ProTek2

Use VBScript to create admin user

I'm working on a common utility install script for my clients that, among other things, creates a new user with admin privileges. My .cmd script works perfectly as far as it goes but... 1) it doesn't set the password expiration flag and 2) it's not very attractive. So, I'm trying to figure out the best way to do it with VBScript. Here's what I've cobbled together so far:
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
strComputer = "."   ' "." means the local computer
' Bind to the local machine and create the account
Set colAccounts = GetObject("WinNT://" & strComputer & "")
Set objUser = colAccounts.Create("user", "TestUser")
objUser.SetPassword "password"
' Set the "password never expires" flag, then commit the new account
objPasswordExpirationFlag = ADS_UF_DONT_EXPIRE_PASSWD
objUser.Put "userFlags", objPasswordExpirationFlag
objUser.SetInfo

' Add the new account to the local Administrators group
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
objGroup.Add(objUser.ADsPath)
Set objGroup = Nothing


I'm obviously just learning vbs and don't fully understand what I've put together or whether or not it will do what is needed, which is:
Run on any XP, Vista or Win7 machine;
Create a new user with administrative privileges whose password won't expire; and
Done most efficiently with NO unintended consequences!
Note: The last item is of great concern so advice and explanations from those with experience will be most appreciated.
Neil Russell

Why not just use the NET USER /ADD command in a cmd file?

C:\> NET USER testUser password /ADD /EXPIRES NEVER
Sorry, pressed return too early!

Then use NET LOCALGROUP to add the user to the administrators group

Or of course just use a GPO if you're in an ADS Domain
ProTek2

ASKER

Neilsr -

As I said, my .cmd file works perfectly for everything except the password expiration flag. I was not aware of the /expires [option] parameter and I thank you for that. However, that doesn't address the fact that I would prefer the GUI capability of VBScript.

Also, my clients are all individuals or small companies so group policies are not an option.
ProTek2

ASKER

FYI - Testing the command line password flag parameter shows that the format must be exactly  "/expires:never" WITH the colon and WITHOUT any space.
Here's a nice little VBScript I wrote for this:
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

Dim oNetwork, oShell, oUser, oUserFlag, oUserFlags, oUserGroup
Dim sComputerName, sUser, sPassword

Set oNetwork = CreateObject("WScript.Network")
Set oShell = CreateObject("WScript.Shell")

sUser = "MyAdminAccount"
sPassword = "password"
sComputerName = oNetwork.UserDomain

'GetObject raises an error when the account is missing, so trap it
Set oUser = Nothing
On Error Resume Next
Set oUser = GetObject("WinNT://" & sComputerName & "/" & sUser)
On Error GoTo 0

If oUser Is Nothing Then
  'Create account only if it doesn't already exist
  oShell.Run "net USER " & sUser & " " & sPassword & " /ADD /ACTIVE:YES /EXPIRES:NEVER /PASSWORDCHG:YES /PASSWORDREQ:YES", 0, True
End If

'Add user to Administrators group
Set oUser = GetObject("WinNT://" & sComputerName & "/" & sUser)
Set oUserGroup = GetObject("WinNT://" & sComputerName & "/Administrators")
oUserGroup.Add oUser.ADsPath

'Set user flag Password Never Expires (OR keeps the flags already set)
oUserFlags = oUser.Get("UserFlags")
oUserFlag = oUserFlags OR ADS_UF_DONT_EXPIRE_PASSWD
oUser.Put "UserFlags", oUserFlag
oUser.SetInfo


If you're trying to do this on Win7 as a startup script you will need to set a GPO for allowing scripts to act in an automated batch/script administrative function. No exceptions. XP is the only system you do not need to do this for as far as I know without creating a custom hack to do so. This only relates of course if you're trying to automate this kind of script. If you're just trying to use this one manually you will have no troubles.
ProTek2

ASKER

This script will be initiated by the client on his/her local machine.
ProTek, did you try my solution?
ProTek2

ASKER

judgeking -

Since you didn't provide the rationale for WHY you did WHAT you did, I will have to test each part of the script to figure that out and I haven't had time to do that yet. At first glance (from the perspective of a VBScript novice), it appears bloated for what I requested but, I am not familiar enough with VBScript yet to render that as an informed opinion. However, I appreciate your input and will get to a more detailed analysis of it in a day or so. Thank you.
ASKER CERTIFIED SOLUTION
Russell_Venable

This solution is only available to members.
ProTek, not sure what you were confused about or why you'd need to test each part, but I included comments in the script's main parts. I've modified the script to use objects more familiar to you. I've tested this and it works perfectly and does exactly what you want.

If you need an explanation of any part of the script, just let me know.
'Errors are ignored for the whole script, so a failed lookup leaves oUser Empty
On Error Resume Next

Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Dim oAccounts, oNetwork, oUser, oUserFlag, oUserFlags, oUserGroup
Dim sComputerName, sUser, sPassword

'WScript.Network supplies the UserDomain value used below
Set oNetwork = CreateObject("WScript.Network")
sUser = "TestUser"
sPassword = "password"
sComputerName = oNetwork.UserDomain
Set oUser = GetObject("WinNT://" & sComputerName & "/" & sUser)

If IsEmpty(oUser) Then
  'Create account only if it doesn't already exist
  Set oAccounts = GetObject("WinNT://" & sComputerName & "")
  Set oUser = oAccounts.Create("user", sUser)
  oUser.SetPassword sPassword
  oUser.SetInfo
End If

'Add user to Administrators group
Set oUserGroup = GetObject("WinNT://" & sComputerName & "/Administrators")
oUserGroup.Add oUser.ADsPath

'Set user flag Password Never Expires (OR keeps the flags already set)
oUserFlags = oUser.Get("UserFlags")
oUserFlag = oUserFlags OR ADS_UF_DONT_EXPIRE_PASSWD
oUser.Put "UserFlags", oUserFlag
oUser.SetInfo
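
A read-only check of what the scripts in this thread leave behind, as an added example that is not any poster's code: it lists the local Administrators group through the same WinNT provider and reports the UserFlags bits on each member, including the password-never-expires bit. The English group name "Administrators" and binding by ComputerName are assumptions.

```vbscript
' Added example: audit local Administrators members and their UserFlags bits.
' Makes no changes to any account.
Option Explicit

Const ADS_UF_ACCOUNTDISABLE     = &H2
Const ADS_UF_PASSWD_NOTREQD     = &H20
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

Dim oNetwork, oGroup, oMember, sComputer

Set oNetwork = CreateObject("WScript.Network")
sComputer = oNetwork.ComputerName   ' assumption: audit the local machine

' Assumption: English group name; localized Windows uses a translated name
Set oGroup = GetObject("WinNT://" & sComputer & "/Administrators,group")

For Each oMember In oGroup.Members
  WScript.Echo DescribeMember(oMember)
Next

' Returns one report line for a group member
Function DescribeMember(oMember)
  Dim lFlags, sNotes

  ' Nested groups carry no UserFlags; report them by class only
  If LCase(oMember.Class) <> "user" Then
    DescribeMember = oMember.Name & " (" & oMember.Class & ")"
    Exit Function
  End If

  ' Reading flags can fail for members that cannot be resolved
  On Error Resume Next
  lFlags = oMember.Get("UserFlags")
  If Err.Number <> 0 Then
    DescribeMember = oMember.Name & ": UserFlags unavailable (0x" & Hex(Err.Number) & ")"
    Err.Clear
    Exit Function
  End If
  On Error GoTo 0

  sNotes = ""
  If lFlags And ADS_UF_DONT_EXPIRE_PASSWD Then sNotes = sNotes & " password-never-expires"
  If lFlags And ADS_UF_PASSWD_NOTREQD Then sNotes = sNotes & " password-not-required"
  If lFlags And ADS_UF_ACCOUNTDISABLE Then sNotes = sNotes & " disabled"
  If sNotes = "" Then sNotes = " none of the checked bits set"
  DescribeMember = oMember.Name & ":" & sNotes
End Function
```

Run it with `cscript //nologo` so each member prints as a console line instead of a message box.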


SOLUTION
This solution is only available to members.
Protek, any response?
ProTek2

ASKER

Sorry guys, got hammered on another project and haven't had time to return to this. Going to award points on assumption that solutions work and for appreciation of input.
I know how that goes. Good luck!
Russell, congratulations on getting points for my solution. Answer your own questions next time, don't interrupt an ongoing dialogue when a solution has already been provided.
I answered the question with an ADSI domain rewrite. It works for a whole domain where yours does not... That was not your answer... Mine is also console ready as yours is not. Yours is hard coded and insecure, and does not release resources. If you really wrote that script yourself you wrote a poorly coded script that will cause more problems for the user and shows poor programming practices. I am not attacking you either, I am just stating the truth. I also stated earlier that I was explaining the script, proper practices, and how to fix them according to the OP's specifications, how it works, and also added a help menu among other things to make it look attractive. This is in no way interrupting dialog. It's paying attention to detail. You need to respond to the OP's specifications on the dot if possible. Which you did not do. Your script has side effects as the one I heavily rewrote does not (most important point the OP noted!!!). It's not a one way conversation either... It's a discussion amongst professionals to find an answer for the OP by ALL experts, not just you. So I would truly think about your situation and step back. No one is trying to jump you.
Russell, you're a thief, plain and simple. The code you posted is my code, cut-and-pasted to look different, and adding arguments, which is probably not what the user wanted. He probably wanted an admin user for some app function, and wouldn't want the user picking the name and password, never mind domain. But we don't know, since ProTek didn't even try 'either'/my solution.

BTW, releasing resources is a very nice attempt at an 'addition', but not an issue in a one-time script; teachers aren't marking our work here.