AD域控组策略------禁用所有本地账号,只启用Administrator账号并统一重置密码

PowerShell脚本代码如下【已在Windows 7、Windows 10、Windows 11上测试功能正常】。保存为 *.ps1 文件,在组策略中引用:计算机配置------策略------Windows设置------脚本(启动/关机)------启动。先在小范围OU测试,确认无问题后再全域推进。安全提示:计算机启动脚本以 SYSTEM 身份运行,脚本文件本身存放在 SYSVOL 中,域内所有已认证用户均可读取,因此写死在脚本里的 Administrator 密码等同于一个全域通用的本地管理员凭据(任意一台机器失陷即可用该口令或其哈希横向移动到所有机器);生产环境建议改用 LAPS 为每台机器随机生成并定期轮换本地管理员密码,而不是在脚本中统一设置同一口令。

# Windows全自动账户管理脚本
# 功能:全自动禁用所有本地账户,启用Administrator,重置密码
# 要求:以管理员身份运行
# 特点:无确认提示,直接执行

# Abort unless the caller's token holds the local Administrators role.
# When launched as a GPO computer startup script this runs as Local System,
# which is a member of Administrators and therefore passes; the interactive
# "run as administrator" hints below only matter when the script is started
# by hand from a console.
$callerIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$callerPrincipal = New-Object Security.Principal.WindowsPrincipal($callerIdentity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $callerPrincipal.IsInRole($adminRole)) {
    Write-Host "错误:请以管理员身份运行此脚本!" -ForegroundColor Red
    Write-Host "右键点击PowerShell -> 以管理员身份运行" -ForegroundColor Yellow
    Start-Sleep -Seconds 3
    exit 1
}

# ---- Configuration ----------------------------------------------------------
# NOTE(review): $NewPassword is a cleartext secret embedded in the script.
# Deployed as a GPO startup script, this file is stored in SYSVOL, which every
# authenticated domain user can read, and the same value is then set on every
# machine the GPO reaches - so one leaked or cracked value is a local-admin
# credential for all of them (pass-the-hash style lateral movement).
# Prefer a per-machine, rotated solution such as LAPS; at minimum rotate this
# value and keep the script out of world-readable locations.
$AdminAccount = 'Administrator'
$NewPassword  = 'XiykjAdmin@123456#'
# One log file per run, timestamped so successive runs never overwrite each other.
$LogFile = "C:\Windows\Temp\AutoAdminReset_$(Get-Date -Format 'yyyyMMdd_HHmmss').log"

# 开始日志记录
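# Script-scope buffer of log lines. Write-Log appends here so the summary
# section at the end can flush the whole run to $LogFile.
$logContent = @()
function Write-Log {
    <#
    .SYNOPSIS
        Appends a timestamped, typed entry to the in-memory log and echoes it.
    .PARAMETER Message
        Text to log.
    .PARAMETER Type
        Severity tag written between brackets (INFO, SUCCESS, WARNING, ERROR).
    #>
    param($Message, $Type = "INFO")
    $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    $logEntry = "[$timestamp] [$Type] $Message"
    # Explicit script scope is required: a bare "$logContent += ..." inside a
    # function assigns to a new function-local variable, so the original never
    # accumulated any entries and the saved log would only contain the summary.
    $script:logContent += $logEntry
    Write-Host $logEntry
}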

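Write-Log "Windows全自动账户管理脚本开始执行"
Write-Log "脚本版本: 3.0"
# Mirror step 1's compatibility split: Get-CimInstance does not exist on
# PowerShell 2 (Windows 7 without WMF), where the bare call would fail.
if ($PSVersionTable.PSVersion.Major -ge 3) {
    $osCaption = (Get-CimInstance Win32_OperatingSystem).Caption
} else {
    $osCaption = (Get-WmiObject Win32_OperatingSystem).Caption
}
Write-Log "操作系统: $osCaption"
Write-Log "计算机名: $env:COMPUTERNAME"

Write-Log "========================================================"
Write-Log "正在全自动执行以下操作:"
Write-Log "  1. 获取所有本地用户账户"
Write-Log "  2. 禁用所有非系统账户(除Administrator外)"
Write-Log "  3. 启用Administrator账户"
# The new password is deliberately NOT interpolated here: every Write-Log line
# goes to the console and into $LogFile, and a cleartext local-admin credential
# in a log file outlives the run.
Write-Log "  4. 重置Administrator密码"
Write-Log "[自动模式] 跳过确认,直接执行..."
Write-Log "========================================================"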

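# 步骤1:获取所有本地用户
Write-Log "步骤1: 获取所有本地用户账户..."
try {
    $localUsers = @()

    # CIM on PowerShell 3+, classic WMI on Windows 7 / PowerShell 2.
    # @() keeps $localUsers an array even when a single account comes back,
    # so .Count and the loops below behave the same on PowerShell 2.
    if ($PSVersionTable.PSVersion.Major -ge 3) {
        $localUsers = @(Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount='True'" -ErrorAction Stop)
    } else {
        $localUsers = @(Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'" -ErrorAction Stop)
    }

    $userCount = $localUsers.Count
    Write-Log "共找到 $userCount 个本地用户"

    foreach ($user in $localUsers) {
        Write-Log "  发现用户: $($user.Name) (SID: $($user.SID))"
    }
} catch {
    Write-Log "获取用户失败: $_" -Type "ERROR"
    # Fallback: parse "net user". The original only counted names here and left
    # $localUsers empty, so step 2 silently disabled nothing whenever WMI/CIM
    # failed. Minimal Name/SID objects are built instead. SID is unknown on
    # this path, so the RID-based skip in step 2 cannot recognise a renamed
    # built-in Administrator - only the name check protects it.
    try {
        $names = @()
        $inList = $false
        foreach ($line in (net user 2>&1)) {
            $text = "$line"
            # Account names start after the dashed separator line.
            if (-not $inList) {
                if ($text -match '^-{5,}') { $inList = $true }
                continue
            }
            # The list ends at the first blank line or the completion message.
            if ($text.Trim() -eq '' -or $text -match '命令成功完成|The command completed successfully') { break }
            # Names are laid out in columns separated by runs of 2+ spaces;
            # splitting on those keeps a name that contains a single space intact.
            $names += @(($text.Trim() -split '\s{2,}') | Where-Object { $_ -ne '' })
        }
        $localUsers = @($names | ForEach-Object {
            New-Object PSObject -Property @{ Name = $_; SID = $null }
        })
        $userCount = $localUsers.Count
        Write-Log "通过net user获取到 $userCount 个用户"
    } catch {
        Write-Log "所有获取用户方法都失败" -Type "ERROR"
        $localUsers = @()
        $userCount = 0
    }
}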

# 步骤2:禁用所有非Administrator用户
Write-Log "步骤2: 禁用所有非Administrator用户..."
$disabledCount = 0

# Accounts that must never be touched, matched by name...
$systemAccounts = @("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "DefaultAccount")
# ...and by SID: S-1-5-18/19/20 are the service identities, and RID 500 is the
# built-in Administrator even when it has been renamed.
$protectedSidPattern = "^S-1-5-(18|19|20|21-.*-500)$"

foreach ($account in $localUsers) {
    $name = $account.Name

    # The target admin (by name) and the listed system accounts are skipped silently.
    $isTargetAdmin = ($name -eq $AdminAccount)
    $isListedSystem = ($systemAccounts -contains $name)
    if ($isTargetAdmin -or $isListedSystem) { continue }

    # Accounts protected by SID are logged, then skipped.
    if ($account.SID -match $protectedSidPattern) {
        Write-Log "  跳过系统账户: $name"
        continue
    }

    Write-Log "  正在禁用用户: $name"

    # net user is used for maximum compatibility (the LocalAccounts cmdlets are
    # absent on older Windows); success is detected by exit code or by the
    # localized completion message.
    try {
        $output = net user $name /active:no 2>&1
        $succeeded = ($LASTEXITCODE -eq 0) -or ($output -match "命令成功完成|The command completed successfully")
        if ($succeeded) {
            Write-Log "    ✓ 成功禁用" -Type "SUCCESS"
            $disabledCount++
        } else {
            Write-Log "    ✗ 禁用失败: $output" -Type "ERROR"
        }
    } catch {
        Write-Log "    ✗ 禁用失败: $_" -Type "ERROR"
    }
}

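# 步骤3:启用Administrator账户
Write-Log "步骤3: 启用Administrator账户..."
$adminEnabled = $false

# Resolve the built-in Administrator by its well-known RID (500) from the
# accounts enumerated in step 1. Renaming the built-in account is common
# hardening; without this lookup "net user Administrator /active:yes" fails and
# the original fell through to CREATING a second account named Administrator
# with the shared password - an extra local admin nobody asked for, which also
# defeats the rename. When a RID-500 account exists under another name,
# $AdminAccount is updated so steps 4 and 5 act on that account too.
$builtinAdmin = $localUsers | Where-Object { "$($_.SID)" -match "^S-1-5-21-.*-500$" } | Select-Object -First 1
if ($builtinAdmin -and $builtinAdmin.Name -ne $AdminAccount) {
    Write-Log "  内置Administrator账户已重命名为: $($builtinAdmin.Name),将启用该账户" -Type "WARNING"
    $AdminAccount = $builtinAdmin.Name
}

try {
    $result = net user $AdminAccount /active:yes 2>&1
    if ($LASTEXITCODE -eq 0 -or $result -match "命令成功完成|The command completed successfully") {
        Write-Log "  ✓ Administrator已启用" -Type "SUCCESS"
        $adminEnabled = $true
    } elseif ($builtinAdmin) {
        # The built-in account exists but could not be enabled. Creating a
        # lookalike would not fix that and would add a second admin; report and stop.
        Write-Log "  ✗ 启用失败: $result" -Type "ERROR"
    } else {
        # No RID-500 account was visible (e.g. enumeration fell back to net user,
        # which carries no SIDs). Last resort: create the account. The password
        # is passed on the command line here, which is unavoidable with net user.
        Write-Log "  ! 启用失败,尝试创建账户" -Type "WARNING"
        $result = net user $AdminAccount $NewPassword /add /active:yes 2>&1
        if ($LASTEXITCODE -eq 0) {
            Write-Log "  ✓ 创建并启用成功" -Type "SUCCESS"
            # NOTE(review): the group is addressed by name; on UI languages where
            # the Administrators group is localized this may not resolve - confirm
            # on the target locales.
            $groupResult = net localgroup administrators $AdminAccount /add 2>&1
            if ($LASTEXITCODE -eq 0) {
                Write-Log "  ✓ 已添加到管理员组" -Type "SUCCESS"
            } else {
                Write-Log "  ! 添加到管理员组失败: $groupResult" -Type "WARNING"
            }
            $adminEnabled = $true
        } else {
            Write-Log "  ✗ 创建失败: $result" -Type "ERROR"
        }
    }
} catch {
    Write-Log "  ✗ 启用Administrator失败: $_" -Type "ERROR"
}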

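# 步骤4:重置Administrator密码
Write-Log "步骤4: 重置Administrator密码..."
$passwordReset = $false

if ($adminEnabled) {
    try {
        # net user takes the password on the command line; unavoidable with this
        # tool, but the value is briefly visible in process listings while it runs.
        $result = net user $AdminAccount $NewPassword 2>&1
        if ($LASTEXITCODE -eq 0 -or $result -match "命令成功完成|The command completed successfully") {
            Write-Log "  ✓ 密码重置成功" -Type "SUCCESS"
            $passwordReset = $true

            # "Password never expires" is an attribute of THIS account. The
            # original ran "net accounts /maxpwage:unlimited", which rewrites the
            # machine-wide password-age policy for every local account rather
            # than flagging the one account - a policy weakening nobody asked
            # for (and one a domain policy may overwrite again anyway).
            # Win32_UserAccount.PasswordExpires is the per-account flag.
            try {
                # WQL escapes a single quote with a backslash.
                $safeName = $AdminAccount -replace "'", "\'"
                $filter = "LocalAccount='True' AND Name='$safeName'"
                if ($PSVersionTable.PSVersion.Major -ge 3) {
                    Get-CimInstance -ClassName Win32_UserAccount -Filter $filter -ErrorAction Stop |
                        Set-CimInstance -Property @{ PasswordExpires = $false } -ErrorAction Stop
                } else {
                    $acct = Get-WmiObject -Class Win32_UserAccount -Filter $filter -ErrorAction Stop
                    $acct.PasswordExpires = $false
                    [void]$acct.Put()
                }
                Write-Log "  ✓ 密码永不过期已设置" -Type "SUCCESS"
            } catch {
                Write-Log "  ! 设置密码永不过期失败: $_" -Type "WARNING"
            }
        } else {
            Write-Log "  ✗ 密码重置失败: $result" -Type "ERROR"
        }
    } catch {
        Write-Log "  ✗ 密码重置失败: $_" -Type "ERROR"
    }
}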

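# 步骤5:验证结果
Write-Log "步骤5: 验证操作结果..."

# Check the account's Disabled flag instead of scraping "net user" output,
# which only recognises Chinese and English strings and would report
# "not enabled" on any other UI language. The text scrape remains a fallback
# for when WMI/CIM is unavailable or returns nothing.
try {
    $adminIsActive = $null
    try {
        # WQL escapes a single quote with a backslash.
        $safeName = $AdminAccount -replace "'", "\'"
        $filter = "LocalAccount='True' AND Name='$safeName'"
        if ($PSVersionTable.PSVersion.Major -ge 3) {
            $acct = Get-CimInstance -ClassName Win32_UserAccount -Filter $filter -ErrorAction Stop
        } else {
            $acct = Get-WmiObject -Class Win32_UserAccount -Filter $filter -ErrorAction Stop
        }
        if ($acct) { $adminIsActive = -not [bool]$acct.Disabled }
    } catch {
        $adminIsActive = $null
    }
    if ($null -eq $adminIsActive) {
        $adminStatus = net user $AdminAccount 2>&1 | Select-String "帐户已启用|Account active"
        $adminIsActive = [bool]($adminStatus -match "是|Yes")
    }
    if ($adminIsActive) {
        Write-Log "  ✓ Administrator账户状态: 已启用" -Type "SUCCESS"
    } else {
        Write-Log "  ✗ Administrator账户状态: 未启用" -Type "ERROR"
    }
} catch {
    Write-Log "  ! 无法验证Administrator状态" -Type "WARNING"
}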

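# 完成摘要
$separator = "=" * 60
# The original wrote  Write-Host "`n" + ("=" * 60)  and  Write-Host "=" * 60 ;
# in command-argument mode "+" and "*" are passed as literal words, so the
# console showed "+ ====" and "= * 60". Compute the strings first instead.
Write-Host ("`n" + $separator) -ForegroundColor Green
Write-Host "                   操作完成摘要" -ForegroundColor Green
Write-Host $separator -ForegroundColor Green
Write-Host ""
Write-Host "统计信息:" -ForegroundColor Yellow
Write-Host "  发现本地用户总数: $userCount" -ForegroundColor White
Write-Host "  已禁用的用户数: $disabledCount" -ForegroundColor White
Write-Host "  Administrator账户状态: $(if($adminEnabled){'已启用'}else{'失败'})" -ForegroundColor $(if($adminEnabled){'Green'}else{'Red'})
Write-Host "  密码重置状态: $(if($passwordReset){'成功'}else{'失败'})" -ForegroundColor $(if($passwordReset){'Green'}else{'Red'})
Write-Host ""
Write-Host "登录信息:" -ForegroundColor Yellow
Write-Host "  用户名: $AdminAccount" -ForegroundColor White
# The password is not echoed: console output may be captured by a transcript
# or by the script host, and whoever configured $NewPassword already has it.
Write-Host "  密码: (不在此显示,见脚本中的 `$NewPassword)" -ForegroundColor White
Write-Host ""
Write-Host "系统信息:" -ForegroundColor Yellow
Write-Host "  计算机名: $env:COMPUTERNAME" -ForegroundColor White
Write-Host "  执行时间: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')" -ForegroundColor White
Write-Host ""
Write-Host "重要提示:" -ForegroundColor Red
Write-Host "  1. 所有非系统本地账户已被禁用" -ForegroundColor Yellow
Write-Host "  2. 建议重启计算机使更改生效" -ForegroundColor Yellow
Write-Host "  3. 请立即使用新密码测试Administrator登录" -ForegroundColor Yellow
Write-Host "  4. 日志文件: $LogFile" -ForegroundColor Cyan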

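# 记录摘要到日志
# The password is intentionally left out: $LogFile is a plain-text file under
# C:\Windows\Temp, and a cleartext local-admin credential there outlives the
# run and is the same on every machine this GPO reaches.
$logContent += "=" * 60
$logContent += "操作完成摘要:"
$logContent += "  发现本地用户总数: $userCount"
$logContent += "  已禁用的用户数: $disabledCount"
$logContent += "  Administrator账户状态: $(if($adminEnabled){'已启用'}else{'失败'})"
$logContent += "  密码重置状态: $(if($passwordReset){'成功'}else{'失败'})"
$logContent += "  登录信息:"
$logContent += "    用户名: $AdminAccount"
$logContent += "    密码: (未记录)"
$logContent += "  系统信息:"
$logContent += "    计算机名: $env:COMPUTERNAME"
$logContent += "    执行时间: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"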

# 保存日志文件,日志文件保存在客户端C:\Windows\Temp\AutoAdminReset_*.log文件[本功能已注释,防止每次运行生成日志文件占用存储;开启前请先确认 $logContent 中不包含明文密码,删除<# #>即可启用]
<# try {
    $logContent | Out-File -FilePath $LogFile -Encoding UTF8
    Write-Log "详细日志已保存到: $LogFile" -Type "INFO"
} catch {
    Write-Log "保存日志失败: $_" -Type "ERROR"
} #>

 
