Ping a Specific Port

Question

Nathan Hartley

Asked: 2009-06-25 07:42:12 +0800 CST2009-06-25 07:42:12 +0800 CST 2009-06-25 07:42:12 +0800 CST

Windows Local Account and Group Maintenance

772

How does one remotely maintain Local Accounts and Groups in a Windows environment?

4 Answers

Voted

Evan Anderson · Answer 1 · 2009-06-25T07:57:32+08:00

You can do this with a variety of means. I'd just use a CMD script calling the NET.EXE command-line utility.

To remove the user:

NET USER <username> /DELETE

To create a new user and add it to the Administrators group:

NET USER <username> <password> /ADD
NET LOCALGROUP Administrators <username> /ADD

Be aware that your script will have the password in it in plaintext and protect it accordingly. If you assign the script as an AD startup script (which is what I would do), alter the security permission on the script to include "Domain Computers - Read and Execute" and remove the "Authenticated Users" permission and you'll go a long way to keeping that plaintext password secure.

The script won't hurt anything if you run it multiple times on the same machine. If, however, you'd like to keep track of which machines it has run on, you might consider the following:

Create a group in AD-- say "User Creation Script Complete".
Modify the permission on the group to include "Domain Computers - Write / Add Self as Member"
In the script, above, add the line:

NET GROUP "User Creation Script Complete" /DOMAIN /ADD %COMPUTERNAME%$

You'll see the group "grow" member computers as it runs on each machine.

If you want to stop the script from running on computers where it's already run, add a permission to the GPO that assigns the startup script "User Creation Script Complete - Deny Apply Group Policy". Then the script will run once on each machine. (I do this kind of "trapdoor" script a lot, actually, for various system administration functions.)

MathewC · Answer 2 · 2009-06-25T10:16:24+08:00

MathewC

2009-06-25T10:16:24+08:002009-06-25T10:16:24+08:00

1. The MS way: http://support.microsoft.com/kb/272530

2. The MS hired a genius way: http://technet.microsoft.com/en-gb/sysinternals/bb897553.aspx

3. The GPO way: http://www.gilham.org/Blog/Lists/Posts/Post.aspx?List=aab85845-88d2-4091-8088-a6bbce0a4304&ID=505

4. The machines are off at times way: Use SMS/SCCM to advertise a cmd to change the pass warning: this leaves the pass in clear text, so script to remove the file when it's done

3

ta.speot.is · Answer 3 · 2010-02-03T14:40:06+08:00

ta.speot.is

2010-02-03T14:40:06+08:002010-02-03T14:40:06+08:00

I recommend using Restricted Groups for adding the user to the Administrators group, as opposed to scripting it. Apply this using a GPO.

Combine it with @MathewC's #3 and you should have a robust solution.

1

Nathan Hartley · Answer 4 · 2010-02-03T14:22:56+08:00

Nathan Hartley

2010-02-03T14:22:56+08:002010-02-03T14:22:56+08:00

Found a post on how to add Domain Accounts to a Local Administrators group via Group Policy.

Found a post with information on how to list/add/remove accounts from a local group with Powershell.

Powershell Change Local User Account Password Example

$userObject = [adsi] 'WinNT://ComputerName/UserName,user'
$userObject.setpassword('NewPassword')

More WinNT / ADSI provider Information

0

Windows Local Account and Group Maintenance

Ping a Specific Port

What port does SFTP use?

Resolve host name from IP address

How can I sort du -h output by size

Command line to list users in a Windows Active Directory group?

What's the command-line utility in Windows to do a reverse DNS look-up?

How to check if a port is blocked on a Windows machine?

What port should I open to allow remote desktop?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?