Run a VBS script to create a local admin account and change password through Configuration Manager 2012

Hi,

We are running CM2012 and I was looking for some direction on how to get the following task configured. We have a VBS script that will complete the following tasks:

1.) Delete an existing local account named USER1

2.) Create a new local account and set the password

3.) Promote the account to be local administrator

We wanted to get this configured through configuration manager since we can't use group policy preferences anymore. Has anyone run into this before or has any suggestions on how to get this efficiently accomplished?

Thank you.
llarava Asked:

McKnife Commented:
Please consider: Microsoft has stopped offering this functionality for security reasons. It is absolutely not advisable to use the same pw on more than one machine. And with such a script, that any computer account may read, you empower users that have local admin rights to read that script, get the password and own a lot of computers. Why is that - because local admins can impersonate the system account and therefore read scripts that are being deployed.

Use something else: https://support.microsoft.com/en-us/kb/3062591 is what Microsoft offers instead of group policy preferences. Also look at my article that has another approach even more comfortable, if you ask me: http://www.experts-exchange.com/articles/18180/A-concept-for-safe-user-support.html?searchSuccess=true&searchTop10=true
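
The concern raised in the comment above, a password literal sitting in a deployed script, can be audited for in a copy of the package source. This is an added example, not code from the thread or from any poster; the rule names, the `scan_tree` helper, the sample script and its placeholder passwords are all constructed for illustration.

```python
import re
from pathlib import Path

RULES = {
    # ADSI WinNT provider call with a string literal argument
    "adsi-setpassword": re.compile(r'\.SetPassword\s*\(?\s*"([^"]+)"', re.I),
    # net user <name> <password>; skips /switches, the "*" prompt and concatenation
    "net-user": re.compile(r'\bnet1?(?:\.exe)?\s+user\s+[^\s"]+\s+([^\s"/*][^\s"]*)', re.I),
}
SCRIPT_EXTS = {".vbs", ".wsf", ".cmd", ".bat", ".ps1"}

def find_embedded_passwords(text):
    """Return (line_no, rule, redacted_line) for each literal password."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        # Comment lines are scanned too: a commented-out password is still readable.
        for rule, rx in RULES.items():
            m = rx.search(line)
            if m:  # redact so the audit report does not leak it again
                shown = line[:m.start(1)] + "<redacted>" + line[m.end(1):]
                findings.append((no, rule, shown.strip()))
    return findings

def scan_tree(root):
    """Scan scripts under root, e.g. a copy of a package source folder."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXTS:
            raw = path.read_bytes()  # VBS files are often saved as UTF-16
            enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
            hits = find_embedded_passwords(raw.decode(enc, errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample following the three steps in the question (text only).
SAMPLE_VBS = """\
Set objComputer = GetObject("WinNT://.")
objComputer.Delete "user", "USER1"
Set objUser = objComputer.Create("user", "SupportAdmin")
objUser.SetPassword "Placeholder-Not-Real-1"
objUser.SetInfo
GetObject("WinNT://./Administrators,group").Add objUser.ADsPath
' objShell.Run "net user SupportAdmin Placeholder-Not-Real-2 /add", 0, True
objUser.SetPassword strFromElsewhere
"""
if __name__ == "__main__":
    print(*find_embedded_passwords(SAMPLE_VBS), sep="\n")
```

A hit means the credential should be treated as exposed and rotated, not just removed from the file.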
Nathan Hawkins (Technical Lead - Network Security) Commented:
This is what I use to enable the local administrator account: http://www.eightforums.com/tutorials/9650-built-administrator-account-enable-disable-windows-8-a.html

Option 3 allows you to use the Local Users MMC but there are some qualifications in order to use it.

llarava (Author) Commented:
The built-in local administrator account is disabled via GPO.

We have an unmanaged local admin account (staged in the OS image). We want to get rid of that and create a new one, promote the account to be local admin and reset the password.

Moving forward we will simply change the password through CM. The users don't have admin rights.
McKnife Commented:
Do whatever you like, but the decision is not advisable and MS has offered a new method of doing this, why not use it, if I may ask? You can never be sure, they don't get admin some day using exploits.