Problem scenario
You are using Windows Server 2019. You want to create a new local user. You don't want the user to be a member of the local Administrators group (which allows remote logins). What do you do?
Solution
Prerequisites
i. Install DSC. If you need assistance, see this posting.
ii.a. Make sure the server has been added to its own TrustedHosts configuration settings. To do this, open PowerShell and run this:
Set-Item wsman:localhost\client\trustedhosts -Value $env:COMPUTERNAME
ii.b. Answer "Yes" to the pop up window.
Procedures
- Create a .ps1 file with the following content (but replace "foobar" with your desired password and replace "cooluser" with your desired password):
$ConfigData = @{
AllNodes = @(
@{
NodeName=$env:COMPUTERNAME;
PSDscAllowPlainTextPassword = $true
}
)}
Configuration newLocalAdmin
{
$secpasswd = ConvertTo-SecureString "foobar" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("cooluser", $secpasswd)
Node $env:COMPUTERNAME
{
User adminUser
{
UserName = "Steve.J"
Description = "This account is created using DSC"
Password = $mycreds
FullName = "Steve Jobs"
PasswordNeverExpires = $true
Ensure = 'Present'
}
}
}
# Run the Configuration with the -ConfigurationData parameter and use our configData as argument
newLocalAdmin -ConfigurationData $ConfigData
- Run the script above.
- Run this command (from the directory where you ran the above command as it would have created a new directory):
Start-DscConfiguration -Path .\newLocalAdmin -Wait -Verbose
- You are done. This method was adapted from this posting.
We think the directions above would work on most versions of Windows.