How to create, change and remove local users or groups with PowerShell? , Ranjan.info

You can use the built-in PowerShell module, Microsoft.PowerShell.LocalAccounts, to manage local users and groups in Windows. This module allows you to create or delete local users and security groups, and add or remove users from groups. The module is available on Windows Server 2016 and Windows 10 and newer versions. In older versions of Windows, this module can be installed with Windows Management Framework 5.1 when you upgrade your PowerShell version.

There are 15 cmdlets in the LocalAccounts module. You can display a complete list of module cmdlets as follows:

Get-Command -Module Microsoft.PowerShell.LocalAccounts


  • Add-LocalGroupMember – Add a user to a local security group;
  • Disable-LocalUser – Disable a local user account;
  • Enable-LocalUser – Enable a local user account;
  • Get-LocalGroup – Get information about a local group;
  • Get-LocalGroupMember – View a list of members of a local group;
  • Get-LocalUser – Show information about a local user;
  • New-LocalGroup – Create a new local group;
  • New-LocalUser – Create a local user;
  • Remove-LocalGroup – Delete a local group;
  • Remove-LocalGroupMember – Remove a member from a local group;
  • Remove-LocalUser – Delete a local user;
  • Rename-LocalGroup – Rename a local group;
  • Rename-LocalUser – Change the name of a user;
  • Set-LocalGroup – Change group settings;
  • Set-LocalUser – Change user settings.

Let’s take a look at some specific tasks for managing local users and groups on a Windows computer using PowerShell cmdlets from the LocalAccounts module.

Previously, the Local Users and Groups graphical MMC snap-in (lusrmgr.msc) and the net user and net localgroup commands were commonly used to manage local users and groups in Windows.

Create a new local user with PowerShell

Use the New-LocalUser cmdlet to quickly create a new local user account in Windows:

New-LocalUser -Name "TestUser1" -FullName "Test User" -Description "User for tests"

If you omit the -Password parameter, the cmdlet prompts you to enter a password for the new user.

If you want to use the New-LocalUser cmdlet to automatically create new local users from a PowerShell script, you can predefine the default user’s password in the script code. The plaintext password must be converted to a secure string:

# <PlaintextPassword> is a placeholder: put the actual password here
$pass = ConvertTo-SecureString "<PlaintextPassword>" -AsPlainText -Force
New-LocalUser -Name TestUser2 -Password $pass

To add the user to the local Administrators group, run the command:

Add-LocalGroupMember -Group Administrators -Member TestUser2

You can also use the following options when creating a local Windows user account:

  • -AccountExpires – set the account expiration date, after which the account will be automatically deactivated (by default, New-LocalUser creates an account that does not expire);
  • -AccountNeverExpires
  • -Disabled – Disable account after creation;
  • -PasswordNeverExpires – Set the user’s password to never expire;
  • -UserMayNotChangePassword – User cannot change account password.

Use the New-ADUser cmdlet to create a new user in an Active Directory domain.
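The steps above (secure-string password, New-LocalUser options, Add-LocalGroupMember) combined into one script that creates a time-limited support account without leaving a plaintext password in the script file. This is an added example, not code from the original post; the account name TempSupport, the target group and the 14-day lifetime are assumptions.

```powershell
# Added example: create a temporary local account safely.
# Assumptions: account name 'TempSupport', group 'Remote Desktop Users', 14-day lifetime.

$Name  = 'TempSupport'
$Group = 'Remote Desktop Users'

# Read the password interactively as a SecureString, so it never appears in the
# script, the console history or a transcript file.
$pass = Read-Host -Prompt "Password for $Name" -AsSecureString

# New-LocalUser throws if the account already exists, so check first.
if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
    Write-Warning "Local user '$Name' already exists; leaving it unchanged."
}
else {
    $params = @{
        Name                     = $Name
        Password                 = $pass
        FullName                 = 'Temporary support account'
        Description              = "Created $(Get-Date -Format s); expires automatically"
        AccountExpires           = (Get-Date).AddDays(14)   # deactivated after two weeks
        UserMayNotChangePassword = $true
    }
    New-LocalUser @params -Verbose | Out-Null
}

# Add-LocalGroupMember errors on duplicates, so add only if not already a member.
# Local members are reported by Get-LocalGroupMember as COMPUTERNAME\user.
$members = Get-LocalGroupMember -Group $Group -ErrorAction Stop
if ($members.Name -notcontains "$env:COMPUTERNAME\$Name") {
    Add-LocalGroupMember -Group $Group -Member $Name -Verbose
}

# Verify the result; AccountExpires is the property worth checking.
Get-LocalUser -Name $Name | Select-Object Name, Enabled, AccountExpires, PasswordLastSet
```

Setting -AccountExpires on every temporary account means a forgotten support login switches itself off instead of staying usable indefinitely.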

Managing Local User Accounts in Windows via PowerShell

To list all local Windows users on the current computer, run:

Get-LocalUser


In this example, there are 6 local accounts on the computer, 4 of which are disabled (Enabled=False), including the built-in Windows Administrator.

To display all the properties of a local account (similar to the Get-ADUser cmdlet that is used to display information about AD domain users), run this command:

Get-LocalUser -Name root | Select-Object *

AccountExpires :
Description :
Enabled : True
FullName :
PasswordChangeableDate : 3/12/2019 10:14:29 PM
PasswordExpires :
UserMayChangePassword : True
PasswordRequired : False
PasswordLastSet : 3/11/2019 10:14:29 PM
LastLogon : 3/11/2019 4:18:17 PM
Name : root
SID : S-1-5-21-2605456602-2293283241-3832290805-1001
PrincipalSource : Local
ObjectClass : User

Note the PrincipalSource attribute. It contains the type of the user account and can be one of:

  • Local Windows user (PrincipalSource: Local)
  • Microsoft account (PrincipalSource: MicrosoftAccount)
  • Azure AD user (PrincipalSource: AzureAD)

To get the value of a specific user attribute, such as the last password change date:

Get-LocalUser -Name root | Select-Object PasswordLastSet


Use the following command to change a user’s password (this assumes you have already converted the new password to a SecureString, as shown above):

Set-LocalUser -Name john -Password $UserPassword -Verbose


To set the “password never expires” flag for a user, use the command (pass $False to clear the flag again):

Set-LocalUser -Name john -PasswordNeverExpires $True
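The attributes shown above (Enabled, PasswordExpires, PasswordRequired, PasswordLastSet) are enough to spot the local accounts that weaken a host: enabled accounts whose password never expires, needs no password, or has not been changed for a long time. The report below is an added example, not code from the original post; the 90-day threshold is an assumption.

```powershell
# Added example: local password hygiene report built from Get-LocalUser attributes.
# Assumption: passwords older than 90 days are worth flagging.

$MaxPasswordAgeDays = 90
$cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

$report = Get-LocalUser | ForEach-Object {
    $u = $_
    $findings = @()
    if ($u.Enabled) {
        # PasswordExpires is empty when the "password never expires" flag is set
        # (the root account in the output above is an example), so an empty value
        # on an enabled account is treated as non-expiring.
        if (-not $u.PasswordExpires)  { $findings += 'PasswordNeverExpires' }
        if (-not $u.PasswordRequired) { $findings += 'NoPasswordRequired' }
        if (-not $u.PasswordLastSet)  { $findings += 'PasswordNeverSet' }
        elseif ($u.PasswordLastSet -lt $cutoff) {
            $findings += "PasswordOlderThan${MaxPasswordAgeDays}Days"
        }
    }
    [PSCustomObject]@{
        Name            = $u.Name
        Enabled         = $u.Enabled
        PasswordLastSet = $u.PasswordLastSet
        PasswordExpires = $u.PasswordExpires
        Findings        = ($findings -join ', ')
    }
}

# Only accounts with at least one finding are shown; disabled accounts are skipped.
$report | Where-Object Findings | Format-Table -AutoSize

# Remediation for the first finding is the Set-LocalUser call from the text, e.g.:
# Set-LocalUser -Name <name> -PasswordNeverExpires $False
```

Disabled accounts are intentionally left out of the findings: a disabled account with a stale password is not a risk until someone re-enables it, which is the event to watch for instead.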

Disable local account:

Disable-LocalUser -Name john

Enable local user:

Enable-LocalUser -Name john

To remove a local user:

Remove-LocalUser -Name john -Verbose

How to create and manage local groups using PowerShell?

You can list the local groups on your Windows device using the command:

Get-LocalGroup


Let’s create a new local group:

New-LocalGroup -Name RemoteSupport -Description 'Remote Support Group'

Now let’s add some local accounts and a group of local administrators to the new group:

Add-LocalGroupMember -Group 'RemoteSupport' -Member ('john','root','Administrators') -Verbose


You can add a user to groups using the following pipeline (in this example, we’ll add the user to a local group that allows them to access the computer’s desktop remotely over RDP):

Get-LocalUser -Name TestUser2 | Add-LocalGroupMember -Group 'Remote Desktop Users'

Display a list of users in a local group:

Get-LocalGroupMember -Group 'RemoteSupport'

If your computer is joined to an AD domain, you can also add domain accounts and groups to local groups. Use the syntax domainname\johnhl or 'domainname\Domain Admins' (quote the name when it contains spaces).

You can add not only local accounts (PrincipalSource – Local), but also domain accounts (Domain), Microsoft accounts (MicrosoftAccount), and Azure accounts (AzureAD) to local groups.


Use the following syntax to add a Microsoft account or Azure AD user to a local group (the addresses are placeholders; use the account’s sign-in name):

Add-LocalGroupMember -Group 'RemoteSupport' -Member ('MicrosoftAccount\user@example.com','AzureAD\user@example.com') -Verbose

To list the local groups that a specific user is a member of, run the following script (it checks the user’s membership in each local group in turn; Get-LocalGroupMember throws an error when the user is not a member, which -ErrorAction SilentlyContinue suppresses):

$user = "john"
foreach ($LocalGroup in Get-LocalGroup)
{
    if (Get-LocalGroupMember $LocalGroup -Member $user -ErrorAction SilentlyContinue)
    {
        $LocalGroup.Name
    }
}

To remove a user from a group, execute the command:

Remove-LocalGroupMember -Group 'RemoteSupport' -Member john

To manage local users on a remote computer, you can connect to the computer through WinRM by using the Invoke-Command or Enter-PSSession cmdlets.

For example, you may want to get a list of accounts in a local group on a remote computer:

$winrm_ssn = New-PSSession -ComputerName Lon-Srv01,Lon-Srv02,Lon-Srv03
Invoke-Command -ScriptBlock {Get-LocalGroupMember -Group 'RemoteSupport'} -Session $winrm_ssn -HideComputerName | Select-Object * -ExcludeProperty RunspaceId | Out-GridView -Title "LocalAdmins"
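The membership script above answers "which groups is this user in?"; the question an administrator more often needs is the reverse, "who is in the privileged groups, and should they be?". The function below walks the sensitive local groups, resolves local members to check whether they are disabled, flags non-local principals (Domain, AzureAD, MicrosoftAccount) for review, and is then shipped to remote hosts with Invoke-Command exactly as the WinRM example above does. This is an added example, not code from the original post; the group list and the computer names Lon-Srv01 and Lon-Srv02 are assumptions.

```powershell
# Added example: audit privileged local group membership, locally and over WinRM.
# Assumptions: the three groups below are the ones of interest; Lon-Srv01/02 are reachable.

function Get-PrivilegedLocalGroupReport {
    param(
        [string[]]$Groups = @('Administrators', 'Remote Desktop Users', 'Remote Management Users')
    )
    foreach ($g in $Groups) {
        # Get-LocalGroupMember throws if the group does not exist on this host; skip it.
        $members = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            # Only local users can be resolved here; other principal sources are
            # reported with a note so they can be checked against the directory.
            $enabled = $null
            if ($m.PrincipalSource -eq 'Local' -and $m.ObjectClass -eq 'User') {
                $enabled = (Get-LocalUser -SID $m.SID -ErrorAction SilentlyContinue).Enabled
            }
            $note = ''
            if ($m.PrincipalSource -ne 'Local') { $note = 'non-local principal: verify' }
            elseif ($enabled -eq $false)        { $note = 'disabled account still a member' }

            [PSCustomObject]@{
                Group           = $g
                Member          = $m.Name
                ObjectClass     = $m.ObjectClass
                PrincipalSource = $m.PrincipalSource
                Enabled         = $enabled
                Note            = $note
            }
        }
    }
}

# Local run.
Get-PrivilegedLocalGroupReport | Format-Table -AutoSize

# Remote run: the function body is sent as the script block, so nothing has to be
# installed on the targets. Invoke-Command tags each returned object with PSComputerName.
$computers = 'Lon-Srv01', 'Lon-Srv02'
$report = Invoke-Command -ComputerName $computers -ScriptBlock ${function:Get-PrivilegedLocalGroupReport}
$report |
    Select-Object PSComputerName, Group, Member, PrincipalSource, Enabled, Note |
    Sort-Object PSComputerName, Group |
    Format-Table -AutoSize
```

Running this on a schedule and diffing the output against the previous run turns it into a simple detection for unexpected additions to Administrators or Remote Desktop Users.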
