# =========================================================================
# Simple Local Admin Password Management Script for Gorelo RMM
# =========================================================================
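# Configuration variables - change as needed
$localAdminAccount = "localadmin"
$accountFullName = "Local Administrator"
$accountDescription = ""
$hideFromLogonScreen = $true # Set to $false to show the account on logon screen
$passwordLength = 16

# Make cmdlet failures terminating so the catch block below actually sees them.
# Add-LocalGroupMember / Set-LocalUser / Set-ItemProperty raise NON-terminating
# errors by default, so without this a failed step would still be reported as
# success and the host could be left with an account whose password nobody knows.
$ErrorActionPreference = 'Stop'

# Well-known SID of the built-in Administrators group. Addressing the group by
# SID instead of the display name keeps the script working on localized Windows
# installs where the group is not called "Administrators".
$administratorsSid = 'S-1-5-32-544'

function New-RandomPassword {
    <#
    .SYNOPSIS
    Builds a random password of $Length characters drawn from $CharSet.

    .DESCRIPTION
    The password is generated with the OS cryptographic RNG
    (System.Security.Cryptography.RandomNumberGenerator). System.Random must not
    be used here: it is seeded from the clock and is fully predictable to anyone
    who knows roughly when the script ran, which would let them recover the
    local admin password offline.

    Each character is sampled with rejection so that every character of $CharSet
    is equally likely (a plain "byte % length" would bias toward the first
    characters of the set).

    .PARAMETER Length
    Number of characters to generate.

    .PARAMETER CharSet
    Alphabet to draw from. Must contain at most 256 characters because one
    random byte is consumed per character.

    .OUTPUTS
    System.String - the generated password.
    #>
    param(
        [Parameter(Mandatory = $true)][int]$Length,
        [Parameter(Mandatory = $true)][string]$CharSet
    )

    if ($Length -le 0) { throw "Password length must be positive." }
    if ($CharSet.Length -eq 0 -or $CharSet.Length -gt 256) {
        throw "CharSet must contain between 1 and 256 characters."
    }

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        # Largest multiple of the alphabet size that fits in one byte; any byte at
        # or above it is discarded so the remainder is uniformly distributed.
        $limit = 256 - (256 % $CharSet.Length)
        $buffer = New-Object byte[] 1
        $chars = New-Object char[] $Length
        for ($i = 0; $i -lt $Length; $i++) {
            do { $rng.GetBytes($buffer) } while ($buffer[0] -ge $limit)
            $chars[$i] = $CharSet[$buffer[0] % $CharSet.Length]
        }
        return -join $chars
    } finally {
        $rng.Dispose()
    }
}

try {
    # Generate a strong random password.
    # NOTE: the cleartext password lives in $Password for the whole run and is
    # written as cleartext to the RMM custom field below; it is only as secret as
    # the RMM field's access controls. Restrict who can read that field.
    $CharSet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+[]{}|;:,.<>?'
    $Password = New-RandomPassword -Length $passwordLength -CharSet $CharSet
    $securePassword = ConvertTo-SecureString -String $Password -AsPlainText -Force

    # Check if the account exists (explicit -ErrorAction overrides the Stop preference).
    $existingUser = Get-LocalUser -Name $localAdminAccount -ErrorAction SilentlyContinue

    if (-not $existingUser) {
        # Create the account if it doesn't exist
        New-LocalUser -Name $localAdminAccount -Password $securePassword -FullName $accountFullName -Description $accountDescription -AccountNeverExpires | Out-Null
        Add-LocalGroupMember -SID $administratorsSid -Member $localAdminAccount
        Write-Output "Created local admin account: $localAdminAccount"
    } else {
        # Update password if account exists
        Set-LocalUser -Name $localAdminAccount -Password $securePassword -FullName $accountFullName -Description $accountDescription
        Write-Output "Updated password for: $localAdminAccount"

        # Ensure the account is in the Administrators group. Compare by SID rather
        # than by display name so a renamed or localized principal is still matched.
        $members = Get-LocalGroupMember -SID $administratorsSid
        $isAdmin = $members | Where-Object { $_.SID.Value -eq $existingUser.SID.Value }
        if (-not $isAdmin) {
            Add-LocalGroupMember -SID $administratorsSid -Member $localAdminAccount
            Write-Output "Added $localAdminAccount to Administrators group"
        }
    }

    # Configure account visibility on logon screen.
    # This only hides the tile in the Winlogon UI; it is cosmetic, not a security
    # control - the account remains fully usable (e.g. via runas or RDP).
    $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
    if ($hideFromLogonScreen) {
        # Hide the account from logon screen
        if (-not (Test-Path $registryPath)) {
            New-Item -Path $registryPath -Force | Out-Null
        }
        Set-ItemProperty -Path $registryPath -Name $localAdminAccount -Value 0 -Type DWORD -Force
        Write-Output "Account hidden from logon screen"
    } else {
        # Show the account on logon screen (by removing the registry entry if it exists)
        if (Test-Path $registryPath) {
            if (Get-ItemProperty -Path $registryPath -Name $localAdminAccount -ErrorAction SilentlyContinue) {
                Remove-ItemProperty -Path $registryPath -Name $localAdminAccount -Force
            }
        }
        Write-Output "Account visible on logon screen"
    }

    # Store the password in Gorelo RMM.
    # The password has already been applied to the account at this point; if this
    # call fails the new password is lost and the account is unreachable until the
    # next successful run. The catch block turns that into a non-zero exit so the
    # RMM job is visibly failed rather than silently "done".
    GoreloAction -SetCustomField -Name "asset.localadminpassword" -Value $Password
    Write-Output "Password stored in custom field"
} catch {
    # Output error to console for on-demand runs. $_ is the error record, never
    # the password, so this is safe to surface in RMM job output.
    Write-Error "Error managing local admin account: $_"
    exit 1
}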