-
Notifications
You must be signed in to change notification settings - Fork 6
limehawk_admin_profile_branding.ps1
Corey Watson edited this page Dec 19, 2025
·
1 revision
Standardized Limehawk MSP automation for administrator account management and branding.
This script automates the management of local administrator accounts on Windows systems, including the built-in Administrator account and a custom MSP admin account. It handles password rotation, account branding (profile pictures and wallpaper), and synchronization with SuperOps RMM platform.
Standardized Limehawk MSP automation to:
- Remove the provisioning account "limehawk" (user + profile) safely
- Ensure the built-in Administrator account (SID *-500) is enabled and named
- Set Administrator Full Name (display) per policy
- Generate & set a strong random password, push to SuperOps custom field
- Apply Administrator account picture (multi-size) and wallpaper
- PowerShell 5.1+
- Run as local Administrator (elevated)
- Local user management available (Server/Client SKUs)
- Access to C:\Users\Administrator\NTUSER.DAT (profile must exist/loaded steps below)
-
$SuperOpsModuleavailable (Import-Module on line 1) - Runtime cmdlet Send-CustomField available to update "Admin Password"
- Internet egress to SuperOps endpoint via the SuperOps agent/runtime
All inputs are hardcoded in the script settings section:
Feature Toggles:
-
$RemoveLimehawkAccount: Remove local "limehawk" user + profile(s) (boolean) -
$StandardizeAdminName: Ensure account name is literally "Administrator" (boolean)
Account Names:
-
$BuiltInAdminNewName: Name for the built-in Administrator account (default: "hawkadmin") -
$MspAdminName: Name for the MSP admin account (default: "limehawk")
Branding:
-
$AdminFullName: Administrator Full Name/display name (default: "Limehawk") -
$PhotoSource: Path to profile picture PNG -
$WallpaperPath: Path to wallpaper PNG
SuperOps Custom Fields:
-
$BuiltInAdminPasswordField: Custom field name for built-in admin password -
$MspAdminPasswordField: Custom field name for MSP admin password
Policy Settings:
-
$GeneratedPasswordLength: Length for random password generation (default: 16) -
$DisableAdminOnExit: Disable Administrator account on exit (boolean) -
$ReturnToOriginalState: Return Administrator account to original state on exit (boolean)
The script performs operations in the following sequence:
- Prechecks: Validates elevation and SuperOps module availability
- Target Account Discovery: Identifies built-in Administrator by SID (*-500)
-
Built-in Admin Management: Renames to
$BuiltInAdminNewName, sets random password, syncs to SuperOps, disables account - MSP Admin Management: Creates or updates MSP admin account, sets password, syncs to SuperOps, enables account
- Old Account Cleanup: Removes legacy MSP accounts (m5sadmin, tiltlocal, clientadmin) if found
- Branding Application: Applies profile pictures and wallpapers to both admin accounts
- Cleanup: Restores Administrator account to original state or leaves disabled based on settings
- Deleting the "limehawk" user/profile is gated by
$RemoveLimehawkAccount - Administrator profile handling is SID-based (never by name alone)
- If Administrator profile path is not C:\Users\Administrator, the script moves into a "prepare" flow: removes the old profile and instructs a one-time login
- Account picture & wallpaper operations are no-throw best-effort
- Requires elevated permissions to modify system components
- Generates strong random passwords (16 characters with mixed character types)
- Passwords are synced to SuperOps custom fields for secure storage
- No secrets are printed to console
- Registry hive operations include proper load/unload hardening
- 0 = Success
- 1 = Failure (see "ERROR OCCURRED" diagnostics)
[ PRECHECKS ]
--------------------------------------------------------------
Elevated : Yes
[ SUPEROPS MODULE ]
--------------------------------------------------------------
Importing Module : SuperOps
SuperOps Cmdlets : OK
[ TARGET ACCOUNTS / PATHS ]
--------------------------------------------------------------
Built-in Admin : Administrator (S-1-5-21-xxx-500)
Initial Admin State : False
Admin Profile Path : C:\Users\Administrator
Admin NTUSER.DAT : C:\Users\Administrator\NTUSER.DAT
[ BUILT-IN ADMINISTRATOR MANAGEMENT ]
--------------------------------------------------------------
Built-in Admin Renamed : Administrator -> hawkadmin
Built-in Admin Password: Set
SuperOps Sync (Built-in): Password for 'hawkadmin' updated in 'Built-in Admin Password'
Built-in Admin Status : Disabled
[ MSP ADMINISTRATOR ACCOUNT MANAGEMENT ]
--------------------------------------------------------------
MSP Admin Account : Created 'limehawk'
MSP Admin Group : Added to Administrators
SuperOps Sync (MSP) : Password for 'limehawk' updated in 'MSP Admin Password'
MSP Admin Status : Enabled
[ ADMIN PICTURE & WALLPAPER ]
--------------------------------------------------------------
Photo Source : C:\Users\Public\Pictures\limehawk_profile.png
Wallpaper Path : C:\Users\Public\Pictures\limehawk_wallpaper.png
Profile pictures applied under C:\Users\Public\AccountPictures\S-1-5-21-xxx-500
Wallpaper registry set: C:\Users\Public\Pictures\limehawk_wallpaper.png
[ FINAL STATUS ]
--------------------------------------------------------------
Administrator account is enabled, named, branded, and password synced to SuperOps.
[ SCRIPT COMPLETED ]
--------------------------------------------------------------
- v3.1.4 (2025-12-01) - Fix cleanup section using old admin name after rename
- v3.1.3 (2025-12-01) - Fix error when limehawk account doesn't exist by moving MSP admin profile lookup to after account creation
- v3.1.2 (2025-10-31) - Improved wallpaper application by defaulting profile paths and adding clearer warnings for missing profiles. Set 'Limehawk' MSP admin full name
- v3.1.1 (2025-09-05) - Reordered sections to set/sync password before profile check
- v3.1.0 (2025-08-20) - Standardized sections (ASCII headers), PS5.1-safe helpers, consolidated diagnostics, strong password generator, file existence checks, registry hive load/unload hardening
- v3.0.0 (2025-08-19) - Initial combined automation (user/profile cleanup, branding, password handling, SuperOps custom field update)
- View Script Source
- Scripts - Back to script index