
Creating a Local Administrator with Remote Capabilities

This article provides two PowerShell scripts to create a secure local administrator account (block_svc) with remote access capabilities via WMI, RPC, SMB and WinRM. These are tailored for both domain-joined and standalone/cloud-hosted environments, with detailed rollback scripts.


Table of Contents

  1. Overview

  2. Choosing the Right Script

  3. Basic Script – AD Managed Environments

  4. Advanced Script – Standalone or Cloud Hosted Environments

  5. Technical Notes on Port Configuration and System Impact

  6. Reversion Scripts


1. Overview

To facilitate secure remote access to Windows endpoints via WMI, RPC, and SMB, in scenarios where a domain Administrator account is unavailable, a local admin account can be established with the necessary privileges and firewall configurations. Block 64 offers two script options:

  • Basic Script: For AD-managed devices using GPO to manage firewall rules.

  • Advanced Script: For standalone/cloud-hosted devices (e.g., Azure, AWS, Workgroup) that require local firewall configuration.

Benefits:

  • Automates account creation

  • Sets required system policies

  • Reduces manual misconfigurations

  • Fully reversible with rollback scripts

Important:

  • Always test scripts in a non-production environment

  • Use a unique, complex password for block_svc

  • Advanced Script opens WMI, RPC, SMB, and WinRM ports. Ensure this complies with your internal network policies before use.

⚠️ Please ensure that your system's PowerShell Execution Policy allows for script execution. You can verify or temporarily allow script execution using the following command in PowerShell:

Verify:
Get-ExecutionPolicy -List

Allow (If Restricted):
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned

To run these scripts manually:

  • Copy and paste the script into a text file

  • Save the file with a .ps1 extension (e.g., CreateBlockSvc.ps1)

  • Right-click the file and choose "Run with PowerShell"

2. Choosing the Right Script

Environment                           Use This Script    Firewall Configuration
Domain-joined with Active Directory   Basic Script       Managed via GPO
Standalone, Workgroup, or Cloud       Advanced Script    Opened locally by the script

💡 Tip: If using the Basic Script, configure GPO to open required ports. See: How to Open Ports via GPO


3. Basic Script – AD Managed Environments

This script only creates the account and enables TokenFilterPolicy (it sets LocalAccountTokenFilterPolicy to 1, so the local account receives a full administrator token over the network instead of a UAC-filtered one). It does not modify firewall rules.

# Elevate script if not already running as administrator
$windowsIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$windowsPrincipal = New-Object System.Security.Principal.WindowsPrincipal($windowsIdentity)
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

if (-not $windowsPrincipal.IsInRole($adminRole)) {
    $psi = New-Object System.Diagnostics.ProcessStartInfo "PowerShell"
    $psi.Arguments = "-ExecutionPolicy Bypass -File `"$PSCommandPath`""
    $psi.Verb = "runas"
    [System.Diagnostics.Process]::Start($psi)
    exit
}

Clear-Host
Write-Host "=== Block 64 Local Admin Account Creation Script ===" -ForegroundColor Cyan
Write-Host "This script will:" -ForegroundColor White
Write-Host "- Create a local admin user 'block_svc'" -ForegroundColor White
Write-Host "- Apply remote access policy (TokenFilterPolicy)" -ForegroundColor White
Read-Host "Press Enter to continue..."

# Set TokenFilterPolicy for remote UAC
try {
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
        -Name "LocalAccountTokenFilterPolicy" -Value 1 -Force
    Write-Host "TokenFilterPolicy applied successfully." -ForegroundColor Green
} catch {
    Write-Host "Error applying TokenFilterPolicy: $($_.Exception.Message)" -ForegroundColor Red
}

# Prompt for the password as a SecureString so it is masked at the prompt and
# never held in a plain-text variable, then create the local user
$SecurePassword = Read-Host "Enter a strong password for 'block_svc'" -AsSecureString

try {
    if (Get-LocalUser -Name "block_svc" -ErrorAction SilentlyContinue) {
        Write-Host "User 'block_svc' already exists. Skipping creation." -ForegroundColor Yellow
    } else {
        New-LocalUser -Name "block_svc" -Password $SecurePassword -Description "Block64 service account"
        Write-Host "User 'block_svc' created successfully." -ForegroundColor Green
    }

    Set-LocalUser -Name "block_svc" -PasswordNeverExpires $true

    # Resolve the Administrators group from its well-known SID so the name is correct on
    # localized builds, then drop the "BUILTIN\" prefix, which Add-LocalGroupMember does not accept
    $adminGroupSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
    $adminGroupName = $adminGroupSID.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    if (Get-LocalGroupMember -Group $adminGroupName -Member "block_svc" -ErrorAction SilentlyContinue) {
        Write-Host "User 'block_svc' is already a member of group: $adminGroupName" -ForegroundColor Yellow
    } else {
        Add-LocalGroupMember -Group $adminGroupName -Member "block_svc" -ErrorAction Stop
        Write-Host "User 'block_svc' added to group: $adminGroupName" -ForegroundColor Green
    }
} catch {
    Write-Host "Error creating user or adding to group: $($_.Exception.Message)" -ForegroundColor Red
}

Write-Host "`n=== Setup completed successfully ===" -ForegroundColor Cyan
Read-Host "Press Enter to exit..."

After execution, use the credential block_svc in Block 64 tools:

  • Domain: (Leave blank)

  • Username: block_svc

  • Password: (Same one used during script execution)


4. Advanced Script – Standalone or Cloud Hosted Environments

This script performs the following:

  • Creates block_svc with admin rights

  • Enables TokenFilterPolicy for remote login

  • Detects OS language (English, Spanish, Portuguese)

  • Enables only the matching firewall rules for:

    • WMI

    • RPC

    • SMB

    • WinRM

  • Starts the WinRM service if not running

  • Tests Remote Registry access

# Elevate script if not already running as administrator
$windowsIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$windowsPrincipal = New-Object System.Security.Principal.WindowsPrincipal($windowsIdentity)
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

if (-not $windowsPrincipal.IsInRole($adminRole)) {
    $psi = New-Object System.Diagnostics.ProcessStartInfo "PowerShell"
    $psi.Arguments = "-ExecutionPolicy Bypass -NoExit -File `"$PSCommandPath`""
    $psi.Verb = "runas"
    [System.Diagnostics.Process]::Start($psi)
    exit
}

Clear-Host
Write-Host "=== Block 64 Local Admin Account Creation Script ===" -ForegroundColor Cyan
Write-Host "This script will:" -ForegroundColor White
Write-Host "- Create a local admin user 'block_svc'" -ForegroundColor White
Write-Host "- Apply remote access policy (TokenFilterPolicy)" -ForegroundColor White
Write-Host "- Enable essential firewall rules (WMI, RPC, SMB, WinRM)" -ForegroundColor White
Write-Host "- Start WinRM service if not running" -ForegroundColor White
Write-Host "- Test Remote Registry connectivity" -ForegroundColor White
Read-Host "Press Enter to continue..."

# Set TokenFilterPolicy for remote UAC
try {
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
        -Name "LocalAccountTokenFilterPolicy" -Value 1 -Force
    Write-Host "TokenFilterPolicy applied successfully." -ForegroundColor Green
} catch {
    Write-Host "Error applying TokenFilterPolicy: $($_.Exception.Message)" -ForegroundColor Red
}

# Prompt for the password as a SecureString so it is masked at the prompt and
# never held in a plain-text variable, then create the local user
$SecurePassword = Read-Host "Enter a strong password for 'block_svc'" -AsSecureString

try {
    if (Get-LocalUser -Name "block_svc" -ErrorAction SilentlyContinue) {
        Write-Host "User 'block_svc' already exists. Skipping creation." -ForegroundColor Yellow
    } else {
        New-LocalUser -Name "block_svc" -Password $SecurePassword -Description "Block64 service account"
        Write-Host "User 'block_svc' created successfully." -ForegroundColor Green
    }

    Set-LocalUser -Name "block_svc" -PasswordNeverExpires $true

    # Resolve the Administrators group from its well-known SID so the name is correct on
    # localized builds, then drop the "BUILTIN\" prefix, which Add-LocalGroupMember does not accept
    $adminGroupSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
    $adminGroup = $adminGroupSID.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    if (Get-LocalGroupMember -Group $adminGroup -Member "block_svc" -ErrorAction SilentlyContinue) {
        Write-Host "User 'block_svc' is already a member of '$adminGroup'." -ForegroundColor Yellow
    } else {
        Add-LocalGroupMember -Group $adminGroup -Member "block_svc" -ErrorAction Stop
        Write-Host "User 'block_svc' added to local Administrators group ('$adminGroup')." -ForegroundColor Green
    }
} catch {
    Write-Host "Error creating user or setting permissions: $($_.Exception.Message)" -ForegroundColor Red
}

# Detect system language to apply language-specific firewall rules
$culture = (Get-Culture).Name
Write-Host "`nSystem culture detected: $culture" -ForegroundColor Cyan

switch -Regex ($culture) {
    "^en" {
        $displayNames = @(
            "Windows Management Instrumentation (WMI-In)",
            "Remote Event Log Management (RPC)",
            "Remote Event Log Management (RPC-EPMAP)",
            "File and Printer Sharing (SMB-In)",
            "Windows Remote Management (HTTP-In)"
        )
    }
    "^es" {
        $displayNames = @(
            "Instrumental de administración de Windows (WMI de entrada)",
            "Administración remota de registro de eventos (RPC)",
            "Administración remota de registro de eventos (RPC-EPMAP)",
            "Compartir archivos e impresoras (SMB de entrada)",
            "Administración remota de Windows (HTTP de entrada)"
        )
    }
    "^pt" {
        $displayNames = @(
            "Instrumentação de Gerenciamento do Windows (WMI-In)",
            "Gerenciamento Remoto de Log de Eventos (RPC)",
            "Gerenciamento Remoto de Log de Eventos (RPC-EPMAP)",
            "Compartilhamento de Arquivos e Impressoras (SMB-In)",
            "Gerenciamento Remoto do Windows (HTTP-In)"
        )
    }
    default {
        Write-Host "Unsupported language '$culture'. Defaulting to English rules..." -ForegroundColor Yellow
        $displayNames = @(
            "Windows Management Instrumentation (WMI-In)",
            "Remote Event Log Management (RPC)",
            "Remote Event Log Management (RPC-EPMAP)",
            "File and Printer Sharing (SMB-In)",
            "Windows Remote Management (HTTP-In)"
        )
    }
}

# Enable relevant rules
Write-Host "`nEnabling essential firewall rules..." -ForegroundColor Cyan

foreach ($name in $displayNames) {
    try {
        Enable-NetFirewallRule -DisplayName $name -ErrorAction Stop
        Write-Host "Enabled rule: $name" -ForegroundColor Green
    } catch {
        Write-Host "Could not enable rule '$name': $($_.Exception.Message)" -ForegroundColor Yellow
    }
}

# Start WinRM if needed
Write-Host "`nEnsuring WinRM service is running..." -ForegroundColor Cyan
try {
    Start-Service -Name WinRM -ErrorAction Stop
    Write-Host "WinRM service started successfully." -ForegroundColor Green
} catch {
    Write-Host "Could not start WinRM service: $($_.Exception.Message)" -ForegroundColor Yellow
}

# Remote Registry test. reg.exe is a native command, so a failure does not raise a
# PowerShell exception and try/catch would always report success; check $LASTEXITCODE instead.
Write-Host "`nTesting Remote Registry connectivity..." -ForegroundColor Cyan
$target = $env:COMPUTERNAME
$regTest = reg query "\\$target\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" 2>&1
if ($LASTEXITCODE -eq 0) {
    Write-Host "Remote Registry access is working." -ForegroundColor Green
} else {
    Write-Host "Remote Registry test failed: $($regTest -join ' ')" -ForegroundColor Red
    Write-Host "Hint: Ensure the 'RemoteRegistry' service is running and the firewall is not blocking access." -ForegroundColor Yellow
}

Write-Host "`n=== Setup completed successfully ===" -ForegroundColor Cyan
Read-Host "Press Enter to exit..."

⚠️ This script modifies the local Windows firewall and enables WMI, RPC, and SMB ports. Use only in trusted environments.

After execution, use the credential block_svc in Block 64 tools:

  • Domain: (Leave blank)

  • Username: block_svc

  • Password: (Same one used during script execution)


5. Technical Notes on Port Configuration and System Impact

Ports Opened by Advanced Script

Protocol            Ports
WMI                 TCP 135 + dynamic
RPC                 TCP 135, TCP 139 + dynamic RPC ports
SMB                 TCP 445
WinRM               TCP 5985 (HTTP)
NetBIOS (legacy)    UDP 137/138, TCP 139

System Changes Summary

Change                             Scope          Description
block_svc account                  Local          New admin-level user
TokenFilterPolicy                  System-wide    Enables remote use of local accounts
Group membership                   Local group    Added to Administrators group
Firewall rules (Advanced Script)   Local          Enables WMI, RPC, SMB, WinRM
WinRM service                      Local          Started if not already running
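The two tables above list what the scripts change; the following audit script is an added example (not one of the Block 64 scripts) that checks each of those items on the local machine, so you can confirm a deployment did what was expected, see whether a firewall rule is owned by a GPO or the local store, and later confirm a rollback left nothing behind. It assumes Windows PowerShell 5.1 or later with the LocalAccounts and NetSecurity modules, run from an elevated prompt. The entries in $ruleNames are the language-independent rule names assumed to back the localized display names used by the Advanced Script; confirm them on your build with Get-NetFirewallRule -DisplayName "<display name>" | Select-Object Name.

```powershell
# Added example, not part of the Block 64 scripts: audit the account, policy,
# firewall and service state that the scripts create or the reversion scripts remove.
# Assumes an elevated Windows PowerShell 5.1+ session with LocalAccounts and NetSecurity.

$account   = "block_svc"
$policyKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# Assumed language-independent names for the rules enabled by the Advanced Script
$ruleNames = @(
    "WMI-WINMGMT-In-TCP",             # Windows Management Instrumentation (WMI-In)
    "RemoteEventLogSvc-In-TCP",       # Remote Event Log Management (RPC)
    "RemoteEventLogSvc-RPCSS-In-TCP", # Remote Event Log Management (RPC-EPMAP)
    "FPS-SMB-In-TCP",                 # File and Printer Sharing (SMB-In)
    "WINRM-HTTP-In-TCP"               # Windows Remote Management (HTTP-In)
)

function Add-Finding {
    param([string]$Check, [bool]$State, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Present = $State; Detail = $Detail }
}

$findings = @()

# Environment: a domain-joined host should be using the Basic Script plus GPO
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$findings += Add-Finding "Domain-joined" $cs.PartOfDomain $cs.Domain

# Account existence and Administrators membership (group looked up by well-known SID)
$user = Get-LocalUser -Name $account -ErrorAction SilentlyContinue
$userDetail = if ($user) { "Enabled=$($user.Enabled); LastLogon=$($user.LastLogon)" } else { "not present" }
$findings += Add-Finding "Account $account" ([bool]$user) $userDetail

$members = Get-LocalGroupMember -SID "S-1-5-32-544" -ErrorAction SilentlyContinue
$isAdmin = [bool]($members | Where-Object { $_.Name -like "*\$account" })
$findings += Add-Finding "Administrators member" $isAdmin "group SID S-1-5-32-544"

# LocalAccountTokenFilterPolicy: 1 means local admins get a full token over the network
$policy = (Get-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy `
    -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
$policyDetail = if ($null -eq $policy) { "value not set" } else { "value=$policy" }
$findings += Add-Finding "TokenFilterPolicy = 1" ($policy -eq 1) $policyDetail

# Firewall rules: enabled state, and whether the local store or a GPO owns the rule
foreach ($name in $ruleNames) {
    $rule = Get-NetFirewallRule -Name $name -ErrorAction SilentlyContinue
    $ruleDetail = if ($rule) { "store=$($rule.PolicyStoreSource)" } else { "rule not found" }
    $findings += Add-Finding "Firewall rule $name enabled" ($rule -and $rule.Enabled -eq "True") $ruleDetail
}

# Services the Advanced Script starts or tests
foreach ($svcName in "WinRM", "RemoteRegistry") {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    $svcDetail = if ($svc) { "startup=$($svc.StartType)" } else { "service not found" }
    $findings += Add-Finding "Service $svcName running" ($svc -and $svc.Status -eq "Running") $svcDetail
}

$findings | Format-Table -AutoSize
```

After a successful rollback every row except "Domain-joined" should show Present = False; after the Basic Script, firewall rows whose Detail names a GPO rather than PersistentStore are being managed centrally, as the tip in section 2 expects.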

6. Reversion Scripts

These scripts ensure a clean rollback. Use them during offboarding or if local credentials are no longer needed.
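Before removing the account it is worth knowing whether anything is still authenticating as block_svc, and from where. The script below is an added example (not one of the Block 64 scripts) that summarises recent successful logons for the account from the Security log (event ID 4624), grouped by source address and logon type. It assumes logon auditing is enabled, an elevated prompt (reading the Security log requires it), and the account name shown; $days is a constructed window you can adjust.

```powershell
# Added example, not part of the Block 64 scripts: list where block_svc has logged on from
# recently, so an offboarding decision is based on observed use rather than assumption.
# Assumes an elevated prompt and that 'Audit Logon' success events are being recorded.

$account = "block_svc"
$days    = 30   # constructed look-back window

$filter = @{ LogName = "Security"; Id = 4624; StartTime = (Get-Date).AddDays(-$days) }
# Get-WinEvent raises an error when nothing matches; treat that as "no events"
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$logons = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    if ($data.TargetUserName -ne $account) { continue }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        LogonType = $data.LogonType   # 3 = network (WMI/SMB/WinRM), 2 = console, 10 = RDP
        Source    = $data.IpAddress
        Process   = $data.ProcessName
        AuthPkg   = $data.AuthenticationPackageName
    }
}

if (-not $logons) {
    Write-Host "No 4624 events for '$account' in the last $days days." -ForegroundColor Yellow
} else {
    $logons |
        Group-Object Source, LogonType |
        Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ n = "LastSeen"; e = { ($_.Group | Measure-Object Time -Maximum).Maximum } } |
        Format-Table -AutoSize
}
```

Logon type 3 from the Block 64 collector's address is the expected pattern for this account; any other source or logon type (interactive, RDP) is worth explaining before the account is removed, since it indicates the credential is being used outside its intended purpose.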

Reversion for Basic Script

✅ Use reversion scripts to safely remove block_svc, and undo TokenFilterPolicy.

# Elevate script if not already running as administrator
$windowsIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$windowsPrincipal = New-Object System.Security.Principal.WindowsPrincipal($windowsIdentity)
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

if (-not $windowsPrincipal.IsInRole($adminRole)) {
    $psi = New-Object System.Diagnostics.ProcessStartInfo "PowerShell"
    $psi.Arguments = "-ExecutionPolicy Bypass -File `"$PSCommandPath`""
    $psi.Verb = "runas"
    [System.Diagnostics.Process]::Start($psi)
    exit
}

Clear-Host
Write-Host "=== Block 64 Local Admin Rollback Basic Script ===" -ForegroundColor Cyan
Write-Host "This script will:" -ForegroundColor White
Write-Host "- Remove the 'block_svc' local user if present" -ForegroundColor White
Write-Host "- Remove the TokenFilterPolicy registry key if it exists" -ForegroundColor White
Read-Host "Press Enter to continue..."

# Remove user 'block_svc'
try {
    Remove-LocalUser -Name "block_svc" -ErrorAction Stop
    Write-Host "User 'block_svc' successfully removed." -ForegroundColor Green
} catch {
    Write-Host "User could not be removed or does not exist: $($_.Exception.Message)" -ForegroundColor Yellow
}

# Remove TokenFilterPolicy
try {
    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
        -Name "LocalAccountTokenFilterPolicy" -ErrorAction Stop
    Write-Host "TokenFilterPolicy registry key removed." -ForegroundColor Green
} catch {
    Write-Host "Registry key not found or could not be removed: $($_.Exception.Message)" -ForegroundColor Yellow
}

Write-Host "`n=== Rollback A completed ===" -ForegroundColor Cyan
Read-Host "Press Enter to exit..."



Reversion for Advanced Script

✅ Use reversion scripts to safely remove block_svc, undo TokenFilterPolicy, and (in Advanced Script) close firewall ports.

# Elevate script if not already running as administrator
$windowsIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$windowsPrincipal = New-Object System.Security.Principal.WindowsPrincipal($windowsIdentity)
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

if (-not $windowsPrincipal.IsInRole($adminRole)) {
    Write-Host "This script needs to be run as Administrator. Relaunching..." -ForegroundColor Yellow
    $psi = New-Object System.Diagnostics.ProcessStartInfo "PowerShell"
    $psi.Arguments = "-ExecutionPolicy Bypass -NoExit -File `"$PSCommandPath`""
    $psi.Verb = "runas"
    [System.Diagnostics.Process]::Start($psi)
    exit
}

Clear-Host
Write-Host "=== Block 64 Local Admin Rollback Advanced Script ===" -ForegroundColor Cyan
Write-Host "This script will:" -ForegroundColor White
Write-Host "- Remove the 'block_svc' local user if present" -ForegroundColor White
Write-Host "- Remove the TokenFilterPolicy registry key if it exists" -ForegroundColor White
Write-Host "- Disable firewall rules for WMI, RPC, SMB, and WinRM" -ForegroundColor White
Read-Host "Press Enter to continue..."

# Remove local user
try {
    Remove-LocalUser -Name "block_svc" -ErrorAction Stop
    Write-Host "User 'block_svc' successfully removed." -ForegroundColor Green
} catch {
    Write-Host "User could not be removed or does not exist: $($_.Exception.Message)" -ForegroundColor Yellow
}

# Remove TokenFilterPolicy
try {
    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
        -Name "LocalAccountTokenFilterPolicy" -ErrorAction Stop
    Write-Host "TokenFilterPolicy registry key removed." -ForegroundColor Green
} catch {
    Write-Host "Registry key not found or could not be removed: $($_.Exception.Message)" -ForegroundColor Yellow
}

# Detect system language for disabling appropriate rules
$culture = (Get-Culture).Name
Write-Host "`nSystem culture detected: $culture" -ForegroundColor Cyan

switch -Regex ($culture) {
    "^en" {
        $displayNames = @(
            "Windows Management Instrumentation (WMI-In)",
            "Remote Event Log Management (RPC)",
            "Remote Event Log Management (RPC-EPMAP)",
            "File and Printer Sharing (SMB-In)",
            "Windows Remote Management (HTTP-In)"
        )
    }
    "^es" {
        $displayNames = @(
            "Instrumental de administración de Windows (WMI de entrada)",
            "Administración remota de registro de eventos (RPC)",
            "Administración remota de registro de eventos (RPC-EPMAP)",
            "Compartir archivos e impresoras (SMB de entrada)",
            "Administración remota de Windows (HTTP de entrada)"
        )
    }
    "^pt" {
        $displayNames = @(
            "Instrumentação de Gerenciamento do Windows (WMI-In)",
            "Gerenciamento Remoto de Log de Eventos (RPC)",
            "Gerenciamento Remoto de Log de Eventos (RPC-EPMAP)",
            "Compartilhamento de Arquivos e Impressoras (SMB-In)",
            "Gerenciamento Remoto do Windows (HTTP-In)"
        )
    }
    default {
        Write-Host "Unsupported language '$culture'. Defaulting to English rules..." -ForegroundColor Yellow
        $displayNames = @(
            "Windows Management Instrumentation (WMI-In)",
            "Remote Event Log Management (RPC)",
            "Remote Event Log Management (RPC-EPMAP)",
            "File and Printer Sharing (SMB-In)",
            "Windows Remote Management (HTTP-In)"
        )
    }
}

# Disable the rules
Write-Host "`nDisabling firewall rules..." -ForegroundColor Cyan

foreach ($name in $displayNames) {
    try {
        Disable-NetFirewallRule -DisplayName $name -ErrorAction Stop
        Write-Host "Disabled rule: $name" -ForegroundColor Green
    } catch {
        Write-Host "Could not disable rule '$name': $($_.Exception.Message)" -ForegroundColor Yellow
    }
}

Write-Host "`n=== Rollback B completed ===" -ForegroundColor Cyan
Read-Host "Press Enter to exit..."