
Local Users and Groups

Local users and groups form the foundation of identity and access control on standalone Windows systems and on domain‑joined machines where local accounts still play an important administrative role. PowerShell provides a structured, predictable, and scriptable interface for managing these accounts, allowing administrators to create users, modify group membership, enforce security policies, and audit access configurations without relying on graphical tools.

This section explains how local accounts and groups are organized, how PowerShell interacts with them, and how to manage them safely and effectively.


1. Understanding Local Accounts and Groups

Windows maintains two layers of identity:

  1. Local accounts, stored on the individual machine.
  2. Domain accounts, stored in Active Directory (if the machine is domain‑joined).

Local accounts are used for:

  • Administrative access to standalone systems
  • Break‑glass access when domain authentication is unavailable
  • Running scheduled tasks or services under controlled identities
  • Managing workgroup environments

Local groups provide a way to assign permissions to multiple users at once. For example:

  • Administrators — full control over the system
  • Users — standard user privileges
  • Remote Desktop Users — permission to sign in via RDP
  • Backup Operators — ability to back up and restore files

PowerShell exposes these accounts and groups as objects, allowing you to inspect and modify them programmatically.


2. PowerShell Tools for Managing Local Accounts

Windows provides two primary interfaces for managing local users and groups:

  • Microsoft.PowerShell.LocalAccounts — the cmdlet module (Get-LocalUser, New-LocalUser, Add-LocalGroupMember and so on) that ships with Windows PowerShell 5.1 on Windows 10, Windows Server 2016 and later
  • Legacy interfaces — the net user / net localgroup commands, the ADSI WinNT:// provider and the Win32_UserAccount WMI class, still useful on older systems or for properties the module does not expose

For modern Windows systems, the LocalAccounts module is the recommended approach. Reading accounts and groups works from a normal session; every cmdlet that creates, changes or deletes an account or group membership must run in an elevated (Run as administrator) session.


3. Inspecting Local Users

To understand the current configuration of a system, you begin by listing existing local accounts.

Retrieving all local users

Get-LocalUser

This returns one object per account. The default table shows only Name, Enabled and Description; each object also carries the SID, PasswordLastSet, PasswordExpires, LastLogon, PasswordRequired and UserMayChangePassword, which you can see by piping to Select-Object *. Properties worth noting:

  • Name and SID (the SID is the stable identifier; names can be changed)
  • Enabled/disabled status
  • Password expiration and last-set timestamps
  • Account description

Inspecting a specific user

Get-LocalUser -Name "Administrator"

This allows you to examine the configuration of a particular account, such as whether it is enabled or when the password was last set.


4. Creating and Managing Local Users

PowerShell allows you to create new local accounts with explicit control over their properties.

Creating a new user

$password = Read-Host "Enter password" -AsSecureString
New-LocalUser -Name "MaintenanceUser" -Password $password -Description "Account for scheduled maintenance tasks"

This creates a new user with the prompted password and a descriptive label. New-LocalUser fails if the password does not meet the machine's password policy (length, complexity, history).

Reading the password with -AsSecureString keeps it out of the script text, the console history and any transcript. A SecureString is not a secret store, though: any code running in the same session can recover the plain text, so do not rely on it for anything beyond avoiding on-disk and on-screen exposure, and never build one from a literal with ConvertTo-SecureString -AsPlainText inside a script.

Enabling or disabling accounts

Disable-LocalUser -Name "MaintenanceUser"
Enable-LocalUser  -Name "MaintenanceUser"

Disabling an account is the preferred way to retire access that may be needed again: the SID, profile and group memberships are preserved, unlike deletion, and the disabled account remains visible to audits. Sessions that are already logged on are not terminated by disabling the account.

Setting or resetting passwords

Set-LocalUser -Name "MaintenanceUser" -Password $password

This rotates the password while preserving the rest of the account configuration. Existing logon sessions keep running; the new password is only required at the next authentication.


5. Inspecting Local Groups

Local groups define collections of permissions. Understanding group membership is essential for auditing and security.

Listing all local groups

Get-LocalGroup

This returns groups such as:

  • Administrators
  • Users
  • Remote Desktop Users
  • Guests

Inspecting a specific group

Get-LocalGroup -Name "Administrators"

This retrieves the group definition, including its description, its security identifier (SID) and its PrincipalSource. Built-in groups have well-known SIDs (Administrators is S-1-5-32-544), which is why scripts should match groups and members by SID rather than by display name.


6. Managing Group Membership

Group membership determines what users can do on the system. PowerShell provides clear and explicit commands for modifying membership.

Viewing group members

Get-LocalGroupMember -Group "Administrators"

This reveals which principals, local or domain, have administrative privileges. Each member object carries an ObjectClass (User or Group) and a PrincipalSource (Local, ActiveDirectory, AzureAD or MicrosoftAccount). A member with ObjectClass Group is not expanded: a domain group listed here grants administrative rights to every member of that group, and you must inspect the group in the directory to know who that is.

Adding a user to a group

Add-LocalGroupMember -Group "Administrators" -Member "MaintenanceUser"

This grants the user administrative rights. Group membership is stamped into the access token at logon, so the change takes effect for new logon sessions, not for sessions that are already open. Add-LocalGroupMember fails with an error if the principal is already a member, so scripts should check with Get-LocalGroupMember first.

Removing a user from a group

Remove-LocalGroupMember -Group "Administrators" -Member "MaintenanceUser"

This revokes elevated privileges for future logons. A session that is already logged on keeps its existing token, including the Administrators membership, until the user logs off, so removal should be followed by a logoff or reboot when the account is in use.
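The following script ties the steps of sections 4 and 6 together into one idempotent provisioning routine for a time-boxed maintenance account. It is an added example, not code from the original page; the account name, description, target group and seven-day expiry are assumptions chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): provisions a time-boxed local
# maintenance account and grants it only Remote Desktop access, safely re-runnable.
# Name, group and expiry below are illustrative assumptions.

$Name    = 'MaintenanceUser'
$Group   = 'Remote Desktop Users'
$Expires = (Get-Date).AddDays(7)   # Windows disables the account after this date

# Prompt for the password so it never appears in the script or the console history.
$password = Read-Host "Enter password for $Name" -AsSecureString

# Create the account only if it is missing. Get-LocalUser reports a non-terminating
# error for an unknown name, so suppress it and test for an empty result.
$user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
if (-not $user) {
    $user = New-LocalUser -Name $Name -Password $password `
        -Description "Time-boxed maintenance account, expires $($Expires.ToShortDateString())" `
        -AccountExpires $Expires -UserMayNotChangePassword
} else {
    # Existing account: rotate the password and re-apply the expiry date.
    Set-LocalUser -Name $Name -Password $password -AccountExpires $Expires
    Enable-LocalUser -Name $Name
}

# Add to the group only when not already a member; Add-LocalGroupMember errors on duplicates.
# Compare by SID string rather than by name so a renamed account is still recognised.
$members = Get-LocalGroupMember -Group $Group
if ($members.SID.Value -notcontains $user.SID.Value) {
    Add-LocalGroupMember -Group $Group -Member $user
}

# Verify the end state: the account exists, is enabled, expires, and holds exactly the intended membership.
Get-LocalUser -Name $Name | Select-Object Name, Enabled, AccountExpires, PasswordLastSet
Get-LocalGroupMember -Group $Group | Where-Object { $_.SID.Value -eq $user.SID.Value } |
    Select-Object Name, ObjectClass, PrincipalSource
```

Because every step checks the current state before acting, the script can be run from a scheduler or a configuration tool without producing "already exists" or "already a member" errors on the second run, and the expiry date means a forgotten account switches itself off.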


7. Working with Domain Accounts in Local Groups

Even on domain-joined systems, local groups often contain domain accounts and domain groups. The LocalAccounts cmdlets accept them in DOMAIN\name form or as a SID; resolving a name requires the machine to reach a domain controller, whereas a SID can be added even when the domain is unreachable, which is what happens when Group Policy preferences populate local groups.

Example: adding a domain user to a local group

Add-LocalGroupMember -Group "Remote Desktop Users" -Member "CONTOSO\jdoe"

This grants the domain user permission to sign in via Remote Desktop.


8. Auditing Local Accounts and Groups

Regular auditing is essential for maintaining a secure environment.

Identifying disabled accounts

Get-LocalUser | Where-Object { $_.Enabled -eq $false }

Listing all local administrators

Get-LocalGroupMember -Group "Administrators"

This is one of the most important security checks on any Windows system.

Finding accounts with passwords that never expire

Get-LocalUser | Where-Object { $null -eq $_.PasswordExpires }

PasswordExpires is a nullable date, not a boolean: it holds the expiry timestamp for accounts whose password expires and is empty ($null) for accounts whose password never expires. A filter written as $_.PasswordExpires -eq $false therefore never matches, because PowerShell does not treat an empty date as $false. Putting $null on the left of the comparison avoids the pitfall where a collection on the left would be filtered rather than compared. Accounts with non-expiring passwords should be reviewed carefully, and enabled accounts whose PasswordRequired property is $false deserve the same scrutiny.
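The three checks above are most useful when combined into one report that classifies accounts by what they are rather than what they are called. The script below is an added example, not code from the original page; it reads only the properties that Get-LocalUser and Get-LocalGroupMember return, and the list of well-known RIDs is the standard Windows one (500 Administrator, 501 Guest, 503 DefaultAccount, 504 WDAGUtilityAccount).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): a local account audit that emits
# objects, so the result can be exported, diffed across machines or fed to a SIEM.

# Built-in local accounts have fixed relative identifiers (RIDs). Classify by RID,
# not by name, because the built-in Administrator and Guest are often renamed.
$BuiltInRids = @{ 500 = 'Administrator'; 501 = 'Guest'; 503 = 'DefaultAccount'; 504 = 'WDAGUtilityAccount' }

function Get-RidFromSid {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    # The RID is the final sub-authority of the SID string (S-1-5-21-...-RID).
    [int](($Sid.Value -split '-')[-1])
}

$users  = Get-LocalUser
$admins = Get-LocalGroupMember -Group 'Administrators'
$adminSids = @($admins.SID.Value)

$report = foreach ($u in $users) {
    $rid = Get-RidFromSid -Sid $u.SID
    [pscustomobject]@{
        Name                 = $u.Name
        Enabled              = $u.Enabled
        BuiltIn              = $BuiltInRids.ContainsKey($rid)
        IsAdministrator      = $adminSids -contains $u.SID.Value
        PasswordNeverExpires = ($null -eq $u.PasswordExpires)   # empty date means no expiry
        PasswordRequired     = $u.PasswordRequired
        PasswordLastSet      = $u.PasswordLastSet
        LastLogon            = $u.LastLogon
    }
}

# Findings a reviewer would act on:
#   - enabled administrators whose password never expires
#   - enabled accounts that do not require a password at all
#   - enabled, non-built-in accounts that have never logged on (stale or planted)
$findings = $report | Where-Object {
    ($_.Enabled -and $_.IsAdministrator -and $_.PasswordNeverExpires) -or
    ($_.Enabled -and -not $_.PasswordRequired) -or
    ($_.Enabled -and -not $_.BuiltIn -and $null -eq $_.LastLogon)
}
$findings | Format-Table -AutoSize

# Domain, Azure AD and Microsoft-account principals in Administrators are not local users
# and therefore do not appear in $report; list them separately so they are not overlooked.
$admins | Where-Object { $_.PrincipalSource -ne 'Local' } |
    Select-Object Name, ObjectClass, PrincipalSource, SID
```

Run across a fleet, the $report objects can be exported with Export-Csv and compared run to run; a new non-built-in account, or a built-in account that has changed from disabled to enabled, then shows up as a diff rather than being lost in a table of names.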


9. Practical Administrative Scenarios

Creating a service account

$password = Read-Host "Enter password" -AsSecureString
New-LocalUser -Name "ServiceAccount" -Password $password -Description "Local service account"
Add-LocalGroupMember -Group "Users" -Member "ServiceAccount"

Creating the account and placing it in Users is only the first step. Running a Windows service under it also requires the "Log on as a service" user right, which is assigned through the Local Security Policy (or a security template), not through the LocalAccounts cmdlets; conversely, its interactive and remote logon rights should be denied so the credential is useful for nothing but the service. Add-LocalGroupMember fails with an error if the principal is already a member of the group, so scripts should check with Get-LocalGroupMember before adding.

Preparing a machine for remote administration

Add-LocalGroupMember -Group "Remote Management Users" -Member "CONTOSO\AdminTeam"

Members of Remote Management Users can connect to the machine's PowerShell remoting (WinRM) endpoints and WMI without being local administrators, which is the right starting point for delegated administration; add them to Administrators only if the tasks genuinely require it.

Locking down a system by auditing administrators

Get-LocalGroupMember -Group "Administrators" |
    Where-Object { $_.ObjectClass -eq "User" }

This identifies the user accounts that are direct members of Administrators. It deliberately leaves out members whose ObjectClass is Group, which is where most of the risk hides on domain-joined machines: a single domain group in this list extends administrative rights to everyone in that group, and Get-LocalGroupMember does not expand it. A complete review therefore lists the Group members as well and resolves their membership in the directory.
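A practical lockdown check compares the Administrators group against an approved list and reports drift in both directions. This is an added example, not code from the original page. The approved list is keyed by SID so that renamed accounts are still matched; the machine SID is read from the built-in Administrator (RID 500), and the domain group SID shown is a placeholder you would replace with the real value taken from the directory or from a previous Get-LocalGroupMember run.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): report and optionally correct drift
# between the local Administrators group and an approved member list.
# The domain group SID below is a placeholder assumption, not a real value.

# Derive the machine SID from the built-in Administrator account (RID 500), whatever it is named.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
$machineSid   = $builtinAdmin.SID.AccountDomainSid.Value

$approved = @(
    "$machineSid-500"                                   # built-in local Administrator, never remove
    'S-1-5-21-1111111111-2222222222-3333333333-512'     # placeholder: CONTOSO\Domain Admins
)

# Set to $true only after reviewing a dry run; with $false the removals are only previewed.
$Remediate = $false

$members = Get-LocalGroupMember -Group 'Administrators'

# Drift in both directions: members that are not approved, and approved SIDs that are absent.
$unexpected = $members  | Where-Object { $approved -notcontains $_.SID.Value }
$missing    = $approved | Where-Object { $members.SID.Value -notcontains $_ }

"Unexpected members of Administrators:"
$unexpected | Select-Object Name, ObjectClass, PrincipalSource, SID | Format-Table -AutoSize

"Approved members that are missing:"
$missing

# Group members (ObjectClass Group) are not expanded by Get-LocalGroupMember; they are
# compared by SID here like any other entry, and their own membership must be reviewed in AD.
if ($unexpected) {
    # -WhatIf previews the removal when $Remediate is $false. The built-in Administrator is in
    # the approved list, so the machine always retains at least one local administrator.
    Remove-LocalGroupMember -Group 'Administrators' -Member $unexpected -WhatIf:(-not $Remediate)
}
```

Keep the built-in Administrator and the account you are running as on the approved list before enabling remediation; removing the last usable administrator from a remote machine is a self-inflicted lockout. Members removed this way keep their elevated token until they log off, as noted in section 6.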


10. Summary

Local users and groups form the backbone of access control on Windows systems. PowerShell provides a clear, structured, and scriptable interface for managing them, enabling administrators to:

  • Inspect and create local accounts
  • Modify passwords and enable or disable accounts
  • Inspect and manage local groups
  • Control group membership with precision
  • Integrate domain accounts into local security structures
  • Audit access configurations for security and compliance

By mastering these tools, you gain fine‑grained control over identity and permissions on Windows systems, enabling secure and consistent administrative practices.