This guide walks you through setting up automatic local administrator password rotation in Gorelo. The script creates a local administrator account if one does not already exist, adds it to the local Administrators group, sets a strong random password, and stores that password in Gorelo so it can be retrieved when needed.
Step 1. Create a custom asset field.

  1. Go to Settings > Assets > Custom Fields.
  2. Add a custom field with the following details:
    • Name: Local Admin Password
    • Variable: localadminpassword
    • Type: Text
    • Turn on the Show on Asset Detail and Blue value toggles.
  3. Click Save.
Step 2. Create the script.

  1. Go to Scripts.
  2. Create a new script with the following details:
    • Name: 🔐 Set-LocalAdminPassword
    • Platform: Windows
    • Content: [copy the PowerShell script provided below]
  3. Click Save.
# =========================================================================
# Simple Local Admin Password Management Script for Gorelo RMM
# =========================================================================

# Configuration variables - change as needed
$localAdminAccount = "localadmin"
$accountFullName = "Local Administrator"
$accountDescription = ""
$hideFromLogonScreen = $true  # Set to $false to show the account on logon screen

try {
    # Generate a strong random password with a cryptographic RNG.
    # System.Random is seeded from the clock and is predictable, so it must never
    # be used for credentials. Single quotes keep the '$' in the set literal.
    $CharSet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+[]{}|;:,.<>?'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buffer = New-Object byte[] 4
    # Largest multiple of the set size below 2^32; draws at or above it are
    # rejected so every character is equally likely (no modulo bias).
    $limit = [uint32]([uint32]::MaxValue - ([uint32]::MaxValue % $CharSet.Length))

    # Create a 16-character random password. Regenerate until all four character
    # classes are present so it always satisfies the Windows complexity policy
    # and the rotation cannot fail on an unlucky draw.
    do {
        $Password = ""
        for ($i = 0; $i -lt 16; $i++) {
            do {
                $rng.GetBytes($buffer)
                $n = [BitConverter]::ToUInt32($buffer, 0)
            } while ($n -ge $limit)
            $Password += $CharSet[[int]($n % $CharSet.Length)]
        }
    } until ($Password -cmatch '[a-z]' -and $Password -cmatch '[A-Z]' -and
             $Password -match '[0-9]' -and $Password -match '[^a-zA-Z0-9]')
    $rng.Dispose()
    $securePassword = ConvertTo-SecureString -String $Password -AsPlainText -Force

    # Record the new password in Gorelo BEFORE applying it locally. If the upload
    # fails, the old password is still valid and nothing is lost; if the local
    # change fails afterwards, the catch block exits non-zero so the mismatch
    # is visible in the run output.
    GoreloAction -SetCustomField -Name "asset.localadminpassword" -Value $Password
    Write-Output "Password stored in custom field"

    # Well-known SID of the local Administrators group (immune to renaming/localization)
    $adminsSid = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")

    # Check if the account exists
    $user = Get-LocalUser -Name $localAdminAccount -ErrorAction SilentlyContinue

    if (-not $user) {
        # Create the account if it doesn't exist. This script owns the password,
        # so it must not expire under local policy or be changed by the user.
        New-LocalUser -Name $localAdminAccount -Password $securePassword -FullName $accountFullName -Description $accountDescription -AccountNeverExpires -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
        Add-LocalGroupMember -SID $adminsSid -Member $localAdminAccount
        Write-Output "Created local admin account: $localAdminAccount"
    } else {
        # Update password if account exists (and re-apply the managed-account flags)
        Set-LocalUser -Name $localAdminAccount -Password $securePassword -FullName $accountFullName -Description $accountDescription -PasswordNeverExpires $true -UserMayChangePassword $false
        Write-Output "Updated password for: $localAdminAccount"

        # Check if user is already in Administrators group, add if not.
        # Compare by SID rather than by name so the check is not fooled by
        # COMPUTERNAME\ prefixes or display-name differences.
        $isAdmin = Get-LocalGroupMember -SID $adminsSid -ErrorAction SilentlyContinue |
            Where-Object { $_.SID -eq $user.SID }

        if (-not $isAdmin) {
            Add-LocalGroupMember -SID $adminsSid -Member $localAdminAccount
            Write-Output "Added $localAdminAccount to Administrators group"
        }
    }

    # Configure account visibility on logon screen. A 0 under SpecialAccounts\UserList
    # only hides the name from the logon screen; it does not restrict the account.
    $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
    if ($hideFromLogonScreen) {
        # Hide the account from logon screen
        if (-not (Test-Path $registryPath)) {
            New-Item -Path $registryPath -Force | Out-Null
        }
        Set-ItemProperty -Path $registryPath -Name $localAdminAccount -Value 0 -Type DWORD -Force
        Write-Output "Account hidden from logon screen"
    } else {
        # Show the account on logon screen (by removing the registry entry if it exists)
        if ((Test-Path $registryPath) -and (Get-ItemProperty -Path $registryPath -Name $localAdminAccount -ErrorAction SilentlyContinue)) {
            Remove-ItemProperty -Path $registryPath -Name $localAdminAccount -Force
        }
        Write-Output "Account visible on logon screen"
    }

} catch {
    # Output error to console for on-demand runs
    Write-Error "Error managing local admin account: $_"
    exit 1
} finally {
    # Do not leave the plaintext password lying around in the session
    $Password = $null
}
Step 3. Deploy the script through a policy and verify the result.

  1. Go to Assets.
  2. Select any asset on which the script has run.
  3. Check the Custom Fields section to see the stored Local Admin Password.
  4. Click the reveal icon when you need to display the password.

The field holds the current password in plain text, so anyone who can view that asset's custom fields can read it; restrict access to the field accordingly.
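After the policy has run, a practitioner will want to confirm on the endpoint itself that the account is in the state the script describes and that the value shown in the custom field actually authenticates. The following PowerShell script is an added example written for this guide; it is not part of Gorelo or of the rotation script above. It assumes the default account name localadmin and the default hidden-from-logon setting, must run in an elevated session on the endpoint, and takes the password from an interactive prompt because a script run outside the Gorelo agent has no GoreloAction with which to read the field.

```powershell
# Verify-LocalAdminRotation.ps1 (added example, not Gorelo's own code)
# Checks that the managed local admin account matches what the rotation script
# is supposed to produce and that the password stored in Gorelo is accepted
# by this machine. Run elevated after the policy has executed.
param(
    [string]$AccountName = "localadmin",   # assumed: same default as the rotation script
    [int]$MaxPasswordAgeDays = 1           # assumed: policy rotates at least daily
)

Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$failures = New-Object System.Collections.Generic.List[string]

# 1. Account exists, is enabled, and its password is not subject to local expiry
$user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
if (-not $user) {
    Write-Error "Account '$AccountName' does not exist"
    exit 1
}
if (-not $user.Enabled) { $failures.Add("account is disabled") }
if ($user.PasswordExpires) { $failures.Add("password is set to expire on $($user.PasswordExpires)") }

# 2. Membership in Administrators, compared by SID so names and prefixes do not matter
$adminsSid = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
$isAdmin = Get-LocalGroupMember -SID $adminsSid -ErrorAction SilentlyContinue |
    Where-Object { $_.SID -eq $user.SID }
if (-not $isAdmin) { $failures.Add("not a member of Administrators") }

# 3. Logon-screen visibility matches the script's default ($hideFromLogonScreen = $true)
$userList = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
$hidden = (Get-ItemProperty -Path $userList -Name $AccountName -ErrorAction SilentlyContinue).$AccountName
if ($hidden -ne 0) { $failures.Add("UserList entry missing or not 0; account is visible on the logon screen") }

# 4. The password was set recently enough to be the one the policy just stored
if ($user.PasswordLastSet) {
    $age = (Get-Date) - $user.PasswordLastSet
    if ($age.TotalDays -gt $MaxPasswordAgeDays) {
        $failures.Add("password last set $([int]$age.TotalDays) days ago")
    }
}

# 5. The value shown in the Gorelo custom field actually authenticates locally.
# ValidateCredentials performs a real logon check against the local SAM and
# writes a 4624/4625 event, so this doubles as a test of the audit trail.
$secure = Read-Host -Prompt "Paste the value of the Local Admin Password custom field" -AsSecureString
$plain = [System.Net.NetworkCredential]::new("", $secure).Password
$ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
    [System.DirectoryServices.AccountManagement.ContextType]::Machine)
try {
    if (-not $ctx.ValidateCredentials($AccountName, $plain)) {
        $failures.Add("stored password was rejected by the local machine")
    }
} finally {
    $ctx.Dispose()
    $plain = $null
}

if ($failures.Count -eq 0) {
    Write-Output "OK: '$AccountName' is configured as expected and the stored password is valid"
    exit 0
}
$failures | ForEach-Object { Write-Warning $_ }
exit 1
```

A non-zero exit with a list of warnings tells you which part of the rotation drifted: a rejected password points at a run where the local change succeeded but the upload did not (or vice versa), while a stale PasswordLastSet with a valid password means the policy simply has not run recently on that asset.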

Customizing the script

The script exposes a few variables at the top that you can change:
  • $localAdminAccount = "localadmin" # username of the local admin account
  • $accountFullName = "Local Administrator" # full name of the account
  • $accountDescription = "" # account description (optional)
  • $hideFromLogonScreen = $true # set to $false to show the account on the logon screen
Adjust these variables to fit your organization's needs before deploying the script.