This is a very simple script to add a local administrator. You always want a backup admin account to get into a computer, because the built-in “Administrator” account should be disabled anyway. This is a simple script I use to create one that also generates a password I can store somewhere, like KeePass. Here is what it does.

Generates a 32-character complex password. Creates a local user. Adds the user to the local Administrators group. Sets the password to never expire. Spits out the password to the console window so you can copy/pasta to KeePass.

Add-Type -Assembly System.Web

$pass=[Web.Security.Membership]::GeneratePassword(32,0)

NET USER username "$pass" /ADD /y

NET LOCALGROUP "Administrators" "username" /add

WMIC USERACCOUNT WHERE "Name='username'" SET PasswordExpires=FALSE

Write-Host "$pass" -foregroundcolor red -backgroundcolor yellow

Make sure to replace all the “username” (highlighted in red) with the username you wish to create. I use this at work to create a standard backup admin user for servers. It’s always the same username with a different password for each server.
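An added example, not the author's script: the same four steps done with the LocalAccounts cmdlets that ship with Windows PowerShell 5.1, so the password reaches the account as a SecureString instead of as an argument on the NET USER command line. The default name `backupadmin` and the helper `New-RandomPassword` are placeholders chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (assumes Windows PowerShell 5.1+ with the LocalAccounts module).
param([string]$UserName = 'backupadmin')   # placeholder name, replace with your own
$ErrorActionPreference = 'Stop'            # do not add to the group if creation fails

function New-RandomPassword {
    param([int]$Length = 32)
    # Alphabet leaves out quotes and look-alike characters (I, O, l, 0, 1).
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#+-_=?@'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte  = New-Object byte[] 1
    # Largest multiple of the alphabet size that fits in one byte. Values at or
    # above it are rejected so every character is equally likely (no modulo bias).
    $limit = 256 - (256 % $alphabet.Length)
    $chars = New-Object System.Text.StringBuilder
    try {
        while ($chars.Length -lt $Length) {
            $rng.GetBytes($byte)
            if ($byte[0] -lt $limit) {
                [void]$chars.Append($alphabet[$byte[0] % $alphabet.Length])
            }
        }
    } finally { $rng.Dispose() }
    $chars.ToString()
}

# Regenerate in the (very unlikely) case a character class is missing, so the
# password always satisfies the Windows complexity policy.
do { $plain = New-RandomPassword -Length 32 }
until ($plain -cmatch '[A-Z]' -and $plain -cmatch '[a-z]' -and
       $plain -match '\d' -and $plain -match '[^A-Za-z0-9]')

$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

# Passed as a SecureString, the password never appears in a process command line,
# so it is not captured by process-creation auditing (event 4688 with command lines).
New-LocalUser -Name $UserName -Password $secure -PasswordNeverExpires `
    -Description 'Backup local administrator' | Out-Null

# S-1-5-32-544 is the built-in Administrators group; the SID also works on non-English installs.
Add-LocalGroupMember -SID 'S-1-5-32-544' -Member $UserName

# Shown once for copying into the password manager, as in the original script.
Write-Host $plain -ForegroundColor Red -BackgroundColor Yellow
```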

**UPDATE**

I realized this doesn’t work with the execution policy set to restricted. So I made a bat file that runs it from your desktop after setting the execution policy to unrestricted. What I do is copy the two files to the desktop of the server (you can do this in RDP for any Server 2008 or greater). Then right-click on the bat file and “run as administrator”. Here is the script for the bat.

Update deuce. Per a redditor’s suggestion, I took out the command to change the execution policy and bypass it instead.