12 Replies Latest reply on Jan 21, 2009 9:35 AM by Ravikant

    How to deploy local user to many computers

    giesd-ro Apprentice

       

      Hi @ll

      I use ManagementSuite 8.7 SP4 and I want to deploy new local users to PCs.

      How can I handle this?

      Thanks

       

       

        • 1. Re: How to deploy local user to many computers
          Jared Barneck SupportEmployee

          Use a batch file and run a "net user" to create the user.

           

          net user /?
          The syntax of this command is:
          
          
          NET USER
          [username [password|*] [options]] [/DOMAIN]
                   username {password | *} /ADD [options] [/DOMAIN]
                   username [/DELETE] [/DOMAIN]
          

           

          • Then push the batch file.  Note: If you do not want the password in clear text in the batch file, add the user and then change the password afterwards like this:
          • Right click on any "LIVE" workstation (even though you click on one machine, you can create a task and deploy it to many workstations). It has to be "LIVE", meaning currently on and accessible, or it will grey out some things.
          • Click Manage local users and groups
          • Click the Schedule icon.
          • Enter the username and the password
          • Schedule it out to machines that succeeded in the previous batch file task.

          • 2. Re: How to deploy local user to many computers
            Jared Barneck SupportEmployee

            For an exact syntax you just need to deploy the following batch file.

             

            REM Add a user batch file
            
            net user user1 passwd! /add

             

            However, maybe you do not want the username and password in the batch file in clear text. That batch file will hang out in the ldclient\SDMCache for a short time, as well as being echoed to the sdclient_task#.log in the ldclient\data directory.

             

            So you can store the password in the command line of the Distribution Package.

             

            REM Add a user
            REM %1 is the username
            REM %2 is the password
            
            REM Turn echo off so the password is not echoed to the log
            @echo off
            net user %1 %2 /add
            

             

            Now in the distribution package simply put the username and the password in the command line.

             

            To delete a user, it is just as simple.

             

            REM Delete a user batch file
            
            net user John1 /delete

             

             

            Now you may ask, how can I add more than one user, and keep the passwords somewhat safe?  Here is a simple one-command batch file that will add all the users from a .csv file.

             

            REM Add all the users from a .csv file
            
            REM Turn echo off so the passwords are not echoed to the log
            @echo off
            FOR /F "tokens=1,2 delims=," %%a IN (users.csv) DO net user %%a %%b /add
            

             

            The .csv file would look like this:

             

            John,passwd!1234
            Jane,passwd!1234
            Jared,passwd!1234

            I think I will throw this stuff in a document.

             

            • 3. Re: How to deploy local user to many computers
              Rookie

               

              Rhyous,

               

               

               

               

               

              If you put the password in the command line for the task, does that clear text password get saved into any log or ini file on the core server?

               

               

              Also, is there any easy way to rename a local user?

               

               

              Or would you simply use two "net user" commands?  One with /delete and then one with the /add? (Actually, you'd have to use the "net group" command to add the new user to the correct group.)

               

               

              Sure would be nice if there were a "net user /rename" command.

               

               

               

               

               

              Thanks,

               

               

              Chris

               

               

              • 4. Re: How to deploy local user to many computers
                Jared Barneck SupportEmployee

                It would if ECHO is ON. If you look in the batch file, I turned ECHO OFF before running that line so that would not occur.  It should not be in any log with ECHO OFF.

                So it only exists in clear text in the distribution package, which should be fine as long as you trust your LANDesk Admins.

                If you don't trust the LANDesk admins, you may want to look at Bat2exe.

                • 5. Re: How to deploy local user to many computers
                  zman Master

                  If you use a distribution package with a command line, it gets stored in the local sdclient log files. I asked for an ER to have an option to not include this in the log files and to not gen log files at all.  We created an AutoIt script that:

                  • Code is obfuscated just in case it becomes decompiled.

                  • Use a password for decompile.

                  • Use a command line on the exe for username and password.

                  • Both username and password are encrypted so even if they see the log file it looks like 231343134JKL134LJ1 13JLKJ1324KKL134LLKLJ1234LJ1K4LJL

                  • Totally secure nothing is, but we can't use scripts for this since there is no task completion

                  AutoIt has several encryption functions: AES, Blowfish, etc...

                   

                   

                  Bat2Exe  :_|

                  • 6. Re: How to deploy local user to many computers
                    Rookie

                     

                    zman,

                     

                     

                    That is more of what I was expecting...that some log file would indeed have the command line options of a distribution task.

                     

                     

                    Sure would be nice if LDMS had the ability to add/delete/rename local users/groups for a lot of computers like they provide for changing the password for a local account.

                     

                     

                    -Chris

                     

                     

                    • 7. Re: How to deploy local user to many computers
                      Jared Barneck SupportEmployee

                      We have a separate way to change the password that works just fine and is encrypted.

                       

                      To send a secure password,

                      1. Right click on any machine that is awake and has cba access.

                      2. Choose Manage Local Users and Groups

                      3. Click the Schedule Icon from that window.

                      4. Fill out the name and the password.

                       

                      The problem is that that process doesn't add the user if it does not exist.  It is adding the user account first that is tricky.  You could add the account without a password first using the batch file, but usually there are password restrictions that prevent this. If there are no password restrictions, then one batch file job to add a user and a second job to securely set the password afterwards using our Manage Local Users and Groups options would work.

                      • 8. Re: How to deploy local user to many computers
                        Jared Barneck SupportEmployee

                        I guess you could push out the new user first, with some ugly password like this: Passwd!1234 so you get past the password requirements, and then you can use the other way to set the password.

                         

                        It is still two jobs though.

                         

                        I agree that it would be nice if the process scheduled task to change the password would add the user account if it is not there.  You should submit a case and ask for it to be enhanced.

                        • 9. Re: How to deploy local user to many computers
                          Jared Barneck SupportEmployee

                          One more thing...when I first tested this, it was not in any logs if ECHO was turned Off.  But we have greatly enhanced our logging and now as of 8.8 it is in these logs:

                           

                          sdclient_##.log

                          servicehost.log

                           

                          You can basically find out which logs it is in by doing a search for files containing your password string.
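
The search suggested in reply 9, as an added example that is not part of the original thread and not LANDesk code: a PowerShell (3.0 or later) script that lists which files under the agent folder contain a given string, without ever displaying that string. `-LdClientRoot` is an assumed parameter, because the thread names only the `ldclient` subfolders and not the full path.

```powershell
# Added example (PowerShell 3.0+), not LANDesk code.
# Assumption: -LdClientRoot is this machine's ldclient folder; the thread
# names only its subfolders (data, SDMCache), not the full path.
param(
    [Parameter(Mandatory = $true)]
    [string]$LdClientRoot
)

if (-not (Test-Path -LiteralPath $LdClientRoot -PathType Container)) {
    throw "Folder not found: $LdClientRoot"
}

# Read the string without echoing it, so it is not shown on screen or
# captured by a transcript while hunting for it.
$secure = Read-Host -Prompt 'String to search for' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $needle = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
if ([string]::IsNullOrEmpty($needle)) { throw 'Empty search string.' }

# Literal, case-sensitive match over every file (logs and cached packages).
# Only file names and line numbers are kept; the matching text is discarded.
$hits = Get-ChildItem -LiteralPath $LdClientRoot -Recurse -File -ErrorAction SilentlyContinue |
    Select-String -SimpleMatch -CaseSensitive -Pattern $needle -ErrorAction SilentlyContinue |
    Group-Object -Property Path |
    ForEach-Object {
        [pscustomobject]@{
            File      = $_.Name
            Hits      = $_.Count
            Lines     = ($_.Group | ForEach-Object { $_.LineNumber }) -join ','
            LastWrite = (Get-Item -LiteralPath $_.Name).LastWriteTime
        }
    }

if ($hits) { $hits | Format-Table -AutoSize -Wrap }
else       { 'No file under the folder contains the string.' }
```

Any file it lists still holds the credential in clear text, so the password can then be changed through the encrypted Manage Local Users and Groups task described in reply 7.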

                          • 10. Re: How to deploy local user to many computers
                            Rookie

                            Actually, if you go back to my initial post above (#3), what I really need is a way to rename the local admin account.   There doesn't appear to be a convenient way to just rename a local account....beyond doing a net user /delete, net user /add.

                            • 11. Re: How to deploy local user to many computers
                              zman Master

                              Yep, and I believe it all still assumes machines are on and there is no task completion. Maybe someday built in, but scripting is the only real way now.

                              • 12. Re: How to deploy local user to many computers
                                Apprentice

                                So is it still the case that the only way to do this is by using scripts, or has there been a new feature?