We can use the Local Users and Groups Management console (lusrmgr.msc) to manage local user accounts and security groups in all Windows Client OS. But this feature may not be available in the Windows Home edition and we have to either use a third-party app or PowerShell. In this post, we will explore how to manage local users and groups using PowerShell commands.
Summary
- List Local User Accounts
- List Local Security Groups
- Create a New Local User Account
- Modify user account and Reset password
- Enable or Disable Local user account
- Add members to a Local security group
- Remove members from a Local security group
- Get members from a Local security group
List Local User Accounts
Use the Get-LocalUser cmdlet to get the local user accounts or retrieve specific user details by the user’s name.
#List all the local user accounts
Get-LocalUser
Get an account by using its name
This command gets a user account named “TestUser01”.
Get-LocalUser -Name "TestUser01"
List Local Security Groups
We can use the Get-LocalGroup cmdlet to get local security groups. This command gets the default built-in groups and local security groups that are created by you or your admin.
#List all the local security groups
Get-LocalGroup
Find a group by using the group name
This command retrieves the Administrators group details.
Get-LocalGroup -Name "Administrators"
Create a New Local User Account
Use the New-LocalUser cmdlet to create a new local user account using PowerShell. The following command creates an account without a password.
New-LocalUser -Name "TestUser01" -Description "This is a test user account." -NoPassword
Create a user account with password
Use the below commands to read a password as user input, create a user account, and set the password for the account.
$Password = Read-Host -AsSecureString -Prompt "Enter password:"
#$Password = ConvertTo-SecureString "TU2P@ssw$rd123" -AsPlainText -Force
New-LocalUser -Name "TestUser02" -Password $Password -FullName "Test User 02" -Description "This is a test user account #02"
Modify user account and Reset password
We can use the Set-LocalUser cmdlet to modify local user account properties such as Description, AccountExpires, AccountNeverExpires, and PasswordNeverExpires. This command can also reset the password of a local user account.
#Change a description
Set-LocalUser -Name "TestUser01" -Description "This is a test local user account 01."
Change the password on a user account
$Password = Read-Host -AsSecureString -Prompt "Enter new password:"
$UserAccount = Get-LocalUser -Name "TestUser01"
$UserAccount | Set-LocalUser -Password $Password
Set password never expires flag on a user account
Set-LocalUser -Name "TestUser01" -PasswordNeverExpires $True
Enable or Disable Local user account
Use the Enable-LocalUser cmdlet to enable a disabled user account and use the Disable-LocalUser cmdlet to disable the account. When a user account is disabled, the user cannot log on to the local machine.
Enable-LocalUser -Name "TestUser01"
Disable User Account
Disable-LocalUser -Name "TestUser01"
Add members to a Local security group
We can use the Add-LocalGroupMember cmdlet to add users or groups as a member to a local security group.
Add-LocalGroupMember -Group "GroupName" -Member "UserName"
Add multiple users to a group
Add-LocalGroupMember -Group "GroupName" -Member "User1","User2"
Add a member to the Local Administrators group
Use the following command to add a user as a member of the local Administrators group.
Add-LocalGroupMember -Group "Administrators" -Member "AdminUser01"
Remove members from a Local security group
We can use the Remove-LocalGroupMember cmdlet to remove a member (user or group) from a local group.
Remove-LocalGroupMember -Group "GroupName" -Member "UserName"
Use the following command to remove multiple members from a group.
$Members = "AdminUser01", "AdminUser2"
Remove-LocalGroupMember -Group "TestAdminGroup" -Member $Members
Get members from a Local security group
The Get-LocalGroupMember cmdlet gets members from a local group. The below command gets all the members of the local Administrators group.
Get-LocalGroupMember -Group "Administrators"
For other Local user and group management cmdlets, see this page: Microsoft PowerShell LocalAccounts