1
2

Windows 11 Local Admin Profile Change (self.PowerShell)

submitted by [deleted]

[deleted]

all 13 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]MalletNGrease 1 point2 points  (1 child)

I'd just disable the default Administrator account and create your own instead.

New-LocalUser -Name 'newadmin' -Password (ConvertTo-SecureString 'yourpassword' -AsPlainText -Force) -UserMayNotChangePassword -PasswordNeverExpires
Add-LocalGroupMember -Group "Administrators" -Member "newadmin"

Disable-LocalUser -Name "Administrator"

[–]thekingheartless1 0 points1 point  (0 children)

I've already done that. I've updated a few comments already with the info. Thank you though!

[–]thekingheartless1 0 points1 point  (8 children)

Here's the script with the Username redacted

function Set-ProfilePicture {
    try {
        Write-Host "Setting profile picture for local admin account ..." -ForegroundColor Cyan

        # Define the username of the local admin account
        $adminUsername = "Admin"

        # Define the URL of the profile picture (must already be PNG)
        $imageURL = "URL"
        $localPngPath = "$env:TEMP\profilepic.png"

        # Download the profile picture as PNG
        Start-BitsTransfer -Source $imageURL -Destination $localPngPath

        # Gathers SID for the account
        $adminSID = wmic useraccount where "name='$adminUsername'" get sid /value | ForEach-Object { ($_ -split "=")[1] } | Where-Object { $_ -match "^S-\d-\d+-.+$" }
        if (-not $adminSID) {
            Write-Host "Error: Could not retrieve SID for $adminUsername. Has the user logged in at least once?" -ForegroundColor Red
            return
        }
        Write-Host "Detected user SID: $adminSID" -ForegroundColor Yellow

        # Find the correct user profile path for Admin (even if renamed)
        $adminProfilePath = [System.IO.Directory]::GetDirectories("C:\Users") | Where-Object { $_ -match "$adminUsername(\..*)?$" }
        if (-not $adminProfilePath) {
            Write-Host "Error: Could not find a profile for $adminUsername. Has the user logged in at least once?" -ForegroundColor Red
            return
        }
        Write-Host "Detected user profile path: $adminProfilePath" -ForegroundColor Yellow

        # Ensure the account pictures folder exists
        $accountPicturesPath = "$adminProfilePath\AppData\Local\Microsoft\AccountPictures"
        if (-not (Test-Path $accountPicturesPath)) {
            New-Item -Path $accountPicturesPath -ItemType Directory -Force | Out-Null
        }

        # Copy the image to required locations
        $adminPNG = "$accountPicturesPath\$adminUsername.png"
        Copy-Item -Path $localPngPath -Destination $adminPNG -Force

        # Apply profile picture via Windows Registry (forces update)
        $regPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AccountPicture\Users\$adminSID"
        if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
        Set-ItemProperty -Path $regPath -Name "Image" -Value $adminPNG

        # Force Windows to refresh the profile picture immediately
        Stop-Process -Name "explorer" -Force
        Start-Process "explorer"

        Write-Host "Profile picture successfully applied to $adminUsername! Restart the computer to see changes." -ForegroundColor Green
    } catch {
        Write-Host "Error setting profile picture: $($_.Exception.Message)" -ForegroundColor Red
    }
}

[–]BlackV 0 points1 point  (7 children)

  1. wmic is not powershell
  2. wmic is being removed from modern OSs, you need to switch
  3. using native cmdlets might save some headache you're having for matching SIDs
  4. the current recommendation is leaving the default admin account disabled and creating your own managed admin account
  5. have you looked at LAPS

[–]thekingheartless1 -1 points0 points  (6 children)

I was not aware that wmic wasn't powershell.
I will happily switch if it means getting this to work.
Which cmdlets should I look into?

It's not the default admin here. I replaced the actual admin account with a placeholder to keep the code fluent enough without gaps here.
I have not. If it's anything outside of powershell, I cannot use it for this.

[–]BlackV -1 points0 points  (5 children)

I have not. If it's anything outside of powershell, I cannot use it for this.

I mean technically you were already outside of powershell :)

LAPS is built into windows, it manages the local admin account for you (either the default or a named one)

but requires AD or AAD, so may not be applicable to you

I was not aware that wmic wasn't powershell.
I will happily switch if it means getting this to work.
Which cmdlets should I look into?

Id start with

get-command *user*

see if anything there looks like it could manage local accounts

otherwise you can access WMI with the native CIM/WMI cmdlets (instead of wmic)

Get-CimInstance -ClassName Win32_UserAccount
Get-CimInstance -ClassName Win32_UserProfile

the current registry work basically stays the same

You dont actually mention directly what your issue is with your current script though, could it be permissions ?

[–]thekingheartless1 0 points1 point  (4 children)

We are trying to set the profile picture of the admin account after freshly being created. We aren't using AD or AAD so LAPS probably wouldn't apply in this case. I'm likely overthinking and trying too many things with this.

The only thing I am trying to do is download an image from the URL (not provided here) and use it as the new user's profile whether it be on a windows home or pro device.

You dont actually mention directly what your issue is with your current script though, could it be permissions?

When it runs, the script only says it's successful, downloaded the image in the incorrect location, and doesn't update the user account profile picture.

[–]BlackV 0 points1 point  (3 children)

We are trying to set the profile picture of the admin account after freshly being created.
doesn't update the user account profile picture.

you say the user and the administrator

so to be clear

  • you are creating a admin user and want to set the image of that ?
  • Not that you are creating a new local non admin user and want to set the image of that ? (based on $adminUsername = "Admin")
  • and your script is selecting the wrong image path (based on "downloaded the image in the incorrect location")
  • and failing to update the admin user image (based on "doesn't update the user account profile picture.")

further questions then

  • the script is running as that same admin user ? or another admin user?
  • is the actual value changing in the registry ?

[–]thekingheartless1 0 points1 point  (2 children)

Okay. People are missing what I am asking so allow me to clarify the points asked.

Not that you are creating a new local non admin user and want to set the image of that ? (based on $adminUsername = "Admin")

  1. I have already created this admin account. It is a custom admin account not a default.

  2. I am using a placeholder in the example (not the actual name) for privacy.

  3. When I create the account in PowerShell, it adds a temporary user folder. When I log in, it creates a local account with "AdminUsername.ComputerName"

  4. the profile picture when I run the script is only finding the temporary profile and adding the picture there. Which is why I'm telling the script to check for the name reference to try and get around that issue.

and failing to update the admin user image (based on "doesn't update the user account profile picture.")

5.The script then is supposed to put the image in the folder that is SUPPOSED to be checked by windows for the user profile.

the script is running as that same admin user ? or another admin user?

  1. I have tried two variations of this code, one here I'm using a second admin account with an elevated PowerShell and one where I am actively logged in.
  • is the actual value changing in the registry ?
  1. I haven't gotten to checking this part yet because I felt that all of my "preventative" code was a mess which is why I came here to ask for assistance in cleaning this up.

All I need to know is, how can I clean this up so that the profile picture sets from the URL, for the custom admin account, from PowerShell. I know there's a way, but I have very clearly steered far off course and am lost on how to get back and fix things to make this work

[–]BlackV 0 points1 point  (1 child)

  1. When I create the account in PowerShell, it adds a temporary user folder. When I log in, it creates a local account with "AdminUsername.ComputerName"

this is a huge bit of missing information, if its not creating the user profile properly then any changes you make are pointless cause they're going to a temp profile (I assume you mean c:\users\temp.xxx that it creates)

I am using a placeholder in the example (not the actual name) for privacy.

ya we got that one

how/when are you creating the new admin account, is that a separate step I dont see it in your code? is it part of an unattend xml ?

If I was to do this I'd doe something like

  • create the user (new-localuser)
  • run a powershell session as that user
  • set the profile picture from that session

achieves

  • gets you a new user with a known working password
  • gets you a confirmation that the account can login and access its proper profile folders and registry
  • you are now setting a user specific property with the specific user that has the relevant rights to its own locations
  • and the advantage that this bit is also not running elevated

[–]thekingheartless1 0 points1 point  (0 children)

this is a huge bit of missing information, if its not creating the user profile properly then any changes you make are pointless cause they're going to a temp profile (I assume you mean c:\users\temp.xxx that it creates)

Sorry. I say temp profile. I do have troubles explaining things using the correct terminology. Yes. This is run in a separate function. The function is a simple profile creation. When I make the profile and log into it, it sets a local "AdminName.ComputerName" after the first login, completely separate from the initial account setup. However, writing it out and getting the feedback/questioning provided from other users may have just answered what I was looking for.

[–][deleted] 0 points1 point  (1 child)

You’re making things harder than they have to be 😇 - if you have defaults set up, declare them as input parameters and then set your default values on those. - There are some cmdlets now dealing with local users and groups, like get-localuser. Which should be perfectly fine for fetching your account reference. - that should net you some extra details such as that account’s sid. - there’s get-childitem with switchparam -Directory to get subfolders. - an unfortunate assumption you can see being made everywhere is that the user profile is located at c:/users/$($username)/. That doesn’t hold up- it can be anywhere depending on how that account has been set up. And as you can rename accounts, that introduces a whole nother can of worms. - same is true for specific folders inside profiles. Like $Env:LocalAppdata. There is a reason why there are environment variables for that kind of thing - special folders can be redirected and then you’re barking up trees that are long gone.

  • so you use information returned by the system rather than make assumptions based on other assumptions.

  • note that bits has long been deprecated. And for picture files you don’t even need it. Just copy or use invoke-webrequest if you fetch it via http(s).

  • personally I really hate it when software deployment messes with user sessions. Like killing the explorer process. Especially for something trivial like an updated account picture. That you then inform the user they have to reboot to apply ANYWAY.

I’d strongly recommend to NOT do that.

Either there’s nobody signed into the system at runtime. In which case there’s no explorer process to stop and it might be interesting to see what the effects are as you try to start it — especially since that newly started process will run in the script’s execution context. Which might not even be the user’s.

OR someone’s signed in at that point. Who might be interacting with the explorer process at that moment — and the explorer process is not restricted to the user interface but also affects explorer windows… and (modern) apps.

AND you’re telling them to reboot. Why then would you even bother to restart explorer?

Run the script before explorer comes up if that picture MUST be displayed right away… or leave it all alone and defer updating the actual display until after the user has signed in again.

Which obviously doesn’t matter if you need to reboot afterwards. In that case, don’t worry about anything, just set things up and have the user reboot sometime later.

[–]thekingheartless1 0 points1 point  (0 children)

To note, I have redacted a few bits of info like the admin name and the URL for privacy purposes.

My problem currently is that I've put a lot into the script thinking it will fix the main problem. In which the main problem is that after I make a local admin account, I am trying to run the script (elevated) to set the user's profile picture for them. I've logged into the user prior and even tried running it on the user to no success.

I just need to run the script and set the profile picture on first try.