So this blog is attached to the MSP Security Summit presentation I’ve given. These scripts are some examples on how you could deploy named accounts with your RMM system. How to deploy the scripts as securely as possible really depends on your RMM system – Some systems allow you to pass passwords as secure strings, others require plain text but keep everything in memory to prevent the credentials from leaking.
These scripts are examples, modify them to your own environments as much as you want.
Script One: Creating a named Account
You can schedule this script using your RMM at your clients to create your named account. It will create a domain account if the machine is a domain controller, and it will create a local account if the machine is a server or workstation. I’d strongly recommend to use a different named account for workstations, than servers and domain controllers in case you use this version.
The script will expect a secure string as input for the password field. If your RMM does not support this, you’ll need to account for this.
param(
$Username,
$Password
)
function Set-NamedAccount ($Username, $Password, $type) {
switch ($type) {
'Local' {
$ExistingUser = get-localuser $Username -ErrorAction SilentlyContinue
if (!$ExistingUser) {
write-host "Creating new user admin $username" -ForegroundColor green
New-LocalUser -Name $Username -Password $Password -PasswordNeverExpires
Add-LocalGroupMember -Member $Username -SID 'S-1-5-32-544'
}
else {
write-host "Setting password for admin $username" -ForegroundColor Green
Set-LocalUser -Name $Username -Password $Password
}
}
'Domain' {
$ExistingUser = get-aduser -filter * | Where-Object { $_.SamAccountName -eq $Username } -ErrorAction SilentlyContinue
if (!$ExistingUser) {
write-host "Creating new domain admin for $username" -ForegroundColor Green
New-ADUser -Name $Username -SamAccountName $Username -AccountPassword $Password -Enabled $True
$ExistingUser = get-aduser -filter * | Where-Object { $_.SamAccountName -eq $Username }
$Groups = @("Domain Admins", "Administrators", "Schema Admins", "Enterprise Admins")
$groups | Add-ADGroupMember -members $ExistingUser -erroraction SilentlyContinue
}
else {
write-host "Setting password for admin $username" -ForegroundColor green
$ExistingUser | Set-adaccountpassword -newPassword $Password
}
}
}
}
$DomainCheck = Get-CimInstance -ClassName Win32_OperatingSystem
switch ($DomainCheck.ProductType) {
1 { Set-NamedAccount -Username $Username -Password $Password -type "Local" }
2 { Set-NamedAccount -Username $Username -Password $Password -type "Domain" }
3 { Set-NamedAccount -Username $Username -Password $Password -type "Local" }
Default { write-warning -message "Could not get Server Type. Quitting script." }
}
Script Two: Creating a named Account with extra info
This named account script allows you to create a named account with a pseudo random part directly added to the username. Our RMM system allows us to add the customer ID from an external system. This makes sure you don’t use the same username across your entire client base and are still able remember the username for each client yourself. For example “JohnDoe-2123”
This also prevents a hacker from getting a credentials pair (Username+Password) and spraying them across other services.
param(
$Username,
$Password,
$NameSeed
)
function Set-NamedAccount ($Username, $Password, $type) {
switch ($type) {
'Local' {
$ExistingUser = get-localuser $Username -ErrorAction SilentlyContinue
if (!$ExistingUser) {
write-host "Creating new user admin $username" -ForegroundColor green
New-LocalUser -Name $Username -Password $Password -PasswordNeverExpires
Add-LocalGroupMember -Member $Username -SID 'S-1-5-32-544'
}
else {
write-host "Setting password for admin $username" -ForegroundColor Green
Set-LocalUser -Name $Username -Password $Password
}
}
'Domain' {
$ExistingUser = get-aduser -filter * | Where-Object { $_.SamAccountName -eq $Username } -ErrorAction SilentlyContinue
if (!$ExistingUser) {
write-host "Creating new domain admin for $username" -ForegroundColor Green
New-ADUser -Name $Username -SamAccountName $Username -AccountPassword $Password -Enabled $True
$ExistingUser = get-aduser -filter * | Where-Object { $_.SamAccountName -eq $Username }
$Groups = @("Domain Admins", "Administrators", "Schema Admins", "Enterprise Admins")
$groups | Add-ADGroupMember -members $ExistingUser -erroraction SilentlyContinue
}
else {
write-host "Setting password for admin $username" -ForegroundColor green
$ExistingUser | Set-adaccountpassword -newPassword $Password
}
}
}
}
$DomainCheck = Get-CimInstance -ClassName Win32_OperatingSystem
switch ($DomainCheck.ProductType) {
1 { Set-NamedAccount -Username $Username+$NameSeed -Password $Password -type "Local" }
2 { Set-NamedAccount -Username $Username+$NameSeed -Password $Password -type "Domain" }
3 { Set-NamedAccount -Username $Username+$NameSeed -Password $Password -type "Local" }
Default { write-warning -message "Could not get Server Type. Quitting script." }
}
You could also change this script to randomize the password, so you get pseudo-random passwords at your clients. Just heed my warning that I also gave during the presentation; do not think of this as a replacement for MFA.
Script Three: Removing a named account
So after you start using named accounts you’ll probably have someone leave the company, removing the account can be done by executing the following script.
param(
$Username,
)
function Remove-NamedAccount ($Username, $type) {
switch ($type) {
'Local' {
$ExistingUser = get-localuser $Username -ErrorAction SilentlyContinue
if (!$ExistingUser) {
write-host "No such user found: $username" -ForegroundColor green
}
else {
write-host "Deleting $username" -ForegroundColor Green
Remove-LocalUser -Name $Username -Confirm:$false
}
}
'Domain' {
$ExistingUser = get-aduser -filter * | Where-Object { $_.SamAccountName -eq $Username } -ErrorAction SilentlyContinue
if (!$ExistingUser) {
write-host "No such user found: $username" -ForegroundColor Green
}
else {
write-host "Deleting $username" -ForegroundColor green
$ExistingUser | remove-aduser
}
}
}
}
$DomainCheck = Get-CimInstance -ClassName Win32_OperatingSystem
switch ($DomainCheck.ProductType) {
1 { Set-NamedAccount -Username $Username+$NameSeed -Password $Password -type "Local" }
2 { Set-NamedAccount -Username $Username+$NameSeed -Password $Password -type "Domain" }
3 { Set-NamedAccount -Username $Username+$NameSeed -Password $Password -type "Local" }
Default { write-warning -message "Could not get Server Type. Quitting script." }
}
This deletes the entire user from both the local store, and the domain. You can choose to replace the removal with a disable policy using the same script.
And more?
Well, that’s it for named accounts. Just remember to keep good security hygiene and start monitoring for security based threats too; unknown admin logons, forbidden users such as service accounts, new users, shodan results, port scans, Privileged Group Changes and all that kinda stuff 🙂
And that’s it! I hope you enjoyed the presentation and if you have any questions, let me know. As always, Happy PowerShelling.
If you want to contact me directly you can find me on twitter here, or via email: Kelvin {at} limenetworks.nl
- Documenting with PowerShell: Syncing Unifi devices to IT-Glue - May 24, 2020
- Documenting and monitoring blogs updates - May 21, 2020
- Documenting with PowerShell: Documenting Unifi infrastructure - May 18, 2020