you to specify the date on which the account should expire, and /times, which lets you dictate within what time ranges the account is allowed to log on.
Unfortunately, net user does not have options for everything. For example, you cannot use the net user command to set the account's password to never expire; this must be done using the wmic command, like so:
WMIC USERACCOUNT WHERE Name="username" SET PasswordExpires=FALSE
Putting it together
So, say that you want to write one script that will create local user accounts on servers running Windows Server 2012R2 and 2016, and you want to use the "best" way available on each platform. You can use a snippet like this to detect which version of PowerShell is running, and take the appropriate actions:
if ($PSVersionTable.PSVersion.Major -lt 5 -or ($PSVersionTable.PSVersion.Major -eq 5 -and $PSVersionTable.PSVersion.Minor -lt 1)) {
    # New-LocalUser not supported!
    $computer = [ADSI]"WinNT://$Env:COMPUTERNAME,Computer"
    $account = $computer.Create("User", "username")
    $account.SetPassword("password") # or $( Read-Host -Prompt "Password" ) if interactive
    $account.SetInfo()
    $account.UserFlags = 64 # ADS_UF_PASSWD_CANT_CHANGE
    $account.SetInfo()
    # etc.
} else {
    # ConvertTo-SecureString needs -AsPlainText -Force to accept a literal string
    $password = ConvertTo-SecureString -String "password" -AsPlainText -Force # or Read-Host -AsSecureString if interactive
    New-LocalUser -Name "username" -Password $password -PasswordNeverExpires
    # etc.
}
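As an added example (not code from the original post), the version check above and the flag discussion in the ADSI section combined into one reusable function: the flags are built with -bor from named ADS_UF_* constants rather than added by hand, the password is passed as a SecureString so it never sits in the script text or on a command line, and the resulting UserFlags are read back through ADSI so the script can verify what was actually applied. The function name New-CompatLocalUser, the $ADS_UF table and the account name svc_example are assumptions; the constant values are the documented ADS_UF_* values.

```powershell
# Added example, not from the original post. Flag values are the documented
# ADS_UF_* constants; the function and account names are placeholders.
$ADS_UF = @{
    ACCOUNTDISABLE     = 0x0002
    PASSWD_CANT_CHANGE = 0x0040
    NORMAL_ACCOUNT     = 0x0200
    DONT_EXPIRE_PASSWD = 0x10000
}

function New-CompatLocalUser {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][securestring]$Password,
        [int[]]$Flags = @()
    )
    # Combine flags with a bitwise OR: listing the same flag twice then has no
    # effect, whereas adding the numbers would silently set a different bit.
    $mask = 0
    foreach ($f in $Flags) { $mask = $mask -bor $f }

    if ($PSVersionTable.PSVersion -lt [version]'5.1') {
        # Pre-5.1 (Server 2012R2 and earlier): ADSI path. SetPassword needs the
        # plain text, so it is unwrapped only for this call and not stored.
        $computer = [ADSI]"WinNT://$Env:COMPUTERNAME,Computer"
        $account  = $computer.Create('User', $Name)
        $plain = (New-Object System.Management.Automation.PSCredential($Name, $Password)).GetNetworkCredential().Password
        $account.SetPassword($plain)
        $account.SetInfo()
        # Re-bind so the default bits (e.g. NORMAL_ACCOUNT) load, then OR ours on top.
        $account = [ADSI]"WinNT://$Env:COMPUTERNAME/$Name,User"
        $account.UserFlags = ([int]$account.UserFlags.Value) -bor $mask
        $account.SetInfo()
    } else {
        # 5.1+: map the same bits onto New-LocalUser's switches.
        New-LocalUser -Name $Name -Password $Password `
            -PasswordNeverExpires:([bool]($mask -band $ADS_UF.DONT_EXPIRE_PASSWD)) `
            -UserMayNotChangePassword:([bool]($mask -band $ADS_UF.PASSWD_CANT_CHANGE)) `
            -Disabled:([bool]($mask -band $ADS_UF.ACCOUNTDISABLE)) | Out-Null
    }
    # Read the flags back through ADSI (available on every version) so the
    # caller can verify that the requested bits were actually applied.
    $check = [ADSI]"WinNT://$Env:COMPUTERNAME/$Name,User"
    return [int]$check.UserFlags.Value
}

# Prompting keeps the password out of the script text and out of process
# command-line auditing, which `net user name password /add` does not.
$pw = Read-Host -Prompt 'Password' -AsSecureString
$flags = New-CompatLocalUser -Name 'svc_example' -Password $pw -Flags $ADS_UF.PASSWD_CANT_CHANGE, $ADS_UF.DONT_EXPIRE_PASSWD
'UserFlags = 0x{0:X}' -f $flags
```

Run it in an elevated session; the printed mask should include 0x40 and 0x10000 alongside the default account bits.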