Wednesday, October 28, 2009

Create and hide a local admin

It was recommended by Kaseya that you create a local user on your endpoints and set that as the agent credentials.

This script creates a username, makes it a local administrator, makes sure the password never expires, and sets the account so that it doesn't show up on the fast user switching screen for those machines that use the welcome screen.

First, open Notepad and create the following VBS file:

' nopwdexp.vbs
' Windows NT/2000/XP/2003 Administration Script
'
' Turns off password expiry for the specified account
'
' Usage: cscript //nologo nopwdexp.vbs /domain:domainname /user:username
'
' Written by Mark Wilson, 10 September 2004
'
' This script is provided as is without warranty of any kind. Mark Wilson
' further disclaims all implied warranties including, without limitation, any
' implied warranties of merchantability or of fitness for a particular purpose.
' The entire risk arising out of the use or performance of the script including
' any associated documentation remains with the user of the script.

Option Explicit
On Error Resume Next

' Set constants
Const ufDONT_EXPIRE_PASSWD = &H10000

' Set variables
Dim colNamedArguments
Dim strDomain, strUser

' Read command line named arguments
Set colNamedArguments = WScript.Arguments.Named

' Report missing domain argument
If colNamedArguments.Exists("domain") Then
    strDomain = colNamedArguments.Item("domain")
Else
    WScript.Echo "Missing argument: /domain:domainname"
    Usage
End If

' Report missing user argument
If colNamedArguments.Exists("user") Then
    strUser = colNamedArguments.Item("user")
Else
    WScript.Echo "Missing argument: /user:username"
    Usage
End If

PasswordNeverExpires strDomain, strUser

Sub PasswordNeverExpires(domainname, username)
    ' Sets the do not expire password flag if not already set
    Dim objUser, objUserFlags

    ' Read user properties
    Set objUser = GetObject("WinNT://" & domainname & "/" & username & ",user")

    ' Examine flags set against account
    objUserFlags = objUser.Get("UserFlags")

    ' If password expiry is allowed, then set password never to expire.
    If (objUserFlags And ufDONT_EXPIRE_PASSWD) = 0 Then
        ' Password does expire
        ' WScript.Echo objUserFlags
        objUserFlags = objUserFlags Or ufDONT_EXPIRE_PASSWD
        ' WScript.Echo objUserFlags
        objUser.Put "UserFlags", objUserFlags
        objUser.SetInfo
        WScript.Echo domainname & "\" & username & " password has been set never to expire."
    Else
        ' Password does not expire
        ' WScript.Echo objUserFlags
        WScript.Echo domainname & "\" & username & " password was already set never to expire."
    End If
End Sub

Sub Usage()
    ' Reports the correct command line syntax
    WScript.Echo VbCr
    WScript.Echo "nopwdexp.vbs"
    WScript.Echo VbCr
    WScript.Echo "Usage: cscript //nologo nopwdexp.vbs /domain:domainname /user:username"
    WScript.Quit
End Sub

Make sure the file is named nopwdexp.vbs, and upload it to your Kaseya server.

Then import this script, making sure to edit the username and password as applicable:

Script Name: Create and hide local admin


Script Description: This script creates and then hides a local administrator account.


This script should be run on every new Managed Services machine, unless you're using a domain admin credential.

IF True
THEN
Execute Shell Command - (Continue on Fail)
Parameter 1 : net user /add *USERNAME*
Parameter 2 : 1
OS Type : 0
Execute Shell Command - (Continue on Fail)
Parameter 1 : net user *USERNAME* *PASSWORD*
Parameter 2 : 1
OS Type : 0
Execute Shell Command - (Continue on Fail)
Parameter 1 : net localgroup Administrators *USERNAME* /add
Parameter 2 : 1
OS Type : 0
Write File - (Continue on Fail)
Parameter 1 : c:\temp\nopwdexp.vbs
Parameter 2 : VSASharedFiles\nopwdexp.vbs
OS Type : 0
Execute Shell Command - (Continue on Fail)
Parameter 1 : wscript //B c:\temp\nopwdexp.vbs /domain:%computername% /user:*USERNAME*
Parameter 2 : 1
OS Type : 0
Set Registry Value - (Continue on Fail)
Parameter 1 : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\userList\*USERNAME*
Parameter 2 : 0
Parameter 3 : REG_DWORD
OS Type : 0
ELSE

This script runs quickly. After it's run, set the agent credentials in the Agent tab, and you're good to go!
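
The account this script produces is a local administrator with a non-expiring password that is hidden from the welcome screen, so it is worth being able to list such accounts on an endpoint and confirm that only the expected one exists. The following audit is an added example, not part of the original script; it assumes Windows PowerShell 5.1 or later run elevated, and the function name Get-HiddenLocalAccount is hypothetical.

```powershell
# Added example: report accounts hidden via Winlogon\SpecialAccounts\UserList
# and whether each is a local admin with a non-expiring password.
$userListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
$DONT_EXPIRE_PASSWD = 0x10000   # same UserFlags bit that nopwdexp.vbs sets

function Get-HiddenLocalAccount {
    # Value names under UserList are account names; DWORD data 0 means hidden.
    $hidden = @()
    if (Test-Path -LiteralPath $userListKey) {
        $key = Get-Item -LiteralPath $userListKey
        $hidden = @($key.GetValueNames() | Where-Object { $key.GetValue($_) -eq 0 })
    }

    # Resolve the Administrators group by its well-known SID so the check
    # does not depend on the localized group name.
    $adminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
        ForEach-Object { $_.SID.Value })

    foreach ($name in $hidden) {
        $user = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
        $isAdmin = $false
        $neverExpires = $null
        if ($user) {
            $isAdmin = $adminSids -contains $user.SID.Value
            # Read UserFlags through the WinNT provider, as the VBS does.
            $entry = [ADSI]"WinNT://$env:COMPUTERNAME/$name,user"
            $neverExpires = [bool]($entry.UserFlags.Value -band $DONT_EXPIRE_PASSWD)
        }
        [pscustomobject]@{
            Account              = $name
            ExistsLocally        = [bool]$user
            Enabled              = if ($user) { $user.Enabled } else { $null }
            IsLocalAdmin         = $isAdmin
            PasswordNeverExpires = $neverExpires
            PasswordLastSet      = if ($user) { $user.PasswordLastSet } else { $null }
        }
    }
}

Get-HiddenLocalAccount | Sort-Object IsLocalAdmin -Descending | Format-Table -AutoSize
```

Run it across managed machines and compare the output against the account name you deployed; any other hidden administrator is one to investigate.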