Create local admin account with rotating credentials


Posted

I am looking for a script that I can deploy where Pulseway can check to see if a specific local admin account has been created.  If not, have it create it.  With that local admin account, there is a rotating password, which is recorded in a report per computer.

  • 2 weeks later...
Posted

Kyle, 

It's not Pulseway, but have a look at LAPS from Microsoft. 

If you have an AD Environment, it works a treat, and meets the requirement of recording password "relatively" securely, and allows for password rotation. 

  • 3 weeks later...
Posted

So here is a script that I use and just set it up on a schedule.  What it does is create a local and/or domain account with the specified user name and password.  I can run it manually, on an individual system basis or through a workflow.   The only minor drawback is that the password is listed in plain text.  But my justification for this is that anyone internal to my organization is going to have access to this anyway.  It's not visible to the client or anyone else.

 

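# Inputs
$SetPassword = "Password Here"
$SetUserName = "User Name Here"
$group = "Administrators"

# Look up the account in the local SAM through the WinNT ADSI provider
$adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
$existing = $adsi.Children | Where-Object { $_.SchemaClassName -eq 'user' -and $_.Name -eq $SetUserName }

# $null goes on the left so the test is a true null check, not a collection filter
if ($null -eq $existing) {
    # Account is missing: create it and add it to the local group
    & NET USER $SetUserName $SetPassword /add /y /expires:never
    & NET LOCALGROUP $group $SetUserName /add
}
else {
    # Account already exists: reset its password to the configured value
    $existing.SetPassword($SetPassword)
}

# Mark the password as non-expiring so the account is not locked out between runs
& WMIC USERACCOUNT WHERE "Name='$SetUserName'" SET PasswordExpires=FALSE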
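
A variant of the script above that sets a fresh random password on every scheduled run instead of a fixed plain-text one, as an added example that is not part of any post in this thread. The account name and password length are assumptions, and recording the result per computer is left to the caller because the thread names no Pulseway interface for it.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumed values: account name and password length.
$UserName = 'LocalAdminPlaceholder'   # hypothetical account name
$Group    = 'Administrators'
$Length   = 24

function New-RandomPassword {
    param([int]$Length = 24)
    # 64 symbols: 256 is a multiple of 64, so masking a random byte gives a uniform index
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    try {
        do {
            $rng.GetBytes($bytes)
            $candidate = -join $(foreach ($b in $bytes) { $alphabet[$b -band 63] })
            # Redraw until upper, lower and digit are present (Windows complexity policy)
        } until ($candidate -cmatch '[A-Z]' -and $candidate -cmatch '[a-z]' -and $candidate -match '\d')
    }
    finally { $rng.Dispose() }
    ConvertTo-SecureString $candidate -AsPlainText -Force
}

$secure = New-RandomPassword -Length $Length
$user   = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue

if ($null -eq $user) {
    # Account is missing: create it with the generated password
    New-LocalUser -Name $UserName -Password $secure -PasswordNeverExpires -AccountNeverExpires | Out-Null
}
else {
    # Account exists: rotate its password
    Set-LocalUser -Name $UserName -Password $secure -PasswordNeverExpires $true
}

# Ensure group membership on every run; ignore only the "already a member" case
try {
    Add-LocalGroupMember -Group $Group -Member $UserName -ErrorAction Stop
}
catch [Microsoft.PowerShell.Commands.MemberExistsException] { }

# Hand the result to the caller as a SecureString; where it is recorded is up to the caller
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    UserName     = $UserName
    Password     = $secure
    RotatedAtUtc = (Get-Date).ToUniversalTime()
}
```

Because each machine gets its own password and no password literal is stored in the script, reading the script or one machine's entry does not give access to the other computers.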
