Windows Toolbox administration webpage
You can access the Windows Toolbox webpage by going to windows-toolbox.web.cern.ch or test-toolbox.web.cern.ch (the test one will have development features, but both share the same server/backend). Accessing this webpage requires two-factor authentication.
Replaces the old Windows Services.
Windows features
This webpage will allow users to:
- Get information about a Windows device
- Add/Remove local administrators
- Get LAPS or local password
- Get Bitlocker key
- Recreate your account
Usage restrictions
Local Admins
You have to be a NICE administrator
or
You have to be the manager of the device
or
You have to be in the win-users group
LAPS
You have to be a NICE administrator
or
You have to be the manager of the device
or
You have to be in the laps_retriever group
Bitlocker
You have to be a NICE administrator
or
You have to be the manager of the device
or
You have to be in the bitlocker_retriever group
Recreate computer account
You have to be a NICE administrator
or
You have to be the manager of the device
and for both cases
You need the password of the account to recreate
Remote Desktop features
This part of the webpage will allow users to:
- Get/set users which are allowed to remote login (under development)
- Log off remote sessions
Remote sessions administrator
You have to be in the remote-admins group
Remote Desktop and future features are under development
Alternatives & workarounds
Add a local admin account
The following command can be executed in an elevated PowerShell prompt, locally on the concerned machine, to add an account as an administrator:
Add-LocalGroupMember -Group "Administrators" -Member "<USERNAME>"
For this command to work, you have to be a local administrator on the machine.
The following command can be used to perform the same action remotely, from another machine inside the CERN network, in a PowerShell prompt logged in as a local administrator of the target machine:
Invoke-Command -ComputerName "<PCNAME>" -Command {Add-LocalGroupMember -Group "Administrators" -Member "<USERNAME>"}
Note, however, that WinRM must be correctly configured for the remote version to work. The winrm quickconfig command can be used for this purpose.
To see the list of administrators of a machine, use the following command:
Get-LocalGroupMember -Group "Administrators" | select Name
# or for executing remotely:
# Invoke-Command -ComputerName "<PCNAME>" -Command {Get-LocalGroupMember -Group "Administrators"} | select Name
Alternatively, the Edit local users and groups console (Run lusrmgr.msc) can be used locally on the machine.
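An added example, not part of the original page or of the Toolbox itself: it combines the Get-LocalGroupMember and Invoke-Command commands above to report members of the local Administrators group that are not on an expected list. The function name Get-UnexpectedLocalAdmin, the computer name and the expected account names are assumptions or placeholders.

```powershell
# Added example: flag local Administrators members that are not on an expected list.
# Function name, computer names and expected accounts are placeholders, not CERN values.
function Get-UnexpectedLocalAdmin {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        # Full names as Get-LocalGroupMember prints them, e.g. '<DOMAIN>\<USERNAME>'.
        # A leading '.\' stands for an account local to the machine being checked.
        [Parameter(Mandatory)][string[]]$Expected
    )
    # S-1-5-32-544 is the well-known SID of the built-in Administrators group,
    # so the query also works where the group name is localized.
    $query = {
        Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
            Select-Object Name, ObjectClass,
                @{ n = 'Source'; e = { "$($_.PrincipalSource)" } },
                @{ n = 'SID';    e = { $_.SID.Value } }
    }
    foreach ($computer in $ComputerName) {
        try {
            $members = if ($computer -eq $env:COMPUTERNAME) {
                & $query    # local query: WinRM is not needed
            } else {
                Invoke-Command -ComputerName $computer -ScriptBlock $query -ErrorAction Stop
            }
        } catch {
            # Unreachable host, WinRM not configured, or caller is not a local admin.
            Write-Warning "${computer}: query failed ($($_.Exception.Message))"
            continue
        }
        # Expand '.\name' to '<computer>\name'; -notcontains compares case-insensitively.
        $allowed = $Expected | ForEach-Object { $_ -replace '^\.\\', "$computer\" }
        foreach ($m in $members) {
            if ($allowed -notcontains $m.Name) {
                [pscustomobject]@{
                    Computer = $computer; Name = $m.Name
                    Class = $m.ObjectClass; Source = $m.Source; SID = $m.SID
                }
            }
        }
    }
}

# Constructed sample call; replace the placeholders before running.
Get-UnexpectedLocalAdmin -ComputerName '<PCNAME>' `
    -Expected '.\Administrator', '<DOMAIN>\Domain Admins', '<DOMAIN>\<USERNAME>'
```

An empty result means every member matched the expected list; a warning means the machine could not be queried and was not checked.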