Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 8655
  • Last Modified:

Need a batch file to create local admin account and place that account is the Administrators group.

Would like this batch created in notepad, and then to rename with the extension .bat, so that it will become a batch file. Need it to do the following:

1. Create local admin account, and place in the Administrator group.
2. Password must be set to never expire.
3. Need a description added to the account as "Local Admin"
4. Need to prompt the local admin to change password, upon initial login with the default password.
2
rtangaccurate
Asked:
rtangaccurate
  • 5
  • 4
1 Solution
 
oBdACommented:
Not fully possible, sorry. "Must change password at logon" and "Password never expires" are mutually exclusive. You can either force the new admin to change his password on the logon and then set the "Password never expires" option himself, or set the "Password never expires" option in the script and tell the new admin to change his password after logon.
@echo off
setlocal
set NewAdmin=LocalAdmin
set NewPassword=Password123
set NewComment=Local Admin
net.exe user "%NewAdmin%" "%NewPassword%" /add /comment:"%NewComment%" /logonpasswordchg:YES
net.exe localgroup Administrators "%NewAdmin%" /add
REM *** If the next line is executed, it will disable the "Must change password" option ("/logonpasswordchg:YES"), because these two are mutually exclusive.
REM wmic.exe useraccount WHERE "Name='LocalAdmin'" SET PasswordExpires=FALSE

Open in new window

1
 
rtangaccurateAuthor Commented:
i ran the script but it did not work. so lets just have it run without prompting to change password, but rather set the password to never expire. please write the batch script and attach it back to me.

set the admin to be Randy Wang
Password, set to P@ssw0rd
set the description to be Local Admin

Giving you max point for doing this. Please attach notepad file back. Thank you.
0
 
oBdACommented:
@echo off
setlocal
set NewAdmin=RandyWang
set NewPassword=P@ssw0rd
set NewComment=Local Admin
echo Creating user account '%NewAdmin%' ...
net.exe user "%NewAdmin%" "%NewPassword%" /add /comment:"%NewComment%"
echo Adding '%NewAdmin%' to local administrators ...
net.exe localgroup Administrators "%NewAdmin%" /add
REM *** If the "wmic.exe" line is executed, it will disable the "Must change password" option ("/logonpasswordchg:YES" in "net user /add"), because these two are mutually exclusive.
echo Setting password of '%NewAdmin%' to never expire ...
wmic.exe useraccount WHERE "Name='%NewAdmin%'" SET PasswordExpires=FALSE

Open in new window

0
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

 
rtangaccurateAuthor Commented:
This is great! I like the fact that it leaves existing accounts "As-is", and does not overwrite them. How can I push this out to all servers in my environment through GPO? Or can I push it out to all my servers without using GPO?
0
 
oBdACommented:
You can use a GPO startup script (http://technet.microsoft.com/en-us/library/cc779329(v=ws.10).aspx), which means the account will only be available once the server has rebooted), or use psexec (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx). Create a list "Computernames.txt" (with a test computer in it first, and the server names if everything works OK) and use tis script (adjust "C:\Temp" and "NewUser.cmd" to whatever you're using):
@echo off
setlocal
for /f %%a in ('type "C:\Temp\Computernames.txt"') do (
	echo Processing %%a ...
	copy "C:\Temp\NewUser.cmd" "\\%%a\Admin$"
	psexec.exe \\%%a "C:\Windows\NewUser.cmd"
	del "\\%%a\Admin$\NewUser.cmd"
)

Open in new window

0
 
rtangaccurateAuthor Commented:
Can you modify the batch file to include Randy Wang under "Full Name"? I wont bother you anymore, after this. I will give the points you deserve. Thanks again.
0
 
oBdACommented:
@echo off
setlocal
set NewAdmin=RandyWang
set NewPassword=P@ssw0rd
set NewComment=Local Admin
set NewFullName=Randy Wang
echo Creating user account '%NewAdmin%' ...
net.exe user "%NewAdmin%" "%NewPassword%" /add /comment:"%NewComment%" /fullname:"%NewFullName%"
echo Adding '%NewAdmin%' to local administrators ...
net.exe localgroup Administrators "%NewAdmin%" /add
REM *** If the "wmic.exe" line is executed, it will disable the "Must change password" option ("/logonpasswordchg:YES" in "net user /add"), because these two are mutually exclusive.
echo Setting password of '%NewAdmin%' to never expire ...
wmic.exe useraccount WHERE "Name='%NewAdmin%'" SET PasswordExpires=FALSE

Open in new window

1
 
rtangaccurateAuthor Commented:
It did not add the Full Name.
0
 
oBdACommented:
Which error(s) did show up?
Note that the script will not add the full name to an existing account, it will just set the full name when a new account is created. To add the full name to an existing account, all you need is
@echo off
setlocal
set NewAdmin=RandyWang
set NewFullName=Randy Wang
echo Adding full name 'NewFullName' to user account '%NewAdmin%' ...
net.exe user "%NewAdmin%" /fullname:"%NewFullName%" 

Open in new window

0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now