1

I am deploying Airwatch to my organization. On company-owned laptops, I would like to lock them down if/when the device is ever un-enrolled. There is no built-in method of doing this, so I am looking for a script to do it. My relevant background: I know very little batch, some powershell, a lot of vbscript (for classic ASP).

I would like one or both of the following:

  • Reset all user passwords on the laptop to something preset
  • Create a specific local admin and then disable all other local users

I know I can use "net user" to get a list of users, but I do not know how to use that list to actually disable the users or change their passwords. The batch commands to fit this logic would be ideal:

net user NewAdmin Password /add

net localgroup administrators NewAdmin /add

UserList = net user output

For each UserName in UserList

     If UserName <> "NewAdmin" Then
          net user UserName NewPassword
          net user UserName /active:no
     End If
Next
Marc B
  • 356,200
  • 43
  • 426
  • 500
Michael
  • 79
  • 6
  • 2
    He is asking how to do this in Windows 10, not Windows 95 when using batch files and net commands was the norm, his code just expresses the desired logic. – Peter Hahndorf Oct 03 '16 at 17:56

1 Answers1

1

If you are using Windows 10 Vs.1607 or newer, you can use something like this PowerShell script:

$AdminPwd = ConvertTo-SecureString -string "foobar2016!" -AsPlainText -Force
$UserPwd = ConvertTo-SecureString -string "foobar2016!" -AsPlainText -Force

$NewAdmin = "NewAdmin"

New-LocalUser -Name $NewAdmin -FullName "New Admin" -Password $AdminPwd
Add-LocalGroupMember -Member $NewAdmin -Group "Administrators"

Get-LocalUser | ForEach-Object {

    if ($_.Name -ne $NewAdmin)
    {
        $_ | Set-LocalUser -Password $UserPwd
        $_ | Disable-LocalUser 
    }
}

Be careful when testing it, it disables all users except the new one. The LocalUser cmdlets are new in PowerShell Vs. 5.1

Peter Hahndorf
  • 10,767
  • 4
  • 42
  • 58
  • That looks like what I need, but many of the laptops I'll be deploying this to will probably not have v5.1 yet. – Michael Oct 03 '16 at 19:50
  • Unfortunately, it also looks like I have the added limitation of not being able to run powershell scripts as admin, which does not take away from your answer, but does make it useless for my purposes, unfortunately. The only script I can be sure will run as admin is cmd/batch in this environment. Thank you Peter! Seems like I may be stuck in the land of Windows 95 after all, if I'm going to be using Airwatch. – Michael Oct 04 '16 at 15:19