This guide will help you set up automatic local admin password rotation in Gorelo. The script will create a local admin account (if it doesn’t exist), assign it to the local administrators group, set a secure random password, and store that password in Gorelo for easy retrieval.
1

Create the custom asset field

  1. Navigate to Settings > Assets > Custom Fields
  2. Add a custom field with the following details:
    • Name: Local Admin Password
    • Variable: localadminpassword
    • Type: Text
    • Toggle on ‘Show on Asset Detail’ and ‘Blur value’ (so the password is masked until you click the reveal icon)
  3. Click Save
2

Create the script

  1. Navigate to Scripts
  2. Create a new script with the following details:
    • Name: 🔐 Set-LocalAdminPassword
    • Platform: Windows
    • Content: [Copy the PowerShell script provided below]
  3. Click Save
# =========================================================================
# Simple Local Admin Password Management Script for Gorelo RMM
# =========================================================================

# Configuration variables - change as needed
$localAdminAccount = "localadmin"
$accountFullName = "Local Administrator"
$accountDescription = ""
$hideFromLogonScreen = $true  # Set to $false to show the account on logon screen
$passwordLength = 20

# Built-in Administrators group, looked up by SID so the script also works on
# localized Windows builds where the group is not called "Administrators"
$adminGroupSid = "S-1-5-32-544"
$userListPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"

# Generate a password from the OS cryptographic RNG. System.Random is seeded
# from the clock and is predictable, so it must never be used for secrets.
function New-RandomPassword {
    param([int]$Length)
    # Single quotes so PowerShell does not try to expand "$%" inside the set
    $CharSet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+[]{}|;:,.<>?'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $CharSet.Length)   # reject bytes at or above this to avoid modulo bias
    $byte = New-Object byte[] 1
    do {
        $chars = New-Object char[] $Length
        for ($i = 0; $i -lt $Length; $i++) {
            do { $rng.GetBytes($byte) } while ($byte[0] -ge $limit)
            $chars[$i] = $CharSet[$byte[0] % $CharSet.Length]
        }
        $candidate = -join $chars
        # Retry until all four character classes are present, so the password
        # always satisfies the local complexity policy and Set-LocalUser cannot fail on it
    } while (-not ($candidate -cmatch '[a-z]' -and $candidate -cmatch '[A-Z]' -and
                   $candidate -match '\d' -and $candidate -match '[^a-zA-Z0-9]'))
    $rng.Dispose()
    return $candidate
}

try {
    # Generate a strong random password
    $Password = New-RandomPassword -Length $passwordLength
    $securePassword = ConvertTo-SecureString -String $Password -AsPlainText -Force

    # Check if the account exists
    $userExists = Get-LocalUser -Name $localAdminAccount -ErrorAction SilentlyContinue

    if (-not $userExists) {
        # Create the account if it doesn't exist. PasswordNeverExpires because this
        # script, not the OS password policy, is responsible for rotation
        New-LocalUser -Name $localAdminAccount -Password $securePassword -FullName $accountFullName -Description $accountDescription -AccountNeverExpires -PasswordNeverExpires | Out-Null
        Add-LocalGroupMember -SID $adminGroupSid -Member $localAdminAccount
        Write-Output "Created local admin account: $localAdminAccount"
    } else {
        # Update password if account exists, and re-enable it in case it was disabled
        Set-LocalUser -Name $localAdminAccount -Password $securePassword -FullName $accountFullName -Description $accountDescription -PasswordNeverExpires $true
        Enable-LocalUser -Name $localAdminAccount
        Write-Output "Updated password for: $localAdminAccount"

        # Check if user is already in Administrators group, add if not
        $adminGroup = Get-LocalGroupMember -SID $adminGroupSid -ErrorAction SilentlyContinue
        $isAdmin = $adminGroup | Where-Object { $_.Name -like "*\$localAdminAccount" -or $_.Name -eq $localAdminAccount }

        if (-not $isAdmin) {
            Add-LocalGroupMember -SID $adminGroupSid -Member $localAdminAccount
            Write-Output "Added $localAdminAccount to Administrators group"
        }
    }

    # Configure account visibility on logon screen
    if ($hideFromLogonScreen) {
        # Hide the account from logon screen (a 0 value under SpecialAccounts\UserList).
        # This only hides the tile; the account can still log on by typing its name.
        if (-not (Test-Path $userListPath)) {
            New-Item -Path $userListPath -Force | Out-Null
        }
        Set-ItemProperty -Path $userListPath -Name $localAdminAccount -Value 0 -Type DWORD -Force
        Write-Output "Account hidden from logon screen"
    } else {
        # Show the account on logon screen (by removing the registry entry if it exists)
        if (Test-Path $userListPath) {
            if (Get-ItemProperty -Path $userListPath -Name $localAdminAccount -ErrorAction SilentlyContinue) {
                Remove-ItemProperty -Path $userListPath -Name $localAdminAccount -Force
            }
        }
        Write-Output "Account visible on logon screen"
    }

    # Store the password in Gorelo RMM. This is the only copy of the new password:
    # if this call fails the catch block below reports it, and the account must be
    # rotated again by re-running the script. Never Write-Output the password itself,
    # because script output is kept in the Gorelo run log.
    GoreloAction -SetCustomField -Name "asset.localadminpassword" -Value $Password
    Write-Output "Password stored in custom field"

} catch {
    # Output error to console for on-demand runs
    Write-Error "Error managing local admin account: $_"
    exit 1
} finally {
    # Drop the plaintext from memory as soon as it is no longer needed
    Remove-Variable -Name Password, securePassword -ErrorAction SilentlyContinue
}
3

Deploy the script via a policy

Assign the script to a policy so it runs on the assets you want to manage. Once it has run on an asset, retrieve the stored password:
  1. Navigate to Assets
  2. Select an asset where the script has run
  3. View the Custom Fields section to see the stored Local Admin Password
  4. Click the reveal icon to display the password when needed
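After a rotation, it is worth confirming on the endpoint that the account is in the state the script promises and that the value shown in the custom field actually authenticates. The following check is an added example, not part of the Gorelo article or its script: it assumes the default account name from the script, takes the password you copied from the custom field as a parameter, and must be run elevated on the managed machine itself (not on a domain controller, which has no local SAM). Run it as an on-demand Gorelo script or in an elevated PowerShell console.

```powershell
# Verify the result of the Set-LocalAdminPassword script on this endpoint.
# Added example; assumes the account name used by the script and takes the
# password copied from the Gorelo custom field as input.
param(
    [string]$AccountName = "localadmin",               # same value as $localAdminAccount in the script
    [Parameter(Mandatory = $true)][string]$Password    # value shown by the reveal icon in Gorelo
)

Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$results = [ordered]@{}

# 1. Account exists and is enabled
$user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
$results['AccountExists']  = [bool]$user
$results['AccountEnabled'] = [bool]($user -and $user.Enabled)

# 2. Member of the built-in Administrators group (by SID, so it works on localized Windows)
$members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
$results['IsAdministrator'] = [bool]($members | Where-Object { $_.Name -like "*\$AccountName" })

# 3. Hidden from the logon screen: a 0 value under SpecialAccounts\UserList
$userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
$hidden = (Get-ItemProperty -Path $userList -Name $AccountName -ErrorAction SilentlyContinue).$AccountName
$results['HiddenFromLogon'] = ($hidden -eq 0)

# 4. The stored password authenticates against the local SAM. This performs a real
#    logon attempt, so a wrong password produces a 4625 event in the Security log.
$ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Machine', $env:COMPUTERNAME)
try {
    $results['PasswordValid'] = $ctx.ValidateCredentials($AccountName, $Password)
} finally {
    $ctx.Dispose()
}

# Report each check, and exit non-zero so Gorelo flags the run if any check failed
$results.GetEnumerator() | ForEach-Object { Write-Output ("{0,-16} {1}" -f $_.Key, $_.Value) }
if ($results.Values -contains $false) {
    Write-Error "One or more local admin checks failed on $env:COMPUTERNAME"
    exit 1
}
```

If PasswordValid is false immediately after a successful run, the most likely cause is that the custom field was written but a later run (or a manual password change) replaced the password without updating the field; re-run the rotation script to bring the two back in sync.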

Customize the script

The script includes several variables at the top that you can modify:
  • $localAdminAccount = "localadmin" # The username for the local admin account
  • $accountFullName = "Local Administrator" # The full name for the account
  • $accountDescription = "" # The account description (optional)
  • $hideFromLogonScreen = $true # Set to $false to show the account on logon screen
Adjust these variables to suit your organization’s needs before deploying the script. If you rename the custom field’s variable in step 1, update the "asset.localadminpassword" name passed to GoreloAction to match, otherwise the password will not be stored.