How to Add, Delete and Change Local Users and Groups with PowerShell

To help admins manage local users and groups with PowerShell more easily, Microsoft provides a cmdlet collection called Microsoft.PowerShell.LocalAccounts. Previously, you had to download and import it into PowerShell explicitly, and also install Windows Management Framework 5.1; in the Windows Server 2016 and Windows 10 operating systems, the cmdlet collection is included as a standard module.

There are 15 cmdlets in the LocalAccounts module. You can view the full list by running the following command:

Get-Command -Module Microsoft.PowerShell.LocalAccounts


  • Add-LocalGroupMember — Add a user or group to a local group
  • Disable-LocalUser — Disable a local user account
  • Enable-LocalUser — Enable a local user account
  • Get-LocalGroup — View the properties of local groups
  • Get-LocalGroupMember — View the list of all members of a local group
  • Get-LocalUser — View the properties of local user accounts
  • New-LocalGroup — Create a new local group
  • New-LocalUser — Create a new local user account
  • Remove-LocalGroup — Remove a local group
  • Remove-LocalGroupMember — Remove a member from a local group
  • Remove-LocalUser — Remove a local user account
  • Rename-LocalGroup — Rename a local group
  • Rename-LocalUser — Rename a local user account
  • Set-LocalGroup — Change the settings of a local group
  • Set-LocalUser — Change the account settings of a local user

Managing Local User Accounts with PowerShell

Let’s see how you can use these commands to perform common tasks related to managing local users on a Windows 10 computer.

Listing users and their properties with PowerShell

First, let’s get a list of all local user accounts on the machine. We’ll use the Get-LocalUser cmdlet:

Get-LocalUser


As you can see, we have two local user accounts, and one of them is disabled (the one that has “False” in the “Enabled” column).

If you want to output all the properties and their values for a local user account, pipe the output of Get-LocalUser to Select-Object with the wildcard * (by default only Name, Enabled and Description are displayed):

Get-LocalUser -Name 'guest' | Select-Object *


To get the value of a particular local user account attribute, pass its name to the Select-Object cmdlet. In this example, we want to know the value of the PasswordLastSet attribute for the account with the username "administrator":

Get-LocalUser -Name 'administrator' | Select-Object PasswordLastSet
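The properties shown above (Enabled, PasswordRequired, PasswordExpires, PasswordLastSet, LastLogon, SID) are exactly what an auditor or a pentester looks at first. The function below is an added example, not code from the original article: it walks every local account and flags the settings that usually end up as findings. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on a machine with the LocalAccounts module; the 90-day thresholds are illustrative defaults, not a policy the article states.

```powershell
# Added example (not from the original article): review every local account for
# settings that commonly turn into findings on a pentest or an audit.
# Assumptions: elevated session with the Microsoft.PowerShell.LocalAccounts module;
# the 90-day thresholds below are illustrative, not a stated policy.
function Get-LocalUserRiskReport {
    [CmdletBinding()]
    param(
        [int]$MaxPasswordAgeDays = 90,   # flag passwords older than this
        [int]$StaleLogonDays     = 90    # flag enabled accounts unused for this long
    )

    $now = Get-Date
    foreach ($u in Get-LocalUser) {
        $findings = New-Object System.Collections.Generic.List[string]

        # RID 500 is the built-in Administrator and RID 501 the built-in Guest,
        # no matter what the accounts have been renamed to.
        $rid = [int](($u.SID.Value -split '-')[-1])
        if ($rid -eq 500 -and $u.Enabled) { $findings.Add('built-in Administrator enabled') }
        if ($rid -eq 501 -and $u.Enabled) { $findings.Add('built-in Guest enabled') }

        if ($u.Enabled -and -not $u.PasswordRequired) { $findings.Add('password not required') }

        # PasswordExpires is $null when "Password never expires" is set.
        if ($u.Enabled -and $null -eq $u.PasswordExpires) { $findings.Add('password never expires') }

        if ($u.Enabled -and $u.PasswordLastSet) {
            $age = ($now - $u.PasswordLastSet).Days
            if ($age -gt $MaxPasswordAgeDays) { $findings.Add("password age $age days") }
        }

        if ($u.Enabled -and $u.LastLogon) {
            $idle = ($now - $u.LastLogon).Days
            if ($idle -gt $StaleLogonDays) { $findings.Add("no logon for $idle days") }
        }

        [pscustomobject]@{
            Name            = $u.Name
            SID             = $u.SID.Value
            Enabled         = $u.Enabled
            PasswordLastSet = $u.PasswordLastSet
            LastLogon       = $u.LastLogon
            Findings        = ($findings -join '; ')
        }
    }
}

# Usage: show only the accounts that produced at least one finding.
Get-LocalUserRiskReport | Where-Object Findings | Format-Table -AutoSize
```

Matching on the RID rather than on the name matters because renaming the built-in Administrator is a common hardening step and the display name is localized; the SID suffix is stable across both.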


Creating a local user with PowerShell

Let’s create a new user with the help of the New-LocalUser cmdlet. This cmdlet can create the following types of user accounts:

  • Windows local user accounts
  • Microsoft accounts
  • Azure Active Directory accounts

When creating a local user account, never pass the password as a plain-text string; always supply it as a SecureString, either by reading it interactively with Read-Host -AsSecureString or by converting it with ConvertTo-SecureString. Avoid the common shortcut ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force with a literal password on the command line: the literal ends up in the script file, in the PSReadLine command history and in any PowerShell transcript. Here's the command for creating a new local user account:

$UserPassword = Read-Host -AsSecureString
New-LocalUser "Netwrix" -Password $UserPassword -FullName "Netwrix" -Description "CompleteVisibility"

In a Windows 10 environment, users can sign in with their Microsoft accounts, so we can create a new local user account that is bound to a Microsoft account's credentials. Use the following command to do this (note that you don't need to type in a password because authentication is handled by the Microsoft account in the cloud):

New-LocalUser -Name "MicrosoftAccount\SomeAccount@outlook.com" -Description "Microsoft Account"

In order to create a local account that binds to your Azure AD, use the following command:

New-LocalUser -Name "AzureAD\Netwrix@enterprise.com" -Description "Azure AD Account"
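A frequent real-world variant of the creation step is a temporary account for a contractor or a break-glass exercise, where the password has to be generated by the script rather than typed. The function below is an added example, not code from the original article: it builds a random password directly into a SecureString from a CSPRNG (so no plain-text copy of it ever exists as a string), creates the account with an expiry date, and verifies the result instead of assuming the call succeeded. It assumes an elevated session; the account name 'tmp-vendor' and the 8-hour lifetime are placeholders for this example.

```powershell
# Added example (not from the original article): create a time-boxed local account
# with a random password that is never held as a plain-text string.
# Assumptions: elevated session; 'tmp-vendor' and the 8-hour lifetime are placeholders.
function New-TemporaryLocalUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Description = 'Temporary local account',
        [int]$LifetimeHours  = 8,
        [int]$PasswordLength = 20
    )

    # Build the password straight into a SecureString from a CSPRNG. Rejection
    # sampling keeps the selection unbiased, since 256 is not a multiple of the
    # alphabet size. The alphabet omits look-alike characters (0/O, 1/l/I).
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $limit    = 256 - (256 % $alphabet.Length)
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $password = New-Object System.Security.SecureString
    $byte     = New-Object byte[] 1
    while ($password.Length -lt $PasswordLength) {
        $rng.GetBytes($byte)
        if ($byte[0] -lt $limit) {
            $password.AppendChar($alphabet[$byte[0] % $alphabet.Length])
        }
    }
    $rng.Dispose()
    $password.MakeReadOnly()

    $expires = (Get-Date).AddHours($LifetimeHours)
    $null = New-LocalUser -Name $Name -Password $password -Description $Description `
        -AccountExpires $expires -UserMayNotChangePassword -PasswordNeverExpires:$false

    # Verify what actually landed rather than trusting the call succeeded silently.
    $check = Get-LocalUser -Name $Name
    if (-not $check.Enabled -or -not $check.AccountExpires -or
        $check.AccountExpires -gt $expires.AddMinutes(1)) {
        throw "Account '$Name' was not created with the expected settings."
    }

    # Hand the credential back as a PSCredential; the caller decides how to deliver it.
    New-Object System.Management.Automation.PSCredential ($Name, $password)
}

# Usage: create the account, then pass the credential to the requester out of band.
$cred = New-TemporaryLocalUser -Name 'tmp-vendor' -Description 'Vendor access, expires today'
Get-LocalUser -Name 'tmp-vendor' | Select-Object Name, Enabled, AccountExpires, PasswordExpires
```

Two caveats: New-LocalUser enforces the local password policy, so a shorter length or a reduced alphabet can fail the complexity check (with 20 characters drawn from four character classes the chance of that is negligible), and AccountExpires disables the logon but does not delete the account, so the cleanup still has to be scheduled with Remove-LocalUser.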

Changing a local user’s password or password properties with PowerShell

To change the password of a local user account, we need to use the Set-LocalUser cmdlet. Let's change the local admin password:

$UserPassword = Read-Host -AsSecureString
Set-LocalUser -Name Administrator -Password $UserPassword -Verbose

To set "Password never expires" on a local user with PowerShell, we need to run the following command (pass $False instead to make the password expire again according to the local policy):

Set-LocalUser -Name Netwrix -PasswordNeverExpires $True

Deleting a local user account with PowerShell

To remove a local user account, you need to use the Remove-LocalUser cmdlet:

Remove-LocalUser -Name Netwrix -Verbose

Managing Local Groups with PowerShell

Now let’s turn our attention from local users to local groups.

Reviewing local groups with PowerShell

First, let's get a list of all local groups on the machine:

Get-LocalGroup


Adding a local group with PowerShell

Now let’s create a new group:

New-LocalGroup -Name 'Netwrix Users' -Description 'Netwrix Users Group'

Adding users to a local group with PowerShell

To add a user (or a group) to a local group, we need to use the Add-LocalGroupMember cmdlet. For example, suppose we want to add users to the local Administrators group, but we don't want to add them one by one. Let's add the user "Netwrix" and the group "Netwrix Users" to local Administrators in one call:

Add-LocalGroupMember -Group 'Administrators' -Member ('Netwrix','Netwrix Users') -Verbose

If your computer or server is part of a domain, you can also add domain accounts and groups to local groups in order to give those users special local rights on the server. Add them using the format "DomainName\User" (for a user) or "DomainName\Domain Group" (for a group). Keep in mind that every member of the local Administrators group, direct or through a domain group, is a full administrator of the machine, so additions to that group deserve the same review as any other privilege grant.

Viewing the membership of a particular group with PowerShell

Now let’s list all the members of a particular local group:

Get-LocalGroupMember -Group 'Netwrix Users'


As you can see, the command shows all the local accounts and groups that are members of the group "Netwrix Users". Although only local accounts and groups are listed here, this command will also show any domain users and groups, as well as Microsoft and Azure AD accounts; the PrincipalSource column tells you where each member comes from.

Viewing all groups that a user is a member of using PowerShell

To list all the groups that a particular user is a direct member of, we'd run the following script. Get-LocalGroupMember throws an error when the principal is not a member of the group, which is why the error is suppressed and the group name is printed only when a member object comes back:

foreach ($LocalGroup in Get-LocalGroup)
{
    if (Get-LocalGroupMember $LocalGroup -Member 'Guest' -ErrorAction SilentlyContinue)
    {
        $LocalGroup.Name
    }
}


Removing a member from a local group with PowerShell

To remove a local user account from a group, you need to use the Remove-LocalGroupMember cmdlet (to delete the group itself, use Remove-LocalGroup):

Remove-LocalGroupMember -Group 'Netwrix Users' -Member 'guest'

Managing local users and groups remotely with PowerShell

If you want to manage local user accounts and groups remotely, you need to connect to the remote computers via WinRM, either interactively with Enter-PSSession or, for several computers at once, with New-PSSession and Invoke-Command. For example, if we want to output the membership of the local Administrators group on multiple computers, we need to run the following script (remove the sessions with Remove-PSSession when you are done with them):

$Sessions = New-PSSession -ComputerName pcname1,pcname2,pcname3
Invoke-Command -ScriptBlock { Get-LocalGroupMember -Group 'Administrators' } -Session $Sessions -HideComputerName | Select-Object * -ExcludeProperty RunspaceId | Out-GridView -Title "LocalAdmins"
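Listing the Administrators group is only the first half of the job; the question an engineer actually has is whether anyone is in it who should not be. The function below is an added example, not code from the original article. It brings together the group-membership cmdlets from the previous sections and the remoting pattern just shown: it compares the members of local Administrators against an approved list of SIDs, locally by default or on remote machines over WinRM, and reports (or, with -Remove, removes) anything unapproved. It assumes WinRM is enabled on the targets and that the caller is a local administrator there; the SIDs and computer names in the usage lines are placeholders that you must replace with your own.

```powershell
# Added example (not from the original article): compare local Administrators
# membership against an approved list of SIDs, locally or over WinRM.
# Assumptions: WinRM enabled on targets, caller is a local admin there; the SIDs
# and computer names used at the bottom are placeholders.
function Get-LocalAdminDrift {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName,                    # omit to run on this machine
        [Parameter(Mandatory)][string[]]$ApprovedSid,
        [switch]$Remove                             # remove unapproved members
    )

    $script = {
        param([string[]]$ApprovedSid, [bool]$Remove)
        # Compare SIDs, not names: the built-in Administrator may be renamed and
        # display names are localized. The machine's own RID-500 account is always
        # approved; it is found by SID suffix so the name does not matter.
        $builtin = (Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }).SID.Value
        try {
            # On Windows PowerShell 5.1 this can fail when the group holds an
            # orphaned SID (deleted domain principal); report that instead of dying.
            $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
        } catch {
            return [pscustomobject]@{ Member = $null; SID = $null; Source = $null;
                                      Approved = $null; Removed = $false; Error = $_.Exception.Message }
        }
        foreach ($m in $members) {
            $sid = $m.SID.Value
            $ok  = ($sid -eq $builtin) -or ($ApprovedSid -contains $sid)
            $removed = $false
            if (-not $ok -and $Remove) {
                Remove-LocalGroupMember -Group 'Administrators' -Member $m -Confirm:$false
                $removed = $true
            }
            [pscustomobject]@{ Member = $m.Name; SID = $sid; Source = $m.PrincipalSource;
                               Approved = $ok; Removed = $removed; Error = $null }
        }
    }

    if ($ComputerName) {
        # Ad-hoc remoting: Invoke-Command adds PSComputerName to every result, and
        # per-host failures are collected so one unreachable machine does not abort the run.
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $script `
            -ArgumentList $ApprovedSid, $Remove.IsPresent `
            -ErrorAction SilentlyContinue -ErrorVariable failures
        foreach ($f in $failures) {
            [pscustomobject]@{ PSComputerName = $f.TargetObject; Member = $null; SID = $null;
                               Source = $null; Approved = $null; Removed = $false;
                               Error = $f.Exception.Message }
        }
    } else {
        & $script -ApprovedSid $ApprovedSid -Remove $Remove.IsPresent |
            Add-Member -NotePropertyName PSComputerName -NotePropertyValue $env:COMPUTERNAME -PassThru
    }
}

# Usage: report only, first on this machine and then on two servers; review the
# output before running again with -Remove. Replace the placeholder SIDs and names.
$approved = 'S-1-5-21-1111111111-2222222222-3333333333-512',    # placeholder: Domain Admins
            'S-1-5-21-1111111111-2222222222-3333333333-2604'    # placeholder: Workstation Admins
Get-LocalAdminDrift -ApprovedSid $approved | Where-Object { -not $_.Approved } | Format-Table -AutoSize
Get-LocalAdminDrift -ComputerName 'pcname1','pcname2' -ApprovedSid $approved | Format-Table -AutoSize
```

Run it in report mode on a schedule and you have a simple drift detector for local admin rights; the Removed column gives you an audit trail of what an enforcement run actually changed, which is exactly the kind of change the auditing guidance below is about.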

As you can see, it is rather easy to manage local groups and users via PowerShell, but to ensure security, compliance and business continuity, it’s essential to audit all these changes. To learn about configuring native auditing, please refer to the Windows Server Auditing Quick Reference Guide.