===== Управление паролями локальных админов в домене =====
==== Нормальное решение ====
[[https://docs.microsoft.com/en-us/previous-versions/mt227395(v=msdn.10)|Local Administrator Password Solution]] (LAPS), но нужно расширять схему и ставить агентов на клиентские тачки, также имеются некоторые проблемы с совместимостью.
==== Костыли ====
В Powershell 5.1 есть команда Set-LocalUser, но нужно везде расставить Powershell 5.1.
При отсутствии возможности оперативно расставить Powershell 5.1 по сети, можно действовать через ADSI.
Проверка флагов (UserFlags) учётной записи локального админа Администратор на рабочих станциях домена
Function Convert-UserFlag {
    <#
    .SYNOPSIS
    Translates a UserFlags / userAccountControl bitmask into the names of its set bits.

    .PARAMETER UserFlag
    Integer bitmask, e.g. ([ADSI]"WinNT://host/user,user").UserFlags.Value.

    .OUTPUTS
    One string with the names of the known bits that are set, in ascending bit order,
    joined by ', ' (empty string when none of the known bits is set).
    #>
    Param ($UserFlag)

    # Known bits in ascending order; the output order follows this table.
    $KnownFlags = @(
        @{ Bit = 0x0001;      Name = 'SCRIPT' },
        @{ Bit = 0x0002;      Name = 'ACCOUNTDISABLE' },
        @{ Bit = 0x0008;      Name = 'HOMEDIR_REQUIRED' },
        @{ Bit = 0x0010;      Name = 'LOCKOUT' },
        @{ Bit = 0x0020;      Name = 'PASSWD_NOTREQD' },
        @{ Bit = 0x0040;      Name = 'PASSWD_CANT_CHANGE' },
        @{ Bit = 0x0080;      Name = 'ENCRYPTED_TEXT_PWD_ALLOWED' },
        @{ Bit = 0x0100;      Name = 'TEMP_DUPLICATE_ACCOUNT' },
        @{ Bit = 0x0200;      Name = 'NORMAL_ACCOUNT' },
        @{ Bit = 0x0800;      Name = 'INTERDOMAIN_TRUST_ACCOUNT' },
        @{ Bit = 0x1000;      Name = 'WORKSTATION_TRUST_ACCOUNT' },
        @{ Bit = 0x2000;      Name = 'SERVER_TRUST_ACCOUNT' },
        @{ Bit = 0x10000;     Name = 'DONT_EXPIRE_PASSWORD' },
        @{ Bit = 0x20000;     Name = 'MNS_LOGON_ACCOUNT' },
        @{ Bit = 0x40000;     Name = 'SMARTCARD_REQUIRED' },
        @{ Bit = 0x80000;     Name = 'TRUSTED_FOR_DELEGATION' },
        @{ Bit = 0x100000;    Name = 'NOT_DELEGATED' },
        @{ Bit = 0x200000;    Name = 'USE_DES_KEY_ONLY' },
        @{ Bit = 0x400000;    Name = 'DONT_REQ_PREAUTH' },
        @{ Bit = 0x800000;    Name = 'PASSWORD_EXPIRED' },
        @{ Bit = 0x1000000;   Name = 'TRUSTED_TO_AUTH_FOR_DELEGATION' },
        @{ Bit = 0x04000000;  Name = 'PARTIAL_SECRETS_ACCOUNT' }
    )

    # A bit is "set" when masking the input with it gives the bit back.
    $Names = foreach ($Flag in $KnownFlags) {
        if (($UserFlag -band $Flag.Bit) -eq $Flag.Bit) { $Flag.Name }
    }

    # $null -join ', ' yields '' when nothing matched, same as an empty list.
    $Names -join ', '
}
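# Which computers to check: enabled Windows hosts under this OU (adjust to your domain).
$SearchBase = "OU=Workstations,OU=company,DC=domain,DC=ru"
# Name of the built-in local administrator account on the workstations (localized name).
$LocalAdminName = "Администратор"

$Computers = Get-ADComputer -Filter "Enabled -eq 'True'" -SearchBase $SearchBase -Properties OperatingSystem |
    Where-Object OperatingSystem -match "Windows"

# Output per host: the computer name, then the decoded UserFlags of its local admin account.
foreach ($Computer in $Computers.Name) {
    Write-Output $Computer
    try {
        # The WinNT provider binds over the network; an offline host or a missing account
        # surfaces either as an exception here or as a $null UserFlags value (handled below).
        $Account = [ADSI]"WinNT://$Computer/$LocalAdminName,user"
        $Flags = $Account.UserFlags.Value
        if ($null -eq $Flags) {
            Write-Warning "$Computer : UserFlags not readable (host offline or account '$LocalAdminName' missing?)"
            continue
        }
        Convert-UserFlag -UserFlag $Flags
    } catch {
        # Keep going with the remaining hosts instead of aborting the whole report.
        Write-Warning "$Computer : $($_.Exception.Message)"
    }
}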
https://mcpmag.com/articles/2015/04/15/reporting-on-local-accounts.aspx\\
https://support.microsoft.com/ru-ru/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties\\
https://windowsnotes.ru/powershell-2/pobitovye-operatory-v-powershell/\\
https://community.spiceworks.com/topic/2077624-getting-local-admin-group-members\\
https://www.petri.com/managing-local-user-accounts-with-powershell\\
https://blogs.technet.microsoft.com/russellt/2016/05/26/passwd_notreqd/
[[https://www.reddit.com/r/PowerShell/comments/a0du0v/is_it_possible_to_uncheck_password_never_expires/|Is it possible to uncheck "Password Never Expires" for all local users]]?
# userAccountControl / UserFlags bit for "Password never expires".
$ADS_UF_DONT_EXPIRE_PASSWD = 0x00010000
# Desired state for EVERY local user on this machine:
# $true sets the flag where it is missing, $false clears it where it is set.
$set_password_never_expires = $true
$adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
$adsi.Children | Where-Object { $_.SchemaClassName -eq 'user' } | ForEach-Object {
    $current = $_.UserFlags.Value
    $is_set = [bool]($current -band $ADS_UF_DONT_EXPIRE_PASSWD)
    # Already in the desired state: nothing to write for this account.
    if ($is_set -eq $set_password_never_expires) { return }
    if ($set_password_never_expires) {
        Write-Verbose -Message "Checking 'Password never expires' for user $($_.Name)"
        $_.UserFlags = $current -bor $ADS_UF_DONT_EXPIRE_PASSWD
    } else {
        Write-Verbose -Message "Unchecking 'Password never expires' for user $($_.Name)"
        # -bxor only clears the bit here because we know it is currently set.
        $_.UserFlags = $current -bxor $ADS_UF_DONT_EXPIRE_PASSWD
    }
    # Persist the changed flags to the local SAM.
    $_.SetInfo()
}