How To Manage Local Users And Groups Using PowerShell

Managing local users and groups can be a bit of a chore, especially on a computer running the Server Core version of Windows Server. The LocalAccounts module of PowerShell, included in Windows Server 2016 and Windows Server 2019 by default, makes this process a lot simpler.

For example, to see all the local users on a specific computer, run the command

Get-LocalUser


You’ll notice there that I’ve already renamed the local Administrator account on this particular computer to Admin. I do that because it’s a lab machine and renaming the account from Administrator means that it won’t default to the local Admin account when I want to sign on as the default Domain Admin account, which is also named Administrator.

To view the local groups on a computer, run the command

Get-LocalGroup


To view the members of a specific group, use the Get-LocalGroupMember cmdlet. For example, to figure out who is a member of the local Administrators group, run the command Get-LocalGroupMember Administrators.


You can create a new local user using the New-LocalUser cmdlet. When creating a new local user, first store the password in a variable using $Password = Read-Host -AsSecureString. This prompts you for the password to assign to the user and masks it as you type, so it never appears in the command itself. For example, to create a new user named Optimus, enter the following commands:

$Password = Read-Host -AsSecureString
New-LocalUser -Name Optimus -Description "Second Admin Account" -Password $Password

Resetting a user password is a little more involved and requires three steps. The first step is to write a password from the prompt to a variable using $Password = Read-Host -AsSecureString. The second is to assign the properties of the user account whose password you want to change to a variable using $UserAccount = Get-LocalUser -Name AccountName. Once you’ve done that, you can use the $UserAccount | Set-LocalUser -Password $Password command to assign the new password.


You use the Add-LocalGroupMember cmdlet to add members to a local group. For example, to add the Optimus account that was created in the last example to the local Administrators group, run the command:

Add-LocalGroupMember -Group "Administrators" -Member Optimus

You can use the same command to add domain accounts to local groups. For example, to add the Maximus account from the Contoso domain to the local Administrators group, run the command:

Add-LocalGroupMember -Group "Administrators" -Member "Contoso\Maximus"

You can also use the same command to add domain groups to a local group. For example, to add the ITOps group from the Contoso domain to the local Administrators group, run the command:

Add-LocalGroupMember -Group "Administrators" -Member "Contoso\ITOps"

You can remove users or groups from a local group using the Remove-LocalGroupMember cmdlet. For example, to remove the Optimus account from the local Administrators group, run the command:

Remove-LocalGroupMember -Group "Administrators" -Member Optimus
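
The same cmdlets can be used to review who holds local administrator rights after accounts such as Optimus have been added. The following is an added example, not part of the original article: it reports members of the local Administrators group that are not on an allow-list. The function name Get-UnexpectedLocalAdmin and the allow-list entries (including CONTOSO\Domain Admins) are assumptions.

```powershell
# Added example: audit the local Administrators group against an allow-list.
# The function name and the allow-list entries are assumptions, built from
# the names used in this article.
function Get-UnexpectedLocalAdmin {
    [CmdletBinding()]
    param(
        # Accounts and groups expected to hold local administrator rights.
        [string[]]$AllowedMember = @('CONTOSO\Domain Admins', 'CONTOSO\ITOps'),
        # Keep the built-in Administrator (RID 500) off the report, even if renamed.
        [switch]$AllowBuiltInAdministrator
    )

    # S-1-5-32-544 is the well-known SID of the local Administrators group,
    # so the lookup still works if the group has been renamed or localized.
    try {
        $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    }
    catch {
        # Membership could not be enumerated: surface the error instead of
        # returning an empty (and misleadingly clean) result.
        throw "Could not enumerate local Administrators: $($_.Exception.Message)"
    }

    foreach ($member in $members) {
        $sid = $member.SID.Value
        # The built-in Administrator is a local account whose SID ends in
        # RID 500, whatever name it currently has (for example, Admin).
        $isBuiltIn = ($member.PrincipalSource -eq 'Local') -and
                     ($sid -match '^S-1-5-21-(\d+-){3}500$')
        if ($AllowBuiltInAdministrator -and $isBuiltIn) { continue }
        if ($AllowedMember -contains $member.Name) { continue }  # case-insensitive

        # Anything left is a member nobody has signed off on.
        [pscustomobject]@{
            Name            = $member.Name
            SID             = $sid
            ObjectClass     = $member.ObjectClass
            PrincipalSource = $member.PrincipalSource
        }
    }
}

Get-UnexpectedLocalAdmin -AllowBuiltInAdministrator | Format-Table -AutoSize
```

Because local accounts are listed as COMPUTERNAME\Name, an account such as Optimus stays on the report until it is added to the allow-list or removed from the group.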


You can find out more about the cmdlets that you use to manage local users and groups, including how to add and remove local groups as well as remove local user accounts in the following Docs article: PowerShell Local Accounts.

This article was originally published by Microsoft's Azure Blog. You can find the original article here.