You can use the built-in PowerShell module, Microsoft.PowerShell.LocalAccounts, to manage local users and groups in Windows. This module allows you to create or delete local users and security groups, and add or remove users from groups. The module is available on Windows Server 2016 and Windows 10 and newer versions. This module is installed with the Windows Management Framework 5.1 in earlier versions of Windows when you upgrade your PowerShell version.
There are 15 cmdlets in the LocalAccounts module. You can display the full list of module cmdlets as follows:
Get-Command -Module Microsoft.PowerShell.LocalAccounts
- Add-LocalGroupMember – add a user to a local security group;
- Disable-LocalUser – disable a local user account;
- Enable-LocalUser – enable a local user account;
- Get-LocalGroup – get information about a local group;
- Get-LocalGroupMember – view the list of users in a local group;
- Get-LocalUser – show information about a local user;
- New-LocalGroup – create a new local group;
- New-LocalUser – create a local user;
- Remove-LocalGroup – delete a local group;
- Remove-LocalGroupMember – remove a member from a local group;
- Remove-LocalUser – delete a local user;
- Rename-LocalGroup – rename a local group;
- Rename-LocalUser – rename a user;
- Set-LocalGroup – change group settings;
- Set-LocalUser – change user settings.
Let’s look at some typical tasks for managing local users and groups on a Windows computer by using the PowerShell cmdlets from the LocalAccounts module.
Previously, the Local Users and Groups MMC snap-in (lusrmgr.msc) and the net user and net localgroup commands were commonly used to manage local users and groups in Windows.
Create a New Local User with PowerShell
Use the New-LocalUser cmdlet to quickly create a new local user account in Windows:
New-LocalUser -Name "TestUser1" -FullName "Test User" -Description "User for tests"
Specify a password for the new user when prompted:
If you want to use the New-LocalUser cmdlet to automatically create new local users from PowerShell scripts, you can predefine the default user’s password in the script code. The plaintext password must be converted to a secure string:
$Password = ConvertTo-SecureString "WOS_hubP@ss2023!" -AsPlainText -Force
New-LocalUser -Name TestUser2 -Password $Password
To add a user to the local Administrators group, run the command:
Add-LocalGroupMember -Group Administrators -Member TestUser2
You can also use the following options when creating a local Windows user account:
- -AccountExpires – set the expiration date of the account, after which the account will be automatically deactivated (by default, New-LocalUser creates an account that never expires);
- -AccountNeverExpires – the account never expires;
- -Disabled – disable an account after creation;
- -PasswordNeverExpires – set a user’s password to never expire;
- -UserMayNotChangePassword – the user cannot change the account password.
Managing Local User Accounts in Windows via PowerShell
To list all local Windows users on the current computer, run:
Get-LocalUser
In this example, there are 6 local accounts on the computer, 4 of which are disabled (Enabled=False), including the built-in Windows Administrator.
To display all the properties of a local account (similar to the Get-ADUser cmdlet that is used to display information about AD domain users), run this command:
Get-LocalUser -Name root | Select-Object *
AccountExpires :
Description :
Enabled : True
FullName :
PasswordChangeableDate : 3/12/2019 10:14:29 PM
PasswordExpires :
UserMayChangePassword : True
PasswordRequired : False
PasswordLastSet : 3/11/2019 10:14:29 PM
LastLogon : 3/11/2019 4:18:17 PM
Name : root
SID : S-1-5-21-2605456602-2293283241-3832290805-1001
PrincipalSource : Local
ObjectClass : User
Look at the PrincipalSource attribute. It contains the type of the user account. It could be:
- Local Windows user (PrincipalSource: Local)
- Microsoft accounts (PrincipalSource: Microsoft Account)
- Azure AD users (PrincipalSource: AzureAD)
To get the value of a specific user attribute, like the last password change date:
Get-LocalUser -Name root | Select-Object PasswordLastSet
To change (reset) the user’s password use the command (we suppose that you have already converted the new password to a SecureString):
Set-LocalUser -Name john -Password $UserPassword -Verbose
To set the “Password never expires” flag for the user, use the command:
Set-LocalUser -Name john -PasswordNeverExpires $True
Disable the local account:
Disable-LocalUser -Name john
Enable the local user:
Enable-LocalUser -Name john
To remove a local user:
Remove-LocalUser -Name john -Verbose
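The Get-LocalUser properties shown above (Enabled, PasswordRequired, PasswordExpires, LastLogon, SID) are enough for a quick hygiene check of local accounts. The following function is an added example, not code from the original article: it reports enabled accounts that require no password, whose password never expires, that have not logged on recently, or that are the built-in Administrator (RID 500), and whether each one is a member of the local Administrators group. The 90-day staleness threshold is an assumption.

```powershell
# Added example: audit local accounts for weak settings using the LocalAccounts module.
# Assumes Windows 10 / Server 2016 or newer; $StaleDays is an assumed threshold.
function Get-LocalAccountFindings {
    param(
        [int]$StaleDays = 90
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    # SIDs of user objects that are direct members of the local Administrators group.
    $adminSids = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.ObjectClass -eq 'User' } |
        ForEach-Object { $_.SID.Value }

    foreach ($u in Get-LocalUser) {
        $findings = @()

        # The built-in Administrator always has RID 500; it is normally expected to stay disabled.
        if ($u.Enabled -and $u.SID.Value -like '*-500') { $findings += 'BuiltinAdminEnabled' }

        if ($u.Enabled -and -not $u.PasswordRequired) { $findings += 'NoPasswordRequired' }

        # PasswordExpires is empty when the password is set never to expire (flag or policy).
        if ($u.Enabled -and -not $u.PasswordExpires) { $findings += 'PasswordNeverExpires' }

        # LastLogon is empty for accounts that have never logged on interactively.
        if ($u.Enabled -and ($null -eq $u.LastLogon -or $u.LastLogon -lt $cutoff)) {
            $findings += 'StaleOrNeverLoggedOn'
        }

        if ($findings.Count -eq 0) { continue }

        [pscustomobject]@{
            Name            = $u.Name
            Enabled         = $u.Enabled
            PrincipalSource = $u.PrincipalSource
            LocalAdmin      = $adminSids -contains $u.SID.Value
            LastLogon       = $u.LastLogon
            Findings        = $findings -join ','
        }
    }
}

Get-LocalAccountFindings | Format-Table -AutoSize
```

Disabled accounts are skipped on purpose; rerun with a larger -StaleDays value if your policy tolerates longer gaps between logons.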
How to Create and Manage Local Groups Using PowerShell?
You can list the local groups on your Windows device using the command:
Get-LocalGroup
Let’s create a new local group:
New-LocalGroup -Name RemoteSupport -Description 'Remote Support Group'
Now let’s add a couple of local accounts and a group of local administrators to the new group:
Add-LocalGroupMember -Group 'RemoteSupport' -Member ('john','root','Administrators') -Verbose
You can also add a user to groups using the following pipeline (in this example, we will add the user to a local group that allows them to access the computer’s desktop remotely over RDP):
Get-LocalUser -Name TestUser2 | Add-LocalGroupMember -Group 'Remote Desktop Users'
Display the list of users in the local group:
Get-LocalGroupMember -Group 'RemoteSupport'
If your computer is joined to an AD domain, you can add domain accounts and groups to your local group. Use the following syntax: DomainName\john or DomainName\'domain admins'.
You can add not only local accounts (PrincipalSource – Local), but also domain accounts (Domain), Microsoft accounts (MicrosoftAccount), and Azure accounts (AzureAD) to the local groups.
Use the following syntax to add a Microsoft or AzureAD user to a local group:
Add-LocalGroupMember -Group 'RemoteSupport' -Member ('MicrosoftAccount\[email protected]','AzureAD\[email protected]') -Verbose
To list the local groups that a specific user is a member of, run the following script (the script checks membership for each local group):
$user = 'john'
foreach ($LocalGroup in Get-LocalGroup) {
    # Get-LocalGroupMember throws if the principal is not a member; suppress that and test the result
    if (Get-LocalGroupMember -Group $LocalGroup -Member $user -ErrorAction SilentlyContinue) {
        $LocalGroup.Name
    }
}
To remove a user from a group, execute the command:
Remove-LocalGroupMember -Group 'RemoteSupport' -Member john
To manage local users on a remote computer, you can connect to the computer through WinRM by using the Invoke-Command or Enter-PSSession cmdlets.
For example, you might want to get a list of accounts in the local group on remote computers:
$winrm_ssn = New-PSSession -ComputerName Lon-Srv01,Lon-Srv02,Lon-Srv03
Invoke-Command -ScriptBlock {Get-LocalGroupMember -Group 'RemoteSupport'} -Session $winrm_ssn -HideComputerName | Select-Object * -ExcludeProperty RunspaceId | Out-GridView -Title "LocalAdmins"
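The same remoting approach can be turned into a baseline check of the local Administrators group across several servers. This is an added example, not code from the original article: it collects every member of Administrators over WinRM, records the member's type and PrincipalSource, and flags members that are not on an approved list. The computer names and the approved-member list are assumptions; replace them with your own.

```powershell
# Added example: inventory local Administrators membership on remote computers over WinRM
# and flag members outside an approved baseline. Computer names and $approved are assumed values.
$computers = 'Lon-Srv01', 'Lon-Srv02', 'Lon-Srv03'
$approved  = @('Administrator', 'Domain Admins', 'ServerAdmins')   # assumed baseline (account part only)

$report = Invoke-Command -ComputerName $computers -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Member          = $_.Name                      # COMPUTER\user or DOMAIN\group
            ShortName       = ($_.Name -split '\\')[-1]    # account part used for the baseline comparison
            ObjectClass     = $_.ObjectClass               # User or Group
            PrincipalSource = $_.PrincipalSource           # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            SID             = $_.SID.Value
        }
    }
}

# Invoke-Command adds PSComputerName to each object, so results can be grouped per host.
$report |
    Select-Object PSComputerName, Member, ObjectClass, PrincipalSource, SID,
        @{ Name = 'Approved'; Expression = { $approved -contains $_.ShortName } } |
    Sort-Object Approved, PSComputerName, Member |
    Format-Table -AutoSize

# Unapproved entries are the ones to review first.
$report | Where-Object { $approved -notcontains $_.ShortName } |
    Select-Object PSComputerName, Member, PrincipalSource
```

Hosts that cannot be reached produce a non-terminating error from Invoke-Command and are simply missing from the report, so compare the set of PSComputerName values against $computers before trusting the result.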