3

I tried creating users with PowerShell. This worked fine for the local machine. But how do I create a local user account on a remote machine using remote PowerShell?

The script localwindows.ps1 is

$comp = [adsi]'WinNT://machinename,computer';
$user = $comp.Create('User', 'account4');
$user.SetPassword('change,password.10');
$user.SetInfo();

I tried the same thing through C#:

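// Requires: using System.Collections.ObjectModel;
//           using System.Management.Automation;
//           using System.Management.Automation.Runspaces;
// userName, securePassword and shellUri are defined outside this snippet.
PSCredential credential = new PSCredential(userName, securePassword);
WSManConnectionInfo connectionInfo = new WSManConnectionInfo(false, "machinename", 5985, "/wsman", shellUri, credential);
using (Runspace runspace = RunspaceFactory.CreateRunspace(connectionInfo))
{
    runspace.Open();

    // Send the contents of the local script file to the remote runspace.
    string file = "C:\\localwindows.ps1";
    Pipeline pipeline = runspace.CreatePipeline();
    pipeline.Commands.AddScript(System.IO.File.ReadAllText(file));
    pipeline.Commands.Add("Out-String");

    // execute the script
    Collection<PSObject> results = pipeline.Invoke();
}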

This also works fine locally. But for a remote computer it's throwing the exception "create :Access is denied ".

cmm user
  • 2,426
  • 7
  • 34
  • 48

6 Answers

2

I was able to create a local user account in a remote computer using the following command :

Invoke-Command -ComputerName machineName -filepath c:\script.ps1 -credential  $getcredential

The script is

$comp = [adsi]'WinNT://localhost,computer';
$user = $comp.Create('User', 'account11');
$user.SetPassword('change,password.10');
$user.SetInfo();
$user
cmm user
  • 2,426
  • 7
  • 34
  • 48
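
The same remote creation with the new account's password collected at run time instead of stored in the script file, as an added example that is not part of the original answers. It assumes PowerShell 3.0 or later on both machines; `machineName` is the answer's placeholder host and `svc-example` is a hypothetical account name.

```powershell
# Added example. $Target and 'svc-example' are placeholders, not values from the post.
$Target     = 'machineName'
$AdminCred  = Get-Credential -Message 'Account with local administrator rights on the target'
$NewAccount = Get-Credential -UserName 'svc-example' -Message 'Password for the new local account'

# The PSCredential travels through the remoting channel as an argument,
# so no password is written into a .ps1 file on either machine.
$result = Invoke-Command -ComputerName $Target -Credential $AdminCred `
                         -ArgumentList $NewAccount -ScriptBlock {
    param([pscredential]$NewAccount)

    $name = $NewAccount.UserName
    # The script block runs on the target, so ADSI binds to the local SAM.
    $comp = [adsi]'WinNT://localhost,computer'

    # Refuse to touch an account that already exists.
    $existing = $comp.Children |
        Where-Object { $_.SchemaClassName -eq 'User' -and $_.Name -eq $name }
    if ($existing) { throw "Local account '$name' already exists on $env:COMPUTERNAME" }

    $user = $comp.Create('User', $name)
    # The plaintext password exists only for this call, on the target.
    $user.SetPassword($NewAccount.GetNetworkCredential().Password)
    $user.SetInfo()

    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Account = $name; Created = $true }
}

$result
```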
0

Use the ADSI WinNT provider:

$username = "foo"
$password = "bar"
$computer = "hostname"

$prov = [adsi]"WinNT://$computer"
$user = $prov.Create("User", $username)
$user.SetPassword($password)
$user.SetInfo()
Ansgar Wiechers
  • 193,178
  • 25
  • 254
  • 328
  • I used the above method for connecting to localhost. But while trying to create it on a remote machine it's throwing the exception: 'Exception calling "setinfo" with "0" argument(s): "Access is denied. " At line:1 char:12 + $HD.setinfo <<<< () + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI' – cmm user Nov 25 '13 at 08:54
  • Make sure your account is authorized for remote access to that host, that remote management is enabled (`winrm qc`) and that the Windows Firewall on the remote host allows access. – Ansgar Wiechers Nov 25 '13 at 09:39
  • How to pass the credential of an account which has permission in the remote host? – cmm user Nov 25 '13 at 09:59
  • Try `New-Object System.DirectoryServices.DirectoryEntry("WinNT://$computer", $adminuser, $adminpass)` instead of `[adsi]"WinNT://$computer"`. – Ansgar Wiechers Nov 25 '13 at 10:42
0

The PowerShell script Invoke-Command executes any PowerShell script on a remote computer. You didn't say just how you use PowerShell to create the user, but as an example you write:

invoke-command -computername myserver {[ADSI]$server="WinNT://localhost";$HD=$server.Create("User","HD");$HD.SetPassword("H3lpD3>K");$HD.SetInfo()}

You can also execute your local PowerShell script remotely by using the -filepath parameter:

Invoke-Command -ComputerName MyRemoteServer -filepath c:\Scripts\DaScript.ps1

To enable remote commands you will have to enable WinRM on the remote computer. You can do this by running

winrm quickconfig

on the remote computer.

Snorre
  • 955
  • 1
  • 5
  • 18
  • I tried in the following way: [ADSI]$server="WinNT://localhost" $HelpDesk=$server.Create("User","HelpDesk") $HelpDesk.SetPassword("H3lpD3>K") $HelpDesk.SetInfo() – cmm user Nov 25 '13 at 08:41
  • I tried in the following way : [ADSI]$server="WinNT://localhost" $HelpDesk=$server.Create("User","HelpDesk") $HelpDesk.SetPassword("H3lpD3>K") $HelpDesk.SetInfo() But while giving the following I am getting error: [ADSI]$server="WinNT://$servername" $HD=$server.Create("User","HD") $HD.SetPassword("H3lpD3>K") $HD.SetInfo() – cmm user Nov 25 '13 at 08:50
  • I am getting the error: 'Exception calling "setinfo" with "0" argument(s): "Access is denied. " At line:1 char:12 + $HD.setinfo <<<< () + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI' Here the servername is the name of the remote computer to connect to. – cmm user Nov 25 '13 at 08:50
  • I've updated my answer with your code, and tested it to work fine on my network. It looks like you have some access issues. Make sure you run your PowerShell window as administrator and that you have run the winrm quickconfig on the remote server. – Snorre Nov 25 '13 at 09:25
  • Localhost works fine for me. I started PowerShell as administrator. Also I ran 'winrm quickconfig' on the remote machine. But I am getting the error "Exception calling "SetInfo" with "0" argument(s): "Unspecified error " At line:1 char:12 + $HD.SetInfo <<<< () + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI" – cmm user Nov 25 '13 at 09:58
  • I'm afraid I don't have any resolution to that. Just make sure the user you are creating has a unique name, and that you don't replace "localhost" in my example, just the value of "myserver" – Snorre Nov 25 '13 at 10:39
0

If you have a PowerShell script to create a local user account locally on a server, then just simply use PSExec to run it on remote machines with an administrative account.

Chelseawillrecover
  • 2,596
  • 1
  • 31
  • 51
  • I tried executing the script on the remote computer using the following command - C:\localwindows.ps1 PSexec.exe \\%comp% -c -f -u Domain\username %ScriptPath% But I am still getting the error Exception calling "SetInfo" with "0" argument(s): "Access is denied. " At C:\localwindows.ps1:4 char:14 + $user.SetInfo <<<< (); + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI – cmm user Nov 26 '13 at 06:09
  • OK I will take a look at this when I get to work. In the meantime, try checking the Windows log on the remote machine and see if anything is logged. Also confirm if the domain account used is both a member of the domain admin group and local administrators group on the target machines – Chelseawillrecover Nov 26 '13 at 06:12
  • The account I used was of a user (local Administrators role) on the domain. I tried with Computer\Administrator to create an account on a remote machine, but that also threw the exception: "Access is denied. " – cmm user Nov 26 '13 at 08:21
  • OK I forgot to mention here, when you try to run psexec, open the command prompt as administrator and also disable UAC on both machines. UAC sometimes could be a pain... You can create a chat for this so this post does not get too long. Also what OS are you trying this on – Chelseawillrecover Nov 26 '13 at 08:32
  • I tried to create a local account from a Windows 7 machine on another Windows 7 machine. The user on the local machine does not have an administrative role on the remote Windows 7 machine. I tried creating a local user account from Windows 7 to Windows 2008 R2, it worked fine since the user in Windows 7 had privilege on the remote machine. – cmm user Nov 26 '13 at 11:05
  • I tried the case after disabling UAC. But it didn't work. I don't have the privilege to start a chat, that's why I am commenting on the post. – cmm user Nov 26 '13 at 11:06
  • This is not rocket science, can you confirm that the domain account you are using is a member of both domain admin group at domain level and also member of local administrators group on target machine. – Chelseawillrecover Nov 26 '13 at 14:06
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/42025/discussion-between-user3024121-and-chelseawillrecover) – cmm user Nov 27 '13 at 09:55
0

Invoke-Command works but you can also use Enter-PSSession -Computer to submit commands locally on a remote machine. The following will prompt the user for the username and add them to the local Administrators group with no password:

$user = read-host 'What is the name of the local user you would like to add?'
net user /add $user
net localgroup Administrators /add $user
Wesley
  • 111
  • 1
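
Account creation and Administrators-group additions like the ones in the answer above are recorded in the target's Security log. As an added example (not from the original post), this query pulls those records over the same remoting channel; it assumes PowerShell 3.0 or later, that account-management auditing is enabled on the target, a 24-hour look-back window, and `machineName` as a placeholder host.

```powershell
# Added example. $Target and the 24-hour window are assumptions.
$Target    = 'machineName'
$AdminCred = Get-Credential -Message 'Account allowed to read the Security log on the target'

$events = Invoke-Command -ComputerName $Target -Credential $AdminCred -ScriptBlock {
    # 4720 = a user account was created
    # 4732 = a member was added to a security-enabled local group
    $filter = @{ LogName = 'Security'; Id = 4720, 4732; StartTime = (Get-Date).AddHours(-24) }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the <EventData> name/value pairs into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($_.Id -eq 4720) {
            $action = 'AccountCreated'
            $object = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
        } else {
            $action = 'AddedToLocalGroup'
            # For 4732, TargetUserName is the group; the member is identified by SID.
            $object = '{0} -> {1}' -f $data.MemberSid, $data.TargetUserName
        }

        [pscustomobject]@{
            Time   = $_.TimeCreated
            Action = $action
            Object = $object
            Actor  = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            Logon  = $data.SubjectLogonId
        }
    }
}

$events | Sort-Object Time | Format-Table Time, Action, Object, Actor, Logon -AutoSize
```

A 4720 record followed shortly by a 4732 record for the Administrators group from the same `Logon` value is the pattern the two `net` commands above produce.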
0

I don't know if the question is still relevant, but I have tried this out and found what needs to be fixed. When you create the directory entry object, use the following code

$objOu = New-Object System.DirectoryServices.DirectoryEntry("WinNT://$computer", $admin, $adminPass, "Secure")

The rest is the same.

IdoFlatow
  • 1,440
  • 10
  • 8