AD域控组策略------禁用所有本地账号，只启用Administrator账号并统一重置密码

news/2026/1/18 20:53:48/文章来源:https://www.cnblogs.com/xiykj/p/19499099

powershell脚本代码如下【已在Windows7、Windows10、Windows11系统上测试功能正常】保存为*.ps1文件，组策略中调用此脚本，计算机配置------策略------Windows设置------脚本（启动/关机）------启动中引用脚本即可，先以下范围OU测试下，测试没问题再全范围推进

# Windows全自动账户管理脚本
# 功能：全自动禁用所有本地账户，启用Administrator，重置密码
# 要求：以管理员身份运行
# 特点：无确认提示，直接执行# 强制脚本以管理员身份运行
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {Write-Host "错误：请以管理员身份运行此脚本！" -ForegroundColor RedWrite-Host "右键点击PowerShell -> 以管理员身份运行" -ForegroundColor YellowStart-Sleep -Seconds 3exit 1
}# 配置参数
$AdminAccount = "Administrator"
$NewPassword = "XiykjAdmin@123456#"
$LogFile = "C:\Windows\Temp\AutoAdminReset_$(Get-Date -Format 'yyyyMMdd_HHmmss').log"# 开始日志记录
$logContent = @()
function Write-Log {param($Message, $Type = "INFO")$timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"$logEntry = "[$timestamp] [$Type] $Message"$logContent += $logEntryWrite-Host $logEntry
}Write-Log "Windows全自动账户管理脚本开始执行"
Write-Log "脚本版本: 3.0"
Write-Log "操作系统: $((Get-CimInstance Win32_OperatingSystem).Caption)"
Write-Log "计算机名: $env:COMPUTERNAME"Write-Log "========================================================"
Write-Log "正在全自动执行以下操作："
Write-Log "  1. 获取所有本地用户账户"
Write-Log "  2. 禁用所有非系统账户（除Administrator外）"
Write-Log "  3. 启用Administrator账户"
Write-Log "  4. 重置Administrator密码为: $NewPassword"
Write-Log "[自动模式] 跳过确认，直接执行..."
Write-Log "========================================================"# 步骤1：获取所有本地用户
Write-Log "步骤1: 获取所有本地用户账户..."
try {$localUsers = @()# 兼容Windows 7的获取用户方法if ($PSVersionTable.PSVersion.Major -ge 3) {$localUsers = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount='True'" -ErrorAction Stop} else {$localUsers = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'" -ErrorAction Stop}$userCount = $localUsers.CountWrite-Log "共找到 $userCount 个本地用户"# 显示用户列表foreach ($user in $localUsers) {Write-Log "  发现用户: $($user.Name) (SID: $($user.SID))"}
} catch {Write-Log "获取用户失败: $_" -Type "ERROR"# 尝试使用net user命令try {$netUsers = net user 2>&1 | Where-Object {$_ -match '^\s*(\S+)\s*$' -and $_ -notmatch '命令成功完成|The command completed successfully|User accounts for'}$userCount = $netUsers.CountWrite-Log "通过net user获取到 $userCount 个用户"} catch {Write-Log "所有获取用户方法都失败" -Type "ERROR"$userCount = 0}
}# 步骤2：禁用所有非Administrator用户
Write-Log "步骤2: 禁用所有非Administrator用户..."
$disabledCount = 0# 需要跳过的系统账户
$systemAccounts = @("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "DefaultAccount")foreach ($user in $localUsers) {$userName = $user.Name# 跳过系统账户和Administratorif ($userName -eq $AdminAccount -or $systemAccounts -contains $userName) {continue}# 跳过系统SID账户if ($user.SID -match "^S-1-5-(18|19|20|21-.*-500)$") {Write-Log "  跳过系统账户: $userName"continue}Write-Log "  正在禁用用户: $userName"# 使用net user命令禁用（最兼容）try {$result = net user $userName /active:no 2>&1if ($LASTEXITCODE -eq 0 -or $result -match "命令成功完成|The command completed successfully") {Write-Log "    ✓ 成功禁用" -Type "SUCCESS"$disabledCount++} else {Write-Log "    ✗ 禁用失败: $result" -Type "ERROR"}} catch {Write-Log "    ✗ 禁用失败: $_" -Type "ERROR"}
}# 步骤3：启用Administrator账户
Write-Log "步骤3: 启用Administrator账户..."
$adminEnabled = $falsetry {# 使用net user命令启用$result = net user $AdminAccount /active:yes 2>&1if ($LASTEXITCODE -eq 0 -or $result -match "命令成功完成|The command completed successfully") {Write-Log "  ✓ Administrator已启用" -Type "SUCCESS"$adminEnabled = $true} else {Write-Log "  ! 启用失败，尝试创建账户" -Type "WARNING"# 尝试创建Administrator账户$result = net user $AdminAccount $NewPassword /add /active:yes 2>&1if ($LASTEXITCODE -eq 0) {Write-Log "  ✓ 创建并启用成功" -Type "SUCCESS"# 添加到管理员组net localgroup administrators $AdminAccount /add 2>&1 | Out-NullWrite-Log "  ✓ 已添加到管理员组" -Type "SUCCESS"$adminEnabled = $true} else {Write-Log "  ✗ 创建失败: $result" -Type "ERROR"}}
} catch {Write-Log "  ✗ 启用Administrator失败: $_" -Type "ERROR"
}# 步骤4：重置Administrator密码
Write-Log "步骤4: 重置Administrator密码..."
$passwordReset = $falseif ($adminEnabled) {try {$result = net user $AdminAccount $NewPassword 2>&1if ($LASTEXITCODE -eq 0 -or $result -match "命令成功完成|The command completed successfully") {Write-Log "  ✓ 密码重置成功" -Type "SUCCESS"$passwordReset = $true# 设置密码永不过期try {net accounts /maxpwage:unlimited 2>&1 | Out-NullWrite-Log "  ✓ 密码永不过期已设置" -Type "SUCCESS"} catch {Write-Log "  ! 设置密码永不过期失败" -Type "WARNING"}} else {Write-Log "  ✗ 密码重置失败: $result" -Type "ERROR"}} catch {Write-Log "  ✗ 密码重置失败: $_" -Type "ERROR"}
}# 步骤5：验证结果
Write-Log "步骤5: 验证操作结果..."# 验证Administrator是否已启用
try {$adminStatus = net user $AdminAccount 2>&1 | Select-String "帐户已启用|Account active"if ($adminStatus -match "是|Yes") {Write-Log "  ✓ Administrator账户状态: 已启用" -Type "SUCCESS"} else {Write-Log "  ✗ Administrator账户状态: 未启用" -Type "ERROR"}
} catch {Write-Log "  ! 无法验证Administrator状态" -Type "WARNING"
}# 完成摘要
Write-Host "`n" + ("=" * 60) -ForegroundColor Green
Write-Host "                   操作完成摘要" -ForegroundColor Green
Write-Host "=" * 60 -ForegroundColor Green
Write-Host ""
Write-Host "统计信息:" -ForegroundColor Yellow
Write-Host "  发现本地用户总数: $userCount" -ForegroundColor White
Write-Host "  已禁用的用户数: $disabledCount" -ForegroundColor White
Write-Host "  Administrator账户状态: $(if($adminEnabled){'已启用'}else{'失败'})" -ForegroundColor $(if($adminEnabled){'Green'}else{'Red'})
Write-Host "  密码重置状态: $(if($passwordReset){'成功'}else{'失败'})" -ForegroundColor $(if($passwordReset){'Green'}else{'Red'})
Write-Host ""
Write-Host "登录信息:" -ForegroundColor Yellow
Write-Host "  用户名: $AdminAccount" -ForegroundColor White
Write-Host "  密码: $NewPassword" -ForegroundColor White
Write-Host ""
Write-Host "系统信息:" -ForegroundColor Yellow
Write-Host "  计算机名: $env:COMPUTERNAME" -ForegroundColor White
Write-Host "  执行时间: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')" -ForegroundColor White
Write-Host ""
Write-Host "重要提示:" -ForegroundColor Red
Write-Host "  1. 所有非系统本地账户已被禁用" -ForegroundColor Yellow
Write-Host "  2. 建议重启计算机使更改生效" -ForegroundColor Yellow
Write-Host "  3. 请立即使用新密码测试Administrator登录" -ForegroundColor Yellow
Write-Host "  4. 日志文件: $LogFile" -ForegroundColor Cyan# 记录摘要到日志
$logContent += "=" * 60
$logContent += "操作完成摘要:"
$logContent += "  发现本地用户总数: $userCount"
$logContent += "  已禁用的用户数: $disabledCount"
$logContent += "  Administrator账户状态: $(if($adminEnabled){'已启用'}else{'失败'})"
$logContent += "  密码重置状态: $(if($passwordReset){'成功'}else{'失败'})"
$logContent += "  登录信息:"
$logContent += "    用户名: $AdminAccount"
$logContent += "    密码: $NewPassword"
$logContent += "  系统信息:"
$logContent += "    计算机名: $env:COMPUTERNAME"
$logContent += "    执行时间: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"# 保存日志文件，日志文件保存在客户端C:\Windows\Temp\AutoAdminReset_*.log文件[本功能已注释，防止运行一次生成日志文件占用存储，开启删除<# #>即可]
<# try {$logContent | Out-File -FilePath $LogFile -Encoding UTF8Write-Log "详细日志已保存到: $LogFile" -Type "INFO"
} catch {Write-Log "保存日志失败: $_" -Type "ERROR"
} #>