limehawk_admin_profile_branding.ps1 - limehawk/rmm-scripts GitHub Wiki

limehawk_admin_profile_branding.ps1

Standardized Limehawk MSP automation for administrator account management and branding.

Overview

This script automates the management of local administrator accounts on Windows systems, including the built-in Administrator account and a custom MSP admin account. It handles password rotation, account branding (profile pictures and wallpaper), and synchronization with SuperOps RMM platform.

Purpose

Standardized Limehawk MSP automation to:

  1. Remove the provisioning account "limehawk" (user + profile) safely
  2. Ensure the built-in Administrator account (SID *-500) is enabled and named
  3. Set Administrator Full Name (display) per policy
  4. Generate & set a strong random password, push to SuperOps custom field
  5. Apply Administrator account picture (multi-size) and wallpaper

Prerequisites

Windows / Runtime Requirements

  • PowerShell 5.1+
  • Run as local Administrator (elevated)
  • Local user management available (Server/Client SKUs)
  • Access to C:\Users\Administrator\NTUSER.DAT (profile must exist/loaded steps below)

SuperOps Requirements

  • $SuperOpsModule available (Import-Module on line 1)
  • Runtime cmdlet Send-CustomField available to update "Admin Password"
  • Internet egress to SuperOps endpoint via the SuperOps agent/runtime

Configuration

Required Inputs

All inputs are hardcoded in the script settings section:

Feature Toggles:

  • $RemoveLimehawkAccount: Remove local "limehawk" user + profile(s) (boolean)
  • $StandardizeAdminName: Ensure account name is literally "Administrator" (boolean)

Account Names:

  • $BuiltInAdminNewName: Name for the built-in Administrator account (default: "hawkadmin")
  • $MspAdminName: Name for the MSP admin account (default: "limehawk")

Branding:

  • $AdminFullName: Administrator Full Name/display name (default: "Limehawk")
  • $PhotoSource: Path to profile picture PNG
  • $WallpaperPath: Path to wallpaper PNG

SuperOps Custom Fields:

  • $BuiltInAdminPasswordField: Custom field name for built-in admin password
  • $MspAdminPasswordField: Custom field name for MSP admin password

Policy Settings:

  • $GeneratedPasswordLength: Length for random password generation (default: 16)
  • $DisableAdminOnExit: Disable Administrator account on exit (boolean)
  • $ReturnToOriginalState: Return Administrator account to original state on exit (boolean)

Behavior

The script performs operations in the following sequence:

  1. Prechecks: Validates elevation and SuperOps module availability
  2. Target Account Discovery: Identifies built-in Administrator by SID (*-500)
  3. Built-in Admin Management: Renames to $BuiltInAdminNewName, sets random password, syncs to SuperOps, disables account
  4. MSP Admin Management: Creates or updates MSP admin account, sets password, syncs to SuperOps, enables account
  5. Old Account Cleanup: Removes legacy MSP accounts (m5sadmin, tiltlocal, clientadmin) if found
  6. Branding Application: Applies profile pictures and wallpapers to both admin accounts
  7. Cleanup: Restores Administrator account to original state or leaves disabled based on settings

Safety / Idempotence

  • Deleting the "limehawk" user/profile is gated by $RemoveLimehawkAccount
  • Administrator profile handling is SID-based (never by name alone)
  • If Administrator profile path is not C:\Users\Administrator, the script moves into a "prepare" flow: removes the old profile and instructs a one-time login
  • Account picture & wallpaper operations are no-throw best-effort

Security Notes

  • Requires elevated permissions to modify system components
  • Generates strong random passwords (16 characters with mixed character types)
  • Passwords are synced to SuperOps custom fields for secure storage
  • No secrets are printed to console
  • Registry hive operations include proper load/unload hardening

Exit Codes

  • 0 = Success
  • 1 = Failure (see "ERROR OCCURRED" diagnostics)

Example Output

[ PRECHECKS ]
--------------------------------------------------------------
Elevated               : Yes

[ SUPEROPS MODULE ]
--------------------------------------------------------------
Importing Module       : SuperOps
SuperOps Cmdlets       : OK

[ TARGET ACCOUNTS / PATHS ]
--------------------------------------------------------------
Built-in Admin         : Administrator (S-1-5-21-xxx-500)
Initial Admin State    : False
Admin Profile Path     : C:\Users\Administrator
Admin NTUSER.DAT       : C:\Users\Administrator\NTUSER.DAT

[ BUILT-IN ADMINISTRATOR MANAGEMENT ]
--------------------------------------------------------------
Built-in Admin Renamed : Administrator -> hawkadmin
Built-in Admin Password: Set
SuperOps Sync (Built-in): Password for 'hawkadmin' updated in 'Built-in Admin Password'
Built-in Admin Status  : Disabled

[ MSP ADMINISTRATOR ACCOUNT MANAGEMENT ]
--------------------------------------------------------------
MSP Admin Account      : Created 'limehawk'
MSP Admin Group        : Added to Administrators
SuperOps Sync (MSP)    : Password for 'limehawk' updated in 'MSP Admin Password'
MSP Admin Status       : Enabled

[ ADMIN PICTURE & WALLPAPER ]
--------------------------------------------------------------
Photo Source           : C:\Users\Public\Pictures\limehawk_profile.png
Wallpaper Path         : C:\Users\Public\Pictures\limehawk_wallpaper.png
Profile pictures applied under C:\Users\Public\AccountPictures\S-1-5-21-xxx-500
Wallpaper registry set: C:\Users\Public\Pictures\limehawk_wallpaper.png

[ FINAL STATUS ]
--------------------------------------------------------------
Administrator account is enabled, named, branded, and password synced to SuperOps.

[ SCRIPT COMPLETED ]
--------------------------------------------------------------

Version History

  • v3.1.4 (2025-12-01) - Fix cleanup section using old admin name after rename
  • v3.1.3 (2025-12-01) - Fix error when limehawk account doesn't exist by moving MSP admin profile lookup to after account creation
  • v3.1.2 (2025-10-31) - Improved wallpaper application by defaulting profile paths and adding clearer warnings for missing profiles. Set 'Limehawk' MSP admin full name
  • v3.1.1 (2025-09-05) - Reordered sections to set/sync password before profile check
  • v3.1.0 (2025-08-20) - Standardized sections (ASCII headers), PS5.1-safe helpers, consolidated diagnostics, strong password generator, file existence checks, registry hive load/unload hardening
  • v3.0.0 (2025-08-19) - Initial combined automation (user/profile cleanup, branding, password handling, SuperOps custom field update)

Links