# Rotate local admin passwords

> Automate local admin password rotation in Gorelo with a PowerShell script that creates the account, sets a secure password, and stores it in a custom field.

This guide helps you set up automatic local admin password rotation in Gorelo. The script creates a local admin account (if it doesn't exist), assigns it to the local administrators group, sets a secure random password, and stores that password in Gorelo for easy retrieval.

<Steps>
  <Step title="Create the custom asset field.">
    1. Navigate to **Settings** > **Assets** > **[Custom Fields](https://app.gorelo.io/admin/admin-settings#asset#assetcustomfields).**
    2. Add a custom field with the following details:
       * **Name**: Local Admin Password
       * **Variable**: localadminpassword
       * **Type**: Text
       * Toggle on **Show on Asset Detail** and **Blur value**.
    3. Click **Save.**
  </Step>

  <Step title="Create the script.">
    1. Navigate to **[Scripts](https://app.gorelo.io/asset/script-list).**
    2. Create a new script with the following details:
       * **Name**: 🔐 Set-LocalAdminPassword
       * **Platform**: Windows
       * **Content**: *[Copy the PowerShell script provided below]*
    3. Click **Save.**

    ```powershell
    # =========================================================================
    # Simple Local Admin Password Management Script for Gorelo RMM
    # =========================================================================

    # Configuration variables - change as needed
    $localAdminAccount = "localadmin"
    $accountFullName = "Local Administrator"
    $accountDescription = ""
    $hideFromLogonScreen = $true  # Set to $false to show the account on logon screen
    $passwordLength = 16

    # Make cmdlet errors terminating so a failed account change is caught below
    # and the script never stores a password that was not actually applied
    $ErrorActionPreference = "Stop"

    try {
        # Generate a strong random password. Single quotes keep every symbol
        # literal; System.Random is clock-seeded and predictable, so the
        # cryptographic RNG is used instead.
        $CharSet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+[]{}|;:,.<>?'
        $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
        $buffer = New-Object byte[] 4
        $Password = ""

        for ($i = 0; $i -lt $passwordLength; $i++) {
            $rng.GetBytes($buffer)
            # 32 random bits reduced modulo the alphabet size; the residual bias
            # (alphabet size / 2^32) is negligible for this purpose
            $index = [int]([BitConverter]::ToUInt32($buffer, 0) % $CharSet.Length)
            $Password += $CharSet[$index]
        }
        $rng.Dispose()
        $securePassword = ConvertTo-SecureString -String $Password -AsPlainText -Force

        # Check if the account exists
        $userExists = Get-LocalUser -Name $localAdminAccount -ErrorAction SilentlyContinue

        if (-not $userExists) {
            # Create the account if it doesn't exist
            New-LocalUser -Name $localAdminAccount -Password $securePassword -FullName $accountFullName -Description $accountDescription -AccountNeverExpires | Out-Null
            Add-LocalGroupMember -Group "Administrators" -Member $localAdminAccount
            Write-Output "Created local admin account: $localAdminAccount"
        } else {
            # Update password if account exists
            Set-LocalUser -Name $localAdminAccount -Password $securePassword -FullName $accountFullName -Description $accountDescription
            Write-Output "Updated password for: $localAdminAccount"

            # Check if user is already in Administrators group, add if not
            # (members are reported as COMPUTER\user, hence the "*\" wildcard)
            $adminGroup = Get-LocalGroupMember -Group "Administrators" -ErrorAction SilentlyContinue
            $isAdmin = $adminGroup | Where-Object { $_.Name -like "*\$localAdminAccount" -or $_.Name -eq $localAdminAccount }

            if (-not $isAdmin) {
                Add-LocalGroupMember -Group "Administrators" -Member $localAdminAccount
                Write-Output "Added $localAdminAccount to Administrators group"
            }
        }

        # Configure account visibility on logon screen
        $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
        if ($hideFromLogonScreen) {
            # Hide the account from logon screen (DWORD 0 under UserList)
            if (-not (Test-Path $registryPath)) {
                New-Item -Path $registryPath -Force | Out-Null
            }
            Set-ItemProperty -Path $registryPath -Name $localAdminAccount -Value 0 -Type DWORD -Force
            Write-Output "Account hidden from logon screen"
        } else {
            # Show the account on logon screen (by removing the registry entry if it exists)
            if (Test-Path $registryPath) {
                if (Get-ItemProperty -Path $registryPath -Name $localAdminAccount -ErrorAction SilentlyContinue) {
                    Remove-ItemProperty -Path $registryPath -Name $localAdminAccount -Force
                }
            }
            Write-Output "Account visible on logon screen"
        }

        # Store the password in Gorelo RMM (only reached if every step above succeeded)
        GoreloAction -SetCustomField -Name "asset.localadminpassword" -Value $Password
        Write-Output "Password stored in custom field"

    } catch {
        # Output error to console for on-demand runs; -ErrorAction Continue keeps
        # Write-Error from re-throwing under the "Stop" preference set above
        Write-Error "Error managing local admin account: $_" -ErrorAction Continue
        exit 1
    }
    ```
  </Step>

  <Step title="Deploy the script via a policy.">
    1. Navigate to **[Assets](https://app.gorelo.io/asset/asset-list).**
    2. Select any asset where the script has run.
    3. View the **Custom Fields** section to see the stored Local Admin Password.
    4. Click the reveal icon to display the password when needed.
  </Step>
</Steps>
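Once the rotation script is in place, a practitioner usually wants a way to confirm on a given asset that the rotation is actually happening, not just that the script ran. The following PowerShell audit script is an added example and is not part of the Gorelo guide or of Gorelo's own tooling; it reads the same account, group and registry state the rotation script writes. The account name, the rotation interval (`$MaxPasswordAgeDays`) and whether the account is expected to be hidden (`$ExpectHidden`) are assumed defaults and should be set to match your configuration.

```powershell
# Added example (not from the Gorelo guide): audit whether local admin
# password rotation has taken effect on this machine. The defaults below
# are assumptions; set them to match your rotation script and schedule.
param(
    [string]$AccountName = "localadmin",
    [int]$MaxPasswordAgeDays = 30,
    [bool]$ExpectHidden = $true
)

function Test-LocalAdminRotation {
    param(
        [string]$Name,
        [int]$MaxAgeDays,
        [bool]$Hidden
    )

    $userListPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"

    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    $result = [ordered]@{
        Account         = $Name
        Exists          = [bool]$user
        Enabled         = $false
        IsAdministrator = $false
        PasswordLastSet = $null
        PasswordAgeDays = $null
        HiddenFromLogon = $false
        Findings        = @()
    }

    if (-not $user) {
        $result.Findings += "Account does not exist; the rotation script has not run here."
        return [pscustomobject]$result
    }

    $result.Enabled = $user.Enabled
    $result.PasswordLastSet = $user.PasswordLastSet
    if ($user.PasswordLastSet) {
        # PasswordLastSet moves forward on every successful Set-LocalUser,
        # so its age is direct evidence of whether rotation is happening
        $result.PasswordAgeDays = [int]((Get-Date) - $user.PasswordLastSet).TotalDays
    }

    # Membership check mirrors the rotation script: names come back as COMPUTER\user
    $members = Get-LocalGroupMember -Group "Administrators" -ErrorAction SilentlyContinue
    $result.IsAdministrator = [bool]($members | Where-Object {
        $_.Name -like "*\$Name" -or $_.Name -eq $Name })

    # A DWORD value of 0 under UserList hides the account from the logon screen
    $entry = Get-ItemProperty -Path $userListPath -Name $Name -ErrorAction SilentlyContinue
    if ($entry -and $entry.$Name -eq 0) { $result.HiddenFromLogon = $true }

    if (-not $result.Enabled) { $result.Findings += "Account is disabled." }
    if (-not $result.IsAdministrator) { $result.Findings += "Account is not in the local Administrators group." }
    if ($null -eq $result.PasswordAgeDays) {
        $result.Findings += "Password has never been set."
    } elseif ($result.PasswordAgeDays -gt $MaxAgeDays) {
        $result.Findings += "Password is $($result.PasswordAgeDays) days old, older than the $MaxAgeDays-day rotation interval."
    }
    if ($Hidden -ne $result.HiddenFromLogon) {
        $result.Findings += "Logon-screen visibility does not match the expected setting (hidden = $Hidden)."
    }

    return [pscustomobject]$result
}

$report = Test-LocalAdminRotation -Name $AccountName -MaxAgeDays $MaxPasswordAgeDays -Hidden $ExpectHidden
$report | Format-List

# Non-zero exit lets the RMM flag the asset when any finding is present
if ($report.Findings.Count -gt 0) { exit 1 }
```

Run it on-demand against an asset (or schedule it as its own script) and compare `PasswordLastSet` with the last run time of the rotation policy: a password age that keeps growing means the rotation script is failing silently, and the exit code makes that visible in the RMM without exposing the password itself.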

## Customize the script

The script includes several variables at the top that you can modify:

* `$localAdminAccount` = "localadmin" # The username for the local admin account
* `$accountFullName` = "Local Administrator" # The full name for the account
* `$accountDescription` = "" # The account description (optional)
* `$hideFromLogonScreen` = `$true` # Set to `$false` to show the account on logon screen

Adjust these variables to suit your organization's needs before deploying the script.
