Solved

Use VBScript to create admin user

Posted on 2011-03-01
Last Modified: 2013-12-26
I'm working on a common utility install script for my clients that, among other things, creates a new user with admin privileges. My .cmd script works perfectly as far as it goes but... 1) it doesn't set the password expiration flag and 2) it's not very attractive. So, I'm trying to figure out the best way to do it with VBScript. Here's what I've cobbled together so far:
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
strComputer = "."
Set colAccounts = GetObject("WinNT://" & strComputer & "")
Set objUser = colAccounts.Create("user", "TestUser")
objUser.SetPassword "password"
objPasswordExpirationFlag = ADS_UF_DONT_EXPIRE_PASSWD
objUser.Put "userFlags", objPasswordExpirationFlag
objUser.SetInfo

Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
objGroup.Add(ObjUser.ADsPath)
set objGroup = Nothing


I'm obviously just learning vbs and don't fully understand what I've put together or whether or not it will do what is needed, which is:
Run on any XP, Vista or Win7 machine;
Create a new user with administrative privileges whose password won't expire; and
Done most efficiently with NO unintended consequences!
Note: The last item is of great concern so advice and explanations from those with experience will be most appreciated.
Question by:ProTek2
18 Comments
 
LVL 37

Expert Comment

by:Neil Russell
ID: 35008349
Why not just use the NET USER /ADD command in a cmd file?

C:\> NET USER testUser password /ADD /EXPIRES NEVER
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 35008401
Sorry, pressed return too early!

Then use NET LOCALGROUP to add the user to the administrators group

Or of course just use a GPO if you're in an ADS Domain
0
 

Author Comment

by:ProTek2
ID: 35008506
Neilsr -

As I said, my .cmd file works perfectly for everything except the password expiration flag. I was not aware of the /expires [option] parameter and I thank you for that. However, that doesn't address the fact that I would prefer the GUI capability of VBScript.

Also, my clients are all individuals or small companies so group policies are not an option.
0
 

Author Comment

by:ProTek2
ID: 35009350
FYI - Testing the command line password flag parameter shows that the format must be exactly  "/expires:never" WITH the colon and WITHOUT any space.
0
 
LVL 6

Expert Comment

by:judgeking
ID: 35014065
Here's a nice little VBScript I wrote for this:
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Dim oNetwork, oShell, oUser, oUserFlag, oUserFlags, oUserGroup
Dim sComputerName, sUser, sPassword

Set oNetwork = CreateObject("WScript.Network")
Set oShell = CreateObject("WScript.Shell")

sUser = "MyAdminAccount"
sPassword = "password"
sComputerName = oNetwork.UserDomain

'GetObject raises a run-time error when the account does not exist,
'so trap it and leave oUser as Nothing in that case
Set oUser = Nothing
On Error Resume Next
Set oUser = GetObject("WinNT://" & sComputerName & "/" & sUser)
On Error GoTo 0

If oUser Is Nothing Then
  'Create account only if it doesn't already exist
  oShell.Run "net USER " & sUser & " " & sPassword & " /ADD /ACTIVE:YES /EXPIRES:NEVER /PASSWORDCHG:YES /PASSWORDREQ:YES", 0, True
End If

'Add user to Administrators group
Set oUser = GetObject("WinNT://" & sComputerName & "/" & sUser)
Set oUserGroup = GetObject("WinNT://" & sComputerName & "/Administrators")
oUserGroup.Add oUser.ADsPath

'Set user flag Password Never Expires
oUserFlags = oUser.Get("UserFlags")
oUserFlag = oUserFlags OR ADS_UF_DONT_EXPIRE_PASSWD
oUser.Put "UserFlags", oUserFlag 
oUser.SetInfo


0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 35024469
If you're trying to do this on Win7 as a startup script you will need to set a GPO for allowing scripts to act in an automated batch/script administrative function. No exceptions. XP is the only system you do not need to do this for as far as I know without creating a custom hack to do so. This only relates of course if you're trying to automate this kind of script. If you're just trying to use this one manually you will have no troubles.
0
 

Author Comment

by:ProTek2
ID: 35026229
This script will be initiated by the client on his/her local machine.
0
 
LVL 6

Expert Comment

by:judgeking
ID: 35028843
ProTek, did you try my solution?
0
 

Author Comment

by:ProTek2
ID: 35029050
judgeking -

Since you didn't provide the rationale for WHY you did WHAT you did, I will have to test each part of the script to figure that out and I haven't had time to do that yet. At first glance (from the perspective of a VBScript novice), it appears bloated for what I requested but, I am not familiar enough with VBScript yet to render that as an informed opinion. However, I appreciate your input and will get to a more detailed analysis of it in a day or so. Thank you.
0
 
LVL 15

Accepted Solution

by:
Russell_Venable earned 250 total points
ID: 35031806
Heavily edited Judgeking's script to work on an ADSI Domain. Also to include console arguments, Cleanup Resources, better appearance w/ Help menu/Structure. To show you a better implementation.

You wanted your script 2) to be attractive, so I did not include an "Array" and "For Each" for variables, to show you what is used and is more understandable. Once you get past that part and understand it fully you can add the variables to an array like so.

Dim SomeArray(2)

'Declaring each like so.
' Starting from 0 to 2 = 3 items in array.
Set SomeArray(0) =  GetObject("WinNT://" & sComputerName & "/" & sUser) ' Etc

Releasing Resources after
' Go through array and release resource taken for each object.
' (Index the array directly: a For Each loop variable is only a copy of each element.)
Dim i
For i = 0 To UBound(SomeArray)
  Set SomeArray(i) = Nothing
Next

You can chop this up as you like. Just remember it was written so you have a better understanding of how this works.

'Declare required variables.
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Dim oArgs, oNetwork, oShell, oUser, oGroupUser, oUserFlags, oPasswordExpirationFlag, oUserGroup, colAccounts
Dim sDomain, sComputerName, sUser, sPassword


'Set Required Userspaces
Set oArgs = WScript.Arguments
Set oNetwork = CreateObject("WScript.Network")
Set oShell = CreateObject("WScript.Shell")

'Raise error flag to user if they have not entered required information to run ;)
'(four arguments are read below, so four are required)
If oArgs.Count = 4 Then
 sUser = oArgs.Item(0)
 sPassword = oArgs.Item(1)
 sComputerName = oArgs.Item(2)
 sDomain = oArgs.Item(3)
Else
 Wscript.Echo "Usage: CreateAdmin.vbs [User] [Password] [Computer] [Domain]"
 Wscript.Quit
End If

'Hard coded solution's aren't safe...
'sUser = "MyAdminAccount"
'sPassword = "password"
'sComputerName = oNetwork.UserDomain

'Query for user. GetObject raises a run-time error when the account does not exist,
'so trap it and leave oUser as Nothing in that case.
Set oUser = Nothing
On Error Resume Next
Set oUser = GetObject("WinNT://" & sDomain & "/" & sComputerName & "/" & sUser & ",User")
On Error GoTo 0

'This will check if the user already exists if not then create with non-expiring account
'(Not password expiration just no user expiration)
If oUser Is Nothing Then

  Set colAccounts = GetObject("WinNT://" & sDomain & "/" & sComputerName)
  Set oUser = colAccounts.Create("user", sUser)
  oUser.SetPassword sPassword
  'Commit the new account before reading its flags
  oUser.SetInfo

  'Create account only if it doesn't already exist
  'oShell.Run "net USER " & sUser & " " & sPassword & " /ADD /DOMAIN /ACTIVE:YES /EXPIRES:NEVER /PASSWORDCHG:YES /PASSWORDREQ:YES", 0, True
  'Set Active Directory flag Password Never Expires for user
  oUserFlags = oUser.Get("UserFlags")
  oPasswordExpirationFlag = oUserFlags OR ADS_UF_DONT_EXPIRE_PASSWD
  oUser.Put "UserFlags", oPasswordExpirationFlag 
  oUser.SetInfo
Else 
  'If user exists, Set Active Directory flag Password Never Expires for user
  oUserFlags = oUser.Get("UserFlags")
  oPasswordExpirationFlag = oUserFlags OR ADS_UF_DONT_EXPIRE_PASSWD
  'Set IADS Flags
  oUser.Put "UserFlags", oPasswordExpirationFlag 
  oUser.Put "Description", "Non Expire Password set"
  oUser.SetInfo
End If

'Add user to Administrators group
'(Add raises an error if the account is already a member)
Set oGroupUser = GetObject("WinNT://" & sDomain & "/" & sComputerName & "/" & sUser & ",User")
Set oUserGroup = GetObject("WinNT://" & sDomain & "/" & sComputerName & "/Administrators")
oUserGroup.Add(oGroupUser.ADsPath)


'Cleanup Resources and exit nicely
set oUser = Nothing
set oGroupUser = Nothing
set oUserGroup = Nothing
set oArgs = Nothing
set oNetwork = Nothing
set oShell = Nothing
Set colAccounts = Nothing


0
 
LVL 6

Expert Comment

by:judgeking
ID: 35032705
ProTek, not sure what you were confused about or why you'd need to test each part, but I included comments in the script's main parts.  I've modified the script to use objects more familiar to you.  I've tested this and it works perfectly and does exactly what you want.

If you need an explanation of any part of the script, just let me know.
On Error Resume Next

Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Dim oAccounts, oNetwork, oUser, oUserFlag, oUserFlags, oUserGroup
Dim sComputerName, sUser, sPassword

Set oShell = CreateObject("WScript.Shell")
sUser = "TestUser"
sPassword = "password"
sComputerName = oNetwork.UserDomain
Set oUser = GetObject("WinNT://" & sComputerName & "/" & sUser)

If IsEmpty(oUser) Then
  'Create account only if it doesn't already exist
  Set oAccounts = GetObject("WinNT://" & sComputerName & "")
  Set oUser = oAccounts.Create("user", sUser)
  oUser.SetPassword sPassword
  oUser.SetInfo
End If

'Add user to Administrators group
Set oUserGroup = GetObject("WinNT://" & sComputerName & "/Administrators")
oUserGroup.Add oUser.ADsPath

'Set user flag Password Never Expires
oUserFlags = oUser.Get("UserFlags")
oUserFlag = oUserFlags OR ADS_UF_DONT_EXPIRE_PASSWD
oUser.Put "UserFlags", oUserFlag 
oUser.SetInfo


0
 
LVL 6

Assisted Solution

by:judgeking
judgeking earned 250 total points
ID: 35032713
Sorry, deleted the wrong line in the above code, should be:
On Error Resume Next

Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Dim oAccounts, oNetwork, oUser, oUserFlag, oUserFlags, oUserGroup
Dim sComputerName, sUser, sPassword

Set oNetwork = CreateObject("WScript.Network")
sUser = "TestUser"
sPassword = "password"
sComputerName = oNetwork.UserDomain
Set oUser = GetObject("WinNT://" & sComputerName & "/" & sUser)

If IsEmpty(oUser) Then
  'Create account only if it doesn't already exist
  Set oAccounts = GetObject("WinNT://" & sComputerName & "")
  Set oUser = oAccounts.Create("user", sUser)
  oUser.SetPassword sPassword
  oUser.SetInfo
End If

'Add user to Administrators group
Set oUserGroup = GetObject("WinNT://" & sComputerName & "/Administrators")
oUserGroup.Add oUser.ADsPath

'Set user flag Password Never Expires
oUserFlags = oUser.Get("UserFlags")
oUserFlag = oUserFlags OR ADS_UF_DONT_EXPIRE_PASSWD
oUser.Put "UserFlags", oUserFlag 
oUser.SetInfo


0
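
Added example, not part of the thread: a read-only check to run after any of the scripts above, listing the members of the local Administrators group and decoding the same UserFlags bits the scripts set. The file name AuditAdmins.vbs is an assumption; the ADS_UF_* values are the standard ADSI user flag constants.

```vbscript
' Added example (not from the thread). Run with: cscript //nologo AuditAdmins.vbs
Option Explicit

Const ADS_UF_ACCOUNTDISABLE     = &H2
Const ADS_UF_PASSWD_NOTREQD     = &H20
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

Dim oNetwork, oGroup, oMember, sComputer, lFlags, sNotes

Set oNetwork = CreateObject("WScript.Network")
sComputer = oNetwork.ComputerName        ' the local machine's own account database

Set oGroup = GetObject("WinNT://" & sComputer & "/Administrators,group")

For Each oMember In oGroup.Members
  If LCase(oMember.Class) = "user" Then
    ' Reading UserFlags can fail (for example a domain member that
    ' cannot be resolved), so trap the error per member.
    lFlags = Empty
    On Error Resume Next
    lFlags = oMember.Get("UserFlags")
    On Error GoTo 0

    If IsEmpty(lFlags) Then
      WScript.Echo oMember.ADsPath & " : UserFlags not readable"
    Else
      sNotes = ""
      If (lFlags And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then sNotes = sNotes & " password-never-expires"
      If (lFlags And ADS_UF_PASSWD_NOTREQD) <> 0 Then sNotes = sNotes & " password-not-required"
      If (lFlags And ADS_UF_ACCOUNTDISABLE) <> 0 Then sNotes = sNotes & " disabled"
      If sNotes = "" Then sNotes = " (no flagged bits)"
      WScript.Echo oMember.ADsPath & " : 0x" & Hex(lFlags) & sNotes
    End If
  Else
    ' Nested groups are listed but not expanded
    WScript.Echo oMember.ADsPath & " : " & oMember.Class & " (nested, not expanded)"
  End If
Next
```

The output gives one line per member, so an account created with a shared or hard-coded password and a non-expiring flag is easy to spot and track across client machines.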
 
LVL 6

Expert Comment

by:judgeking
ID: 35072227
Protek, any response?
0
 

Author Comment

by:ProTek2
ID: 35136935
Sorry guys, got hammered on another project and haven't had time to return to this. Going to award points on assumption that solutions work and for appreciation of input.
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 35137249
I know how that goes. Good luck!
0
 
LVL 6

Expert Comment

by:judgeking
ID: 35139903
Russell, congratulations on getting points for my solution.  Answer your own questions next time, don't interrupt an ongoing dialogue when a solution has already been provided.
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 35144820
I answered the question with an ADSI domain rewrite. It works for a whole domain where yours does not... That was not your answer... Mine is also console ready as yours is not. Yours is hard coded and insecure, and does not release resources. If you really wrote that script yourself you wrote a poorly coded script that will cause more problems for the user and shows poor programming practices. I am not attacking you either, I am just stating the truth. I also stated earlier that I was explaining the script, proper practices, and how to fix them according to the OP Specifications, How it works, also added a help menu among other things to make it look attractive. This is in no way interrupting dialog. It's paying attention to detail. You need to respond to the OP's specifications on the dot if possible. Which you did not do. Your script has side effects as the one I heavily rewrote does not (most important point the OP noted!!!). It's not a one way conversation either... It's a discussion amongst professionals to find an answer for the OP by ALL experts not just you. So I would truly think about your situation and step back. No one is trying to jump you.
0
 
LVL 6

Expert Comment

by:judgeking
ID: 35145078
Russell, you're a thief, plain and simple.  The code you posted is my code, cut-and-pasted to look different, and adding arguments, which is probably not what the user wanted.  He probably wanted an admin user for some app function, and wouldn't want the user picking the name and password, never mind domain.  But we don't know, since ProTek didn't even try 'either'/my solution.

BTW, releasing resources is a very nice attempt at an 'addition', but not an issue in a one-time script; teachers aren't marking our work here.
0
