Local Account Management PowerShell Module

20/02/2012

7 comments

Microsoft PowerShell version 2 is a powerful tool with many useful cmdlets, but the absence of local account management cmdlets is evident. Microsoft ships an Active Directory module with Windows Server 2008 R2, but it comes with this condition:

 "If you want to use the Active Directory module in Windows 7 to remotely manage an Active Directory domain, an AD LDS instance or configuration set, or an Active Directory Database Mounting Tool instance, you must have at least one Windows Server 2008 R2 domain controller in your domain or at least one instance in an AD LDS configuration set that is running on a Windows Server 2008 R2 server".

Quest ActiveRoles Management Shell for Active Directory is a very good alternative: easy to use, very powerful, well documented, and it supports Active Directory 2003.

Occasionally I need to administer local accounts on my servers and workstations: change the local admin password, add new local admins, create local application users (even though I don't like doing that very much), check local group membership and so on. I thought that if Microsoft cannot help, I should do it myself, so I wrote my own module.

 

Local Account Management Functions

The Local Account Management Module contains the following functions:

C:\PS> Get-Command -Module LocalAccountManagement

  • Get-LocalAccountPolicy – Get the account policy from a local or remote system.
    • By default this command connects with the Administrator account to collect the policy information; supply an alternate account with the UserName parameter.

C:\PS> Get-LocalAccountPolicy -ComputerName MyComputer

  • Get-LocalGroupMembers – Get local group members from a local or remote system.
    • Gets the following information: source ComputerName, source GroupName, GroupMember name, UserType (local or domain), ObjectType (User or Group)
    • You can use ActiveRoles Management Shell for Active Directory to get more information about nested groups

C:\PS>  Get-LocalGroupMembers Administrators | Where-Object {$_.ObjectType -eq "group"} | Foreach {Get-QADGroupMember -Identity $_.Identity}

    • The command below gets the members of MyGroup, keeps only the users and formats the result as a table

C:\PS>  Get-LocalGroupMembers -GroupName MyGroup | Where-Object {$_.ObjectType -eq "User"} | Format-Table

  • Add-LocalGroupMember – Add local users, domain users and domain groups to a local group on a local or remote system.
    • You can add the following account types: local user, domain user and domain group
    • Add the local users Admin1 and Admin2 to the Administrators local group with the command below:

C:\PS> Add-LocalGroupMember -UserName Admin1,Admin2 -GroupName Administrators

  • Remove-LocalGroupMember – Remove users and domain groups from a local group on a local or remote system.

C:\PS> Remove-LocalGroupMember -UserName Admin1,Admin2 -GroupName Administrators
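
The listing, add and remove operations described in the three sections above can be done directly against the ADSI WinNT provider, which is the interface a module like this one wraps. The block below is an added example written for this page, not the module's own code; the function names (Get-GroupMemberInfo, Set-GroupMembership) and the host, domain and account names at the bottom are assumptions for illustration. It classifies each member as local or domain by the first segment of its AdsPath, only adds or removes when the membership actually needs to change, and enforces the elevated-session requirement only when the target is the local computer.

```powershell
# Added example, not code from the module: local group membership through the
# ADSI WinNT provider. Function names and the host/domain/account names used at
# the bottom (Server1, Server2, CONTOSO, ServerAdmins, jdoe) are assumptions.

function Get-GroupMemberInfo {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # NetBIOS name of the target
        [string]$GroupName    = 'Administrators'
    )
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Members come back as raw COM objects, so their properties are read via reflection
        $adsPath = $member.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $member, $null)
        $class   = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)
        $name    = $member.GetType().InvokeMember('Name',    'GetProperty', $null, $member, $null)
        # AdsPath is WinNT://<DOMAIN or COMPUTER>/<Name>; the first segment says where the account lives
        $source = (($adsPath -replace '^WinNT://', '') -split '/')[0]
        New-Object PSObject -Property @{
            ComputerName = $ComputerName
            GroupName    = $GroupName
            Identity     = "$source\$name"
            ObjectType   = $class                                   # User or Group
            UserType     = $(if ($source -ieq $ComputerName) { 'Local' } else { 'Domain' })
            AdsPath      = $adsPath
        }
    }
}

function Set-GroupMembership {
    param(
        [Parameter(Mandatory = $true)][string]$MemberPath,   # e.g. WinNT://CONTOSO/ServerAdmins,group
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$GroupName    = 'Administrators',
        [ValidateSet('Add', 'Remove')][string]$Action = 'Add'
    )
    # Writes to the local SAM need an elevated token; remote writes use the network logon instead
    if ($ComputerName -ieq $env:COMPUTERNAME) {
        $principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
        if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
            throw 'Start PowerShell with "Run as Administrator" before changing local group membership.'
        }
    }
    # Members report their AdsPath without the ",user"/",group" class suffix, so strip it before comparing
    $bare    = $MemberPath -replace ',(user|group)$', ''
    $present = @(Get-GroupMemberInfo -ComputerName $ComputerName -GroupName $GroupName |
                 Where-Object { $_.AdsPath -ieq $bare }).Count -gt 0
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    if ($Action -eq 'Add') {
        if ($present) { return "$bare is already in $ComputerName\$GroupName" }
        $group.psbase.Invoke('Add', $MemberPath)
    }
    else {
        if (-not $present) { return "$bare is not in $ComputerName\$GroupName" }
        $group.psbase.Invoke('Remove', $MemberPath)
    }
    "$Action of $bare in $ComputerName\$GroupName done"
}

# Audit: which domain principals hold local admin rights on this machine and on the assumed hosts
$env:COMPUTERNAME, 'Server1', 'Server2' |
    ForEach-Object { Get-GroupMemberInfo -ComputerName $_ -GroupName 'Administrators' } |
    Where-Object { $_.UserType -eq 'Domain' } |
    Format-Table ComputerName, Identity, ObjectType -AutoSize

# Change (assumed names): grant admin rights to a domain group rather than to individual users
Set-GroupMembership -ComputerName 'Server1' -GroupName 'Administrators' -MemberPath 'WinNT://CONTOSO/ServerAdmins,group'
Set-GroupMembership -ComputerName 'Server1' -GroupName 'Administrators' -MemberPath 'WinNT://CONTOSO/jdoe,user' -Action Remove
```

The audit part is the one worth scheduling: a domain user that appears directly in a server's Administrators group, rather than through a group, is usually a leftover from troubleshooting and is the kind of membership the remove call is for. Members that cannot be resolved any more show up with a SID string as their name; they are stale and should be removed as well.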

  • Get-LocalGroup – Get local group account information from a local or remote system.
    • You can use wildcards to get local group information
    • With the following command you can get a list of all local groups from several computers:

    C:\PS>  "Computer1","Computer2","Computer3" | Get-LocalGroup

    or you can use a text file with the computer list:

    C:\PS>  Get-Content d:\ComputerList.txt | Get-LocalGroup

    • The command below gets all the groups whose names start with App from the local computer and the remote computer Dolav-LT

C:\PS>  Get-LocalGroup -GroupName App* -ComputerName Dolav-LT

  • Disable-LocalUser – Disable local user account on a local or remote system.

C:\PS>  Disable-LocalUser -UserName Sauron -ComputerName Middle-earth

  • Enable-LocalUser – Enable local user account on a local or remote system.
  • Get-LocalUser – Get local user account information from a local or remote system.
    • You can use wildcards to get local users information
    • The command provides information such as : UserName, Description, PasswordAge (in Days), password policy, user profile, home directory and more
    • Assuming you want to disable all users whose names start with User (User1 through UserN), you can use the following command:

C:\PS>  Get-LocalUser User* | Disable-LocalUser

  • New-LocalGroup –  Create local group account on local or remote system.
  • New-LocalUser – Create local user account on local or remote system.
    • At a minimum you must specify UserName and Password. The password is passed as plain text on the command line, so it ends up in the console history and in any transcript; do not use a weak value like the one in the example below.
    • The default value of the user's FullName is the UserName
    • PasswordNeverExpires, CannotChangePassword and MustChangePassword take a value of true or false
    • "What you get you can create": the properties Get-LocalUser returns (UserName, Description, PasswordAge in days, password policy, user profile, home directory and more) can also be specified at creation

C:\PS>  New-LocalUser -UserName MyUser -Password Pass -HomeDirectory c:\MyFolder -MustChangePassword

  • Remove-LocalGroup – Remove local group account from a local or remote system.
  • Remove-LocalUser – Remove Local User account from a local or remote system.
    • To remove User4 and User3 type the following command

C:\PS>  Remove-LocalUser -UserName User4,User3

Tip: to skip the confirmation prompt, run Remove-LocalUser -UserName User4,User3 -Confirm:$False

  • Rename-LocalGroup – Rename local group account on a local or remote system.
  • Rename-LocalUser – Rename a local user account on a local or remote system.

C:\PS>  Rename-LocalUser -UserName User2 -NewUserName User4

  • Set-LocalGroup – Change the local group settings on local or remote system.
  • Set-LocalUser – Change the local user account settings on local or remote system.
    • "What you get you can set": the properties Get-LocalUser returns (UserName, Description, PasswordAge in days, password policy, user profile, home directory and more) can be changed
    • PasswordNeverExpires, CannotChangePassword and MustChangePassword take a value of true or false
    • You can also use this command to unlock users

C:\PS>  Set-LocalUser -UserName MyUser -PasswordNeverExpires $true -CannotChangePassword $true
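
The per-user information that Get-LocalUser reports (description, password age in days, the password policy flags, disabled state) and the unlock operation mentioned under Set-LocalUser map onto the UserFlags and IsAccountLocked properties of the WinNT user object. The block below is an added example written for this page, not the module's code; the function names (Get-LocalUserAudit, Unlock-LocalUserAccount) and the host names Server1 and Server2 are assumptions for illustration. It reads those properties through ADSI, filters by a wildcard the way Get-LocalUser User* does, and unlocks only accounts that are actually locked.

```powershell
# Added example, not code from the module: audit local user accounts through the
# ADSI WinNT provider and unlock the locked ones. Function names and the host
# names Server1/Server2 used at the bottom are assumptions.

# UserFlags bits from ADS_USER_FLAG_ENUM
$ADS_UF_ACCOUNTDISABLE     = 0x0002
$ADS_UF_PASSWD_CANT_CHANGE = 0x0040
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

function Get-LocalUserAudit {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$Filter       = '*'          # wildcard on the user name, like Get-LocalUser User*
    )
    $computer = [ADSI]"WinNT://$ComputerName,computer"
    $computer.psbase.Children |
        Where-Object { $_.psbase.SchemaClassName -eq 'user' -and ([string]$_.Name) -like $Filter } |
        ForEach-Object {
            $flags = [int]$_.UserFlags.Value
            New-Object PSObject -Property @{
                ComputerName         = $ComputerName
                UserName             = [string]$_.Name
                Description          = [string]$_.Description
                Disabled             = [bool]($flags -band $ADS_UF_ACCOUNTDISABLE)
                Locked               = [bool]$_.psbase.InvokeGet('IsAccountLocked')
                PasswordNeverExpires = [bool]($flags -band $ADS_UF_DONT_EXPIRE_PASSWD)
                CannotChangePassword = [bool]($flags -band $ADS_UF_PASSWD_CANT_CHANGE)
                PasswordAgeDays      = [math]::Round(([int]$_.PasswordAge.Value) / 86400, 1)   # WinNT reports seconds
            }
        }
}

function Unlock-LocalUserAccount {
    param(
        [Parameter(Mandatory = $true)][string]$UserName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $user = [ADSI]"WinNT://$ComputerName/$UserName,user"
    if (-not [bool]$user.psbase.InvokeGet('IsAccountLocked')) { return "$ComputerName\$UserName is not locked" }
    # IADsUser.IsAccountLocked is writable on the WinNT provider; the write needs an elevated token locally
    $user.psbase.InvokeSet('IsAccountLocked', $false)
    $user.psbase.CommitChanges()
    "$ComputerName\$UserName unlocked"
}

# Audit: enabled local accounts on this machine whose password never expires or is older than 90 days
Get-LocalUserAudit |
    Where-Object { -not $_.Disabled -and ($_.PasswordNeverExpires -or $_.PasswordAgeDays -gt 90) } |
    Format-Table ComputerName, UserName, PasswordAgeDays, PasswordNeverExpires, CannotChangePassword -AutoSize

# Unlock pass over the assumed hosts, in the shape a scheduled task would run
'Server1', 'Server2' | ForEach-Object { Get-LocalUserAudit -ComputerName $_ } |
    Where-Object { $_.Locked } |
    ForEach-Object { Unlock-LocalUserAccount -UserName $_.UserName -ComputerName $_.ComputerName }
```

Treat the unlock pass with care: a task that blindly clears every lockout turns the account lockout policy into a short delay for a password-guessing attacker. Log which accounts were locked and how often before deciding to unlock them automatically, and restrict automatic unlocks to specific service accounts if you need them at all.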

Tip: start PowerShell with "Run as Administrator" to run commands that write (Set, Rename, Remove, Add, ...) against the local computer

 

Creating or setting a user based on a CSV file

  • Create a CSV file (save the file as Unicode)
  • Use the parameter names as column headers (ComputerName, UserName, FullName, Password, LoginScript, ...)

  • You must specify ComputerName, UserName and Password
  • The file holds the initial passwords in clear text, so restrict who can read it and delete it once the accounts are created
  • Import the file with Import-Csv and pipe the output to the desired function

C:\PS>  Import-Csv D:\UserList.Csv | New-LocalUser

Function Help

Use Get-Help to get help on any of the module functions

C:\PS> Get-Help Rename-LocalGroup -Full

How to use

  1. Download and run the setup file
  2. Load the module – Import-Module LocalAccountManagement

 

Special Thanks

Special thanks to my reviewer and editor Omer Riff.


7 comments

  1. Doron, 23/02/2012 at 12:26

    Like!!

  2. Michael Smith, 04/10/2012 at 00:23

    where does your install put the module? I'm trying to verify the install but can't figure out where on Windows 7 Pro your setup installs the module.

  3. Peter, 23/10/2012 at 08:13

    How do I manage "local" server groups remotely?

  4. Jon, 06/02/2013 at 14:16

    All I get is the following error:

    The user name could not be found

    Regardless of syntax, even as simple as:

    Add-LocalGroupMember -GroupName Administrators -DomainGroup "Domain Users"

  5. Jon, 06/02/2013 at 14:28

    Never mind. It just doesn't work on PowerShell v3. Thanks!

  6. cpfudxn@gmail.com, 21/04/2013 at 01:40

    Local Account Management PowerShell Module – Dolav Hadas

  7. John, 28/08/2013 at 13:38

    Can this be used to script finding locked local accounts, and then unlock them via scheduled task?