How to Manage Local Users and Groups using PowerShell

This post has been republished via RSS; it originally appeared at: ITOps Talk Blog articles.

Managing local users and groups can be a bit of a chore, especially on a computer running the Server Core version of Windows Server. The LocalAccounts module of PowerShell, included in Windows Server 2016 and Windows Server 2019 by default, makes this process a lot simpler.

For example, to see all the local users on a specific computer, run the command:

Get-LocalUser

You’ll notice there that I’ve already renamed the local Administrator account on this particular computer to Admin. I do that because it’s a lab machine and renaming the account from Administrator means that it won’t default to the local Admin account when I want to sign on as the default Domain Admin account, which is also named Administrator.

To view the local groups on a computer, run the command:

Get-LocalGroup

To view the members of a specific group, use the Get-LocalGroupMember cmdlet. For example, to figure out who is a member of the local Administrators group, run the command Get-LocalGroupMember Administrators.

You can create a new local user using the New-LocalUser cmdlet. When creating a new local user, first create a password variable using $Password = Read-Host -AsSecureString, which prompts you to enter the password that will be assigned to the user. For example, to create a new user named Optimus, enter the following commands:

$Password = Read-Host -AsSecureString
New-LocalUser -Name Optimus -Description "Second Admin Account" -Password $Password

Resetting a user password is a little more involved and requires three steps. The first step is to read a password from the prompt into a variable using $Password = Read-Host -AsSecureString. The second is to assign the properties of the user account whose password you want to change to a variable using $UserAccount = Get-LocalUser -Name AccountName. The third is to use the $UserAccount | Set-LocalUser -Password $Password command to assign the new password.

You use the Add-LocalGroupMember cmdlet to add members to a local group. For example, to add the Optimus account that was created in the last example to the local Administrators group, run the command:

Add-LocalGroupMember -Group "Administrators" -Member Optimus

You can use the same command to add domain accounts to local groups. For example, to add the Maximus account from the Contoso domain to the local Administrators group, run the command:

Add-LocalGroupMember -Group "Administrators" -Member "Contoso\Maximus"

You can also use the same command to add domain groups to a local group. For example, to add the ITOps group from the Contoso domain to the local Administrators group, run the command:

Add-LocalGroupMember -Group "Administrators" -Member "Contoso\ITOps"

You can remove users or groups from a local group using the Remove-LocalGroupMember cmdlet. For example, to remove the Optimus account from the local Administrators group, run the command:

Remove-LocalGroupMember -Group "Administrators" -Member Optimus

You can find out more about the cmdlets that you use to manage local users and groups, including how to add and remove local groups as well as remove local user accounts in the following Docs article: PowerShell Local Accounts.
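
The Get-LocalGroupMember and Remove-LocalGroupMember cmdlets shown above can be combined to audit who holds local administrator rights. The following is an added example, not code from the original post: the allow-list entries and the helper name Get-UnexpectedGroupMember are assumptions for illustration, and the removal is only previewed with -WhatIf.

```powershell
# Added example: report members of a local group that are not on an allow-list.
# The allow-list is an assumption built from the account names used in this post.
$Group   = 'Administrators'
$Allowed = @(
    "$env:COMPUTERNAME\Admin",   # renamed built-in Administrator (local account)
    'CONTOSO\ITOps'              # domain group granted local admin rights
)

function Get-UnexpectedGroupMember {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Group,
        [Parameter(Mandatory)] [string[]] $Allowed
    )
    # -notin compares case-insensitively; Name is COMPUTER\user or DOMAIN\principal.
    Get-LocalGroupMember -Group $Group -ErrorAction Stop |
        Where-Object { $_.Name -notin $Allowed }
}

$unexpected = @(Get-UnexpectedGroupMember -Group $Group -Allowed $Allowed)

if ($unexpected.Count -eq 0) {
    Write-Output "No unexpected members in '$Group'."
}
else {
    # PrincipalSource distinguishes Local accounts from ActiveDirectory principals.
    $unexpected | Format-Table Name, ObjectClass, PrincipalSource, SID -AutoSize

    foreach ($member in $unexpected) {
        # For local user accounts, show whether the account is enabled and
        # when its password was last set.
        if ($member.PrincipalSource -eq 'Local' -and $member.ObjectClass -eq 'User') {
            Get-LocalUser -SID $member.SID |
                Format-List Name, Enabled, PasswordLastSet, LastLogon
        }
        # -WhatIf only prints what would be removed; drop it to apply the change.
        Remove-LocalGroupMember -Group $Group -Member $member -WhatIf
    }
}
```

Run it from an elevated PowerShell session and review the listed members before removing -WhatIf.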
