Hello everyone, I am currently creating a new local admin using PowerShell. This admin should be able to do everything except for creating another admin account. The account will be deleted after 24 hours. The account can be created without issues, and the schedule also works, but the permission part is not fully functional yet. I have tried creating a new group, limiting its permissions and then linking it to the normal Administrators group. This did not work. Now I am trying to edit the Administrators group itself so that all accounts within the group cannot create any more accounts. These settings should also be reset after 24 hours. My current code (the script block must be used because our software distribution is only 32-bit capable):

$ScriptBlock = {
    # Create the temporary account and make it a local administrator
    New-LocalUser -Name "admintemp" -Password (ConvertTo-SecureString "89hfihi244" -AsPlainText -Force) -FullName "24h Admin" -Description "Account exists 24h"
    Add-LocalGroupMember -Group "Administrators" -Member "admintemp"

    # Deny the Administrators group access to the policy key (intended to block further account creation)
    $Rule = New-Object System.Security.AccessControl.RegistryAccessRule("Administrators", "FullControl", "Deny")
    $Key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree)
    $ACL = $Key.GetAccessControl()
    $ACL.SetAccessRule($Rule)
    $Key.SetAccessControl($ACL)

    # Scheduled task: remove the account from Administrators after 24 hours
    $Trigger = New-ScheduledTaskTrigger -At (Get-Date).AddHours(24) -Once
    $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument '-Command "& { Remove-LocalGroupMember -Group Administrators -Member admintemp }"'
    Register-ScheduledTask -TaskName "Remove Temporary Admin" -Trigger $Trigger -Action $Action
}
& "$env:windir\sysnative\WindowsPowerShell\v1.0\powershell.exe" -command $ScriptBlock
Best regards and thank you, Marc
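An added example (not Marc's code) of the temporary-admin lifecycle described in the post, with the cleanup task removing the account itself, running as SYSTEM, and an account expiry as a fallback if the task never fires; the account name, task name and 24-hour lifetime are assumptions taken from the post, and it must run from an elevated 64-bit PowerShell (or via the sysnative path as in the post).

```powershell
# Added example: temporary local admin with guaranteed cleanup (not the original poster's code).
# Assumed names: user 'admintemp', task 'Remove Temporary Admin', lifetime 24 hours.
$UserName = 'admintemp'
$TaskName = 'Remove Temporary Admin'
$Expiry   = (Get-Date).AddHours(24)

# Generate a random password at run time instead of hard-coding one in the script.
$Bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Bytes)
$PlainPassword = [Convert]::ToBase64String($Bytes)
$Password = ConvertTo-SecureString $PlainPassword -AsPlainText -Force

# -AccountExpires blocks logon after the lifetime even if the scheduled task never runs.
New-LocalUser -Name $UserName -Password $Password -FullName '24h Admin' `
    -Description 'Account exists 24h' -AccountExpires $Expiry -PasswordNeverExpires
Add-LocalGroupMember -Group 'Administrators' -Member $UserName

# Note: a Deny ACE on HKLM\...\Policies\System does not stop members of Administrators from
# creating accounts (account creation is a SAM right held by that group, and admins can remove
# the ACE). The practical control is a short lifetime plus cleanup that removes the account itself.
$Cleanup = "Remove-LocalGroupMember -Group Administrators -Member $UserName -ErrorAction SilentlyContinue; " +
           "Remove-LocalUser -Name $UserName; " +
           "Unregister-ScheduledTask -TaskName '$TaskName' -Confirm:`$false"
$Action    = New-ScheduledTaskAction -Execute 'PowerShell.exe' `
                 -Argument "-NoProfile -NonInteractive -Command `"$Cleanup`""
$Trigger   = New-ScheduledTaskTrigger -Once -At $Expiry
# Run as SYSTEM with highest privileges so the cleanup does not depend on the temp admin's session.
$Principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
# StartWhenAvailable runs the task late if the machine was off at the trigger time.
$Settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable
Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings -Force | Out-Null

# Verify the state the cleanup task is expected to undo.
Get-LocalUser -Name $UserName | Select-Object Name, Enabled, AccountExpires
Get-LocalGroupMember -Group 'Administrators' | Where-Object Name -like "*\$UserName"
(Get-ScheduledTask -TaskName $TaskName).Triggers | Select-Object StartBoundary

# Hand the password over once; it is not stored anywhere by this script.
Write-Output "Temporary password for $UserName (shown once): $PlainPassword"
```

Run it once per machine; re-running with the same names recreates the task (-Force) but New-LocalUser will fail if the account still exists, which is the signal that the previous cleanup did not run.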