Solved

Use VBScript to create admin user

Posted on 2011-03-01
Last Modified: 2013-12-26
I'm working on a common utility install script for my clients that, among other things, creates a new user with admin privileges. My .cmd script works perfectly as far as it goes but... 1) it doesn't set the password expiration flag and 2) it's not very attractive. So, I'm trying to figure out the best way to do it with VBScript. Here's what I've cobbled together so far:
```vbscript
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
strComputer = "."
Set colAccounts = GetObject("WinNT://" & strComputer & "")
Set objUser = colAccounts.Create("user", "TestUser")
objUser.SetPassword "password"
objPasswordExpirationFlag = ADS_UF_DONT_EXPIRE_PASSWD
objUser.Put "userFlags", objPasswordExpirationFlag
objUser.SetInfo

Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
objGroup.Add(ObjUser.ADsPath)
set objGroup = Nothing
```

I'm obviously just learning vbs and don't fully understand what I've put together or whether or not it will do what is needed, which is:
Run on any XP, Vista or Win7 machine;
Create a new user with administrative privileges whose password won't expire; and
Done most efficiently with NO unintended consequences!
Note: The last item is of great concern so advice and explanations from those with experience will be most appreciated.
Question by:ProTek2
LVL 37

Expert Comment

by:Neil Russell
ID: 35008349
Why not just use the NET USER /ADD command in a cmd file?

C:\> NET USER testUser password /ADD /EXPIRES NEVER
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 35008401
Sorry, pressed return too early!

Then use NET LOCALGROUP to add the user to the administrators group

Or of course just use a GPO if you're in an ADS Domain
0
 

Author Comment

by:ProTek2
ID: 35008506
Neilsr -

As I said, my .cmd file works perfectly for everything except the password expiration flag. I was not aware of the /expires [option] parameter and I thank you for that. However, that doesn't address the fact that I would prefer the GUI capability of VBScript.

Also, my clients are all individuals or small companies so group policies are not an option.
0
 

Author Comment

by:ProTek2
ID: 35009350
FYI - Testing the command line password flag parameter shows that the format must be exactly  "/expires:never" WITH the colon and WITHOUT any space.
0
 
LVL 6

Expert Comment

by:judgeking
ID: 35014065
Here's a nice little VBScript I wrote for this:
```vbscript
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Dim oNetwork, oShell, oUser, oUserFlag, oUserFlags, oUserGroup
Dim sComputerName, sUser, sPassword

Set oNetwork = CreateObject("WScript.Network")
Set oShell = CreateObject("WScript.Shell")

sUser = "MyAdminAccount"
sPassword = "password"
sComputerName = oNetwork.UserDomain

'GetObject raises an error if the account is missing, so trap it
'and leave oUser as Nothing in that case
Set oUser = Nothing
On Error Resume Next
Set oUser = GetObject("WinNT://" & sComputerName & "/" & sUser)
On Error GoTo 0

If oUser Is Nothing Then
  'Create account only if it doesn't already exist
  oShell.Run "net USER " & sUser & " " & sPassword & " /ADD /ACTIVE:YES /EXPIRES:NEVER /PASSWORDCHG:YES /PASSWORDREQ:YES", 0, True
End If

'Add user to Administrators group
Set oUser = GetObject("WinNT://" & sComputerName & "/" & sUser)
Set oUserGroup = GetObject("WinNT://" & sComputerName & "/Administrators")
oUserGroup.Add oUser.ADsPath

'Set user flag Password Never Expires
oUserFlags = oUser.Get("UserFlags")
oUserFlag = oUserFlags OR ADS_UF_DONT_EXPIRE_PASSWD
oUser.Put "UserFlags", oUserFlag
oUser.SetInfo
```

0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 35024469
If you're trying to do this on Win7 as a startup script you will need to set a GPO for allowing scripts to act in an automated batch/script administrative function. No exceptions. XP is the only system you do not need to do this for as far as I know without creating a custom hack to do so. This only relates of course if you're trying to automate this kind of script. If you're just trying to use this one manually you will have no troubles.
0
 

Author Comment

by:ProTek2
ID: 35026229
This script will be initiated by the client on his/her local machine.
0
 
LVL 6

Expert Comment

by:judgeking
ID: 35028843
ProTek, did you try my solution?
0
 

Author Comment

by:ProTek2
ID: 35029050
judgeking -

Since you didn't provide the rationale for WHY you did WHAT you did, I will have to test each part of the script to figure that out and I haven't had time to do that yet. At first glance (from the perspective of a VBScript novice), it appears bloated for what I requested but, I am not familiar enough with VBScript yet to render that as an informed opinion. However, I appreciate your input and will get to a more detailed analysis of it in a day or so. Thank you.
0
 
LVL 15

Accepted Solution

by:
Russell_Venable earned 1000 total points
ID: 35031806
Heavily edited Judgeking's script to work on an ADSI Domain. Also to include console arguments, Cleanup Resources, better appearance w/ Help menu/Structure. To show you a better implementation.

You wanted your script 2) to be attractive, so I did not include an "Array" and "For Each" for variables to show you what is used and is more understandable. Once you get past that part and understand it fully you can add the variables to an array like so.

```vbscript
Dim SomeArray(2)

'Declaring each like so.
' Starting from 0 to 2 = 3 items in array.
Set SomeArray(0) = GetObject("WinNT://" & sComputerName & "/" & sUser) ' Etc
```

Releasing Resources after

```vbscript
' Go through array and release resource taken for each object.
Dim i
For i = 0 To UBound(SomeArray)
  Set SomeArray(i) = Nothing
Next
```

You can chop this up as you like. Just remember it was written so you have a better understanding of how this works.

```vbscript
'Declare required variables.
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Dim oArgs, oNetwork, oShell, oUser, objUser, oUserFlag, oUserFlags, oPasswordExpirationFlag
Dim oGroupUser, oUserGroup, colAccounts
Dim sDomain, sComputerName, sUser, sPassword


'Set Required Userspaces
Set oArgs = WScript.Arguments
Set oNetwork = CreateObject("WScript.Network")
Set oShell = CreateObject("WScript.Shell")

'Raise error flag to user if they have not entered required information to run ;)
'All four arguments are read below, so four are required.
If oArgs.Count = 4 Then
 sUser = oArgs.Item(0)
 sPassword = oArgs.Item(1)
 sComputerName = oArgs.Item(2)
 sDomain = oArgs.Item(3)
Else
 Wscript.Echo "Usage: CreateAdmin.vbs [User] [Password] [Computer] [Domain]"
 Wscript.Quit
End If

'Hard coded solutions aren't safe...
'sUser = "MyAdminAccount"
'sPassword = "password"
'sComputerName = oNetwork.UserDomain

'Query for user. GetObject raises an error when the account does not exist,
'so trap it and leave oUser as Nothing in that case.
Set oUser = Nothing
On Error Resume Next
Set oUser = GetObject("WinNT://" & sDomain & "/" & sComputerName & "/" & sUser & ",User")
On Error GoTo 0

'This will check if the user already exists if not then create with non-expiring account
'(Not password expiration just no user expiration)
If oUser Is Nothing Then

  Set colAccounts = GetObject("WinNT://" & sDomain & "/" & sComputerName)
  Set objUser = colAccounts.Create("user", sUser)
  objUser.SetPassword sPassword
  'Commit the new account before reading its flags
  objUser.SetInfo

  'Create account only if it doesn't already exist
  'oShell.Run "net USER " & sUser & " " & sPassword & " /ADD /DOMAIN /ACTIVE:YES /EXPIRES:NEVER /PASSWORDCHG:YES /PASSWORDREQ:YES", 0, True
  'Set Active Directory flag Password Never Expires for user
  oUserFlags = objUser.Get("UserFlags")
  oPasswordExpirationFlag = oUserFlags OR ADS_UF_DONT_EXPIRE_PASSWD
  objUser.Put "UserFlags", oPasswordExpirationFlag
  objUser.SetInfo
Else
  'If user exists, Set Active Directory flag Password Never Expires for user
  oUserFlags = oUser.Get("UserFlags")
  oPasswordExpirationFlag = oUserFlags OR ADS_UF_DONT_EXPIRE_PASSWD
  'Set IADS Flags
  oUser.Put "UserFlags", oPasswordExpirationFlag
  oUser.Put "Description", "Non Expire Password set"
  oUser.SetInfo
End If

'Add user to Administrators group
Set oGroupUser = GetObject("WinNT://" & sDomain & "/" & sComputerName & "/" & sUser & ",User")
Set oUserGroup = GetObject("WinNT://" & sDomain & "/" & sComputerName & "/Administrators")
oUserGroup.Add(oGroupUser.ADsPath)


'Cleanup Resources and exit nicely
set oUser = Nothing
set objUser = Nothing
set oGroupUser = Nothing
set oUserGroup = Nothing
set oArgs = Nothing
set oNetwork = Nothing
set oShell = Nothing
Set colAccounts = Nothing
```

0
 
LVL 6

Expert Comment

by:judgeking
ID: 35032705
ProTek, not sure what you were confused about or why you'd need to test each part, but I included comments in the script's main parts.  I've modified the script to use objects more familiar to you.  I've tested this and it works perfectly and does exactly what you want.

If you need an explanation of any part of the script, just let me know.
```vbscript
On Error Resume Next

Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Dim oAccounts, oNetwork, oUser, oUserFlag, oUserFlags, oUserGroup
Dim sComputerName, sUser, sPassword

Set oShell = CreateObject("WScript.Shell")
sUser = "TestUser"
sPassword = "password"
sComputerName = oNetwork.UserDomain
Set oUser = GetObject("WinNT://" & sComputerName & "/" & sUser)

If IsEmpty(oUser) Then
  'Create account only if it doesn't already exist
  Set oAccounts = GetObject("WinNT://" & sComputerName & "")
  Set oUser = oAccounts.Create("user", sUser)
  oUser.SetPassword "password"
  oUser.SetInfo
End If

'Add user to Administrators group
Set oUserGroup = GetObject("WinNT://" & sComputerName & "/Administrators")
oUserGroup.Add oUser.ADsPath

'Set user flag Password Never Expires
oUserFlags = oUser.Get("UserFlags")
oUserFlag = oUserFlags OR ADS_UF_DONT_EXPIRE_PASSWD
oUser.Put "UserFlags", oUserFlag
oUser.SetInfo
```

0
 
LVL 6

Assisted Solution

by:judgeking
judgeking earned 1000 total points
ID: 35032713
Sorry, deleted the wrong line in the above code, should be:
```vbscript
On Error Resume Next

Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Dim oAccounts, oNetwork, oUser, oUserFlag, oUserFlags, oUserGroup
Dim sComputerName, sUser, sPassword

Set oNetwork = CreateObject("WScript.Network")
sUser = "TestUser"
sPassword = "password"
sComputerName = oNetwork.UserDomain
Set oUser = GetObject("WinNT://" & sComputerName & "/" & sUser)

If IsEmpty(oUser) Then
  'Create account only if it doesn't already exist
  Set oAccounts = GetObject("WinNT://" & sComputerName & "")
  Set oUser = oAccounts.Create("user", sUser)
  oUser.SetPassword "password"
  oUser.SetInfo
End If

'Add user to Administrators group
Set oUserGroup = GetObject("WinNT://" & sComputerName & "/Administrators")
oUserGroup.Add oUser.ADsPath

'Set user flag Password Never Expires
oUserFlags = oUser.Get("UserFlags")
oUserFlag = oUserFlags OR ADS_UF_DONT_EXPIRE_PASSWD
oUser.Put "UserFlags", oUserFlag
oUser.SetInfo
```

0
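The scripts in this thread create a local administrator whose password never expires. The check below is an added example, not code from any poster in the thread: it lists the local accounts and marks the ones that combine both properties. It assumes the English group name "Administrators" used in the thread and the ADSI constant ADS_UF_ACCOUNTDISABLE (&H2); IsMember reports direct group membership only.

```vbscript
' Added example: audit local accounts for the two properties the
' scripts in this thread set (admin membership, non-expiring password).
Option Explicit
Const ADS_UF_ACCOUNTDISABLE     = &H2
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

Dim oNetwork, oComputer, oAdmins, oUser
Dim sComputer, lFlags, bAdmin, bNoExpire, bDisabled, sLine

Set oNetwork = CreateObject("WScript.Network")
' ComputerName always names the local machine; UserDomain only
' matches it when the current logon is a local account.
sComputer = oNetwork.ComputerName

Set oComputer = GetObject("WinNT://" & sComputer & ",computer")
oComputer.Filter = Array("user")   ' enumerate user objects only
' Assumption: English group name, as used in the thread's scripts.
Set oAdmins = GetObject("WinNT://" & sComputer & "/Administrators,group")

For Each oUser In oComputer
  lFlags    = oUser.Get("UserFlags")
  ' Test single bits with And; the rest of the mask is left alone.
  bNoExpire = (lFlags And ADS_UF_DONT_EXPIRE_PASSWD) <> 0
  bDisabled = (lFlags And ADS_UF_ACCOUNTDISABLE) <> 0
  bAdmin    = oAdmins.IsMember(oUser.ADsPath)

  sLine = oUser.Name & vbTab & "flags=0x" & Hex(lFlags)
  If bAdmin    Then sLine = sLine & vbTab & "ADMIN"
  If bNoExpire Then sLine = sLine & vbTab & "PWD_NEVER_EXPIRES"
  If bDisabled Then sLine = sLine & vbTab & "DISABLED"
  ' An enabled admin with a non-expiring password deserves a second look.
  If bAdmin And bNoExpire And Not bDisabled Then
    sLine = sLine & vbTab & "<-- review"
  End If
  WScript.Echo sLine
Next

Set oAdmins = Nothing
Set oComputer = Nothing
Set oNetwork = Nothing
```

Run it with cscript.exe so each line is written to the console instead of a message box.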
 
LVL 6

Expert Comment

by:judgeking
ID: 35072227
Protek, any response?
0
 

Author Comment

by:ProTek2
ID: 35136935
Sorry guys, got hammered on another project and haven't had time to return to this. Going to award points on assumption that solutions work and for appreciation of input.
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 35137249
I know how that goes. Good luck!
0
 
LVL 6

Expert Comment

by:judgeking
ID: 35139903
Russell, congratulations on getting points for my solution.  Answer your own questions next time, don't interrupt an ongoing dialogue when a solution has already been provided.
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 35144820
I answered the question with an ADSI domain rewrite. It works for a whole domain where yours does not... That was not your answer... Mine is also console ready as yours is not. Yours is hard coded and insecure, and does not release resources. If you really wrote that script yourself you wrote a poorly coded script that will cause more problems for the user and shows poor programming practices. I am not attacking you either, I am just stating the truth. I also stated earlier that I was explaining the script, proper practices, and how to fix them according to the OP Specifications, How it works, also added a help menu among other things to make it look attractive. This is in no way interrupting dialog. It's paying attention to detail. You need to respond to the OP's specifications on the dot if possible. Which you did not do. Your script has side effects as the one I heavily rewrote does not (most important point the OP noted!!!). It's not a one way conversation either... It's a discussion amongst professionals to find an answer for the OP by ALL experts not just you. So I would truly think about your situation and step back. No one is trying to jump you.
0
 
LVL 6

Expert Comment

by:judgeking
ID: 35145078
Russell, you're a thief, plain and simple.  The code you posted is my code, cut-and-pasted to look different, and adding arguments, which is probably not what the user wanted.  He probably wanted an admin user for some app function, and wouldn't want the user picking the name and password, never mind domain.  But we don't know, since ProTek didn't even try 'either'/my solution.

BTW, releasing resources is a very nice attempt at an 'addition', but not an issue in a one-time script; teachers aren't marking our work here.
0
