Local Administrator Password Solution (LAPS), но нужно расширять схему и ставить агентов на клиентские тачки, также имеются некоторые проблемы с совместимостью.
В Powershell 5.1 есть команда Set-LocalUser, но нужно везде расставить Powershell 5.1.
При отсутствии возможности оперативно расставить Powershell 5.1 по сети, можно действовать через ADSI.
Проверка прав локального админа Администратор
Function Convert-UserFlag { Param ($UserFlag) $List = New-Object System.Collections.ArrayList Switch ($UserFlag) { ($UserFlag -BOR 0x0001) {[void]$List.Add('SCRIPT')} ($UserFlag -BOR 0x0002) {[void]$List.Add('ACCOUNTDISABLE')} ($UserFlag -BOR 0x0008) {[void]$List.Add('HOMEDIR_REQUIRED')} ($UserFlag -BOR 0x0010) {[void]$List.Add('LOCKOUT')} ($UserFlag -BOR 0x0020) {[void]$List.Add('PASSWD_NOTREQD')} ($UserFlag -BOR 0x0040) {[void]$List.Add('PASSWD_CANT_CHANGE')} ($UserFlag -BOR 0x0080) {[void]$List.Add('ENCRYPTED_TEXT_PWD_ALLOWED')} ($UserFlag -BOR 0x0100) {[void]$List.Add('TEMP_DUPLICATE_ACCOUNT')} ($UserFlag -BOR 0x0200) {[void]$List.Add('NORMAL_ACCOUNT')} ($UserFlag -BOR 0x0800) {[void]$List.Add('INTERDOMAIN_TRUST_ACCOUNT')} ($UserFlag -BOR 0x1000) {[void]$List.Add('WORKSTATION_TRUST_ACCOUNT')} ($UserFlag -BOR 0x2000) {[void]$List.Add('SERVER_TRUST_ACCOUNT')} ($UserFlag -BOR 0x10000) {[void]$List.Add('DONT_EXPIRE_PASSWORD')} ($UserFlag -BOR 0x20000) {[void]$List.Add('MNS_LOGON_ACCOUNT')} ($UserFlag -BOR 0x40000) {[void]$List.Add('SMARTCARD_REQUIRED')} ($UserFlag -BOR 0x80000) {[void]$List.Add('TRUSTED_FOR_DELEGATION')} ($UserFlag -BOR 0x100000) {[void]$List.Add('NOT_DELEGATED')} ($UserFlag -BOR 0x200000) {[void]$List.Add('USE_DES_KEY_ONLY')} ($UserFlag -BOR 0x400000) {[void]$List.Add('DONT_REQ_PREAUTH')} ($UserFlag -BOR 0x800000) {[void]$List.Add('PASSWORD_EXPIRED')} ($UserFlag -BOR 0x1000000) {[void]$List.Add('TRUSTED_TO_AUTH_FOR_DELEGATION')} ($UserFlag -BOR 0x04000000) {[void]$List.Add('PARTIAL_SECRETS_ACCOUNT')} } $List -join ', ' } (Get-ADComputer -Filter "Enabled -eq 'True'" -SearchBase "OU=Workstations,OU=company,DC=domain,DC=ru" -Properties OperatingSystem |? OperatingSystem -match "Windows").name |% { echo "$_" Convert-UserFlag -UserFlag ([ADSI]"WinNT://$_/Администратор,user").UserFlags.Value }
https://mcpmag.com/articles/2015/04/15/reporting-on-local-accounts.aspx
https://support.microsoft.com/ru-ru/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties
https://windowsnotes.ru/powershell-2/pobitovye-operatory-v-powershell/
https://community.spiceworks.com/topic/2077624-getting-local-admin-group-members
https://www.petri.com/managing-local-user-accounts-with-powershell
https://blogs.technet.microsoft.com/russellt/2016/05/26/passwd_notreqd/
Is it possible to uncheck "Password Never Expires" for all local users?
$ADS_UF_DONT_EXPIRE_PASSWD = 0x00010000 $set_password_never_expires = $true $adsi = [ADSI]"WinNT://$env:COMPUTERNAME" $adsi.Children | Where-Object { $_.SchemaClassName -eq 'user' } | ForEach-Object { $is_set = ($_.UserFlags.Value -band $ADS_UF_DONT_EXPIRE_PASSWD) -eq $ADS_UF_DONT_EXPIRE_PASSWD if ($is_set -and -not $set_password_never_expires) { Write-Verbose -Message "Unchecking 'Password never expires' for user $($_.Name)" $_.UserFlags = $_.UserFlags.Value -bxor $ADS_UF_DONT_EXPIRE_PASSWD $_.SetInfo() } elseif (-not $is_set -and $set_password_never_expires) { Write-Verbose -Message "Checking 'Password never expires' for user $($_.Name)" $_.UserFlags = $_.UserFlags.Value -bor $ADS_UF_DONT_EXPIRE_PASSWD $_.SetInfo() } }