How to Manage Local Users and Groups using PowerShell
Published Jul 09 2019 03:46 AM
Microsoft

 

Managing local users and groups can be a bit of a chore, especially on a computer running the Server Core version of Windows Server. The LocalAccounts module of PowerShell, included in Windows Server 2016 and Windows Server 2019 by default, makes this process a lot simpler.

For example, to see all the local users on a specific computer, run the command:

 

Get-LocalUser


 

You’ll notice there that I’ve already renamed the local Administrator account on this particular computer to Admin. I do that because it’s a lab machine and renaming the account from Administrator means that it won’t default to the local Admin account when I want to sign on as the default Domain Admin account, which is also named Administrator.

 

To view the local groups on a computer, run the command:

 

Get-LocalGroup


 

To view the members of a specific group, use the Get-LocalGroupMember cmdlet. For example, to figure out who is a member of the local Administrators group, run the command Get-LocalGroupMember Administrators.

 


 

You can create a new local user using the New-LocalUser cmdlet. When creating a new local user, first create a password variable using $Password = Read-Host -AsSecureString and this will allow you to enter the password assigned to the user. For example, to create a new user named Optimus, enter the following commands:

 

$Password = Read-Host -AsSecureString
New-LocalUser -Name Optimus -Description "Second Admin Account" -Password $Password


 

Resetting a user password is a little more involved and requires three steps. The first step is to write a password from the prompt to a variable using $Password = Read-Host -AsSecureString. The second is to assign the properties of the user account whose password you want to change to a variable using $UserAccount = Get-LocalUser -Name AccountName. Once you’ve done that, you can use the $UserAccount | Set-LocalUser -Password $Password command to assign the new password.

 


 

You use the Add-LocalGroupMember cmdlet to add members to a local group. For example, to add the Optimus account that was created in the last example to the local Administrators group, run the command:

 

Add-LocalGroupMember -Group "Administrators" -Member Optimus


 

You can use the same command to add domain accounts to local groups. For example, to add the Maximus account from the Contoso domain to the local Administrators group, run the command:

 

Add-LocalGroupMember -Group "Administrators" -Member "Contoso\Maximus"


You can also use the same command to add domain groups to a local group. For example, to add the ITOps group from the Contoso domain to the local Administrators group, run the command:

 

Add-LocalGroupMember -Group "Administrators" -Member "Contoso\ITOps"


 

You can remove users or groups from a local group using the Remove-LocalGroupMember cmdlet. For example, to remove the Optimus account from the local Administrators group, run the command:

 

Remove-LocalGroupMember -Group "Administrators" -Member Optimus
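
Because the commands above add and remove members of the local Administrators group, it is worth checking afterwards who actually holds that privilege. The following is an added example, not part of the original article: it looks the group up by its well-known SID (S-1-5-32-544) rather than by name, and the allowlist entries and the function name Get-UnexpectedLocalAdmin are assumptions built from the account names used in this article.

```powershell
# Added example: report members of the built-in Administrators group
# that are not on an allowlist. Allowlist values are assumptions taken
# from this article's examples; replace them with your own.
$AdminGroupSid = 'S-1-5-32-544'      # well-known SID of BUILTIN\Administrators
$Allowed = @(
    "$env:COMPUTERNAME\Admin",       # the renamed built-in Administrator account
    'Contoso\ITOps'                  # domain group added earlier in the article
)

function Get-UnexpectedLocalAdmin {
    param(
        [string]$GroupSid = $AdminGroupSid,
        [string[]]$AllowedMembers = $Allowed
    )

    try {
        # -ErrorAction Stop turns an enumeration failure into a catchable error
        $members = Get-LocalGroupMember -SID $GroupSid -ErrorAction Stop
    }
    catch {
        # Enumeration can fail outright; surface that instead of
        # silently reporting "no unexpected members".
        Write-Warning "Could not enumerate group ${GroupSid}: $($_.Exception.Message)"
        return
    }

    foreach ($m in $members) {
        # -notcontains compares strings case-insensitively
        if ($AllowedMembers -notcontains $m.Name) {
            [pscustomobject]@{
                Name            = $m.Name
                ObjectClass     = $m.ObjectClass       # User or Group
                PrincipalSource = $m.PrincipalSource   # Local, ActiveDirectory, ...
                SID             = $m.SID.Value
            }
        }
    }
}

Get-UnexpectedLocalAdmin | Format-Table -AutoSize
```

With the allowlist above, the Optimus and Contoso\Maximus accounts from the earlier examples would be reported if they are still members of the group.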


You can find out more about the cmdlets that you use to manage local users and groups, including how to add and remove local groups as well as remove local user accounts in the following Docs article: PowerShell Local Accounts.

7 Comments
Copper Contributor

Informative. Would like to see more basic administration with PowerShell type content.

Copper Contributor
Is it possible to list all groups that a user is a member of?
Microsoft
Get-LocalGroup | Get-LocalGroupMember will give you a list of all users in all local groups. You could probably play around with filtering the output if there was too much. If you are doing it in a domain, Get-AdPrincipalGroupMembership username | select name will do the job for you.
Copper Contributor
Had to save the group and then add it to the user object;

Get-LocalGroup | % { $group = $_; $user= ( $_ | Get-LocalGroupMember ) ; $user | add-member -MemberType NoteProperty -name Group -value $group ; $user } | select group,name

Maybe there's an easier way
Copper Contributor

Great article, but what about if you are dealing with localized versions of windows?

For example when your windows is localized in en-US, the localUsers group is called "Users", but when your windows is setup in the nl-NL locale for example the users group name is called "Gebruikers".

This makes it hard to reference the Users group if you are dealing with multiple locales.

Copper Contributor

Hello,

It is all around an excellent article. 

 

The one you mentioned in the comments is not working with PS 5.1 or 7.

Get-LocalGroup | Get-LocalGroupMember

It gives an error: Failed to compare two elements in the array.

 

 

 

Copper Contributor

@gtvmark "Is it possible to list all groups that a user is a member of?"

 

$LocalUser = $env:USERNAME

foreach ($group in (Get-LocalGroup).Name) {foreach ($member in (Get-LocalGroupMember -Group $group | Where-Object Name -eq "$env:COMPUTERNAME\$LocalUser")) {$group}}

 

Version history
Last update:
‎Jul 09 2019 03:15 PM