Windows OS Hub

April 6, 2019 | PowerShell, Windows 10, Windows Server 2016

Managing Local Users and Groups with PowerShell

Recently Microsoft added a standard PowerShell module for managing Windows local users and groups, called Microsoft.PowerShell.LocalAccounts. Earlier you had to download this module and import it into PowerShell manually. Now the LocalAccounts module is available by default in Windows Server 2016 and Windows 10 as part of PowerShell 5.1. To use it in earlier Windows versions, you must install Windows Management Framework 5.1.

Contents:
  • LocalAccounts PowerShell Module
  • How to Manage Windows Local Users with PowerShell?
  • How to Manage Windows Local Groups Using PowerShell?

LocalAccounts PowerShell Module

There are 15 cmdlets in the LocalAccounts module. You can display the full list of module cmdlets as follows:

Get-Command -Module Microsoft.PowerShell.LocalAccounts


  1. Add-LocalGroupMember – add a user to a local group;
  2. Disable-LocalUser – disable a local user account;
  3. Enable-LocalUser – enable (unlock) an account;
  4. Get-LocalGroup – get information about a local group;
  5. Get-LocalGroupMember – display the list of users in a local group;
  6. Get-LocalUser – show information about a local user;
  7. New-LocalGroup – create a new local group;
  8. New-LocalUser – create a local user;
  9. Remove-LocalGroup – delete a local group;
  10. Remove-LocalGroupMember – remove a member from a local group;
  11. Remove-LocalUser – delete a local user;
  12. Rename-LocalGroup – rename a local group;
  13. Rename-LocalUser – rename a user;
  14. Set-LocalGroup – modify group settings;
  15. Set-LocalUser – modify user settings.

Let’s consider some typical tasks to manage local users or groups using PowerShell cmdlets of the LocalAccounts module on a computer running Windows 10.

How to Manage Windows Local Users with PowerShell?

Display the list of existing local users in Windows:

Get-LocalUser


As you can see, there are 6 local user accounts on the computer, and 4 of them are disabled (Enabled=False).

To display all properties of a local account (similar to Get-ADUser cmdlet used to display information about AD domain users), run this command:

Get-LocalUser -Name root | Select-Object *

AccountExpires :
Description :
Enabled : True
FullName :
PasswordChangeableDate : 3/12/2019 10:14:29 PM
PasswordExpires :
UserMayChangePassword : True
PasswordRequired : False
PasswordLastSet : 3/11/2019 10:14:29 PM
LastLogon : 3/11/2019 4:18:17 PM
Name : root
SID : S-1-5-21-2605456602-2293283241-3832290805-1001
PrincipalSource : Local
ObjectClass : User

To get a specific user attribute, such as the last password change date, run this command:

Get-LocalUser -Name root | Select-Object PasswordLastSet


Let’s create a new local user with the New-LocalUser cmdlet. This cmdlet allows you to create the following types of accounts:

  • Windows local accounts;
  • Microsoft accounts;
  • Azure AD accounts.

When creating a user account with the New-LocalUser cmdlet, you can’t specify the user password in plain text as the Password argument. You must request the password interactively and convert it to the secure string in advance:

$UserPassword = Read-Host -AsSecureString

Or specify the password directly in the PowerShell console:

# Single quotes are required: in a double-quoted string PowerShell would expand $$ as an automatic variable
$UserPassword = ConvertTo-SecureString 'H1PH0Ppa$$' -AsPlainText -Force
New-LocalUser John -Password $UserPassword -FullName "John Lennon" -Description "Local Account for Remote Access"

To create a user in the AD domain, use the New-ADUser cmdlet.

To change the user’s password, use the Set-LocalUser cmdlet (we assume that you have already converted the new password into a SecureString):

Set-LocalUser -Name john -Password $UserPassword -Verbose


To set the “Password never expires” flag, run this command:

Set-LocalUser -Name john -PasswordNeverExpires $True

As you can see, you don’t need to convert the UserAccountControl value as you do when managing AD user object properties.

As you remember, you can log in to Windows 10 using your Microsoft account. If you have to create a new user that logs in with a Microsoft account, run this command. (Please note that you don’t need to specify an account password, since it is stored by Microsoft.)

New-LocalUser -Name "MicrosoftAccount\woshub@outlook.com" -Description "This is a Microsoft account"

To create a local account related to your Azure AD account (for example, you are using Office 365), run the following command:

New-LocalUser -Name "AzureAD\admin@woshub.com" -Description "This is an Azure AD account"

To remove a local user:

Remove-LocalUser -Name john -Verbose

How to Manage Windows Local Groups Using PowerShell?

Now display the list of local groups on your computer:

Get-LocalGroup


Create a new group:

New-LocalGroup -Name RemoteSupport -Description 'Remote Support Group'

Add some local accounts and the group of local administrators to the new group:

Add-LocalGroupMember -Group 'RemoteSupport' -Member ('john','root','Administrators') -Verbose

Tip. How to create, remove or add users to the AD domain groups can be found in the article Managing Active Directory Groups Using PowerShell.

If your computer is joined to an AD domain, you can add domain accounts and groups to your local group. To do so, specify them in the following format: DomainName\jonhl or DomainName\'domain admins'.


You can also add a user to groups using the following pipeline (we will add a user to the local administrators group):

Get-LocalUser -Name john | Add-LocalGroupMember -Group 'Administrators'

Display the list of users in a local group:

Get-LocalGroupMember -Group 'RemoteSupport'

As you can see, we are using only local accounts (PrincipalSource – Local). However, domain accounts (domain), Microsoft accounts (MicrosoftAccount) or Azure accounts (AzureAD) can also be used.


To display the list of groups a specific user is a member of, you have to check every local group on the computer:

# Check each local group for the user; groups without the user return an error, which is suppressed
foreach ($LocalGroup in Get-LocalGroup)
{
    if (Get-LocalGroupMember -Group $LocalGroup -Member john -ErrorAction SilentlyContinue)
    {
        $LocalGroup.Name
    }
}
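
The per-user membership loop above, generalized into one audit pass over all local accounts (an added example, not code from the article): it combines the Get-LocalUser properties shown earlier, such as PasswordRequired and PasswordExpires, with direct group membership. The function name, the finding labels and the choice of privileged groups are assumptions.

```powershell
# Added example, not the article's code. Get-LocalAccountAudit and the
# finding labels are hypothetical names.
function Get-LocalAccountAudit {
    param(
        # Well-known SIDs: BUILTIN\Administrators and BUILTIN\Remote Desktop Users.
        [string[]]$PrivilegedGroupSid = @('S-1-5-32-544', 'S-1-5-32-555')
    )

    # One pass over all local groups builds a map: member SID -> groups.
    $membership = @{}
    foreach ($group in Get-LocalGroup) {
        try   { $members = Get-LocalGroupMember -Group $group -ErrorAction Stop }
        catch { Write-Warning "Cannot enumerate '$($group.Name)': $_"; continue }
        foreach ($member in $members) {
            $sid = $member.SID.Value
            if (-not $membership.ContainsKey($sid)) { $membership[$sid] = @() }
            $membership[$sid] += $group
        }
    }

    foreach ($user in Get-LocalUser) {
        $groups = @()
        if ($membership.ContainsKey($user.SID.Value)) { $groups = $membership[$user.SID.Value] }

        # Only enabled accounts can be used to log on, so only they get findings.
        $findings = @()
        if ($user.Enabled) {
            if (-not $user.PasswordRequired)     { $findings += 'PasswordNotRequired' }
            if ($null -eq $user.PasswordExpires) { $findings += 'NoPasswordExpiry' }
            if ($groups | Where-Object { $PrivilegedGroupSid -contains $_.SID.Value }) {
                $findings += 'Privileged'
            }
        }

        [pscustomobject]@{
            Name            = $user.Name
            Enabled         = $user.Enabled
            PasswordLastSet = $user.PasswordLastSet
            LastLogon       = $user.LastLogon
            Groups          = ($groups.Name | Sort-Object) -join ', '
            Findings        = $findings -join ', '
        }
    }
}

Get-LocalAccountAudit | Sort-Object Name | Format-Table -AutoSize
```

Only direct membership is evaluated: a user who is privileged through a domain group that is itself a member of Administrators is not flagged.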

To remove a user from a group, run this command:

Remove-LocalGroupMember -Group 'RemoteSupport' -Member john

To manage local users on a remote computer, connect to it using WinRM and run Invoke-Command or Enter-PSSession cmdlets.

For example, you need to create a list of accounts in a local group on remote computers:

$winrm_ssn = New-PSSession -ComputerName Lon-Srv01,Lon-Srv02,Lon-Srv03
Invoke-Command -ScriptBlock {Get-LocalGroupMember -Group 'RemoteSupport'} -Session $winrm_ssn -HideComputerName | Select-Object * -ExcludeProperty RunspaceID | Out-GridView -Title "LocalAdmins"
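
A variation on the remote query above that keeps the computer name and reports only members of the local Administrators group that are not on an approved list (an added example, not code from the article). The function name, the approved list and the CORP domain are hypothetical; the computer names are the ones used above.

```powershell
# Added example, not the article's code. Find-UnapprovedAdmin and the
# -Approved values are hypothetical.
function Find-UnapprovedAdmin {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        # Approved principals: bare names for local accounts, DOMAIN\name otherwise.
        [Parameter(Mandatory)][string[]]$Approved
    )

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the
    # query also works where the group name is localized.
    $members = Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ErrorVariable failed -ScriptBlock {
        Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
            # Flatten to strings so the values survive remoting serialization.
            [pscustomobject]@{
                Name   = $_.Name
                Class  = "$($_.ObjectClass)"
                Source = "$($_.PrincipalSource)"
            }
        }
    }

    foreach ($m in $members) {
        # Local principals are reported as COMPUTER\name; compare the account part only.
        $key = if ($m.Source -eq 'Local') { ($m.Name -split '\\', 2)[-1] } else { $m.Name }
        if ($Approved -notcontains $key) {
            [pscustomobject]@{
                Computer = $m.PSComputerName   # added by Invoke-Command to each result
                Member   = $m.Name
                Class    = $m.Class
                Source   = $m.Source
            }
        }
    }

    # Hosts that could not be queried are reported, not silently dropped.
    foreach ($e in $failed) {
        Write-Warning "No result: $($e.TargetObject) - $($e.Exception.Message)"
    }
}

Find-UnapprovedAdmin -ComputerName Lon-Srv01, Lon-Srv02, Lon-Srv03 -Approved 'Administrator', 'CORP\Domain Admins'
```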
