How To Create a Local Admin Account with PowerShell

If not well designed or managed, the separation of user and administrator privileges on a Windows OS can be painful for both users and system administrators. Windows has no simple, neat equivalent of sudo on Linux; the settings have to be tailored with GPOs, or at least with separate user accounts.

From a security point of view, regular user accounts (e.g. Domain Users) should not be members of the local Administrators group.

Using two separate accounts, a standard one for daily work and an admin one that is a member of the local Administrators group, is at least a good way to mitigate the risk of potential, malicious or accidental damage to the system. The fact that most of today’s threats can operate in the regular user context does not change this.

Nothing new if you’re familiar with least-privilege access; if it is something you’ve never thought about, a simple but effective analogy for giving users local admin rights on their workstation is letting them run with scissors all the time. Is it worth it, or simply asking for trouble?

How to Create a Local Admin with MMC

The most consistent interface on a Windows OS is the Microsoft Management Console (mmc.exe), which can load the Local Users and Groups snap-in (lusrmgr.msc) on a local or remote machine with a basic and intuitive GUI.

To create a local admin:

  • the first obvious step is creating a dedicated user
  • the second is to add that new user to the Administrators group.

Are there any alternatives to MMC for creating a local user?

  • From the Windows Start menu: search “users” and follow the GUI to “Edit local users and groups” (this usually opens lusrmgr.msc).
  • GPO. If all or most of the machines you need to manage are domain joined, happy days! By default Domain Admins are members of the local Administrators group, so you can quickly add all the users or security groups needed.
    You can create, test and deploy a Group Policy Object to a specific computer and add the user or the security group automatically. This is the best-practice approach.
  • Windows Admin Center (formerly Project Honolulu), which takes an approach similar to MMC but through a web interface, in a workgroup or domain environment. It is a good solution, providing a single, secure point of management for your machines. Choose Local Users & Groups.
  • A configuration management or automation tool (Ansible, Puppet, Chef, SaltStack, Boxstarter, etc.).
    E.g. with Ansible (requires WinRM on the computer) you add to the playbook a task that creates the local user with the win_user module.
    This is a YAML example:
  • A task during OSD with ConfigMgr/SCCM.
    Command line task:
  • cmd (as admin)
  • PowerShell
    See the code example below.

Is the same local administrator shared between different machines? Use LAPS!

Using the same local administrator credential on every machine, whether as part of OSD (Operating System Deployment) or of a manual installation, is in general a bad idea and should be fixed as soon as possible. A possible solution for managing local admin credentials is LAPS (Local Administrator Password Solution).
LAPS is extremely valuable if you’re using Active Directory: it is one of the best ways to control local admin credentials and to mitigate the risk of lateral movement with fast privilege escalation.

When PowerShell can save your day!

After a couple of years I’ve started to like Windows UAC (User Account Control); at least one good thing came out of Windows Vista, right?
Especially for its educational effect: it shows the end user when the operation they are running can potentially change the configuration of their machine.

The only moment when I would like to get rid of UAC is during a remote support session. Running RunAs from the GUI presents a dialog to the local user, but remotely most support applications are not able to capture that input. Even if I understand its security purpose, it makes supporting the user harder.

SCENARIO

Consider a scenario where you need to support a standard user (with no admin rights) working offsite to accomplish a simple task, such as installing a small application on a domain-joined laptop that is connected to the internet but not to the VPN. Once the session is shared, most system administrators will surrender to the UAC prompt and either spell out the local admin credential over the phone or not support the operation at all.

I don’t like shortcuts, especially where security is involved. Situations like these may be a corner case, but they are something to prevent and to solve.

SOLUTION

These steps walk through some of the Windows security contexts you need to go through. After sharing the screen with a remote support app, open a command prompt (cmd.exe) and check your username as a starting point:

Now, from the same terminal, start a PowerShell session as the desired user (e.g. Administrator); you’ll be prompted for the password in line, finally!

Check again with the whoami command to confirm that your username has changed.

Now you can start any application as that user, but let’s continue with PowerShell.

To run this script you need to run PowerShell as admin, so you need a new PowerShell window:
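The context switches described in the steps above, written out as an added example (this is my illustration, not the post’s own screenshots or script). It assumes the admin account is called Administrator, as in the post’s example, and that runas.exe is the command used to start the session as that account, because it reads the password from the console instead of showing a dialog. The steps are meant to be typed one at a time, in the window each comment names, not run as a single script.

```powershell
# Added example, not the post's own code. Assumes the admin account is named
# "Administrator" (the post's example); substitute your local admin account.

# Step 1 - in the user's cmd.exe session, record the starting identity.
whoami                     # e.g. CONTOSO\jdoe: a domain user, not a local admin

# Step 2 - start PowerShell as the admin account. runas.exe reads the password
# from the console, so it works over a shared screen where a credential dialog
# would not be reachable by the remote support tool.
runas /user:Administrator powershell.exe

# Step 3 - in the new PowerShell window, confirm the identity and check whether
# the process token is actually elevated. Membership in Administrators is not
# enough: under UAC the group SID is present but marked deny-only until the
# session is elevated, and the local account cmdlets need an elevated token.
function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

whoami                     # now the admin account
if (-not (Test-IsElevated)) {
    # Step 4 - open an elevated window. The session already runs as an admin
    # account, so UAC shows its consent prompt rather than asking for credentials.
    Start-Process powershell.exe -Verb RunAs
}
```

If Test-IsElevated already returns $true in the runas window, step 4 is not needed; that is the case for the built-in Administrator account under the default policy, which exempts it from Admin Approval Mode. For any other local admin account the token is filtered and the new elevated window is required before the account-creation script below will work.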

How To Create a Local Admin with PowerShell

And then finally run, or copy and paste, this script:

This is the PowerShell function that you can run and edit if needed:

As usual you can find this script on my github repository.
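Since the post’s own script is not reproduced here, the following is an added example in the same spirit (it is mine, not the author’s GitHub script). It assumes the built-in Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later, Windows PowerShell 5.1) and an elevated session, resolves the Administrators group by its well-known SID so the localized group name does not matter, and is safe to re-run because it skips steps that are already done. The account name localadm in the usage lines is an invented placeholder.

```powershell
# Added example, not the post's script. Requires the Microsoft.PowerShell.LocalAccounts
# module (Windows 10 / Server 2016+, Windows PowerShell 5.1) and an elevated session.
#Requires -RunAsAdministrator

function New-LocalAdmin {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string]$UserName,

        # Taken as a SecureString so the password never sits in the script as plain text.
        [Parameter(Mandatory)]
        [System.Security.SecureString]$Password,

        [string]$FullName    = $UserName,
        [string]$Description = 'Local administrator account'
    )

    # Resolve the local Administrators group by its well-known SID (S-1-5-32-544)
    # so the function also works on non-English installations.
    $adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'

    # Create the account only if it is not already there (idempotent).
    $user = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue
    if ($null -eq $user) {
        if ($PSCmdlet.ShouldProcess($UserName, 'Create local user')) {
            $user = New-LocalUser -Name $UserName -Password $Password `
                -FullName $FullName -Description $Description -AccountNeverExpires
            Write-Verbose "Created local user '$UserName'."
        }
    } else {
        Write-Verbose "Local user '$UserName' already exists; not recreating it."
    }

    # Add it to Administrators only if it is not already a member.
    $isMember = $null -ne (Get-LocalGroupMember -Group $adminGroup -Member $UserName -ErrorAction SilentlyContinue)
    if (-not $isMember) {
        if ($PSCmdlet.ShouldProcess("$UserName -> $($adminGroup.Name)", 'Add to local Administrators')) {
            Add-LocalGroupMember -Group $adminGroup -Member $UserName
            Write-Verbose "Added '$UserName' to '$($adminGroup.Name)'."
        }
    } else {
        Write-Verbose "'$UserName' is already a member of '$($adminGroup.Name)'."
    }

    # Report the final state so the caller can verify the result (works with -WhatIf too).
    $user    = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue
    $enabled = [bool]($user -and $user.Enabled)
    $isAdmin = $null -ne (Get-LocalGroupMember -Group $adminGroup -Member $UserName -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        User          = $UserName
        Exists        = ($null -ne $user)
        Enabled       = $enabled
        Administrator = $isAdmin
    }
}

# Usage: the password is read interactively as a SecureString, never written into the script.
# 'localadm' is a placeholder account name.
$pw = Read-Host -Prompt 'Password for the new local admin' -AsSecureString
New-LocalAdmin -UserName 'localadm' -Password $pw -Verbose
```

Run it with -WhatIf first to see which of the two steps (create, add to group) it would actually perform on the machine; the returned object tells you whether the account exists, is enabled and is a member of Administrators, which is the check worth making before handing the session back to the user.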
