2

I am working at a customer site commissioning a bunch of Windows 7 systems that were just delivered. The systems were imaged with a basic setup that included all of the main software needed for the customer except for a local (non admin) account that is required for this application.

I know that I can run the net user command to programmatically add the desired local account. However, this command does not fully set up the local account. You still need to log into it (and see the "Your desktop is being prepared" message) before the complete Windows configuration has been performed for that account. But I don't want to do that - I just want to run my PowerShell script and say "Done!"

So after running net user, is there any way via command line or PowerShell action to trigger the process that fully fleshes out the account?

Edit

My end goal is to have access to the Startup folder for the account I am creating so that I can copy in some shortcuts. And to do all of this via a powershell script with NO user interaction.

Edit 2

And while I need the solution to work under powershell 2, I am also interested in seeing any solution that works under any later powershell version

Peter M
  • 1
    The title of your question says one thing, but then the text says "I already know how to do that thing that I asked in my title but what I _really_ want to do is ..." It sounds like what you're asking for is a way to programmatically simulate an interactive logon. And I don't think there is one. It might not be possible to do what you're asking to do. But - simply running a program with runas.exe specifying the other user's account, while not an interactive logon, is capable of creating a profile. Not sure if it's enough but it's worth a try. – Ryan Ries Jul 03 '16 at 21:01
  • @RyanRies Point taken about the title. I'll edit it ASAP. And I hadn't thought of runas .. I will give that a try. – Peter M Jul 03 '16 at 21:24
  • @RyanRies `Runas` fails for me. It seems it requires a password for the account and the account I am trying to create doesn't have one. `1327: Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced.` – Peter M Jul 03 '16 at 21:42
  • Maybe you could give the user a password with `net user username newpassword` – Ryan Ries Jul 03 '16 at 22:39
  • @RyanRies Unfortunately the whole point of this additional account is that it doesn't have a password. – Peter M Jul 03 '16 at 23:02
  • 1
    OK, well in order to allow your user to perform a network logon with a blank password, you need to disable the setting `"Accounts: Limit local account use of blank passwords to console logon only"` However, there's no way to do that programmatically AFAIK. You have to do it through the Local Computer Policy mmc snapin. But I did confirm with my test user that using runas with a blank password did create a profile for the user. – Ryan Ries Jul 03 '16 at 23:21
  • @RyanRies This is for a local account – Peter M Jul 03 '16 at 23:26
  • I know. I tested it using a local account. I also forgot to mention `net user test /passwordreq:no` – Ryan Ries Jul 03 '16 at 23:32
  • You can always set a password for the user then run `psexec.exe` with the new password and then remove the password again using `net user`. A profile folder for the user is created under `C:\users` but the registry hive files are not there – Peter Hahndorf Jul 04 '16 at 13:37
  • @RyanRies I still get the `preparing your desktop` message and not all of the account is created. Of course right now I am testing on Home Premium rather than Professional (long story) and don't have the mmc. I supposedly edited a registry key that does the same thing, but I still have to hit to submit a blank password when executing `run as` – Peter M Jul 05 '16 at 21:26
  • Is your goal to just access the Startup folder to copy some shortcuts into it like stated in your __Edit__? – humble.adm1n Jul 12 '16 at 08:43

1 Answer

0

Tested in Windows 7 Professional.

First to say, you will see the "Your Desktop is being prepared" message on first logon.

BUT: your goal, adding shortcuts to Startup, is achievable and working.

  1. create a file with the following content and save it to the desired destination as a *.reg file:

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa]
    "LimitBlankPasswordUse"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]
    "LimitBlankPasswordUse"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "LimitBlankPasswordUse"=dword:00000000
    

This enables interactive logon for accounts with blank passwords (reference1) (reference2)

  1. start an elevated cmd prompt

  2. import the regkey

    regedit.exe /s "C:\tmp\reg.reg"
    
  3. Create your user account

    net user /ADD <username>
    
  4. run runas as your created user. I started ping and redirected its output to NUL to wait for the profile to be generated.

    echo | runas /env /profile /user:<username> "cmd /c ping 127.0.0.1 -n 5 >NUL"
    
  5. Make Startup directory for your user

    mkdir "C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
    
  6. Create a shortcut in Startup folder, e.g. via powershell script (example)

Done. As I mentioned, when first logging in you'll see "Your Desktop is being prepared" but the startup is working correctly.

humble.adm1n
  • Your Step 4 does not seem to work from within a powershell script as written. It is possible CMD `echo` behaves differently to powershell `echo` – Peter M Jul 12 '16 at 15:22
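
Steps 2 to 6 of the answer as one PowerShell 2.0-compatible script, added here as an example and not taken from the original post: the `LimitBlankPasswordUse` change is held only for the duration of the `runas` step and the previous value is restored in a `finally` block. The function names, the account name `kiosk`, the temporary `.cmd` file and the shortcut target are assumptions, and the `runas` line is assumed to behave as the answer reports.

```powershell
# Added example, PowerShell 2.0 syntax, run elevated. Function names, 'kiosk',
# the .cmd file name and the shortcut target are assumptions, not from the page.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'  # the control set in use
$Name   = 'LimitBlankPasswordUse'

function Invoke-WithBlankPasswordLogon {
    param([scriptblock]$Action)
    # Remember the current value (null if absent) so it can be put back.
    $before = (Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue).$Name
    try {
        New-ItemProperty -Path $LsaKey -Name $Name -PropertyType DWord -Value 0 -Force | Out-Null
        & $Action
    }
    finally {
        # Runs even if $Action throws, so the relaxed setting never outlives the script.
        if ($before -eq $null) {
            Remove-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
        } else {
            New-ItemProperty -Path $LsaKey -Name $Name -PropertyType DWord -Value $before -Force | Out-Null
        }
    }
}

function New-StartupShortcut {
    param([string]$UserName, [string]$LinkName, [string]$TargetPath)
    # Same Startup path as step 5 of the answer.
    $startup = "$env:SystemDrive\Users\$UserName\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
    if (-not (Test-Path $startup)) { New-Item -ItemType Directory -Path $startup -Force | Out-Null }
    $link = Join-Path $startup "$LinkName.lnk"
    $shortcut = (New-Object -ComObject WScript.Shell).CreateShortcut($link)
    $shortcut.TargetPath = $TargetPath
    $shortcut.Save()
    $link   # return the path of the created shortcut
}

$user = 'kiosk'                                   # constructed sample account name
net user /ADD $user                               # step 3 of the answer
# Step 4 is cmd.exe syntax, so it goes into a .cmd file for cmd.exe to interpret.
$cmdFile = Join-Path $env:TEMP 'make-profile.cmd'
$line = 'echo | runas /env /profile /user:{0} "cmd /c ping 127.0.0.1 -n 5 >NUL"' -f $user
Set-Content -Path $cmdFile -Value $line
Invoke-WithBlankPasswordLogon { cmd /c $cmdFile }
Remove-Item $cmdFile
New-StartupShortcut -UserName $user -LinkName 'App' -TargetPath 'C:\Windows\System32\notepad.exe'
```

Only `CurrentControlSet` is written because it is the control set the running system reads; the numbered `ControlSet00x` keys in the answer's .reg file are its stored copies.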