Managing Local Users and Groups with PowerShell

Recently Microsoft has added a normal PowerShell module to handle Windows native customers and teams known as Microsoft.PowerShell.LocalAccounts. Earlier you needed to manually obtain and import this module into PowerShell. Now LocalAccounts module is obtainable by default in Windows Server 2016 and Windows 10 as part of PowerShell 5.1. To use it in earlier Windows variations, you could set up Windows Management Framework 5.1.

LocalAccounts PowerShell Module

There are 15 cmdlets within the LocalAccounts module. You can show the total checklist of module cmdlets as follows:

Get-Command -Module Microsoft.PowerShell.LocalAccounts

Get-Command Module Microsoft.PowerShell.LocalAccounts

  1. Add-LocalGroupMember – add a consumer to a neighborhood group;
  2. Disable-LocalUser – disable a neighborhood consumer account;
  3. Enable-LocalUser – allow (unlock) an account;
  4. Get-LocalGroup – get details about a neighborhood group;
  5. Get-LocalGroupMember – show the checklist of customers in a neighborhood group;
  6. Get-LocalUser – present details about a neighborhood consumer;
  7. New-LocalGroup – create a brand new native group;
  8. New-LocalUser – create a neighborhood consumer;
  9. Remove-LocalGroup – delete a neighborhood group;
  10. Remove-LocalGroupMember – take away a member from a neighborhood group;
  11. Remove-LocalUser – delete a neighborhood consumer;
  12. Rename-LocalGroup – rename a neighborhood group;
  13. Rename-LocalUser – rename a consumer;
  14. Set-LocalGroup – modify group settings;
  15. Set-LocalUser – modify consumer settings.

Let’s contemplate some typical duties to handle native customers or teams utilizing PowerShell cmdlets of the LocalAccounts module on a pc working Windows 10.

How to Manage Windows Local Users with PowerShell?

Display the checklist of present native customers in Windows:


Get-LocalUser: display a list of local accounts

As you may see, there are 6 native consumer accounts on the pc, and four of them are disabled (Enabled=False).

To show all properties of a neighborhood account (just like cmdlet used to show details about AD area customers), run this command:

Get-LocalUser -Name root | Select-Object *

AccountExpires :
Description :
Enabled : True
FullName :
PasswordChangeableDate : three/12/2019 10:14:29 PM
PasswordExpires :
UserMayChangePassword : True
PasswordRequired : False
PasswordFinalSet : three/11/2019 10:14:29 PM
LastLogon : three/11/2019 four:18:17 PM
Name : root
SID : S-1-5-21-2605456602-2293283241-3832290805-1001
PrincipalSource : Local
ObjectClass : User

To get the particular consumer attribute, just like the final password change date, run this command:

Get-LocalUser -Name root | Select-Object PasswordFinalSet

Get-LocalUser info from powershell

Let’s create a brand new native consumer with the New-LocalUser cmdlet. This cmdlet lets you create the next kinds of accounts:

  • Windows native accounts;
  • Microsoft accounts;
  • Azure AD accounts.

When making a consumer account with the New-LocalUser cmdlet, you may’t specify the consumer password in plain textual content because the Password argument. You should request the password interactively and convert it to the safe string upfront:

$UserPassword = Read-Host –AsSecureString

Or specify the password immediately within the PoSh console:

$UserPassword = ConvertTo-SecureString "H1PH0Ppa$$" -AsPlainText -Force
New-LocalUser John -Password $UserPassword -FullName "Johh Lennon" -Description "Local Account for Remote Access"

To create a consumer within the AD area, use the cmdlet.

To change the consumer’s password, use the LocalUser cmdlet (we suppose that you’ve got already transformed the brand new password into SecureString):

Set-LocalUser -Name john -Password $UserPassword –Verbose

powershell: create local user (New-LocalUser) ans set password (Set-LocalUser )

To set “Password by no means expires” flag, run this command:

Set-LocalUser -Name john –PasswordNeverExpires $False

As you may see, you don’t have to as when managing the AD consumer object properties .

As you bear in mind, you may login Windows 10 utilizing your Microsoft account. If you need to create a brand new consumer login to a Microsoft account, run this command. (Please, word that you just don’t have to specify an account password since it’s saved in Microsoft.)

New-LocalUser -Name "[email protected]" -Description "This is a Microsoft account"

To create a neighborhood account associated to your Azure AD account (for instance, you might be utilizing Office 365), run the next command:

New-LocalUser -Name "[email protected]" -Description " This is an Azure AD account"

To take away native consumer:

Remove-LocalUser -Name john -Verbose

How to Manage Windows Local Groups Using PowerShell?

Now show the checklist of native teams in your pc:


Get-LocalGroup powershell cmdlet

Create a brand new group:

New-LocalGroup -Name RemoteSupport -Description 'Remote Support Group'

Add some native accounts and the group of native directors to the brand new group:

Add-LocalGroupMember -Group 'RemoteSupport' -Member ('john','root','Administrators') -Verbose

If your pc is be part of to the AD area, you may add area accounts and teams to your native group. To do it, specify them within the following format: AreaNamejonhl or AreaName’area admins’.

create New-LocalGroup and add users Add-LocalGroupMember

You can even add a consumer to teams utilizing the next pipeline (we are going to add a consumer to the native directors group):

Get-Localuser -Name john | Add-LocalGroupMember -Group 'Administrators'

Display the checklist of customers in a neighborhood group:

Get-LocalGroupMember -Group 'RemoteSupport'

As you may see, we’re utilizing solely native accounts (PrincipalSource – Local). However, area accounts (area), Microsoft accounts (MicrosoftAccount) or Azure accounts (AzureAD) may also be used.


To show the checklist of teams, a particular consumer is a member of, you’ll have to test each native group on the pc:

foreach ($LocalGroup in Get-LocalGroup)

To take away a consumer from a gaggle, run this command:

Remove-LocalGroupMember -Group 'RemoteSupport' –Member john

To handle native customers on a distant pc, hook up with it utilizing WinRM and run Invoke-Command or Enter-PSSession cmdlets.

For instance, you might want to create an inventory of accounts in a neighborhood group on distant computer systems:

$winrm_ssn = new-pssession -computer Lon-Srv01,Lon-Srv02,Lon-Srv03
invoke-command -scriptblock -session $winrm_ssn -hidecomputername | choose * -exclude RunspaceID | out-gridview -title "LocalAdmins"

Check Also

How to Use Native SSH Client in Windows 10?

The built-in SSH shopper appeared in Windows 10 and Windows Server 2019. Ssh.exe can be …

Leave a Reply

Your email address will not be published. Required fields are marked *