To manage local users and groups in Windows, you can use the built-in PowerShell module Microsoft.PowerShell.LocalAccounts. This module allows you to create or delete local users, create new security groups, and add users to them. The module is available in all versions of Windows starting with Windows Server 2016 and Windows 10. In earlier Windows versions, the module becomes available after installing Windows Management Framework 5.1, which updates PowerShell to version 5.1.
To list all cmdlets in the LocalAccounts module, run:
Get-Command -Module Microsoft.PowerShell.LocalAccounts
Microsoft.PowerShell.LocalAccounts Module
– Add-LocalGroupMember — Add a user to a local group
– Disable-LocalUser — Disable a local user account
– Enable-LocalUser — Enable a user account
– Get-LocalGroup — Retrieve information about a local group
– Get-LocalGroupMember — List users in a local group
– Get-LocalUser — Retrieve information about a local user
– New-LocalGroup — Create a new local group
– New-LocalUser — Create a new user
– Remove-LocalGroup — Delete a group
– Remove-LocalGroupMember — Remove a member from a group
– Remove-LocalUser — Delete a user
– Rename-LocalGroup — Rename a group
– Rename-LocalUser — Rename a user
– Set-LocalGroup — Modify a group
– Set-LocalUser — Modify a user
Below, we explore common tasks for managing local users and groups on a Windows computer using cmdlets from the LocalAccounts module.
Creating a New Local User with PowerShell
To create a new user, run:
New-LocalUser -Name "TestUser1" -FullName "Test User" -Description "User for tests"
To create a user and set a password in the same step, first convert the password to a SecureString and pass it to the -Password parameter:
$pass = ConvertTo-SecureString "softcomputers@ss321!" -AsPlainText -Force
New-LocalUser -Name TestUser2 -Password $pass
To add the user to the local Administrators group immediately:
Add-LocalGroupMember -Group Administrators -Member TestUser2
Additional parameters can be used when creating a user:
– AccountExpires — Sets an expiration date for the account, after which it is automatically disabled (by default, New-LocalUser creates accounts without expiration).
– AccountNeverExpires — Specifies that the account never expires.
– Disabled — Disables the account immediately after creation.
– PasswordNeverExpires — Sets the password to never expire, eliminating the need for periodic changes.
– UserMayNotChangePassword — Prevents the user from changing their password.
To create a new user in an Active Directory domain, use the New-ADUser cmdlet.
Managing Local Windows Users with PowerShell
To list all local users on the current computer:
Get-LocalUser
To display all properties of a specific local user:
Get-LocalUser -Name 'root' | Select-Object *
Note the PrincipalSource attribute, which indicates the account type:
– Local Windows user – (PrincipalSource: Local)
– Microsoft account – (PrincipalSource: MicrosoftAccount)
– Azure AD account – (PrincipalSource: AzureAD)
To retrieve a specific attribute, such as the last password change time:
Get-LocalUser -Name 'root' | Select-Object PasswordLastSet
To change an existing user’s password (the -Password parameter expects a SecureString, so prompt for it or convert it first):
$UserPassword = Read-Host -AsSecureString "Enter the new password"
Set-LocalUser -Name TestUser2 -Password $UserPassword -Verbose
To set the “Password never expires” flag:
Set-LocalUser -Name TestUser2 -PasswordNeverExpires $True
To disable a user account:
Disable-LocalUser -Name TestUser2
To enable a user account:
Enable-LocalUser -Name TestUser2
To delete a local user:
Remove-LocalUser -Name TestUser2 -Verbose
Managing Local Groups with PowerShell
To list all local groups on the computer:
Get-LocalGroup
To create a new group:
New-LocalGroup -Name 'RemoteSupport' -Description 'Remote Support Group'
To add users and the local Administrators group to the new group:
Add-LocalGroupMember -Group 'RemoteSupport' -Member ('SIvanov','root', 'Administrators') -Verbose
To add a user to the local group for RDP access:
Get-LocalUser -Name TestUser2 | Add-LocalGroupMember -Group 'Remote Desktop Users'
To list users in a local group:
Get-LocalGroupMember -Group 'RemoteSupport'
Local groups can include not only local accounts (PrincipalSource: Local) but also domain accounts (domain), Microsoft accounts (MicrosoftAccount), and Azure AD accounts (AzureAD).
To add a Microsoft or Azure AD user to a local group:
Add-LocalGroupMember -Group 'RemoteSupport' -Member ('MicrosoftAccount\SomeAccount@outlook.com','AzureAD\itpro@winitpro.ru') -Verbose
Script to list all local groups a user belongs to:
foreach ($LocalGroup in Get-LocalGroup) {
    if (Get-LocalGroupMember -Group $LocalGroup -Member 'sivanov' -ErrorAction SilentlyContinue) {
        $LocalGroup.Name
    }
}
To remove a user from a group:
Remove-LocalGroupMember -Group 'RemoteSupport' -Member 'testuser2'
Managing Local Users on a Remote Computer
Connect to a remote computer via WinRM using the Invoke-Command or Enter-PSSession cmdlets. Example command to retrieve the list of accounts in a local group on remote computers:
$s = New-PSSession -ComputerName pc01,pc02,pc03
Invoke-Command -ScriptBlock {Get-LocalGroupMember -Group 'RemoteSupport'} -Session $s -HideComputerName | Select-Object * -ExcludeProperty RunspaceId | Out-GridView -Title "LocalAdmins"
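The group-membership and remote-management commands above can be combined into a small audit of the local Administrators group. The following function is an added example, not code from the original article: it runs on one or more computers over WinRM, lists every member of Administrators with its ObjectClass and PrincipalSource, flags members that are not in an assumed baseline list, and, for local user accounts, adds the Enabled, PasswordLastSet and PasswordExpires properties from Get-LocalUser. The computer names and the baseline list are placeholders.

```powershell
# Added example: audit members of the local Administrators group on remote computers.
# Assumes WinRM is enabled on the targets and the caller is an administrator there.
function Get-LocalAdminAudit {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        # Assumed baseline of member names (without the domain/computer prefix)
        [string[]]$ExpectedMembers = @('Administrator', 'Domain Admins')
    )
    $script = {
        param($Expected)
        foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
            # Member names look like 'PC01\Administrator' or 'DOMAIN\Domain Admins'
            $shortName = $m.Name.Split('\')[-1]
            $info = [ordered]@{
                Computer        = $env:COMPUTERNAME
                Member          = $m.Name
                ObjectClass     = $m.ObjectClass      # User or Group
                PrincipalSource = $m.PrincipalSource  # Local, ActiveDirectory, MicrosoftAccount, AzureAD
                Unexpected      = ($Expected -notcontains $shortName)
                Enabled         = $null
                PasswordLastSet = $null
                PasswordExpires = $null               # $null means no expiry date is set
            }
            # Only local user accounts can be enriched with Get-LocalUser properties
            if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'Local') {
                $u = Get-LocalUser -Name $shortName -ErrorAction SilentlyContinue
                if ($u) {
                    $info.Enabled         = $u.Enabled
                    $info.PasswordLastSet = $u.PasswordLastSet
                    $info.PasswordExpires = $u.PasswordExpires
                }
            }
            [pscustomobject]$info
        }
    }
    # Pass the baseline as a single array argument to the remote script block
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $script -ArgumentList (,$ExpectedMembers) |
        Select-Object * -ExcludeProperty RunspaceId, PSComputerName
}

# Show only members that are outside the baseline (placeholder computer names)
Get-LocalAdminAudit -ComputerName 'pc01','pc02' | Where-Object Unexpected | Format-Table -AutoSize
```

Drop the Where-Object filter to review the full membership, or pipe the output to Export-Csv to keep a dated record for comparison with later runs.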
These commands and scripts enable efficient management of users and groups in Windows using PowerShell, automating administrative tasks and enhancing network security.