Afin de créer le compte administrateur local qui sera utilisé par LAPS, nous pouvons utiliser un script de remédiation Intune (un script de détection qui vérifie l'état du poste, puis un script de remédiation exécuté uniquement si la détection échoue).
Script de détection :
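# Intune proactive-remediation DETECTION script for the LAPS-managed local admin.
# Exit 0 = compliant (the account exists AND is a member of the built-in
# Administrators group, well-known SID S-1-5-32-544); exit 1 = remediation needed.
Start-Transcript -Path "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\LAPSLocalAdmin_Detect.log" -Append

# Name of the local account LAPS is expected to manage.
$LAPSAdmin = "Laps"

# All local accounts, and the Administrators group looked up by SID
# (presumably so the check does not depend on the group's localized name).
$Query = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"
$Group = Get-WmiObject -Query "Select * From Win32_Group Where LocalAccount = TRUE And SID = 'S-1-5-32-544'"
# Local user accounts that are members of that group (may be empty/null).
$Members = $Group.GetRelated("win32_useraccount")

# Decide the result first and exit only at the very end: in the original every
# branch called Exit before Stop-Transcript, so the transcript was never
# closed explicitly (only by process teardown).
if ($Query.Name -notcontains $LAPSAdmin) {
    Write-Output "User: $LAPSAdmin does not existing on the device"
    $exitCode = 1
}
elseif ($Members.Name -notcontains $LAPSAdmin) {
    Write-Output "User $LAPSAdmin created but not member of the group"
    $exitCode = 1
}
else {
    Write-Output "User $LAPSAdmin exists on the device and member of the group"
    $exitCode = 0
}

Stop-Transcript
Exit $exitCode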
Script de remédiation (attention : le mot de passe initial ne doit pas être codé en dur dans le script — il est lisible par toute personne ayant accès au script ou aux journaux, et il est identique sur tous les postes tant que LAPS ne l'a pas remplacé ; générez-le aléatoirement au moment de la création, LAPS prendra ensuite le relais) :
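# Intune proactive-remediation REMEDIATION script for the LAPS-managed local admin.
# Creates the account if it is missing and ensures it is a member of the built-in
# Administrators group (well-known SID S-1-5-32-544). Exit 0 = success, 1 = failure.
Start-Transcript -Path "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\LAPSLocalAdmin_Remediate.log" -Append

# Name of the local account LAPS is expected to manage.
$LAPSAdmin = "Laps"

#######################################
# Build a random bootstrap password from the OS CSPRNG.
# Replaces the hard-coded literal of the original: a literal password is readable
# by anyone who can see the script and is identical on every device until LAPS
# rotates it. The value generated here is deliberately not logged or stored.
# Arguments: -Length  number of characters (default 24)
# Returns:   the password as a plain string (needed for net.exe below)
#######################################
function New-BootstrapPassword {
    param([int]$Length = 24)
    # Symbols restricted to ones that pass through the net.exe command line unchanged.
    $charset = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#%^*-_+='
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $chars = @()
    try {
        # Rejection sampling: discard bytes at or above the largest multiple of the
        # charset size so each character is equally likely (no modulo bias).
        $limit = 256 - (256 % $charset.Length)
        while ($chars.Count -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) {
                $chars += $charset[$buf[0] % $charset.Length]
            }
        }
    }
    finally {
        $rng.Dispose()
    }
    return (-join $chars)
}

# All local accounts, and the Administrators group looked up by SID
# (presumably so the script does not depend on the group's localized name).
$Query = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"
$Group = Get-WmiObject -Query "Select * From Win32_Group Where LocalAccount = TRUE And SID = 'S-1-5-32-544'"
$GroupName = $Group.Name
# Local user accounts that are members of that group (may be empty/null).
$Members = $Group.GetRelated("win32_useraccount")

# net.exe is an external command: on failure it sets $LASTEXITCODE but never throws,
# so the try/catch of the original could not catch a failed create/add. The exit
# code is checked explicitly after every call instead.
$exitCode = 0
if ($Query.Name -notcontains $LAPSAdmin) {
    Write-Output "User: $LAPSAdmin does not existing on the device, creating user"
    $password = New-BootstrapPassword
    # NOTE(review): the password is passed as a command-line argument and may show up
    # in process-creation auditing (e.g. 4688 / Sysmon). This is tolerable only because
    # it is a random one-time value that LAPS is expected to replace; verify the LAPS
    # policy actually targets $LAPSAdmin. /Y suppresses the >14-character prompt.
    net user /Add $LAPSAdmin $password /Y
    $created = ($LASTEXITCODE -eq 0)
    # Drop our reference as early as possible (best effort: .NET strings are
    # immutable, so this does not scrub memory).
    $password = $null
    if (-not $created) {
        Write-Error "Couldn't create user"
        $exitCode = 1
    }
    else {
        Write-Output "Added Local User $LAPSAdmin"
        net localgroup $GroupName $LAPSAdmin /add
        if ($LASTEXITCODE -ne 0) {
            Write-Error "Couldn't add user in the group"
            $exitCode = 1
        }
        else {
            Write-Output "Added Local User $LAPSAdmin to Administrators"
        }
    }
}
elseif ($Members.Name -notcontains $LAPSAdmin) {
    # Account exists but is not an administrator: only the group membership is missing.
    net localgroup $GroupName $LAPSAdmin /add
    if ($LASTEXITCODE -ne 0) {
        Write-Error "Couldn't add user in the group"
        $exitCode = 1
    }
    else {
        Write-Output "Added Local User $LAPSAdmin to Administrators"
    }
}
else {
    Write-Output "User $LAPSAdmin exists on the device"
}

# Close the transcript before exiting (the original exited from inside each branch,
# so Stop-Transcript was never reached).
Stop-Transcript
Exit $exitCode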