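<#
.SYNOPSIS
    Step 0a - create (or update) the local MSP admin account, put it in the
    built-in Administrators group and hide it from the Windows login screen.

.PARAMETER Config
    Parsed configuration object. Reads Config.adminAccount.username,
    Config.adminAccount.password and Config.adminAccount.description.
    The password is mandatory: there is deliberately no built-in fallback
    credential, because one shared default would be identical on every
    machine this step is run on.

.PARAMETER LogFile
    Path of the log file that Write-Log appends to.

.NOTES
    The password arrives in clear text inside the config object; keep that
    config out of repositories, transcripts and tickets. Every action and
    every failure is written to the log so the account's creation stays
    attributable when it is later reviewed.
#>
param(
    [object]$Config,
    [string]$LogFile
)

$ErrorActionPreference = "Continue"

# Append one timestamped "[HH:mm:ss] [LEVEL] message" line to $LogFile.
function Write-Log {
    param(
        [string]$Message,
        [string]$Level = "INFO"
    )
    $line = "[$(Get-Date -Format 'HH:mm:ss')] [$Level] $Message"
    Add-Content -Path $LogFile -Value $line -Encoding UTF8
}

# -----------------------------------------------------------------------
# Read account config
# -----------------------------------------------------------------------
$accountName = "adminx9"
$accountDesc = "X9 MSP admin account"
$accountPass = $null   # no default on purpose - see .PARAMETER Config

$adminCfg = $null
if ($Config) { $adminCfg = $Config.adminAccount }
if ($adminCfg) {
    if ($adminCfg.username)    { $accountName = $adminCfg.username }
    if ($adminCfg.password)    { $accountPass = $adminCfg.password }
    if ($adminCfg.description) { $accountDesc = $adminCfg.description }
}

if (-not $accountPass) {
    # Refuse rather than provision an account with a well-known password.
    Write-Log "No adminAccount.password in config - admin account step aborted" -Level ERROR
    return
}

Write-Log "Creating admin account: $accountName" -Level INFO
$securePass = ConvertTo-SecureString $accountPass -AsPlainText -Force
# Drop the clear-text copy once the SecureString exists (hygiene only; the
# config object still holds the original).
Remove-Variable -Name accountPass -ErrorAction SilentlyContinue

# -----------------------------------------------------------------------
# Create or update account
# -----------------------------------------------------------------------
$user = Get-LocalUser -Name $accountName -ErrorAction SilentlyContinue
if ($user) {
    Write-Log " Account already exists - updating password" -Level INFO
    try {
        # -ErrorAction Stop: with $ErrorActionPreference = "Continue" these
        # cmdlets would otherwise raise non-terminating errors that bypass
        # the catch block and leave the step logged as OK.
        # -UserMayChangePassword $false mirrors the create path below.
        Set-LocalUser -Name $accountName -Password $securePass `
            -PasswordNeverExpires $true `
            -UserMayChangePassword $false `
            -ErrorAction Stop
        Enable-LocalUser -Name $accountName -ErrorAction Stop
        Write-Log " Account updated: $accountName" -Level OK
    } catch {
        Write-Log " Failed to update account: $_" -Level ERROR
    }
} else {
    try {
        $user = New-LocalUser -Name $accountName `
            -Password $securePass `
            -Description $accountDesc `
            -PasswordNeverExpires `
            -UserMayNotChangePassword `
            -ErrorAction Stop
        Write-Log " Account created: $accountName" -Level OK
    } catch {
        Write-Log " Failed to create account: $_" -Level ERROR
    }
}

if (-not $user) {
    # Without an account there is nothing to add to the group, and writing a
    # UserList entry for a non-existent name would leave a stale registry key.
    Write-Log "Step 0a - Admin account aborted: account $accountName does not exist" -Level ERROR
    return
}

# -----------------------------------------------------------------------
# Add to Administrators group
# -----------------------------------------------------------------------
try {
    # Resolve BUILTIN\Administrators by its well-known SID so a localized or
    # renamed group name does not matter.
    $adminsGroup = Get-LocalGroup | Where-Object { $_.SID -eq "S-1-5-32-544" }
    # Compare SIDs, not names: a "-like *$accountName" match also accepts
    # any other principal whose name merely ends in the account name.
    $isMember = Get-LocalGroupMember -Group $adminsGroup -ErrorAction SilentlyContinue |
        Where-Object { $_.SID -eq $user.SID }
    if (-not $isMember) {
        Add-LocalGroupMember -Group $adminsGroup -Member $user -ErrorAction Stop
        Write-Log " Added to $($adminsGroup.Name)" -Level OK
    } else {
        Write-Log " Already in $($adminsGroup.Name)" -Level INFO
    }
} catch {
    Write-Log " Failed to add to Administrators: $_" -Level ERROR
}

# -----------------------------------------------------------------------
# Hide account from login screen
# -----------------------------------------------------------------------
try {
    # UserList value 0 hides the account from the Winlogon user tile list only;
    # it remains visible to Get-LocalUser / net user and is recorded in the
    # log above, so the account stays discoverable for audit.
    $specialPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
    if (-not (Test-Path $specialPath)) {
        New-Item -Path $specialPath -Force -ErrorAction Stop | Out-Null
    }
    Set-ItemProperty -Path $specialPath -Name $accountName -Value 0 -Type DWord -Force -ErrorAction Stop
    Write-Log " Account hidden from login screen" -Level OK
} catch {
    Write-Log " Failed to hide account from login screen: $_" -Level ERROR
}

Write-Log "Step 0a - Admin account complete" -Level OK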