I had several requests from the developers at our company to enable auto logon for various servers. I knew this was possible through regedit (as explained in this Microsoft support article).
Sometimes, though, it needed to be done on (test) servers that reside in a domain, and sometimes on stand-alone Azure servers. So I wanted to automate the process.
First I need to be able to validate the credentials. I also need to know whether the computer is part of a domain. If the logged-on user is a domain account, the environment variable USERDNSDOMAIN is present. In my case this check is enough to tell whether a computer is domain-joined (all accounts that log on to our domain-joined computers are domain accounts, and where a local account is used I want to set the auto logon for that local account anyway). Keep in mind that this is a property of the logged-on session, not of the machine itself.
So it is easy to check whether the computer is part of a domain: I just check whether $env:USERDNSDOMAIN is $null.
As an extra check, I compare $env:COMPUTERNAME with $env:USERDOMAIN. If they are equal, the session is running under a local account and I treat the computer as not domain-joined.
Then I can check the user credentials that were supplied through Get-Credential. The .NET calls below need the user name and the clear-text password as strings; a PSCredential exposes both via GetNetworkCredential(). For a stand-alone computer I validate against the local account database (SAM) of that machine:
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
# ContextType 'Machine' binds to the local SAM of $Computer; ValidateCredentials returns a [bool]
$Obj = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Machine', $Computer)
If ($Obj.ValidateCredentials($Username, $Password)) {
    # the credentials are valid for a local account on $Computer
}
If the computer is part of a domain, I have to check the credentials against a domain controller. This can be done by binding to the domain with the supplied credentials:
# [ADSI]"" binds to the default naming context of the computer's domain with the current session's credentials
$CurrentDomain = "LDAP://" + ([ADSI]"").distinguishedName
# Creating the DirectoryEntry does not bind yet; the bind (and thus the credential check) happens on first property access
$Domain = New-Object System.DirectoryServices.DirectoryEntry($CurrentDomain,$UserName,$Password)
If ($Domain.distinguishedName) { "credentials are valid" } Else { "credentials are invalid" }
Note that $Domain itself is never $null: the constructor only stores the path and credentials. The bind happens when a property is first read, so the check is whether a property such as distinguishedName comes back. With wrong credentials the read writes an error ("The user name or password is incorrect") and returns nothing; with correct credentials $Domain exposes the LDAP path, the distinguishedName and the other domain attributes.
So if the account is verified, in both cases I can set the registry values. DefaultDomainName should be set as well (the Microsoft article does so too): the domain name for a domain account, or the computer name for a local account, otherwise Winlogon may try the wrong authority. Be aware that DefaultPassword is stored in clear text under HKLM and is readable by any user who can log on to the machine; for anything beyond throw-away test servers, the Sysinternals Autologon tool, which stores the password as an LSA secret instead, is the safer choice.
$RegKeyPathWinLogon = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Set-ItemProperty -Path $RegKeyPathWinLogon -Name "AutoAdminLogon" -Value "1"
Set-ItemProperty -Path $RegKeyPathWinLogon -Name "DefaultUserName" -Value $Username
# domain name (NetBIOS) for a domain account, computer name for a local account
Set-ItemProperty -Path $RegKeyPathWinLogon -Name "DefaultDomainName" -Value $DomainName
# stored as clear-text REG_SZ; see the caveat above
Set-ItemProperty -Path $RegKeyPathWinLogon -Name "DefaultPassword" -Value $Password
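To put the whole procedure (domain detection, credential validation, registry update) in one runnable piece, here is an added example written for this page; it is not the post's own script and differs from it in two places. It decides whether the machine is domain-joined from Win32_ComputerSystem.PartOfDomain, which reflects the join state of the computer rather than of the current session, and it validates domain credentials with the same PrincipalContext API used for local accounts, with ContextType Domain instead of Machine. It assumes the script runs elevated (HKLM is not writable otherwise), that the account is entered in Get-Credential without a domain prefix, and, as the post does, that on a domain-joined machine the session runs under a domain account so that $env:USERDOMAIN holds the NetBIOS domain name.

```powershell
# Added example for this page, not the post's script.
# Assumptions: elevated session; account name entered without domain prefix;
# on a domain-joined machine the current session is a domain account.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Get-LogonContext {
    # PartOfDomain is the machine's join state, independent of who is logged on.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        @{ Type = [System.DirectoryServices.AccountManagement.ContextType]::Domain
           Name = $cs.Domain }            # DNS name of the machine's domain
    } else {
        @{ Type = [System.DirectoryServices.AccountManagement.ContextType]::Machine
           Name = $env:COMPUTERNAME }     # local SAM of this computer
    }
}

function Test-AccountCredential {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][hashtable]$Context
    )
    # Naming the domain or machine explicitly avoids relying on the current
    # session's security context to pick the authority.
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($Context.Type, $Context.Name)
    try {
        # ValidateCredentials needs the clear-text password; unwrap it only here.
        $plain = $Credential.GetNetworkCredential()
        return $ctx.ValidateCredentials($plain.UserName, $plain.Password)
    } finally {
        $ctx.Dispose()
    }
}

function Set-AutoLogon {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$DomainName
    )
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $plain = $Credential.GetNetworkCredential()
    Set-ItemProperty -Path $winlogon -Name 'AutoAdminLogon'    -Value '1'
    Set-ItemProperty -Path $winlogon -Name 'DefaultUserName'   -Value $plain.UserName
    Set-ItemProperty -Path $winlogon -Name 'DefaultDomainName' -Value $DomainName
    # Clear-text REG_SZ readable by every local user; use Sysinternals Autologon
    # (LSA secret) where that matters.
    Set-ItemProperty -Path $winlogon -Name 'DefaultPassword'   -Value $plain.Password
}

# Usage
$cred    = Get-Credential -Message 'Account that should log on automatically'
$context = Get-LogonContext
if (Test-AccountCredential -Credential $cred -Context $context) {
    # NetBIOS domain name for a domain account (assumes a domain-account session),
    # computer name for a local account.
    $domainName = if ($context.Type -eq 'Domain') { $env:USERDOMAIN } else { $env:COMPUTERNAME }
    Set-AutoLogon -Credential $cred -DomainName $domainName
    Write-Host "Auto logon configured for $domainName\$($cred.GetNetworkCredential().UserName)"
} else {
    Write-Warning 'Credential validation failed; registry left untouched.'
}
```

Validating before writing matters because a wrong password in DefaultPassword would not only break the auto logon but also leave a failed-logon entry on every boot; the function returns $false in that case and the registry is not touched.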
You can download the entire script here.