Managing Local User Accounts with Windows PowerShell

In my previous article, I demonstrated how to create a local user account with Windows PowerShell. In today’s article, I want to cover some basic management tasks that can be done with PowerShell.

Using ADSI

The first step is to use ADSI and get the local user account object.

PS C:\> [ADSI]$HelpDesk="WinNT://CHI-FP01/HelpDesk,User"

Remember, the WinNT moniker is case sensitive.

Changing Password

One task you will most likely need to perform is changing the local account password. If you pipe the ADSI object to Get-Member, you won’t see any methods; you just have to know they are there, such as SetPassword(). This is the same method we called when we set up the account.

PS C:\> $HelpDesk.SetPassword("[email protected]")

The change is immediate and there is no need to call SetInfo(). By the way, if you want to see how old a password is, you can look at the PasswordAge property.

PS C:\> $helpDesk.PasswordAge

This is a value in seconds. So if you wanted to get the age in days all you need to do is divide it by 86400.

PS C:\> [ADSI]$Admin="WinNT://CHI-FP01/Administrator,user"
PS C:\> $admin.PasswordAge.value/86400
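The same PasswordAge calculation applied to every local user on a machine, as an added example that is not part of the original article. The function name, the default computer name and the 90-day threshold are assumptions chosen for illustration.

```powershell
# Added example: report the password age of every local account on a computer.
# Get-LocalPasswordAge is a hypothetical name; it is not a built-in cmdlet.
function Get-LocalPasswordAge {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,  # assumption: default to the local machine
        [int]$MaxAgeDays = 90                       # assumption: example staleness threshold
    )

    $AccountDisable = 0x0002                        # same flag value used later in the article
    $computer = [ADSI]"WinNT://$ComputerName"

    # The computer object's children include users, groups and services;
    # keep only the user objects.
    $computer.Children |
        Where-Object { $_.SchemaClassName -eq 'user' } |
        ForEach-Object {
            # PasswordAge is in seconds; 86400 seconds per day.
            $ageDays = [math]::Round($_.PasswordAge.Value / 86400, 1)
            [pscustomobject]@{
                Computer        = $ComputerName
                Name            = $_.Name.Value
                PasswordAgeDays = $ageDays
                Disabled        = [bool]($_.UserFlags.Value -band $AccountDisable)
                Stale           = $ageDays -gt $MaxAgeDays
            }
        } |
        Sort-Object PasswordAgeDays -Descending
}

# List enabled accounts whose password is older than the threshold.
Get-LocalPasswordAge -MaxAgeDays 90 |
    Where-Object { $_.Stale -and -not $_.Disabled }
```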

Changing Group Membership

When I set up the HelpDesk local account, I added it to the Power Users group. Well, the account needs to belong to the local Administrators group so I need to fix group membership. First, I’ll remove the account from the Power Users group.

PS C:\> [ADSI]$power="WinNT://CHI-FP01/Power Users,group"
PS C:\> $power.Remove($HelpDesk.Path)

The change is immediate. Now I’ll get a reference to the local administrators group and add the Help Desk account.

PS C:\> [ADSI]$Admins="WinNT://CHI-FP01/Administrators,group"
PS C:\> $Admins.Add($HelpDesk.path)

I don’t think it can get any easier.

Disabling the Account

There may come a time when you need to disable the local account. The disabled state is part of the account’s userflags bitmask value, so changing it requires a few bitwise operations. We’ll need to work with the value that indicates if an account is disabled.

PS C:\> $AccountDisable=0x0002

First, I’ll verify the account is currently enabled by performing a bitwise AND operation:

PS C:\> ($HelpDesk.UserFlags.Value -band $AccountDisable) -as [boolean]

I cast the result as a Boolean to make it easier to interpret the results. To disable the account, I’ll need to do a bitwise OR and assign the value to the userflags property.

PS C:\> $new=$HelpDesk.UserFlags.Value -bor $AccountDisable
PS C:\> $HelpDesk.put("userflags",$new)
PS C:\> $HelpDesk.SetInfo()

I can verify by refreshing my cached copy of the object and re-running my -band expression.

PS C:\> $helpdesk.refreshcache()
PS C:\> ($HelpDesk.UserFlags.Value -band $AccountDisable) -as [boolean]

Re-enabling the account uses almost the same steps, except that you use a bitwise XOR operation. XOR toggles the bit, so run this only against an account that is currently disabled.

PS C:\> $new=$HelpDesk.UserFlags.Value -bxor $AccountDisable
PS C:\> $HelpDesk.put("userflags",$new)
PS C:\> $HelpDesk.SetInfo()
PS C:\> $helpdesk.refreshcache()
PS C:\> ($HelpDesk.UserFlags.Value -band $AccountDisable) -as [boolean]
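The disable and re-enable steps above as one idempotent function, added here as an example that is not part of the original article. It clears the bit with -band and -bnot instead of -bxor, so running it twice cannot flip an enabled account back to disabled. The function names are hypothetical and the sample flag values are constructed.

```powershell
# Added example: set or clear the disable bit without toggling it.
$ADS_UF_ACCOUNTDISABLE = 0x0002   # same value as $AccountDisable in the article

# Pure bit logic, kept separate so it can be checked without touching an account.
function Get-NewUserFlags {
    param([int]$UserFlags, [bool]$Disable)
    if ($Disable) {
        $UserFlags -bor $ADS_UF_ACCOUNTDISABLE            # set the bit
    } else {
        $UserFlags -band (-bnot $ADS_UF_ACCOUNTDISABLE)   # clear the bit, leave the rest
    }
}

# Hypothetical wrapper: applies the change to a local account and reports the result.
function Set-LocalAccountState {
    param([string]$ComputerName, [string]$UserName, [bool]$Disable)

    $account = [ADSI]"WinNT://$ComputerName/$UserName,user"
    $old = [int]$account.UserFlags.Value
    $new = Get-NewUserFlags -UserFlags $old -Disable $Disable

    if ($new -ne $old) {               # write only when something actually changes
        $account.Put("userflags", $new)
        $account.SetInfo()
        $account.RefreshCache()
    }

    [pscustomobject]@{
        Account  = $account.Path
        OldFlags = '0x{0:X4}' -f $old
        NewFlags = '0x{0:X4}' -f [int]$account.UserFlags.Value
        Disabled = [bool]($account.UserFlags.Value -band $ADS_UF_ACCOUNTDISABLE)
        Changed  = $new -ne $old
    }
}

# Constructed sample values: 0x0201 is an enabled account, 0x0203 the same account disabled.
Get-NewUserFlags -UserFlags 0x0203 -Disable $false   # disabled -> enabled
Get-NewUserFlags -UserFlags 0x0201 -Disable $false   # already enabled: value is unchanged
0x0201 -bxor $ADS_UF_ACCOUNTDISABLE                  # XOR on an enabled account sets the bit

# Against a real machine (names from the article):
# Set-LocalAccountState -ComputerName 'CHI-FP01' -UserName 'HelpDesk' -Disable $true
```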

Deleting the Account

Finally, the day may come when you want to delete the account altogether. Remember, the account is a child object of the computer, so that’s where we need to do the deletion. First, get an ADSI object for the computer.

PS C:\> [ADSI]$server="WinNT://CHI-FP01"

Then call the Delete() method, specifying the type of object and its name.

PS C:\> $server.delete("user",$helpdesk.name.value)

The change is immediate and there is no need to call SetInfo().


Local user accounts can, of course, be managed just as easily with the legacy NET commands, which you could incorporate into a PowerShell remoting command or session. If you have a larger PowerShell-based task that involves local user accounts, using ADSI objects is the right approach.
