@rezarahimian
Last active December 9, 2019 23:51
[CmdletBinding()]
PARAM(
# Paths to PSCredential objects saved earlier with Export-Clixml. On Windows the
# embedded SecureString is DPAPI-protected, so the files can only be read back by
# the same user account on the same machine that wrote them.
[Parameter(Mandatory=$false)][String] $UserCredentialPath = "C:\PS\Cred_User.xml",
[Parameter(Mandatory=$false)][String] $ComputerCredentialPath = "C:\PS\Cred_Comp.xml"
)
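function Invoke-LocalAccount
{
    <#
    .SYNOPSIS
        Manages a local user account on a computer through the WinNT ADSI provider.

    .DESCRIPTION
        Binds to WinNT://<ComputerName> with -ComputerCredential and performs a single
        -Action against the local account database: create (NEW), delete (DEL),
        rename (REN), disable (DIS), look up (GET), reset the password (PWD), add to
        the local Administrators group (ADM), validate a user's credentials (TST) or
        find the built-in account whose SID ends in -500 (SID500). NUL does nothing.

        Actions that modify the target honour -WhatIf and -Confirm. Any error is
        written to the error stream (non-terminating) and the function still returns
        whatever $User held at that point.

    .PARAMETER ComputerName
        Computer to manage. Defaults to the local machine.

    .PARAMETER Action
        One of NEW, DEL, REN, DIS, NUL, GET, ADM, SID500, TST, PWD. Defaults to GET.
        Any action other than NEW that names a non-existent -UserName degrades to NUL.

    .PARAMETER ComputerCredential
        Credential used to bind to the computer's WinNT namespace.

    .PARAMETER UserCredential
        User name and password for NEW, PWD and TST. Required for those actions.

    .PARAMETER UserName
        Existing account to act on (all actions except NEW and SID500).

    .PARAMETER NewName
        New account name for REN.

    .PARAMETER Description
        Description stored on the account for NEW.

    .OUTPUTS
        The DirectoryEntry acted on or located; for TST a [bool] indicating whether
        the credentials validated; $null if nothing matched or no action applied.

    .NOTES
        The WinNT provider and PrincipalContext.ValidateCredentials only accept
        plain-text passwords, so the SecureStrings are unwrapped for the duration
        of the call and cleared in the finally block.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    PARAM(
        [Parameter(Mandatory=$false)][String] $ComputerName = $env:COMPUTERNAME,
        [Parameter(Mandatory=$false)][ValidateSet('NEW','DEL','REN','DIS','NUL','GET','ADM','SID500','TST','PWD')][String] $Action = 'GET',
        [Parameter(Mandatory=$true)][System.Management.Automation.PSCredential] $ComputerCredential,
        [Parameter(Mandatory=$false)][System.Management.Automation.PSCredential] $UserCredential,
        [Parameter(Mandatory=$false)][String] $UserName,
        [Parameter(Mandatory=$false)][String] $NewName,
        [Parameter(Mandatory=$false)][String] $Description
    )

    $User = $null
    $ComputerPassword = $null
    $UserPassword = $null
    try
    {
        Write-Verbose -Message 'Initializing variables...'
        # GetNetworkCredential() yields the plain-text password without the manual
        # SecureStringToBSTR/PtrToStringAuto marshalling, whose BSTR was never freed.
        $ComputerPassword = $ComputerCredential.GetNetworkCredential().Password
        if ($UserCredential)
        {
            $UserPassword = $UserCredential.GetNetworkCredential().Password
        }
        elseif (@('NEW', 'PWD', 'TST') -contains $Action)
        {
            # Fail early with a clear message instead of a null-reference error
            # deep inside the switch.
            throw ('Action "{0}" requires -UserCredential.' -f $Action)
        }

        Write-Verbose -Message ('Creating ADSI object on "{0}"...' -f $ComputerName)
        $ADSIObj = New-Object -TypeName System.DirectoryServices.DirectoryEntry `
            -ArgumentList ("WinNT://$ComputerName", $ComputerCredential.UserName, $ComputerPassword)
        $Users  = @($ADSIObj.Children | Where-Object { $_.SchemaClassName -eq 'user' })
        $Groups = @($ADSIObj.Children | Where-Object { $_.SchemaClassName -eq 'group' })

        # Everything except NEW works on an existing account; if it is not there,
        # fall through to the NUL branch rather than acting on $null.
        if ($UserName -and $Action -ne 'NEW')
        {
            $User = $Users | Where-Object { $_.Name -eq $UserName }
            if (-not $User)
            {
                Write-Verbose -Message ('"{0}" does not exist!' -f $UserName)
                $Action = 'NUL'
            }
        }

        # Target description shown by -WhatIf / -Confirm.
        $Target = '{0} on {1}' -f $UserName, $ComputerName
        switch ($Action)
        {
            # Create a new local account; name and password come from -UserCredential.
            'NEW'
            {
                $Target = '{0} on {1}' -f $UserCredential.UserName, $ComputerName
                if ($PSCmdlet.ShouldProcess($Target, 'Create local account'))
                {
                    $User = $ADSIObj.Create('User', $UserCredential.UserName)
                    $User.SetPassword($UserPassword)
                    # 65536 = ADS_UF_DONT_EXPIRE_PASSWD: the password never expires.
                    $User.UserFlags.Value = 65536
                    $User.SetInfo()
                    $User.Description = $Description
                    $User.SetInfo()
                    Write-Verbose -Message ('Created new user account : "{0}" ' -f ($User | Out-String))
                }
            }
            # Disable the account.
            'DIS'
            {
                if ($PSCmdlet.ShouldProcess($Target, 'Disable local account'))
                {
                    $User.AccountDisabled = $true
                    $User.SetInfo()
                    Write-Verbose -Message ('Disabled user account : "{0}" ' -f ($User | Out-String))
                }
            }
            # Rename the account to -NewName.
            'REN'
            {
                if ($PSCmdlet.ShouldProcess($Target, ('Rename local account to "{0}"' -f $NewName)))
                {
                    $User.Rename($NewName)
                    $User.SetInfo()
                    Write-Verbose -Message ('Renamed user account : "{0}" ' -f ($User | Out-String))
                }
            }
            # Read-only lookup; $User was already resolved above.
            'GET'
            {
                Write-Verbose -Message ('Found user account : "{0}" ' -f ($User | Out-String))
            }
            # Locate the built-in account with RID 500.
            'SID500'
            {
                # Use a dedicated loop variable so $User is only set when a -500
                # account is actually found; previously the last enumerated account
                # leaked into the return value when none matched.
                $User = $null
                foreach ($Candidate in $Users)
                {
                    $SID = (New-Object -TypeName System.Security.Principal.SecurityIdentifier `
                        -ArgumentList ($Candidate.ObjectSID.Value, 0)).Value
                    if ($SID -like '*-500')
                    {
                        $User = $Candidate
                        Write-Verbose -Message ('Found SID500 account : "{0}" ' -f ($User | Out-String))
                        break
                    }
                }
            }
            # Delete the account named by -UserName.
            'DEL'
            {
                if ($PSCmdlet.ShouldProcess($Target, 'Delete local account'))
                {
                    $ADSIObj.Delete('User', $UserName)
                    Write-Verbose -Message ('Deleted user account : "{0}" ' -f $UserName)
                }
            }
            # Reset the account password to the one in -UserCredential.
            'PWD'
            {
                if ($PSCmdlet.ShouldProcess($Target, 'Reset local account password'))
                {
                    $User.SetPassword($UserPassword)
                    $User.SetInfo()
                    Write-Verbose -Message ('Changed password of : "{0}" ' -f ($User | Out-String))
                }
            }
            # Add the account to the local Administrators group.
            'ADM'
            {
                # Match by the well-known SID (S-1-5-32-544) rather than the English
                # display name so localized or renamed groups are still found.
                $Group = $Groups | Where-Object {
                    (New-Object -TypeName System.Security.Principal.SecurityIdentifier `
                        -ArgumentList ($_.ObjectSID.Value, 0)).Value -eq 'S-1-5-32-544'
                }
                if (-not $Group)
                {
                    Write-Verbose -Message 'Cannot find Administrators group to add the user!'
                }
                elseif ($PSCmdlet.ShouldProcess($Target, 'Add to local Administrators group'))
                {
                    $Group.Add($User.Path)
                    Write-Verbose -Message ('Added user account to "Administrators" group : "{0}" ' -f ($User | Out-String))
                }
            }
            # Validate the -UserCredential password against the machine.
            'TST'
            {
                Write-Verbose -Message ('Validating credentials of "{0}" on "{1}"...' -f $UserCredential.UserName, $ComputerName)
                # Harmless if the assembly is already loaded; required on hosts where it is not.
                Add-Type -AssemblyName System.DirectoryServices.AccountManagement
                $Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext `
                    -ArgumentList ('Machine', $ComputerName)
                try
                {
                    # ValidateCredentials only proves the password is correct; it says
                    # nothing about group membership, so the messages no longer claim
                    # "admin access".
                    $User = $Context.ValidateCredentials($UserCredential.UserName, $UserPassword)
                }
                finally
                {
                    $Context.Dispose()
                }
                if ($User)
                {
                    Write-Verbose -Message ('Credentials of "{0}" are valid on "{1}".' -f $UserCredential.UserName, $ComputerName)
                }
                else
                {
                    Write-Verbose -Message ('Credentials of "{0}" are NOT valid on "{1}".' -f $UserCredential.UserName, $ComputerName)
                }
            }
            default
            {
                Write-Verbose -Message 'No action to do!'
            }
        }
    }
    catch
    {
        # Report on the error stream instead of burying the failure in -Verbose
        # output; non-terminating, so callers still receive $User unless they
        # opt into -ErrorAction Stop.
        Write-Error -ErrorRecord $_
    }
    finally
    {
        # Drop the plain-text password copies as soon as the work is done.
        $ComputerPassword = $null
        $UserPassword = $null
    }
    return $User
}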
# Load the credentials saved earlier with Export-Clixml. Import-Clixml throws a
# terminating error if a file is missing or was written by a different user/machine.
$UserCredential = [System.Management.Automation.PSCredential](Import-Clixml -Path $UserCredentialPath)
$ComputerCredential = [System.Management.Automation.PSCredential](Import-Clixml -Path $ComputerCredentialPath)
# Walk through every action once. NEW names the account after $UserCredential.UserName
# (presumably 'User1' here — confirm against the saved credential). Because User1 is
# renamed to User2 before the final DEL, that DEL finds no 'User1', and the lookup
# before the switch turns the action into NUL, so nothing is deleted.
Invoke-LocalAccount -Action NEW -Description 'New User 1' -UserCredential $UserCredential -ComputerCredential $ComputerCredential -Verbose
Invoke-LocalAccount -Action REN -UserName 'User1' -NewName 'User2' -ComputerCredential $ComputerCredential -Verbose
Invoke-LocalAccount -Action PWD -UserName 'User2' -UserCredential $UserCredential -ComputerCredential $ComputerCredential -Verbose
Invoke-LocalAccount -Action ADM -UserName 'User2' -ComputerCredential $ComputerCredential -Verbose
Invoke-LocalAccount -Action TST -UserName 'User2' -UserCredential $UserCredential -ComputerCredential $ComputerCredential -Verbose
Invoke-LocalAccount -Action DIS -UserName 'User2' -UserCredential $UserCredential -ComputerCredential $ComputerCredential -Verbose
Invoke-LocalAccount -Action GET -UserName 'User2' -ComputerCredential $ComputerCredential -Verbose
Invoke-LocalAccount -Action DEL -UserName 'User1' -ComputerCredential $ComputerCredential -Verbose
# SID500 ignores -UserName and scans every local account for the RID-500 SID.
Invoke-LocalAccount -Action SID500 -ComputerCredential $ComputerCredential -Verbose