
[beta] User Creation Tool



Updated first post, bringing this guy to v.0.4 ...

Got rid of the external applications used to set the password age and to change the computer name, and implemented WMI calls instead, added an option in the INI file to invoke the 'Confirm' dialog and finally added tooltips, for every control ...

:P

CF

[Edit]

Updated again to 0.4.1 (reverted to external tools since WMI was breaking the code at T13)

Updated yet again to 0.5 combining both WMI and external tool calls depending on the system state (at T13 the external tools are used, otherwise WMI is used)

Edited by cancerface

  • 2 weeks later...

Yet another update, check the first post

Major changes this time as I managed to figure out how to use direct API calls to netapi32 and kernel32 in order to create the user and change the computer name :w00t:

This means that there is no longer the need for any external tools or for native windows tools (such as net.exe and wmi.exe) ...

I successfully tested this in a working XP box as well as during a deployment at T13.

However, the API code breaks in Windows 2k, so I have removed the support for that OS until I can figure out another way to add the user to a group in 2k.

v.0.6 Changelog

- Added a check for OS type (will only run in XP/2K3)

- Added a check for admin privileges

- Added options to parse the computername/username sections

- The computername is set using a direct kernel32 API call

- The user is created using a direct netapi32 API call

- Changed the interface and added a computer Icon

:yes:

CF


After discovering a bug in v0.6 that would not add the created user to any group, I had to release a new version ... In the process I also managed to get this little tool to work in Windows 2000! So here is the new version ...

(check first post)

v.0.7 Changelog

- Fixed nasty bug from 0.6 that wouldn't add the user to a group

- Added support for Windows 2000

- Added support for non-English Windows versions (I hope ...)

Enjoy!

CF


  • 2 weeks later...

Following the discussion with DarkShadows in this thread I tried to implement the idea of securing the new administrator’s password using the LsaStorePrivateData method. It is a simple process if we want to create an account with admin privileges, since this new account will be able to access the stored encrypted password in an autologon scenario. Unfortunately this is not the case for a new, regular user, since the LsaStorePrivateData will only allow the creator of a secret and any members of the administrators group to read the secret. This means that in order to create a simple user and enable autologon without exposing his/her password as a clear text entry in the system registry then we would have to somehow create a login session for this user, impersonate him/her then encrypt and store the password.

The LsaStorePrivateData method is not however perfect, as the information stored (DefaultPassword in our case) can be found in HKLM\SECURITY\Policy\Secrets\DefaultPassword. Since there are ways to dump the content of the above key and decrypt the data, I am currently looking for another way of encrypting the password, using the CryptProtectData function of Win2k/XP.

In version v0.8 of this tool I have added support for the LsaStorePrivateData functionality. If you create a user with administrator’s privileges and enable autologon, the user’s password will not be stored in the registry as clear text, but will be encrypted so that it will be more difficult for a non-admin user to gain access to this information. In fact this is the process that TweakUI (XP) is using in order to store the DefaultPassword, used for autologon sessions, in the registry.

v0.8 Changelog

- Added support for LsaStorePrivateData functionality (password encryption for autologon)

- Fixed a bug with user enumeration at T12

Updated 1st post and uploaded the new version

:)

CF


> In fact this is the process that TweakUI (XP) is using in order to store the DefaultPassword, used for autologon sessions, in the registry.

It looks like it's also the method the Run command control userpasswords2 uses at least in Win XP SP2. I tested this method in two machines and DefaultPassword is absent in the registry key.

Good piece of work your program!


> Good piece of work your program!

Thanks Takeshi, glad you like it :)

> I tested this method in two machines and DefaultPassword is absent in the registry key.

Well, the DefaultPassword entry from HKLM\Software\Microsoft\Windows NT\WinLogon is missing (the clear-text password), but the Default password is in fact stored in the registry, encrypted, under the HKLM\SECURITY\Policy\Secrets\DefaultPassword key, which you need to manually access using admin privileges. In other words it is more secure than the clear text method, but not perfect, yet :)

I am experimenting with another method suggested by M$ which is a bit more complicated but guarantees better encryption, as suggested in this MSDN page ...

CF
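
The distinction drawn in the post above (a clear-text DefaultPassword value under Winlogon versus a password held only as an LSA secret) can be checked from a registry export. The following is an added example, not part of the thread or of the tool it discusses; the function names and sample exports are constructed for illustration, and the key path is the full Winlogon path that the thread abbreviates.

```python
import re

# Full path of the Winlogon key (the thread abbreviates it).
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # "name"="string"
_UNESC = re.compile(r"\\(.)")  # .reg files escape \ and " with a backslash


def winlogon_values(reg_text):
    """Return the REG_SZ values under the Winlogon key of a .reg export."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == WINLOGON.lower()
        elif in_key:
            m = _VALUE.match(line)
            if m:
                name, data = (_UNESC.sub(r"\1", g) for g in m.groups())
                values[name.lower()] = data
    return values


def audit_autologon(reg_text):
    """Classify how an exported Winlogon key exposes the autologon password."""
    v = winlogon_values(reg_text)
    enabled = v.get("autoadminlogon") == "1"
    if v.get("defaultpassword"):
        # Readable by anyone who can read the Winlogon key.
        return "cleartext-password" if enabled else "stale-cleartext-password"
    # No clear-text value: with autologon on, the password is held elsewhere
    # (the LSA secret the thread describes), which this export cannot show.
    return "no-cleartext-password" if enabled else "autologon-disabled"


def _export(*lines):
    """Build a constructed .reg export of the Winlogon key for the demo."""
    return "Windows Registry Editor Version 5.00\n\n[%s]\n%s\n" % (WINLOGON, "\n".join(lines))


# Constructed sample exports (not taken from any real machine).
SAMPLE_CLEARTEXT = _export('"AutoAdminLogon"="1"', '"DefaultUserName"="deploy"',
                           r'"DefaultPassword"="Constructed\\Pass1"')
SAMPLE_LSA = _export('"AutoAdminLogon"="1"', '"DefaultUserName"="deploy"')
SAMPLE_STALE = _export('"AutoAdminLogon"="0"', r'"DefaultPassword"="Constructed\\Pass1"')

if __name__ == "__main__":
    for name in ("SAMPLE_CLEARTEXT", "SAMPLE_LSA", "SAMPLE_STALE"):
        print(name, "->", audit_autologon(globals()[name]))
```

Files written by `reg export` are UTF-16, so decode them with `encoding="utf-16"` before passing the text to `audit_autologon`.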


> What is PC description for? Didn't even know Windows had this... seems useless to me!

ControlPanel->System->Computer Name->Computer Description ;)

It's the description that appears when you browse a network for a certain computer ...

> It would be great if I could set the Network name

Can you elaborate a bit more on that? As far as I can see here my tool changes both the Physical NetBios and DNS hostname ... I am calling SetComputerNameEx for ComputerNamePhysicalNetBIOS and ComputerNamePhysicalDnsHostname ...

Are you referring to a fully qualified domain name? Something like mypc.somewhere.com?

CF


No, I don't mean PC name, I mean Workgroup name. If you have a (wireless) network, the network must have a name...

Right-click My Computer, tab Computer Name, then the Modify button; now you can set a Workgroup name (or choose a domain name if the PC is in a domain, but that's not for home users I suppose).


@ZileXa

That's on my list of things to do :yes:

I am using NetJoinDomain to add the workstation to a workgroup. I have to test a few things in non XP systems and then I'll release a new version.

I am also working on including a list of known MACs in the INI file with references to specific computer names so that a name will be automatically picked up if a MAC address is detected ...

CF


I liked ZileXa's suggestion to add support for joining a workgroup so I uploaded yet another version of this tool bringing it to v0.9


v.0.9 Changelog

- Added new option to join the computer to a workgroup

- Generate secure autologin password for non admin users (ie no clear text passwords in the registry)

- Removed the 'ForceNewName' switch (not needed)

- Fixed error that occurred when enumerating users at T12

- Rewrote the administrator check code

- Added an option to disable the timeout

Updated the first post and uploaded version 0.9.

Enjoy :)

CF

Edited by cancerface

Awesome app, CF. I plan on adding it to my unattended routine, no doubt.

In my case, I rename the admin account via WINNT.sif and supply the password there as well. The install runs and boots to the Desktop, where I install other apps and such. A batch file then runs to capture the settings, copying them over to the Default User profile. I would like to use your tool at that point to create additional users so that, upon reboot, all of the users would appear on a Welcome Screen. So my questions:

1. Is there anything that would prevent me from running the tool multiple times to create new users?

2. To what group is the user added if the "Add to Admin group" is unchecked?

Sorry but I have not had time to try your tool, I know the answers would present themselves at that time to me. But if you know off the top of your head...? Thanks in advance.


> Awesome app, CF. I plan on adding it to my unattended routine, no doubt.

Glad you like it blinkdt :yes:

> 1. Is there anything that would prevent me from running the tool multiple times to create new users?

Not at all. You would have to provide a new NewUser.ini file for each user that you wish to create. Set the EnableTimeOut to 1 and the TimeOut to something like 1000 (1 sec) then write new values for the [userInfo] section and execute the program again. Don't forget to add ParseComputerSection=0 after the first execution (you don't want to change the computer name/workgroup again!)

> 2. To what group is the user added if the "Add to Admin group" is unchecked?

It is the Users group or whatever name that group has in the system language.

> In my case, I rename the admin account via WINNT.sif and supply the password there as well.

My idea was to use an encrypted password at WINNT.SIF for the administrator which means that autologon would not work, but then run the program at T12, create a new admin account and enable autologon so that the new password would not appear in the registry. This is not perfect of course since the password would still be as plain text in NewUser.ini (for now, at least).

Although my intention was not to create a tool that would handle multiple accounts, this suggestion has come up twice so far. I am only creating one account at T12 with admin privileges and then RunOnce occurs in that account's namespace. The point of having the GUI is to be able to change that account's information in case I wanted to install on another computer.

If however I had a list of standard users to be created I doubt that I would be using a GUI. I would go with oobe or with a simple batch script that would use net.exe commands to create the users.

Another idea would be to leave the GUI with the option to generate one admin account and at the same time to add a switch that would force the program to parse yet another section (or sections) that would contain the details of other users to be created (who would belong to the Users group), without asking for these details via the GUI. I am open to suggestions :)

CF

Edited by cancerface

This is something I've been looking for! Now only if I knew how to create multiple dif users

Has anyone tried this??

Incredible little app I've been playing with for over 8 months...it can do anything from adding multiple users (along w/ password expiration, set 'primary user', set roaming profiles, set user specific registry entries, etc) to installing files. Pretty sweet, no?

You can set it up to do only user setup, file setup or both.

Edited by razormoon

I have a little problem with this nice utility. It cannot start at all! :)

It says: "you do not have admin priviliges - aborting!".

I have tried on win2k3 and on winxppro. Maybe the Hungarian localization is the root of the problem?

Joc

Edited by Joc