
Introduction
For those familiar with Microsoft Autopilot for deploying new machines: Autopilot doesn’t create a local user account by default. Most of the time this isn’t a problem for admins, since Global Administrators and members of the Microsoft Entra Joined Device Local Administrator groups will have admin access to these devices.
It is, however, an issue should the device lose its trust relationship, or in cases where the device loses network access and the administrator hasn’t signed into the machine recently. For these cases it’s useful to have a local account with administrator privileges, ideally set up in LAPS (Local Administrator Password Solution).
The Script
The script I’ve created below checks whether the local account exists; if it doesn’t, it creates it. The script does have to set a password, which is included in plain text. However, in my environment this isn’t of concern, as LAPS is set up and the script can use it to request an immediate password change.
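$date = Get-Date -Format yy-MM-dd-hh-mm-ss
# Create a timestamped marker file under C:\temp (-Force also creates the folder if it is missing)
New-Item -Path "C:\temp\$date" -ItemType File -Force | Out-Null
$username = "localadmin" # Placeholder - set this to the local account name for your environment
# Returns $null (instead of throwing) when the account does not exist
$account = Get-LocalUser -Name $username -ErrorAction SilentlyContinue
if ( -not $account )
{
    Write-Output "Account doesn't exist, Creating..."
    $password = "DSSdsdefsadsa!ef" # Temporary password - This should be changed in your environment
    # /y answers the confirmation prompt net.exe shows for passwords longer than 14 characters
    net user $username $password /add /y
    # net.exe is a native command, so Try/Catch will not see its failures; check the exit code instead
    if ( $LASTEXITCODE -ne 0 )
    {
        Write-Output "Failed to create $username (net user exit code $LASTEXITCODE)"
        exit 1
    }
    Try {
        Reset-LapsPassword -ErrorAction Stop # Calls on the LAPS solution to reset the password.
    }
    Catch {
        Write-Output "Reset-LapsPassword failed: $_"
        exit 1
    }
}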
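A variation on the script above, added here as an example and not the author's own code: instead of a fixed plain-text password it generates a random throwaway password on each device, creates the account with New-LocalUser, then asks LAPS to rotate it. The account name and the New-RandomPassword helper are assumptions, as is a Windows LAPS policy that already targets this account.

```powershell
# Added example (not the original author's script). Assumptions: the account
# name is a placeholder and a Windows LAPS policy already manages that account.
$UserName = 'localadmin'   # placeholder - match the account named in your LAPS policy

function New-RandomPassword {
    # Hypothetical helper: 24 random bytes from the OS CSPRNG, Base64-encoded (32 chars),
    # plus a fixed suffix so upper/lower/digit/symbol complexity rules are always met.
    $bytes = New-Object byte[] 24
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return [Convert]::ToBase64String($bytes) + 'aA1!'
}

if (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue) {
    Write-Output "Account '$UserName' already exists, nothing to do."
    exit 0
}

try {
    # The throwaway password exists only in memory on this device and is never written out.
    $secure = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
    New-LocalUser -Name $UserName -Password $secure `
        -Description 'Local account, password managed by LAPS' `
        -ErrorAction Stop | Out-Null
    Write-Output "Created '$UserName'."

    # Ask LAPS to rotate straight away so the only retrievable password is the LAPS one.
    Reset-LapsPassword -ErrorAction Stop
    Write-Output 'LAPS password reset requested.'
}
catch {
    # A non-zero exit code lets the deployment tool report the run as failed.
    Write-Output "Failed: $($_.Exception.Message)"
    exit 1
}
```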
After This…
After this you may wish to add this account to the local administrators group. Of course this can be done in PowerShell, but I prefer doing this in Microsoft Endpoint Manager.
Microsoft Endpoint Manager will do a couple of things; most importantly for me, it provides a Success / Failure report which confirms both that the above user creation script was successful and that the account was successfully added to the group.

Please see the below article to do this.