I try to create a local user account on a remote machine. For connecting the PowerShell session I'm using a local user on the target machine. This user is not part of the local Administrator group but it's part of a local group which has been granted full privileges on the default PowerShell session configuration. The target machine isn't part of a domain.
The folder creation on the target machine works, so I'm sure the user can run local PowerShell commands successfully. But the ADSI command is failing. I guess because it needs to be run with local Administrator rights. Any idea how I could solve this scenario without remoting in with a local Administrator account?
Script:
$cred = IMPORT-CLIXML C:\temp\credentials.xml
$mySession = New-PSSession -ComputerName $targetMachine -Credential $cred
Invoke-Command -Session $mySession -ScriptBlock {
New-Item -Path "c:\test" -ItemType Directory
$cn = [ADSI]"WinNT://${env:Computername}"
$userObject = $cn.Create("User","testUser")
}
If I add the local user that's used for remoting to the Administrator group all works fine. But I'd like to avoid using a Administrator account to make it more secure.
Whether you are local or on a remote machine via PowerShell remoting, a non-administrator account can not create new user accounts.
So the problem is not that there is no PowerShell cmdlet to add users, ADSI or net user work just fine, but you have to be an administrator.
I tried to remote in as a normal user and then execute a command elevated as an admin on the remote machine. Neither Start-Process no psexec.exe worked.
There may be third party tools that can do this, but you would have to provide a user name and password to them.
Using the JEA toolkit seems to be the cleanest approach, but it has a bit of a learning curve.