Changing properties of a local account

It’s easy to add a new local user account by typing the following at a command prompt:

net user test Sup3rP@ssW0rD /add

However, it’s much more complicated to change its properties. Usually you want to stop people from changing its password and stop the password from expiring. (Bear in mind that a password typed on the command line, as above, is visible to anyone who can read the session’s command history or the process’s command line, so treat that line as illustration only.)
To achieve this on multiple computers, I’ve written the following function, based on the idea of another post. It also allowed me to stop using some old VBScript lines embedded in batch files.

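Function Set-LocalUserAttributes
{
<#
.SYNOPSIS
    Adds or removes ADS_UF_* account flags (the "userFlags" property) on a local user account.

.DESCRIPTION
    Binds to the account through the WinNT ADSI provider on each target computer and
    sets or clears the requested flag bits. Typical use is ADS_UF_PASSWD_CANT_CHANGE
    and ADS_UF_DONT_EXPIRE_PASSWD. Note that these flags, and ADS_UF_PASSWD_NOTREQD,
    relax the account's password policy, so changes should be deliberate and
    auditable; the function supports -WhatIf and -Verbose for that reason.

.PARAMETER ComputerName
    One or more computers to act on (accepts pipeline input). Defaults to the local
    machine. Each computer is pinged once with Test-Connection and skipped with a
    warning when unreachable.

.PARAMETER UserName
    Name of the local user account to modify.

.PARAMETER Action
    'Add' sets the requested bits; 'Remove' clears them.

.PARAMETER Attributes
    One or more ADS_USER_FLAG_ENUM names (e.g. ADS_UF_DONT_EXPIRE_PASSWD).
    Unknown names are reported with a warning and ignored.

.EXAMPLE
    Set-LocalUserAttributes -UserName test -Action Add -Attributes ADS_UF_DONT_EXPIRE_PASSWD,ADS_UF_PASSWD_CANT_CHANGE

.EXAMPLE
    'srv01','srv02' | Set-LocalUserAttributes test Remove ADS_UF_ACCOUNTDISABLE -WhatIf

.NOTES
    ADS_USER_FLAG_ENUM reference: http://msdn.microsoft.com/en-us/library/aa772300(VS.85).aspx
    Per-computer failures are reported as warnings; nothing is returned.
#>
[CmdletBinding(SupportsShouldProcess=$true)]
param(

    [Parameter(Mandatory=$false,ValueFromPipeline=$true)]
    [System.String[]]$ComputerName = $env:COMPUTERNAME,

    [parameter(Mandatory=$true,Position=0)]
    [System.String]$UserName = $null,

    [parameter(Mandatory=$true,Position=1)]
    [ValidateSet('Add','Remove')]
    [System.String]$Action = $null,

    [parameter(Mandatory=$true,Position=2)]
    [System.String[]]$Attributes = $null
)

Begin {
    # ADS_USER_FLAG_ENUM name -> bit value. Hashtable keys are case-insensitive by
    # default, matching the case-insensitive behaviour of a string switch.
    $flagTable = @{
        ADS_UF_SCRIPT                                 = 0x1
        ADS_UF_ACCOUNTDISABLE                         = 0x2
        ADS_UF_HOMEDIR_REQUIRED                       = 0x8
        ADS_UF_LOCKOUT                                = 0x10
        ADS_UF_PASSWD_NOTREQD                         = 0x20
        ADS_UF_PASSWD_CANT_CHANGE                     = 0x40
        ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED        = 0x80
        ADS_UF_TEMP_DUPLICATE_ACCOUNT                 = 0x100
        ADS_UF_NORMAL_ACCOUNT                         = 0x200
        ADS_UF_INTERDOMAIN_TRUST_ACCOUNT              = 0x800
        ADS_UF_WORKSTATION_TRUST_ACCOUNT              = 0x1000
        ADS_UF_SERVER_TRUST_ACCOUNT                   = 0x2000
        ADS_UF_DONT_EXPIRE_PASSWD                     = 0x10000
        ADS_UF_MNS_LOGON_ACCOUNT                      = 0x20000
        ADS_UF_SMARTCARD_REQUIRED                     = 0x40000
        ADS_UF_TRUSTED_FOR_DELEGATION                 = 0x80000
        ADS_UF_NOT_DELEGATED                          = 0x100000
        ADS_UF_USE_DES_KEY_ONLY                       = 0x200000
        ADS_UF_DONT_REQUIRE_PREAUTH                   = 0x400000
        ADS_UF_PASSWORD_EXPIRED                       = 0x800000
        ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x1000000
    }

    # Build the combined mask once; -Attributes is not pipeline-bound, so it is
    # available here and the work does not need repeating per computer.
    # -bor (not +=) keeps a flag that is listed twice from carrying into another bit.
    Write-Verbose -Message "Building the array of flags to be set"
    $UserFlag = 0
    foreach ($attribute in $Attributes) {
        Write-Verbose "Processing flag parameter $attribute"
        if ($flagTable.ContainsKey($attribute)) {
            $UserFlag = $UserFlag -bor $flagTable[$attribute]
        } else {
            Write-Warning -Message "Unknown flag $attribute not being added"
        }
    }
    Write-Verbose -Message "Final flag being set $UserFlag"
}
Process
{
    foreach ($Computer in $ComputerName) {
        if (-not (Test-Connection -ComputerName $Computer -Count 1 -Quiet)) {
            Write-Warning -Message "Computer $Computer seems unreachable"
            continue
        }
        try
        {
            $u = [adsi]"WinNT://$Computer/$UserName,user"
            # NOTE(review): userFlags appears to be empty when the bind failed (e.g. an
            # unknown account) — confirm. Treated as an error so the catch below reports it
            # instead of silently logging "already removed".
            if ($null -eq $u.userFlags[0]) {
                throw "account '$UserName' not found or userFlags unavailable"
            }
            $current = [int]$u.userFlags[0]
            $new = $current
            switch ($Action)
            {
                'Add' {
                    Write-Verbose -Message "Adding flag on user $UserName on computer $Computer"
                    $new = $current -bor $UserFlag
                }
                'Remove' {
                    if ($current -band $UserFlag)
                    {
                        Write-Verbose -Message "Removing flag on user $UserName on computer $Computer"
                        # -band -bnot clears only the requested bits; -bxor would also
                        # switch ON any requested bit that is currently clear.
                        $new = $current -band (-bnot $UserFlag)
                    } else {
                        Write-Verbose -Message "Already removed flag on user $UserName on computer $Computer"
                    }
                }
            }
            # Only write when something actually changes, and honour -WhatIf/-Confirm.
            if ($new -ne $current -and $PSCmdlet.ShouldProcess("$UserName on $Computer", "Set userFlags $current -> $new")) {
                $u.invokeSet("userFlags", $new)
                $u.commitChanges()
            }
        } catch {
            Write-Warning -Message "Couldn't do action $Action on $UserName on computer $Computer because $($_.Exception.Message)"
        }
    }
}
End {}


} # end of function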