xetup/scripts/00-admin-account.ps1

param(
    [object]$Config,
    [string]$LogFile
)

$ErrorActionPreference = "Continue"

function Write-Log {
    param([string]$Message, [string]$Level = "INFO")
    $line = "[$(Get-Date -Format 'HH:mm:ss')] [$Level] $Message"
    Add-Content -Path $LogFile -Value $line -Encoding UTF8
}

# -----------------------------------------------------------------------
# Read account config
# -----------------------------------------------------------------------
$accountName = "adminx9"
$accountPass = "AdminX9.AdminX9"
$accountDesc = "X9 MSP admin account"

if ($Config -and $Config.adminAccount) {
    if ($Config.adminAccount.username) { $accountName = $Config.adminAccount.username }
    if ($Config.adminAccount.password) { $accountPass = $Config.adminAccount.password }
    if ($Config.adminAccount.description) { $accountDesc = $Config.adminAccount.description }
}

Write-Log "Creating admin account: $accountName" -Level INFO

$securePass = ConvertTo-SecureString $accountPass -AsPlainText -Force

# -----------------------------------------------------------------------
# Create or update account
# -----------------------------------------------------------------------
$existing = Get-LocalUser -Name $accountName -ErrorAction SilentlyContinue

if ($existing) {
    Write-Log "  Account already exists - updating password" -Level INFO
    try {
        Set-LocalUser -Name $accountName -Password $securePass -PasswordNeverExpires $true
        Enable-LocalUser -Name $accountName
        Write-Log "  Account updated: $accountName" -Level OK
    }
    catch {
        Write-Log "  Failed to update account: $_" -Level ERROR
    }
} else {
    try {
        New-LocalUser -Name $accountName `
                      -Password $securePass `
                      -Description $accountDesc `
                      -PasswordNeverExpires `
                      -UserMayNotChangePassword `
                      -ErrorAction Stop | Out-Null
        Write-Log "  Account created: $accountName" -Level OK
    }
    catch {
        Write-Log "  Failed to create account: $_" -Level ERROR
    }
}

# -----------------------------------------------------------------------
# Add to Administrators group
# -----------------------------------------------------------------------
try {
    $adminsGroup = (Get-LocalGroup | Where-Object { $_.SID -eq "S-1-5-32-544" }).Name
    $members = Get-LocalGroupMember -Group $adminsGroup -ErrorAction SilentlyContinue |
               Where-Object { $_.Name -like "*$accountName" }
    if (-not $members) {
        Add-LocalGroupMember -Group $adminsGroup -Member $accountName -ErrorAction Stop
        Write-Log "  Added to $adminsGroup" -Level OK
    } else {
        Write-Log "  Already in $adminsGroup" -Level INFO
    }
}
catch {
    Write-Log "  Failed to add to Administrators: $_" -Level ERROR
}

# -----------------------------------------------------------------------
# Hide account from login screen
# -----------------------------------------------------------------------
try {
    $specialPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
    if (-not (Test-Path $specialPath)) {
        New-Item -Path $specialPath -Force | Out-Null
    }
    Set-ItemProperty -Path $specialPath -Name $accountName -Value 0 -Type DWord -Force
    Write-Log "  Account hidden from login screen" -Level OK
}
catch {
    Write-Log "  Failed to hide account from login screen: $_" -Level ERROR
}

Write-Log "Step 0a - Admin account complete" -Level OK
Add admin account creation and Windows activation steps - 00-admin-account.ps1: create/update adminx9, add to Administrators, hide from login screen via SpecialAccounts\UserList - 08-activation.ps1: activate via config key or GVLK fallback matched by OS edition; supports optional KMS server; skips if already active - config.json: add adminAccount block (password), activation block (productKey placeholder, kmsServer) - Deploy-Windows.ps1: add Step 0a and Step 0b before bloatware removal - Test-Deployment.ps1: add checks for admin account and activation - SPEC.md: document new steps, close open question #4 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-03-14 19:15:30 +01:00			`param(`
			`[object]$Config,`
			`[string]$LogFile`
			`)`

			`$ErrorActionPreference = "Continue"`

			`function Write-Log {`
			`param([string]$Message, [string]$Level = "INFO")`
			`$line = "[$(Get-Date -Format 'HH:mm:ss')] [$Level] $Message"`
			`Add-Content -Path $LogFile -Value $line -Encoding UTF8`
			`}`

			`# -----------------------------------------------------------------------`
			`# Read account config`
			`# -----------------------------------------------------------------------`
			`$accountName = "adminx9"`
			`$accountPass = "AdminX9.AdminX9"`
			`$accountDesc = "X9 MSP admin account"`

			`if ($Config -and $Config.adminAccount) {`
			`if ($Config.adminAccount.username) { $accountName = $Config.adminAccount.username }`
			`if ($Config.adminAccount.password) { $accountPass = $Config.adminAccount.password }`
			`if ($Config.adminAccount.description) { $accountDesc = $Config.adminAccount.description }`
			`}`

			`Write-Log "Creating admin account: $accountName" -Level INFO`

			`$securePass = ConvertTo-SecureString $accountPass -AsPlainText -Force`

			`# -----------------------------------------------------------------------`
			`# Create or update account`
			`# -----------------------------------------------------------------------`
			`$existing = Get-LocalUser -Name $accountName -ErrorAction SilentlyContinue`

			`if ($existing) {`
			`Write-Log " Account already exists - updating password" -Level INFO`
			`try {`
			`Set-LocalUser -Name $accountName -Password $securePass -PasswordNeverExpires $true`
			`Enable-LocalUser -Name $accountName`
			`Write-Log " Account updated: $accountName" -Level OK`
			`}`
			`catch {`
			`Write-Log " Failed to update account: $_" -Level ERROR`
			`}`
			`} else {`
			`try {`
			New-LocalUser -Name $accountName `
			-Password $securePass `
			-Description $accountDesc `
			-PasswordNeverExpires `
			-UserMayNotChangePassword `
			`-ErrorAction Stop \| Out-Null`
			`Write-Log " Account created: $accountName" -Level OK`
			`}`
			`catch {`
			`Write-Log " Failed to create account: $_" -Level ERROR`
			`}`
			`}`

			`# -----------------------------------------------------------------------`
			`# Add to Administrators group`
			`# -----------------------------------------------------------------------`
			`try {`
			`$adminsGroup = (Get-LocalGroup \| Where-Object { $_.SID -eq "S-1-5-32-544" }).Name`
			`$members = Get-LocalGroupMember -Group $adminsGroup -ErrorAction SilentlyContinue \|`
			`Where-Object { $_.Name -like "*$accountName" }`
			`if (-not $members) {`
			`Add-LocalGroupMember -Group $adminsGroup -Member $accountName -ErrorAction Stop`
			`Write-Log " Added to $adminsGroup" -Level OK`
			`} else {`
			`Write-Log " Already in $adminsGroup" -Level INFO`
			`}`
			`}`
			`catch {`
			`Write-Log " Failed to add to Administrators: $_" -Level ERROR`
			`}`

			`# -----------------------------------------------------------------------`
			`# Hide account from login screen`
			`# -----------------------------------------------------------------------`
			`try {`
			`$specialPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"`
			`if (-not (Test-Path $specialPath)) {`
			`New-Item -Path $specialPath -Force \| Out-Null`
			`}`
			`Set-ItemProperty -Path $specialPath -Name $accountName -Value 0 -Type DWord -Force`
			`Write-Log " Account hidden from login screen" -Level OK`
			`}`
			`catch {`
			`Write-Log " Failed to hide account from login screen: $_" -Level ERROR`
			`}`

			`Write-Log "Step 0a - Admin account complete" -Level OK`