PowerShell: Add Local User as an Administrator on All Servers in Domain

# addLocalAccountOnAllServers.ps1
# Uses only legacy commands (net user / net localgroup) for maximum compatibility with older hosts

# Set variables
# Display name and description applied to the local account on every target server.
# Single-quoted on purpose: these are plain literals with nothing to expand.
$newUserDesc='Standardized local admin user'
$newUserFullName='Local System Admin'
# NOTE(review): $newUsername, $newUserPass and $newUserGroup are consumed further down
# but are not assigned anywhere in this listing — presumably set elsewhere; confirm.
# If the password is supplied here, read it at run time (Read-Host/Get-Credential)
# rather than storing a literal in the script.

#######################################
# Ensure a standardized local user exists, has the intended password, belongs to
# $newUserGroup and is enabled on each server in $servers, using a WinRM session per
# host and legacy net.exe commands on the remote side.
# Inputs:  $servers, $newUsername, $newUserPass, $newUserFullName, $newUserDesc,
#          $newUserGroup (expected as parameters; see NOTE below)
# Outputs: progress lines via write-host / write-warning
# Returns: $results (see NOTE at the bottom)
# NOTE(review): this listing is incomplete as reproduced — the if/else and try/catch
# lines and several closing braces are missing, so the code below does not parse
# as-is. The comments describe what the surviving lines establish; confirm against
# the original source before relying on any of it.
#######################################
function addLocalAccount{
        # NOTE(review): these two lines end in commas and read like entries of a
        # param(...) block whose opening and closing lines are not in this listing;
        # they would give $newUserFullName/$newUserDesc defaults when not passed.
        $newUserFullName="Systems Admin",
        $newUserDesc="Standardized local admin user",
    # -SkipCNCheck disables hostname-vs-certificate CN validation on HTTPS listeners;
    # keep it only while listener certificates are known to mismatch and drop it
    # once they are corrected. -OpenTimeOut 60: give up on a host after 60 seconds.
    $psSessionOptions=New-PSSessionOption -SkipCNCheck -OpenTimeOut 60
    foreach ($server in $servers){
        # -EA Ignore suppresses connection errors; the State check on the next line
        # is the only thing that detects an unreachable host.
        $pssession=new-pssession $server -SessionOption $psSessionOptions -EA Ignore
        # NOTE(review): the matching else/closing brace for this if is not visible;
        # the write-warning near the end of the loop is presumably its else branch.
        $progress=if($pssession.State -eq 'Opened'){
                Invoke-command -session $pssession -ScriptBlock {
                    # NOTE(review): no param(...) line is visible in this scriptblock.
                    # Values passed via -Args only bind to named variables through a
                    # param block (otherwise they land in $args), so as shown the
                    # $newUsername/$newUserPass/... references below would be unbound
                    # on the remote host — confirm the original had a param block.
                    # Check whether username exists and proceed accordingly
                    # -match is a regex/substring test on the first output line, so a
                    # name that is a substring of another account name could match;
                    # an exact comparison would be stricter.
                    $usernameExists=$(net user $newUsername)[0] -match $newUsername
                            # Using legacy commands for maximum compatibility
                            # The password is passed as a plain command-line argument to
                            # net.exe, so it is visible in process listings and in
                            # command-line auditing on the target for the duration of
                            # the call; account for that when choosing how it is supplied.
                            $null=NET USER $newUsername $newUserPass /fullname:"$newUserFullName" /comment:"$newUserDesc" /Active:Yes /ADD /Y
                            write-host "$newUserName has been created on $env:computername successfully"
                            # if user exists, ensure that its password is matching the intended value
                            # invoke-expression re-parses a string built from the variables:
                            # if $newUsername or $newUserPass contain characters PowerShell
                            # treats specially (quotes, ';', '$', '&') the command changes
                            # meaning. Calling net.exe directly with separate arguments,
                            # as the NET USER ... /ADD call above does, avoids re-parsing.
                            $null=invoke-expression "net user $newUsername $newUserPass" 2>&1
                            write-host "$newUserName exists on $env:computername and its password has been reset"
                        # Group membership check: same substring-match caveat as above.
                        $isMembershipValid=$(net localgroup $newUserGroup) -match $newUsername
                            # Same invoke-expression re-parsing concern as the password reset above.
                            $null=invoke-expression "NET LOCALGROUP $newUserGroup $newUsername /ADD /Y" 2>&1
                            write-host "$newUserName has been added to group $newUserGroup on $env:computername successfully"
                            write-host "$newUserName is already a member of group $newUserGroup on $env:computername"
                        # Make sure the account is enabled even if it pre-existed in a disabled state.
                        $null=Net user $newUsername /active:yes
                        # NOTE(review): $_ plus return $false reads like a catch block whose
                        # try { / catch { lines are missing from this listing.
                        write-warning $_
                        return $false
                    # Validation
                    # Relies on the "Account active" row sitting at a fixed index (5) in
                    # net user output — presumably; confirm on every OS version/locale in
                    # scope, since a shifted or localized line makes this return $false.
                    $userEnabled=$(net user $newUsername)[5] -match 'Yes'
                    return $userEnabled
                    # These lines only work in PowerShell 5.1+; hence, they are skipped
                    # New-LocalUser $newUsername -Password $newUserPass -FullName $newUserFullName -Description $newUserDesc
                    # Add-LocalGroupMember -Group $newUserGroup -Member $newUsername
                } -Args $newUsername,$newUserPass,$newUserFullName,$newUserDesc,$newUserGroup
                # Tear the session down whether or not the remote steps succeeded.
                remove-pssession $pssession
                write-warning "$env:computername is unable to connect to $server via WinRM"
        # NOTE(review): $result and $results are never assigned in the visible lines;
        # presumably $progress was meant to be collected per server — confirm.
        write-host $result
    return $results

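# Get all servers, excluding domain controllers.
# Domain controllers are excluded by primary group RID 516 ("Domain Controllers").
# Splatting keeps the single long query readable without changing what is queried.
$adQuery = @{
    Filter     = 'operatingsystem -like "*server*" -and enabled -eq "true" -and primarygroupid -ne "516"'
    Properties = 'Name','Operatingsystem','OperatingSystemVersion','IPv4Address'
}
$memberServers = Get-ADComputer @adQuery |
    Sort-Object -Property Operatingsystem |
    Select-Object -Property Name,Operatingsystem,OperatingSystemVersion,IPv4Address

# Pass the inventory built above. $servers is not assigned anywhere in this script,
# so passing it would hand the function $null and nothing would be processed.
# NOTE(review): $newUsername, $newUserPass and $newUserGroup must be set before this
# point (not shown in this listing); supply the password at run time
# (Read-Host -AsSecureString / Get-Credential) rather than as a literal in the script.
$results = addLocalAccount $memberServers $newUsername $newUserPass $newUserFullName $newUserDesc $newUserGroup

# Per-server outcome as returned by addLocalAccount.
write-host $results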
