Configure Local User Account with DSC

Yesterday I posted an article on how to use PowerShell and the [ADSI] type accelerator to set a local user account. However, if you are running PowerShell 4.0 you have another option: Desired State Configuration (DSC).

I’m going to assume you have some basic understanding of how DSC works. If not, head over to the Public OneDrive folder for PowerShell.org and grab a copy of the free DSC ebook.

DSC ships with a provider resource for user accounts.


Because of the account password, the official stance is to use a certificate to handle encrypting the password. You can read about that on the PowerShell team blog. But that’s more than I want to deal with right now, plus I trust the security of my local test network so my configurations will store the passwords as plain text in the resulting MOFs. I suppose I should show you the script I came up with.

This script is intended to define a set of MOFs for computers in my Globomantics domain that all start with “CHI”. The script takes an array of computernames. From there it defines the configuration, defines the necessary configuration data to allow plain text passwords and then executes the configuration. The configuration also has a Group resource to add the account to the local Administrators group. Note the DependsOn setting in the group configuration. This ensures that the account will be set up before adding it to the group.

To create the configurations I run my script specifying the computer names.

PowerShell will prompt me for the credentials. When finished I am left with a MOF file for each computer under C:\Scripts\LocalUserAccounts, because I specified an output path. When I’m ready, I can push the configuration to the servers:
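The script itself is not reproduced on this page. The following is an added example, not the author's original script, showing one way to write the configuration described above with the plain-text setting beside the certificate-based alternative. The node names, the configuration and resource instance names, and the `CertificateFile`/`Thumbprint` parameters (one shared certificate for all nodes) are assumptions.

```powershell
# Added example. Node names, the configuration name and the certificate
# parameters are assumptions, not values from the original script.
param(
    [string[]]$ComputerName = @('CHI-SRV01', 'CHI-SRV02'),  # constructed names
    [string]$OutputPath = 'C:\Scripts\LocalUserAccounts',
    [string]$CertificateFile,  # .cer (public key) of the nodes' encryption cert
    [string]$Thumbprint        # thumbprint of that cert; supply your own
)

Configuration LocalUserAccounts {
    param([Parameter(Mandatory)][pscredential]$Credential)
    $user = $Credential.GetNetworkCredential().UserName

    Node $AllNodes.NodeName {
        User LocalAccount {
            UserName = $user
            Password = $Credential   # PSCredential carrying the password
            Ensure   = 'Present'
        }
        Group Administrators {
            GroupName        = 'Administrators'
            MembersToInclude = $user
            Ensure           = 'Present'
            DependsOn        = '[User]LocalAccount'  # create the account first
        }
    }
}

$ConfigData = @{
    AllNodes = @(foreach ($name in $ComputerName) {
        $node = @{ NodeName = $name }
        if ($CertificateFile -and $Thumbprint) {
            # Encrypted: the MOF carries the password encrypted to this certificate.
            # Each node's LCM must have CertificateID set to the same thumbprint.
            $node.CertificateFile = $CertificateFile
            $node.Thumbprint      = $Thumbprint
        } else {
            # Plain text, as in the article: the password is readable in the MOF.
            $node.PSDscAllowPlainTextPassword = $true
        }
        $node
    })
}

$cred = Get-Credential -Message 'Name and password for the local account'
LocalUserAccounts -Credential $cred -ConfigurationData $ConfigData -OutputPath $OutputPath

# Push the generated MOFs to the nodes.
Start-DscConfiguration -Path $OutputPath -Wait -Verbose
```

When the plain-text branch is used, anyone who can read the MOF files under the output path can read the account password.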

And that’s it! I can verify using the NET USER command in a remote session.


DSC promises to change the way IT Pros get their work done, and in a positive way!

3 thoughts on “Configure Local User Account with DSC”

  1. I was just wondering what we could leverage DSC to do. This is a great idea. Use DSC to manage those troublesome local settings like local accounts.

    Thanks Jeff

    • Be aware that my example is putting the password in clear text in the MOF. The better way uses certificates and encryption.

      • I know but the idea is worth it. We can use DSC for other local account issues that can be a headache to maintain or change.

        It would be nice if Microsoft extended GP to use some elements of DSC. Managing change is important. It needs to be effortless.
