PowerShell, Windows 10, Windows 11, Windows Server

Hands-Off Admin Password Rotation for MSPs: PS

August 18, 2021

Table of Contents

Reading Time: 14 minutes

🔐 The Never-Ending Password Talk

After working previously at an MSP that had automated password rotation for computers and servers at our ready, it made the process of remote support so much faster and less annoying, I knew I wanted to replicate it. No Excel sheets to open, no password managers and MFA codes to get through. They had a separate application for it. When I moved to a new employer without it I figured out how to do it with PowerShell.

The passwords are generated in memory and not logged on the Windows machines, instead the RMM agent monitors the script output in memory and records it to the corresponding endpoint’s RMM attribute value of the particular RMM solution. In these scripts provided below, they are currently set for Action1, but commented out notes at the bottom explain how to implement with ConnectWise Automate or Datto RMM.

💭 Key Considerations Before Scripting

Before diving into automation, here are essential things to keep in mind when designing password rotation scripts:

Passwords should be rotated on a regular schedule.
Passwords must be complex and randomly generated.
You should always have access to the updated password.
Passwords should never be stored on the endpoint where they can be retrieved by attackers.

🛠️ Safe for RMM Integration

I spent time testing scripts previously for Datto RMM, which can easily schedule jobs and execute PowerShell scripts across endpoints. When the job runs, the script is temporarily copied to the endpoint and executed from a path like:

Plaintext

C:\ProgramData\CentraStage\Packages\d0b49e6e-9eb6-48bf-8e28-99271b329f93#\command.ps1

C:\ProgramData\CentraStage\Packages\d0b49e6e-9eb6-48bf-8e28-99271b329f93#\command.ps1

The GUID in the path is unique for each execution. The generated password is not stored on the endpoint. After the script runs, the output (including the new password) is accessible via the “StdOut” link in Datto RMM, allowing you to copy and paste it into the target system using tools like Splashtop or Web Remote.

While the password is briefly available in memory, it’s never saved to disk—providing a decent security trade-off. If malware is already present and capable of reading memory, you’re compromised regardless.

🔄 Administrator Password Rotation Script

Here is a script to rotate the Administrator password for either a Domain or Local account named "Administrator". On a domain controller or Windows client endpoint, the built-in Administrator account already exists and should never be deleted, so this script just aims to rotate its password.

PowerShell

<#
.DESCRIPTION
    This script will randomize a 16-character password that will consist of Upper-case, Lower-case, Numerals, and Symbols and apply it to the domain or local user account in Windows named Administrator.

.NOTES
    SETTINGS:
        Username       : Administrator
        PasswordLength : 16
        CharacterSet   : Upper-case, Lower-case, Numerals, and Symbols
        RMM Target     : Action1 Custom Attribute "Administrator Password"

    Script Name : _Set RMM Value - Password Rotation - Administrator - v2.7
    Version     : 2.7
    Author      : WinReflection (www.winreflection.com), in collaboration with ChatGPT.
    RMMs        : Action1 (Custom Attributes)
    Requirements:
        - Administrator or SYSTEM privileges.
        - Local admin rights.
        - On domain controllers: ActiveDirectory module available.
        - Action1 agent with Action1-Set-CustomAttribute cmdlet.
        - PowerShell 5.1 or Windows Management Framework 5.1 on older operating systems such as Windows Server 2012/2012 R2 and Windows 8/8.1 to provide the required cmdlets (for example, Get-LocalUser and Set-LocalUser).

    CHANGELOG:
        v2.7 - Added a runtime check to verify that PowerShell 5.1 or newer is available, and exit with a clear message if the requirement is not met. Simplified logic to rotate the existing "Administrator" account without attempting to create it if missing.
        v2.6 - Documented the requirement for PowerShell 5.1 / Windows Management Framework 5.1 on older systems such as Windows Server 2012/2012 R2 and Windows 8/8.1.
        v2.5 - Added explicit detection of the local "Administrator" account and safer handling when it already exists.
        v2.0 - Standardized formatting, added header, SETTINGS, and RMM notes. Logic unchanged.
        v1.x - Initial implementation for local and domain "Administrator" account rotation and Action1 attribute update.
#>

# =====================================================================
# REGION: Config.
# =====================================================================

$ErrorActionPreference = 'Stop'
$Username              = 'Administrator'   # Account name to rotate.

# =====================================================================
# REGION: PowerShell Version Check.
# =====================================================================

# Verify that the current PowerShell version is 5.1 or newer.
$psMajor = $PSVersionTable.PSVersion.Major
$psMinor = $PSVersionTable.PSVersion.Minor

if (
    ($psMajor -lt 5) -or
    ($psMajor -eq 5 -and $psMinor -lt 1)
) {
    Write-Output "PowerShell 5.1 or newer is required for this script. Current version: $($PSVersionTable.PSVersion)."
    return
}

# =====================================================================
# REGION: Functions.
# =====================================================================

function New-RandomPassword {
    <#
    .DESCRIPTION
        Generates a random password.
    .PARAMETER Length
        Length of the generated password.
    #>
    param(
        [int]$Length = 16
    )

    # Use a single flat character set to keep it simple and avoid infinite loops.
    $chars = 'ABCDEFGHJKMNOPQRSTUVWXYZabcdefghjkmnopqrstuvwxyz0123456789!#$%&*+=?@'.ToCharArray()
    $max   = $chars.Length

    -join (1..$Length | ForEach-Object {
        $chars[(Get-Random -Min 0 -Max $max)]
    })
}

# =====================================================================
# REGION: Environment Detection.
# =====================================================================

# Detect whether this is a domain controller (ProductType = 2).
$IsDomainController = $false
try {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ErrorAction Stop
    if ($os.ProductType -eq 2) {
        $IsDomainController = $true
    }
}
catch {
    # If detection fails, assume a non-domain controller rather than hanging.
    $IsDomainController = $false
}

# =====================================================================
# REGION: Main Logic.
# =====================================================================

# Generate the new password and convert it to a secure string.
$Passwd       = New-RandomPassword -Length 16
$PasswdSecStr = ConvertTo-SecureString $Passwd -AsPlainText -Force

if (-not $IsDomainController) {
    # --------------------------------------------------------------
    # Non-domain controller: Use the local "Administrator" account.
    # --------------------------------------------------------------

    # Try to detect whether the local "Administrator" account already exists.
    $LocalAdministrator = $null
    try {
        $LocalAdministrator = Get-LocalUser -Name $Username -ErrorAction Stop
    }
    catch [Microsoft.PowerShell.Commands.UserNotFoundException] {
        # The local "Administrator" account does not exist.
        Write-Output "The local 'Administrator' account was not found. No changes were made."
        return
    }
    catch {
        # If Get-LocalUser fails for another reason, report the error and exit.
        Write-Output "Failed to query the local 'Administrator' account. Error: $($_.Exception.Message)"
        return
    }

    if ($null -ne $LocalAdministrator) {
        # The local "Administrator" account exists, so rotate the password.
        try {
            # On newer systems, set the password and mark it as never expiring.
            Set-LocalUser -Name $Username -Password $PasswdSecStr -PasswordNeverExpires $true
        }
        catch {
            # On older systems without PasswordNeverExpires support, only set the password.
            Set-LocalUser -Name $Username -Password $PasswdSecStr
        }
    }

    # --------------------------------------------------------------
    # RMM Integration: Action1 custom attribute.
    # --------------------------------------------------------------
    Action1-Set-CustomAttribute "Administrator Password" "$Passwd"
    # ConnectWise Automate: Write-Output $Passwd.
    # Datto RMM: Add UDF application code here to store $Passwd (not included in this script).
}
else {
    # --------------------------------------------------------------
    # Domain controller: Use the domain "Administrator" account.
    # --------------------------------------------------------------

    # Import the ActiveDirectory module if it is not already loaded.
    if (-not (Get-Module ActiveDirectory -ErrorAction SilentlyContinue)) {
        Import-Module ActiveDirectory -ErrorAction Stop -Verbose:$false | Out-Null
    }

    try {
        # Verify that the domain "Administrator" account exists.
        $null = Get-ADUser -Identity $Username -ErrorAction Stop
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # The domain "Administrator" account does not exist.
        Write-Output "The domain 'Administrator' account was not found. No changes were made."
        return
    }
    catch {
        # If Get-ADUser fails for another reason, report the error and exit.
        Write-Output "Failed to query the domain 'Administrator' account. Error: $($_.Exception.Message)"
        return
    }

    try {
        # Rotate the password on the existing domain user account.
        Set-ADAccountPassword -Identity $Username -Reset -NewPassword $PasswdSecStr
        Set-ADUser -Identity $Username -PasswordNeverExpires $true
    }
    catch {
        Write-Output "Failed to rotate the password for the domain 'Administrator' account. Error: $($_.Exception.Message)"
        return
    }

    # --------------------------------------------------------------
    # RMM Integration: Action1 custom attribute.
    # --------------------------------------------------------------
    Action1-Set-CustomAttribute "Administrator Password" "$Passwd"
    # ConnectWise Automate: Write-Output $Passwd.
    # Datto RMM: Add UDF application code here to store $Passwd (not included in this script).
}

<#
.DESCRIPTION
    This script will randomize a 16-character password that will consist of Upper-case, Lower-case, Numerals, and Symbols and apply it to the domain or local user account in Windows named Administrator.

.NOTES
    SETTINGS:
        Username       : Administrator
        PasswordLength : 16
        CharacterSet   : Upper-case, Lower-case, Numerals, and Symbols
        RMM Target     : Action1 Custom Attribute "Administrator Password"

    Script Name : _Set RMM Value - Password Rotation - Administrator - v2.7
    Version     : 2.7
    Author      : WinReflection (www.winreflection.com), in collaboration with ChatGPT.
    RMMs        : Action1 (Custom Attributes)
    Requirements:
        - Administrator or SYSTEM privileges.
        - Local admin rights.
        - On domain controllers: ActiveDirectory module available.
        - Action1 agent with Action1-Set-CustomAttribute cmdlet.
        - PowerShell 5.1 or Windows Management Framework 5.1 on older operating systems such as Windows Server 2012/2012 R2 and Windows 8/8.1 to provide the required cmdlets (for example, Get-LocalUser and Set-LocalUser).

    CHANGELOG:
        v2.7 - Added a runtime check to verify that PowerShell 5.1 or newer is available, and exit with a clear message if the requirement is not met. Simplified logic to rotate the existing "Administrator" account without attempting to create it if missing.
        v2.6 - Documented the requirement for PowerShell 5.1 / Windows Management Framework 5.1 on older systems such as Windows Server 2012/2012 R2 and Windows 8/8.1.
        v2.5 - Added explicit detection of the local "Administrator" account and safer handling when it already exists.
        v2.0 - Standardized formatting, added header, SETTINGS, and RMM notes. Logic unchanged.
        v1.x - Initial implementation for local and domain "Administrator" account rotation and Action1 attribute update.
#>

# =====================================================================
# REGION: Config.
# =====================================================================

$ErrorActionPreference = 'Stop'
$Username              = 'Administrator'   # Account name to rotate.

# =====================================================================
# REGION: PowerShell Version Check.
# =====================================================================

# Verify that the current PowerShell version is 5.1 or newer.
$psMajor = $PSVersionTable.PSVersion.Major
$psMinor = $PSVersionTable.PSVersion.Minor

if (
    ($psMajor -lt 5) -or
    ($psMajor -eq 5 -and $psMinor -lt 1)
) {
    Write-Output "PowerShell 5.1 or newer is required for this script. Current version: $($PSVersionTable.PSVersion)."
    return
}

# =====================================================================
# REGION: Functions.
# =====================================================================

function New-RandomPassword {
    <#
    .DESCRIPTION
        Generates a random password.
    .PARAMETER Length
        Length of the generated password.
    #>
    param(
        [int]$Length = 16
    )

    # Use a single flat character set to keep it simple and avoid infinite loops.
    $chars = 'ABCDEFGHJKMNOPQRSTUVWXYZabcdefghjkmnopqrstuvwxyz0123456789!#$%&*+=?@'.ToCharArray()
    $max   = $chars.Length

    -join (1..$Length | ForEach-Object {
        $chars[(Get-Random -Min 0 -Max $max)]
    })
}

# =====================================================================
# REGION: Environment Detection.
# =====================================================================

# Detect whether this is a domain controller (ProductType = 2).
$IsDomainController = $false
try {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ErrorAction Stop
    if ($os.ProductType -eq 2) {
        $IsDomainController = $true
    }
}
catch {
    # If detection fails, assume a non-domain controller rather than hanging.
    $IsDomainController = $false
}

# =====================================================================
# REGION: Main Logic.
# =====================================================================

# Generate the new password and convert it to a secure string.
$Passwd       = New-RandomPassword -Length 16
$PasswdSecStr = ConvertTo-SecureString $Passwd -AsPlainText -Force

if (-not $IsDomainController) {
    # --------------------------------------------------------------
    # Non-domain controller: Use the local "Administrator" account.
    # --------------------------------------------------------------

    # Try to detect whether the local "Administrator" account already exists.
    $LocalAdministrator = $null
    try {
        $LocalAdministrator = Get-LocalUser -Name $Username -ErrorAction Stop
    }
    catch [Microsoft.PowerShell.Commands.UserNotFoundException] {
        # The local "Administrator" account does not exist.
        Write-Output "The local 'Administrator' account was not found. No changes were made."
        return
    }
    catch {
        # If Get-LocalUser fails for another reason, report the error and exit.
        Write-Output "Failed to query the local 'Administrator' account. Error: $($_.Exception.Message)"
        return
    }

    if ($null -ne $LocalAdministrator) {
        # The local "Administrator" account exists, so rotate the password.
        try {
            # On newer systems, set the password and mark it as never expiring.
            Set-LocalUser -Name $Username -Password $PasswdSecStr -PasswordNeverExpires $true
        }
        catch {
            # On older systems without PasswordNeverExpires support, only set the password.
            Set-LocalUser -Name $Username -Password $PasswdSecStr
        }
    }

    # --------------------------------------------------------------
    # RMM Integration: Action1 custom attribute.
    # --------------------------------------------------------------
    Action1-Set-CustomAttribute "Administrator Password" "$Passwd"
    # ConnectWise Automate: Write-Output $Passwd.
    # Datto RMM: Add UDF application code here to store $Passwd (not included in this script).
}
else {
    # --------------------------------------------------------------
    # Domain controller: Use the domain "Administrator" account.
    # --------------------------------------------------------------

    # Import the ActiveDirectory module if it is not already loaded.
    if (-not (Get-Module ActiveDirectory -ErrorAction SilentlyContinue)) {
        Import-Module ActiveDirectory -ErrorAction Stop -Verbose:$false | Out-Null
    }

    try {
        # Verify that the domain "Administrator" account exists.
        $null = Get-ADUser -Identity $Username -ErrorAction Stop
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # The domain "Administrator" account does not exist.
        Write-Output "The domain 'Administrator' account was not found. No changes were made."
        return
    }
    catch {
        # If Get-ADUser fails for another reason, report the error and exit.
        Write-Output "Failed to query the domain 'Administrator' account. Error: $($_.Exception.Message)"
        return
    }

    try {
        # Rotate the password on the existing domain user account.
        Set-ADAccountPassword -Identity $Username -Reset -NewPassword $PasswdSecStr
        Set-ADUser -Identity $Username -PasswordNeverExpires $true
    }
    catch {
        Write-Output "Failed to rotate the password for the domain 'Administrator' account. Error: $($_.Exception.Message)"
        return
    }

    # --------------------------------------------------------------
    # RMM Integration: Action1 custom attribute.
    # --------------------------------------------------------------
    Action1-Set-CustomAttribute "Administrator Password" "$Passwd"
    # ConnectWise Automate: Write-Output $Passwd.
    # Datto RMM: Add UDF application code here to store $Passwd (not included in this script).
}

🔄 Support Password Rotation Script

This script is different in that it aims to provide password rotation for either a Domain or Local account named "Support". However, it also works as an onboarding script for new Windows endpoints to create the Support account on either a Windows client, DC, or member server so that you can get access to Admin rights fast.

PowerShell

<#
.DESCRIPTION
    This script will randomize a 16-character password that will consist of Upper-case, Lower-case, Numerals, and Symbols and apply it to the domain or local user account in Windows named Support.

.NOTES
    SETTINGS:
        Username       : Support
        PasswordLength : 16
        CharacterSet   : Upper-case, Lower-case, Numerals, and Symbols
        RMM Target     : Action1 Custom Attribute "Support Password"

    Script Name : _Set RMM Value - Password Rotation - Support - v2.7
    Version     : 2.7
    Author      : WinReflection (www.winreflection.com), in collaboration with ChatGPT.
    RMMs        : Action1 (Custom Attributes)
    Requirements:
        - Administrator or SYSTEM privileges.
        - Local admin rights.
        - On domain controllers: ActiveDirectory module available.
        - Action1 agent with Action1-Set-CustomAttribute cmdlet.
        - PowerShell 5.1 or Windows Management Framework 5.1 on older operating systems such as Windows Server 2012/2012 R2 and Windows 8/8.1 to provide the required cmdlets (for example, Get-LocalUser and Set-LocalUser).

    CHANGELOG:
        v2.7 - Added a runtime check to verify that PowerShell 5.1 or newer is available, and exit with a clear message if the requirement is not met.
        v2.6 - Documented the requirement for PowerShell 5.1 / Windows Management Framework 5.1 on older systems such as Windows Server 2012/2012 R2 and Windows 8/8.1.
        v2.5 - Added explicit detection of the local "Support" account and safer handling when it already exists, including a fallback path for UserExistsException during creation.
        v2.0 - Standardized formatting, added header, SETTINGS, and RMM notes. Logic unchanged.
        v1.x - Initial implementation for local and domain "Support" account rotation and Action1 attribute update.
#>

# =====================================================================
# REGION: Config.
# =====================================================================

$ErrorActionPreference = 'Stop'
$Username              = 'Support'   # Account name to rotate.

# =====================================================================
# REGION: PowerShell Version Check.
# =====================================================================

# Verify that the current PowerShell version is 5.1 or newer.
$psMajor = $PSVersionTable.PSVersion.Major
$psMinor = $PSVersionTable.PSVersion.Minor

if (
    ($psMajor -lt 5) -or
    ($psMajor -eq 5 -and $psMinor -lt 1)
) {
    Write-Output "PowerShell 5.1 or newer is required for this script. Current version: $($PSVersionTable.PSVersion)."
    return
}

# =====================================================================
# REGION: Functions.
# =====================================================================

function New-RandomPassword {
    <#
    .DESCRIPTION
        Generates a random password.
    .PARAMETER Length
        Length of the generated password.
    #>
    param(
        [int]$Length = 16
    )

    # Use a single flat character set to keep it simple and avoid infinite loops.
    $chars = 'ABCDEFGHJKMNOPQRSTUVWXYZabcdefghjkmnopqrstuvwxyz0123456789!#$%&*+=?@'.ToCharArray()
    $max   = $chars.Length

    -join (1..$Length | ForEach-Object {
        $chars[(Get-Random -Min 0 -Max $max)]
    })
}

# =====================================================================
# REGION: Environment Detection.
# =====================================================================

# Detect whether this is a domain controller (ProductType = 2).
$IsDomainController = $false
try {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ErrorAction Stop
    if ($os.ProductType -eq 2) {
        $IsDomainController = $true
    }
}
catch {
    # If detection fails, assume a non-domain controller rather than hanging.
    $IsDomainController = $false
}

# =====================================================================
# REGION: Main Logic.
# =====================================================================

# Generate the new password and convert it to a secure string.
$Passwd       = New-RandomPassword -Length 16
$PasswdSecStr = ConvertTo-SecureString $Passwd -AsPlainText -Force

if (-not $IsDomainController) {
    # --------------------------------------------------------------
    # Non-domain controller: Use the local "Support" account.
    # --------------------------------------------------------------

    # Try to detect whether the local "Support" account already exists.
    $LocalSupport = $null
    try {
        $LocalSupport = Get-LocalUser -Name $Username -ErrorAction Stop
    }
    catch [Microsoft.PowerShell.Commands.UserNotFoundException] {
        # The local "Support" account does not exist.
        $LocalSupport = $null
    }
    catch {
        # If Get-LocalUser fails for another reason, leave $LocalSupport as $null and rely on New-LocalUser.
        $LocalSupport = $null
    }

    if ($null -ne $LocalSupport) {
        # The local "Support" account exists, so rotate the password.
        try {
            # On newer systems, set the password and mark it as never expiring.
            Set-LocalUser -Name $Username -Password $PasswdSecStr -PasswordNeverExpires $true
        }
        catch {
            # On older systems without PasswordNeverExpires support, only set the password.
            Set-LocalUser -Name $Username -Password $PasswdSecStr
        }
    }
    else {
        # The local "Support" account does not exist, so attempt to create it.
        try {
            # Create the local admin account.
            New-LocalUser -Name $Username -Password $PasswdSecStr -FullName $Username | Out-Null

            # Attempt to set the password to never expire if the platform supports it.
            try {
                Set-LocalUser -Name $Username -PasswordNeverExpires $true
            }
            catch {
                # Ignore this step if PasswordNeverExpires is not supported.
            }

            # Add the account to the local Administrators group.
            Add-LocalGroupMember -Group 'Administrators' -Member $Username | Out-Null
        }
        catch [Microsoft.PowerShell.Commands.UserExistsException] {
            # If the user already exists at creation time, fall back to rotating the password.
            try {
                # On newer systems, set the password and mark it as never expiring.
                Set-LocalUser -Name $Username -Password $PasswdSecStr -PasswordNeverExpires $true
            }
            catch {
                # On older systems without PasswordNeverExpires support, only set the password.
                Set-LocalUser -Name $Username -Password $PasswdSecStr
            }
        }
    }

    # --------------------------------------------------------------
    # RMM Integration: Action1 custom attribute.
    # --------------------------------------------------------------
    Action1-Set-CustomAttribute "Support Password" "$Passwd"
    # ConnectWise Automate: Write-Output $Passwd.
    # Datto RMM: Add UDF application code here to store $Passwd (not included in this script).
}
else {
    # --------------------------------------------------------------
    # Domain controller: Use the domain "Support" account.
    # --------------------------------------------------------------

    # Import the ActiveDirectory module if it is not already loaded.
    if (-not (Get-Module ActiveDirectory -ErrorAction SilentlyContinue)) {
        Import-Module ActiveDirectory -ErrorAction Stop -Verbose:$false | Out-Null
    }

    try {
        # Rotate the password on the existing domain user account.
        $null = Get-ADUser -Identity $Username -ErrorAction Stop

        Set-ADAccountPassword -Identity $Username -Reset -NewPassword $PasswdSecStr
        Set-ADUser -Identity $Username -PasswordNeverExpires $true
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # Create the domain user if it does not already exist.
        New-ADUser -Name $Username `
                   -SamAccountName $Username `
                   -AccountPassword $PasswdSecStr `
                   -Enabled $true `
                   -PasswordNeverExpires $true | Out-Null

        # Add the account to the desired group, such as Administrators or Domain Admins.
        Add-ADGroupMember -Identity 'Administrators' -Members $Username -ErrorAction Stop
    }

    # --------------------------------------------------------------
    # RMM Integration: Action1 custom attribute.
    # --------------------------------------------------------------
    Action1-Set-CustomAttribute "Support Password" "$Passwd"
    # ConnectWise Automate: Write-Output $Passwd.
    # Datto RMM: Add UDF application code here to store $Passwd (not included in this script).
}

<#
.DESCRIPTION
    This script will randomize a 16-character password that will consist of Upper-case, Lower-case, Numerals, and Symbols and apply it to the domain or local user account in Windows named Support.

.NOTES
    SETTINGS:
        Username       : Support
        PasswordLength : 16
        CharacterSet   : Upper-case, Lower-case, Numerals, and Symbols
        RMM Target     : Action1 Custom Attribute "Support Password"

    Script Name : _Set RMM Value - Password Rotation - Support - v2.7
    Version     : 2.7
    Author      : WinReflection (www.winreflection.com), in collaboration with ChatGPT.
    RMMs        : Action1 (Custom Attributes)
    Requirements:
        - Administrator or SYSTEM privileges.
        - Local admin rights.
        - On domain controllers: ActiveDirectory module available.
        - Action1 agent with Action1-Set-CustomAttribute cmdlet.
        - PowerShell 5.1 or Windows Management Framework 5.1 on older operating systems such as Windows Server 2012/2012 R2 and Windows 8/8.1 to provide the required cmdlets (for example, Get-LocalUser and Set-LocalUser).

    CHANGELOG:
        v2.7 - Added a runtime check to verify that PowerShell 5.1 or newer is available, and exit with a clear message if the requirement is not met.
        v2.6 - Documented the requirement for PowerShell 5.1 / Windows Management Framework 5.1 on older systems such as Windows Server 2012/2012 R2 and Windows 8/8.1.
        v2.5 - Added explicit detection of the local "Support" account and safer handling when it already exists, including a fallback path for UserExistsException during creation.
        v2.0 - Standardized formatting, added header, SETTINGS, and RMM notes. Logic unchanged.
        v1.x - Initial implementation for local and domain "Support" account rotation and Action1 attribute update.
#>

# =====================================================================
# REGION: Config.
# =====================================================================

$ErrorActionPreference = 'Stop'
$Username              = 'Support'   # Account name to rotate.

# =====================================================================
# REGION: PowerShell Version Check.
# =====================================================================

# Verify that the current PowerShell version is 5.1 or newer.
$psMajor = $PSVersionTable.PSVersion.Major
$psMinor = $PSVersionTable.PSVersion.Minor

if (
    ($psMajor -lt 5) -or
    ($psMajor -eq 5 -and $psMinor -lt 1)
) {
    Write-Output "PowerShell 5.1 or newer is required for this script. Current version: $($PSVersionTable.PSVersion)."
    return
}

# =====================================================================
# REGION: Functions.
# =====================================================================

function New-RandomPassword {
    <#
    .DESCRIPTION
        Generates a random password.
    .PARAMETER Length
        Length of the generated password.
    #>
    param(
        [int]$Length = 16
    )

    # Use a single flat character set to keep it simple and avoid infinite loops.
    $chars = 'ABCDEFGHJKMNOPQRSTUVWXYZabcdefghjkmnopqrstuvwxyz0123456789!#$%&*+=?@'.ToCharArray()
    $max   = $chars.Length

    -join (1..$Length | ForEach-Object {
        $chars[(Get-Random -Min 0 -Max $max)]
    })
}

# =====================================================================
# REGION: Environment Detection.
# =====================================================================

# Detect whether this is a domain controller (ProductType = 2).
$IsDomainController = $false
try {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ErrorAction Stop
    if ($os.ProductType -eq 2) {
        $IsDomainController = $true
    }
}
catch {
    # If detection fails, assume a non-domain controller rather than hanging.
    $IsDomainController = $false
}

# =====================================================================
# REGION: Main Logic.
# =====================================================================

# Generate the new password and convert it to a secure string.
$Passwd       = New-RandomPassword -Length 16
$PasswdSecStr = ConvertTo-SecureString $Passwd -AsPlainText -Force

if (-not $IsDomainController) {
    # --------------------------------------------------------------
    # Non-domain controller: Use the local "Support" account.
    # --------------------------------------------------------------

    # Try to detect whether the local "Support" account already exists.
    $LocalSupport = $null
    try {
        $LocalSupport = Get-LocalUser -Name $Username -ErrorAction Stop
    }
    catch [Microsoft.PowerShell.Commands.UserNotFoundException] {
        # The local "Support" account does not exist.
        $LocalSupport = $null
    }
    catch {
        # If Get-LocalUser fails for another reason, leave $LocalSupport as $null and rely on New-LocalUser.
        $LocalSupport = $null
    }

    if ($null -ne $LocalSupport) {
        # The local "Support" account exists, so rotate the password.
        try {
            # On newer systems, set the password and mark it as never expiring.
            Set-LocalUser -Name $Username -Password $PasswdSecStr -PasswordNeverExpires $true
        }
        catch {
            # On older systems without PasswordNeverExpires support, only set the password.
            Set-LocalUser -Name $Username -Password $PasswdSecStr
        }
    }
    else {
        # The local "Support" account does not exist, so attempt to create it.
        try {
            # Create the local admin account.
            New-LocalUser -Name $Username -Password $PasswdSecStr -FullName $Username | Out-Null

            # Attempt to set the password to never expire if the platform supports it.
            try {
                Set-LocalUser -Name $Username -PasswordNeverExpires $true
            }
            catch {
                # Ignore this step if PasswordNeverExpires is not supported.
            }

            # Add the account to the local Administrators group.
            Add-LocalGroupMember -Group 'Administrators' -Member $Username | Out-Null
        }
        catch [Microsoft.PowerShell.Commands.UserExistsException] {
            # If the user already exists at creation time, fall back to rotating the password.
            try {
                # On newer systems, set the password and mark it as never expiring.
                Set-LocalUser -Name $Username -Password $PasswdSecStr -PasswordNeverExpires $true
            }
            catch {
                # On older systems without PasswordNeverExpires support, only set the password.
                Set-LocalUser -Name $Username -Password $PasswdSecStr
            }
        }
    }

    # --------------------------------------------------------------
    # RMM Integration: Action1 custom attribute.
    # --------------------------------------------------------------
    Action1-Set-CustomAttribute "Support Password" "$Passwd"
    # ConnectWise Automate: Write-Output $Passwd.
    # Datto RMM: Add UDF application code here to store $Passwd (not included in this script).
}
else {
    # --------------------------------------------------------------
    # Domain controller: Use the domain "Support" account.
    # --------------------------------------------------------------

    # Import the ActiveDirectory module if it is not already loaded.
    if (-not (Get-Module ActiveDirectory -ErrorAction SilentlyContinue)) {
        Import-Module ActiveDirectory -ErrorAction Stop -Verbose:$false | Out-Null
    }

    try {
        # Rotate the password on the existing domain user account.
        $null = Get-ADUser -Identity $Username -ErrorAction Stop

        Set-ADAccountPassword -Identity $Username -Reset -NewPassword $PasswdSecStr
        Set-ADUser -Identity $Username -PasswordNeverExpires $true
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # Create the domain user if it does not already exist.
        New-ADUser -Name $Username `
                   -SamAccountName $Username `
                   -AccountPassword $PasswdSecStr `
                   -Enabled $true `
                   -PasswordNeverExpires $true | Out-Null

        # Add the account to the desired group, such as Administrators or Domain Admins.
        Add-ADGroupMember -Identity 'Administrators' -Members $Username -ErrorAction Stop
    }

    # --------------------------------------------------------------
    # RMM Integration: Action1 custom attribute.
    # --------------------------------------------------------------
    Action1-Set-CustomAttribute "Support Password" "$Passwd"
    # ConnectWise Automate: Write-Output $Passwd.
    # Datto RMM: Add UDF application code here to store $Passwd (not included in this script).
}

These scripts have been tested but perhaps I missed something. In any case, they’re provided for you to paste into ChatGPT or other AIs if you wish to improve upon them, but this should be a great starting point.

✅ Conclusion

This approach allows you to automate password changes without manual intervention. If someone leaves your MSP or gains unauthorized access, the password will rotate on the next schedule. You can even set it to rotate hourly for extra peace of mind.

🌿 Final Thoughts

Have ideas for improving this process or using a different tool? I’d love to hear how you’re handling password rotation in your environment.

WinReflection

My name is Dex, author at WinReflection.

I am a Christian, conservative, problem-solver, and truth-seeker who is not afraid to share about important or controversial issues—silence leads to death. There’s more to life than the worldly status quo, and that’s why many are sad and depressed—they’re suffocating. Truth and purpose can bring fresh air into one’s life, and that’s my mission. For those that care, here is my script/command laboratory.

📖 John 3:16: For God so loved the world that He gave His one and only Son, that whoever believes in Him shall not perish but have eternal life.

August 18, 2021/0 Comments/by WinReflection

0 replies

Want to join the discussion?
Feel free to contribute!

🌍 Share Jesus Christ

💧
Living Waters

What does it mean to be a good person? Many people believe they are good by comparing themselves to others, but God’s standard reveals the truth of the heart. Learn how to lovingly walk people through that question, point them toward repentance, and share the Gospel with clarity, humility, and courage. Discover how to bring Living Waters to those around you and make a real difference.

➜Click: here►

Open on YouTube if the embedded controls act up.

🌐 Helpful IT Tools

🧰
Tech Toolkit

Here are some IT resources for your journey.

➜Click: herer/

Community help for sysadmins and IT pros.

➜Click: hereF

Windows tools, OS discussions, and tech fixes.

➜Click: hereS

Server hardware, parts, and refurbished gear.

⚙️
Driver Updater

Need an easy way to update drivers without all the manual work? I’ve found Driver Easy to be the best program for this. It also finds updates for drivers that you may never have been able to find yourself or that the OEM never released.

➜Click: hereDE

Scan and update missing or outdated drivers.

🕶️
Blue Light Blocking Glasses

These have been a lifesaver—no magnification or distortion, and they help reduce headaches, improve sleep, and ease eye strain after a full workday.

➜Click: hereA

Non-magnifying glasses for screen-heavy days.

📄
Ditch Adobe PDF

A free PDF editor that does the job. Forget Adobe and their anti-consumer practices.

➜Click: hereW

Free PDF editing without Adobe subscription pressure.

🐧
My Favorite Linux Distro

Zorin OS is a great Linux distro for people familiar with Windows. It can also be installed on old hardware to bring new life to it via their Lite version.

➜Click: hereZ

Windows-friendly Linux for new or older PCs.

🛠️
Windows PE Recovery USB Tools

PhoenixPE is the best PE builder I’ve used—an ultra-light Windows RE–based bootable USB that runs in RAM and supports apps/tools for password resets (unencrypted drives), backups, and data recovery.

➜Click: hereGH

Build a recovery USB for repairs and recovery.

💿
Customize Windows Media

Need to modify Windows installation media to integrate the latest updates, device drivers, and more with a nice interface?

➜Click: hereW

Customize Windows ISOs with updates and drivers.

💊 Cancer Cure?

🧬
Cancer-Related Resource Review

The resources below include articles, personal accounts, and product references involving ivermectin, fenbendazole, and related supplements that are sometimes discussed in cancer-related conversations online. This content is provided for informational review only, is not medical advice, and should not be understood as established cancer treatment guidance. Personal accounts are not the same as clinical evidence. Consult a licensed healthcare professional before making any treatment decisions.

➜Click: herePMC

PubMed Central research review.

➜Click: hereR

Personal fenbendazole cancer testimony.

➜Click: here►

Video discussion on cancer-related claims.

➜Click: here►

Video discussion on alternative protocols.

➜Click: hereIMG

Reference image with protocol notes.

💊
Vendor References

These vendor links are included as product-source references only. Their presence here does not imply medical recommendation, safety, effectiveness, or suitability for any condition.

➜Click: hereP

Ivermectin vendor reference.

➜Click: hereP

Online pharmacy vendor reference.

➜Click: hereP

Generic pharmacy vendor reference.

🍄
Turkey Tail Mushroom

The links below are examples of outside discussion and product references related to turkey tail mushroom.

➜Click: here►

Turkey tail mushroom video segment.

➜Click: hereA

Turkey tail product reference.

🧪
Methylene Blue

The links below are examples of outside discussion and product references related to methylene blue.

➜Click: here►

Methylene blue short video.

➜Click: hereA

Methylene blue product reference.

🎥
David Lester Straight

The materials below are discussion and reference links related to statements made in the video.

➜Click: here►

Out of Babylon with David Straight (6/8).

➜Click: hereP

del-IMMUNE V product reference.

➜Click: here►

Related immune support video.

➜Click: here►

Related probiotic discussion video.

➜Click: hereP

Seed probiotic product source.

➜Click: hereA

Amazon probiotic product reference.

➜Click: hereA

Amazon 100-strain probiotic reference.

I take my probiotic supplements with Kefir for extra power and effect right away in the morning and before bed.

🪥
Probiotic Toothpaste

This section includes oral-care and supplement references mentioned alongside probiotic use.

➜Click: hereA

Probiotic toothpaste product reference.

❓ Once Saved, Always Saved?

🛡️
Your Minimum Work

A Christian is called to combat sin in their daily life while also asking for forgiveness and repenting. Some say this doesn’t sound like “good news” but hold on.

God wants those in Heaven that choose Him and His ways, obeying Him.

📖
John 14:15

“If you love Me, you will keep My commandments.”

Jesus said this as a call to love shown through obedience.

Disobeying Jesus after knowing His sacrifice is worse than never understanding it. It’s about your heart posture towards Christ and working with Him to improve and make yourself more Holy and fit for Heaven. Not perfect, but improving and not giving up.

➜Click: here►

OBE Testimony

😔 Are You Depressed?

🧠
Mental Health Discussion

A chemical imbalance in the brain? Perhaps not—review the links below and consider whether it may be worth exploring a different approach to mental health with a qualified medical professional.

➜Click: here►

Video discussing chemical imbalance claims.

➜Click: here►

Follow-up mental health discussion video.

⚙️
Magnesium & Depression Research

The article “Rapid recovery from major depression using magnesium treatment” by George A. Eby and Karen L. Eby was published in Medical Hypotheses in 2006. Review it as an informational research reference only, and discuss magnesium or any supplement changes with a qualified medical professional.

➜Click: herePM

PubMed record for the magnesium article.

➜Click: hereDOI

DOI link for the published article.

🦠
Probiotics

➜Click: hereA

Amazon 100-strain probiotic reference.

It may be beneficial to eat more fermented foods like Kefir and others to support regular gut health. Always discuss with a medical professional first before taking anything.

🍬
L-Tryptophan Gummies

L-Tryptophan is a supplement some people explore for mood and sleep support. Discuss with a qualified medical professional before use, especially if taking medications.

➜Click: hereA

L-Tryptophan gummies product reference.

⚡
L-Tyrosine Gummies

L-Tyrosine is a supplement some people explore for focus, stress, and dopamine support. Discuss with a qualified medical professional before use.

➜Click: hereA

L-Tyrosine gummies product reference.

🌿
St. John’s Wort Gummies

St. John’s Wort is a supplement some people use for mood support and mild depressive symptoms. I am not on any medications and decided to try it, and I have been feeling amazing! Use caution, especially if taking antidepressants or other medications, and discuss it with a qualified medical professional before use.

➜Click: hereA

St. John’s Wort product reference.

👑 Crowns in Heaven

🏆
Heavenly Rewards

How we live after giving our lives to Jesus Christ matters. Salvation is a gift of grace, but Scripture reminds us that our faithfulness, obedience, sacrifice, and love for Christ are not forgotten. Every act done for the Lord, every trial endured with faith, and every life poured out for His Kingdom will be seen by God and rewarded in eternity. Be encouraged to live today with heaven in view, knowing that what is surrendered to Christ will never be wasted.

➜Click: here►

Open on YouTube if the embedded controls act up.

⛪ 501(c)(3) Churches

⚔️
Spiritual Leadership

Too many leaders stay silent—whether from fear of losing tax exempt status or from spiritual hesitation. Meanwhile, compromised leadership leaves the Church vulnerable.

📖
Luke 20:25

“Then give back to Caesar what is Caesar’s, and to God what is God’s.”

➜Click: here►

Video discussion on Church leadership and silence.

➜Click: here►

Related video on courage and spiritual responsibility.

🏛️
Christian Nationalism

If pastors fear losing tax-exempt status and refuse to get involved, how can we build Christ’s Church the way Scripture commands? Spiritual leaders are called to shepherd with courage, speak truth, and equip believers—not retreat from the public square when obedience becomes costly.

➜Click: here►

Short video on Christian Nationalism and discernment.

💐 You Must Forgive

🕊️
Choose Forgiveness

As a Christian, you’re called to forgive those who have hurt you. Forgiveness doesn’t always mean trusting them again or letting them back into your life; it means releasing the anger, bitterness, and hurt so you can be free from the poison that a grudge creates. Sometimes you must practice this every day when memories resurface. Pray and ask the Lord to help you finally lay to rest what has been done in the past.

➜Click: here►

Open on YouTube if the embedded controls act up.

✒️ Don’t Get Chipped

💳
Cashless System & Digital ID

The next technology for a cashless system and Digital ID has already been invented, just not forced on us yet. Don’t cave.

➜Click: hereW

World Economic Forum article on RFID microchips.

➜Click: hereW

USA Today article on future chip adoption.

📖
Revelation 13:16–17

“It also forced all people, great and small, rich and poor, free and slave, to receive a mark on their right hands or on their foreheads, so that they could not buy or sell unless they had the mark, which is the name of the beast or the number of its name.”

🔥 Increase Testosterone

🌿
Natural Testosterone Support

Fadogia Agrestis and Tongkat Ali are herbs some people use in support of natural testosterone goals. The materials below are provided for informational review only and should not be understood as medical advice. Product links are included as source references only. Use caution, cycle thoughtfully, and discuss supplements with a qualified healthcare professional before use.

➜Click: here►

Video discussion on Fadogia and testosterone support.

➜Click: here►

Video discussion on Tongkat Ali and hormone support.

➜Click: hereA

Fadogia Agrestis product source reference.

➜Click: hereA

Tongkat Ali product source reference.

🕵️‍♂️ Find Missing People

🕊️
Word of Knowledge

The Holy Spirit can grant many gifts in Christianity, including the Word of Knowledge. After prayer, some believers seek insight for missing-person cases and share it with law enforcement. Counterfeits exist in New Age, occult, and remote-viewing practices, which mix truth with deception; by contrast, the Holy Spirit is the Spirit of truth.

➜Click: here►

Short video on spiritual insight and discernment.

➜Click: hereW

Article on prophetic insight and missing-person cases.

👽 Biblical View on UFOs

🛸
Aliens, Fallen Angels & Discernment

The Biblical view suggests “aliens” may be fallen angels—spiritual beings from a non-physical reality inhabiting a physical entity to complete a malicious goal. Understanding this helps us discern truth from deception in today’s world.

➜Click: here►

Video on aliens, fallen angels, and discernment.

🏔️
Philip Schneider | Dulce Base War

➜Click: here►

Part 1: Mystery Beneath the Mesa.

➜Click: here►

Part 2: War Beneath the Mesa.

🔭
Bob Lazar’s Testimonies

➜Click: here►

Bob Lazar UNSEEN Interview.

➜Click: here►

Bob Lazar & JRE interview.

🙏 Shots Bad!

✝️
Jesus Christ, the Master Healer

Jesus Christ is the Master Healer. If you are concerned about your health, bring your worries to Him in prayer and ask for wisdom, peace, and healing. Faith can help you stand strong in difficult times, while wise medical guidance can help you make informed decisions about your care.

➜Click: hereR

Rumble panel discussion with medical doctors.

➜Click: here►

YouTube video on health-related concerns.

➜Click: hereIG

Instagram reel with a short health-related clip.

➜Click: here►

Additional YouTube video for further review.

Hands-Off Admin Password Rotation for MSPs: PS

🔐 The Never-Ending Password Talk

💭 Key Considerations Before Scripting

🛠️ Safe for RMM Integration

🔄 Administrator Password Rotation Script

🔄 Support Password Rotation Script

✅ Conclusion

🌿 Final Thoughts

Leave a Reply

Leave a Reply Cancel reply