On our default Windows system image a user with administrative success is created using a secret password. This is used for support purposes. What I need is a script to create this user but not exposing the password in plain text (maybe using a hashed value? Is there a way to achieve that?
I am free to use powershell or whatever makes sense - I just need to be able to give this to a person without having them to know the password.
You got a few options, though this question belongs to ServerFault IMAO. If the computer is joined in a domain, add the group that contains the support account in post-install script. Like so,
([adsi]"WinNT://./Administrators,group").Add("WinNT://domain/supportGroup,group")
This will add domain\supportGroup in the local Administrators group, so any member of the former is granted permissions via domain group membership. Leveraging group membership for security is a best practice.
The caveat with relying on domain groups is that if the computer is unable to connect the domain, logon as a member of supportGroup fails - unless you got cached credentials.
For non-domain computers, you are short of luck. One could create an account and store credentials in obfuscated a file. Base64 works pretty well. After creating the user, overwrite and delete the file. This will stop well-behaving users to accidentally discovering the password, but will do next to nothing for malicious users.
Another an approach would be based on, say, using an algorithm for the password. By generating one based on computer's name and whatnot, you don't need to hardcode the password. Then again, simply reading the source code will provide the password, so you are out of luck against malicious users again. This is quite a vulnerability as anyone discovering the algorithm would gain privileged access to all systems, so think very carefully if this is the way to proceed.
