# LAPS Local Account Management

**Author:** Doug Hesseltine  
**Copyright:** Technologist.services 2025  
**Last Modified:** January 22nd, 2025  
**Version:** 1.1

## Overview

This project contains a batch script for managing local administrator accounts on Windows systems in conjunction with Microsoft LAPS (Local Administrator Password Solution).

## Files

- `LAPS-SetLocalAccounts.bat` - Main script for creating/managing local admin accounts and removing unwanted user accounts

## LAPS-SetLocalAccounts.bat

### Purpose

Create a new local admin user with a random password and optionally remove existing local users. The script integrates with Microsoft LAPS to manage local administrator passwords.

### Configuration

The script uses two main configuration variables that can be adjusted at the top of the file:

- **AdminUser** (line 10): The username for the local administrator account (default: `masteradmin`)
- **UsersToRemove** (line 11): Comma-separated list of local users to remove

### Key Features

- Generates a 20-character random password using alphanumeric and special characters
- Checks if the admin user already exists and is a member of the local administrators group
- Only creates/modifies users when necessary
- Removes specified unwanted local user accounts
- Triggers LAPS policy processing after completion
- Writes a completion marker/log entry to `C:\temp\laps.txt`

### Behavior Logic (Version 1.1+)

The script follows this decision flow:

1. **Check if admin user exists**
   - If NO: Generate password, create user, add to administrators group, continue script
   - If YES: Proceed to step 2

2. **Check if user is member of local administrators group**
   - If YES: Exit quietly (no action needed)
   - If NO: Add user to administrators group, continue script

3. **Remove unwanted users** (if configured)
   - Removes users listed in `UsersToRemove` variable
   - Removes from administrators group first, then deletes account

4. **Trigger LAPS policy processing**
   - Executes `Invoke-LapsPolicyProcessing` via PowerShell
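The four-step flow above, written out as an added PowerShell example (this is not the project's `LAPS-SetLocalAccounts.bat`, which is a batch file; the helper names `New-RandomPassword` and `Test-LocalAdminMember`, the password alphabet, and the sample `UsersToRemove` entries are constructed for illustration). It assumes Windows PowerShell 5.1 or later with the `Microsoft.PowerShell.LocalAccounts` module and the Windows LAPS module (`Invoke-LapsPolicyProcessing`) installed, and must be run elevated.

```powershell
# Added example (not the project's script): the version 1.1 decision flow in PowerShell.
$AdminUser     = 'masteradmin'               # same default as the batch script
$UsersToRemove = @('olduser1', 'olduser2')   # constructed sample list
$LogFile       = 'C:\temp\laps.txt'

function New-RandomPassword {
    param([int]$Length = 20)
    # Constructed alphabet: mixed case, digits and specials, as the README describes
    $chars = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    # Map each CSPRNG byte onto the alphabet (small modulo bias; LAPS rotates this value anyway)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function Test-LocalAdminMember {
    param([string]$User)
    # Get-LocalGroupMember returns names as COMPUTER\user, so match on the suffix
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    return [bool]($members | Where-Object { $_.Name -like "*\$User" })
}

# Step 1: does the admin user exist?
$existing = Get-LocalUser -Name $AdminUser -ErrorAction SilentlyContinue
if (-not $existing) {
    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    New-LocalUser -Name $AdminUser -Password $secure | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $AdminUser
}
# Step 2: exists and is already an administrator -> exit quietly
elseif (Test-LocalAdminMember $AdminUser) {
    return
}
else {
    Add-LocalGroupMember -Group 'Administrators' -Member $AdminUser
}

# Step 3: remove unwanted accounts (group membership first, then the account itself)
foreach ($u in $UsersToRemove) {
    if (Get-LocalUser -Name $u -ErrorAction SilentlyContinue) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $u -ErrorAction SilentlyContinue
        Remove-LocalUser -Name $u
    }
}

# Step 4: let LAPS take over the password, then write the completion marker
Invoke-LapsPolicyProcessing
New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null
"$(Get-Date -Format o) LAPS account setup complete for $AdminUser" | Add-Content $LogFile
```

The initial random password is only a bootstrap value: once `Invoke-LapsPolicyProcessing` runs, LAPS sets and escrows its own password for the account, so the script never needs to record the one it generated.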

### Usage

Run the script with administrative privileges:

```batch
LAPS-SetLocalAccounts.bat
```

The script will:
- Create or verify the admin user account
- Remove any specified unwanted accounts
- Trigger LAPS policy processing

### Customization

To customize for different clients, simply modify the `AdminUser` variable on line 10:

```batch
set "AdminUser=yourclientadmin"
```

All validation and operations will use this configured username.

## Version History

### Version 1.1 (January 22nd, 2025)
- Added validation to check if admin user exists and is member of local administrators group before proceeding
- Script now exits quietly if user already exists and is in administrators group
- Improved efficiency by avoiding unnecessary operations
- Enhanced logic to handle case where user exists but is not in administrators group

### Version 1.0 (December 23rd, 2024)
- Initial release
- Random password generation
- Local admin user creation
- Unwanted user removal
- LAPS policy integration

## Requirements

- Windows OS
- Administrative privileges
- Microsoft LAPS installed and configured
- PowerShell available for LAPS policy processing

## Notes

- The generated password is 20 characters long with mixed case, numbers, and special characters
- Password is only generated when needed (user doesn't exist)
- Script creates `C:\temp\laps.txt` as a completion marker
- All operations require administrative privileges
