BreakGlassAccounts.ps1 Hľadanie možných núdzových účtov (zvyčajne built-in adminov) a ich premenovanie na jednotné meno, aby boli účty rovnaké na všetkých serveroch.
			$builtInAdminName = 'admin' # name the built-in Administrator should end up with
# Candidate break-glass account names that may exist on a server.
$breakGlassAcc = 'adm_1', 'adm_2', 'adm_3', 'adm_4'
# Filled further down with the break-glass accounts actually found on this server.
$accountsToDisable = @()

# Working files handed to secedit: its security database and the INF template to import.
# NOTE(review): C:\temp may be writable by non-administrators while the INF is applied with
# elevated rights - consider a directory that only administrators can write to.
$secpolDbPath = 'c:\temp\secpol.sdb'
$secpolImpPath = 'C:\temp\secpolImp.inf'

$hostname = hostname
# True when the AD-Domain-Services feature is installed, i.e. the server is treated as a
# domain controller; the rename step further down is skipped in that case.
$isDC = (Get-WindowsFeature -Name 'AD-Domain-Services').Installed

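# Find the built-in administrator among the members of the local Administrators group.
# The filter drops blank lines and the trailing status line of 'net localgroup';
# -Skip 4 then drops the header lines that precede the member list.
$localAdmins = net localgroup administrators |
    Where-Object { $_ -and $_ -notmatch "command completed successfully" } |
    Select-Object -Skip 4

# Start from a known state so a missing match is detectable afterwards.
$builtinAdmin = $null
$localAdmins | ForEach-Object {
    # Fixed: the path previously used an undefined $user variable, so no group member was
    # ever inspected. $_ is the current member name.
    $localADSI = [ADSI]"WinNT://$hostname/$_, user"
    # NOTE(review): matching on the description only works while the text is the English
    # default; checking the account SID for the well-known RID 500 would be more reliable.
    if ($localADSI.description.value -match "built-in") {
        $builtinAdmin = $localADSI.name.value
    }
}

if ($builtinAdmin) {
    Write-Host "Built-in admin name is: $builtinAdmin"
}
else {
    Write-Warning "Built-in admin could not be identified among the local administrators"
}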

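# Work out which break glass accounts exist on this server and queue them for disabling.
if (-not $builtinAdmin) {
    # Fail closed: without knowing the built-in admin it cannot be excluded, and disabling
    # it together with the other accounts could leave the server without a usable admin.
    Write-Warning "Built-in admin not identified, no break glass account will be disabled"
}
else {
    # 'net user' prints several names per line in padded columns, so a "^name" match only
    # saw the first column and also accepted longer names sharing the prefix. Split the
    # output into individual names and compare them exactly instead.
    $localUserNames = net user |
        ForEach-Object { $_ -split '\s{2,}' } |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }

    foreach ($acc in $breakGlassAcc) {
        if ($acc -eq $builtinAdmin) { #skip built-in admin account, it must stay enabled
            continue
        }
        if ($localUserNames -contains $acc) {
            $accountsToDisable += $acc
        }
    }
}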
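# Disable every account queued in $accountsToDisable.
$accountsToDisable | ForEach-Object {
    $adsiUser = [ADSI]"WinNT://$hostname/$_, user"
    if (-not $adsiUser.Name) { #account is not present on this server
        Write-host "User $_ not found on server"
    }
    else {
        # 2 is the ACCOUNTDISABLE bit. OR it into the current value instead of assigning 2,
        # which would wipe every other flag already set on the account.
        $adsiUser.userflags = $adsiUser.userflags.value -bor 2
        $adsiUser.setinfo()
        Write-host "User $_ disabled"
    }
}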

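# Rename the built-in administrator through a local security policy import.
# Skipped on domain controllers (e.g. Hyper-V hosts): there the built-in account and the
# domain admin are the same, and a rename would cause a mismatch with login names.
if (-not $isDC) {
    if ($builtInAdminName -eq $builtinAdmin) {
        write-host "Built-in admin already with desired name, will not be renamed"
    }
    else {
        # Minimal secedit template that only sets NewAdministratorName.
        $secpolLines = @(
            "[Unicode]"
            "Unicode=yes"
            "[Version]"
            'signature="$CHICAGO$"'
            "Revision=1"
            "[System Access]"
            "NewAdministratorName = $builtInAdminName"
        )
        # Set-Content overwrites the file. Appending would merge leftovers from an earlier
        # run, or any content already placed at this path, into the policy that is applied.
        Set-Content -Path $secpolImpPath -Value $secpolLines

        # Call secedit directly rather than through Invoke-Expression, so the paths are
        # passed as arguments and never re-parsed as PowerShell code.
        $output = secedit /configure /db $secpolDbPath /cfg $secpolImpPath #applying new local policy
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "secedit returned exit code ${LASTEXITCODE}: $output"
        }
        else {
            write-host "Built-in admin renamed to $builtInAdminName"
        }
    }
}
else {
    write-host "Domain controller, built-in admin will not be renamed"
}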