Upcoming Webinar
Cayosoft Shows How Forest Recovery Tech Addresses Survey Issues
Join this webinar and not only learn about what your peers are doing, but also learn about a new patent-pending modern approach to AD forest recovery from Cayosoft.
New episode!
The Scoop on Loop: The Latest Innovations Directly From Microsoft!
Darrell Webster speaks to Rebecca Keys, a Program Manager from the Microsoft Loop team.
Turn Data Protection into an MRR Growth Engine
Security for your customers, revenue for your MSP practice. Access key insights on how to scale your practice with SkyKick’s new eGuide.
MSP eGuide to Package, Sell and Deliver M365 Security Services
Based on input from our top-performing MSPs, SkyKick prepared the MSP Guide to help you navigate the security landscape.

Managing Local User Accounts with Windows PowerShell

In my previous article, I demonstrated how to create a local user account with Windows PowerShell. In today’s article, I want to cover some basic management tasks that can be done with PowerShell.

Using ADSI

The first step is to use ADSI and get the local user account object.

PS C:\> [ADSI]$HelpDesk="WinNT://CHI-FP01/HelpDesk,User"

Remember, the WinNT moniker is case sensitive.

Changing Password

One task you are most likely to need is changing the local account password. If you pipe the ADSI object to Get-Member, you won’t see any methods; you just have to know they are there, such as SetPassword(). This is the same method we called when we set up the account.

PS C:\> $HelpDesk.SetPassword("P@ssw0rd")

The change is immediate and there is no need to call SetInfo(). By the way, if you want to see how old a password is, you can look at the PasswordAge property.

PS C:\> $helpDesk.PasswordAge
1775

This is a value in seconds. So if you wanted to get the age in days all you need to do is divide it by 86400.

PS C:\> [ADSI]$Admin="WinNT://CHI-FP01/Administrator,user"
PS C:\> $admin.PasswordAge.value/86400
269.749664351852

Changing Group Membership

When I set up the HelpDesk local account, I added it to the Power Users group. Well, the account needs to belong to the local Administrators group so I need to fix group membership. First, I’ll remove the account from the Power Users group.

PS C:\> [ADSI]$power="WinNT://CHI-FP01/Power Users,group"
PS C:\> $power.Remove($HelpDesk.Path)

The change is immediate. Now I’ll get a reference to the local administrators group and add the Help Desk account.

PS C:\> [ADSI]$Admins="WinNT://CHI-FP01/Administrators,group"
PS C:\> $Admins.Add($HelpDesk.path)

I don’t think it can get any easier.

Disabling the Account

There may come a time when you need to disable the local account. This is part of the accounts’ userflags bitmask value, which requires some little bitwise operations. We’ll need to work with the value that indicates if an account is disabled.

PS C:\> $AccountDisable=0x0002

First, I’ll verify the account is currently enabled by performing a bitwise AND operation:

PS C:\> ($HelpDesk.UserFlags.Value -band $AccountDisable) -as [boolean]
False

I cast the result as a Boolean to make it easier to interpret the results. To disable the account, I’ll need to do a bitwise OR and assign the value to the userflags property.

PS C:\> $new=$HelpDesk.UserFlags.Value -bor $AccountDisable
PS C:\> $HelpDesk.put("userflags",$new)
PS C:\> $HelpDesk.SetInfo()

I can verify by refreshing my cached copy of the object and re-running my –band expression.

PS C:\> $helpdesk.refreshcache()
PS C:\> ($HelpDesk.UserFlags.Value -band $AccountDisable) -as [boolean]
True

To re-enable it almost uses the same steps, except you need to use a bitwise XOR operation.

PS C:\> $new=$HelpDesk.UserFlags.Value -bxor $AccountDisable
PS C:\> $HelpDesk.put("userflags",$new)
PS C:\> $HelpDesk.SetInfo()
PS C:\> $helpdesk.refreshcache()
PS C:\> ($HelpDesk.UserFlags.Value -band $AccountDisable) -as [boolean]
False

Deleting the Account

Finally, the day may come when you want to delete the account all together. Remember, the account is a child object of the computer so that’s where we need to do the deletion. First, get an ADSI object for the computer.

PS C:\> [ADSI]$server="WinNT://CHI-FP01"

Then call the Delete() method, specifying the type of object and its name.

PS C:\> $server.delete("user",$helpdesk.name.value)

The change is immediate and there is no need to call SetInfo().

Overview

Managing local user accounts obviously can also be done just as easily with the legacy NET commands, which you could easily incorporate into a PowerShell remoting command or session. If you have a larger PowerShell based task that involves local user accounts, using ADSI object is the right approach.

by Jeff Hicks
May 17, 2012

Jeffery Hicks is an IT veteran with over 30 years of experience, much of it spent as an IT infrastructure consultant specializing in Microsoft server technologies with an emphasis on automation and efficiency. He is a multi-year recipient of the Micr...

How to Connect to Exchange Online Using PowerShell

Jun 9, 2023
Dec 05, 2023
Master the Power of File and Directory Management with Get-ChildItem in PowerShell

Oct 16, 2023
Get-ADComputer: The PowerShell Command for Managing Active Directory Computers

Nov 15, 2023

Take our survey

PETRI NEWSLETTERS

Join Petri Insider

Create a free account today to participate in forum conversations, comment on posts and more.