Windows Local Users and Groups Administration

Overview

This document covers the different methods and commands for managing local users and groups in Windows environments.

Local Users and Groups Manager (GUI Method)

The Local Users and Groups Manager provides a graphical interface for user and group management.

Accessing the Local Users and Groups Manager

Press Win + R to open the Run dialog
Type lusrmgr.msc and press Enter
The Local Users and Groups Manager will open with two folders: Users and Groups

User Management

To create a new user:

Navigate to the Users folder
Right-click on an empty area and select New User
Enter the required user details
Click Create

To modify an existing user:

Right-click on the user and select Properties
Make your changes in the properties dialog
Click Apply and then OK

Group Management

To create a new group:

Navigate to the Groups folder
Right-click on an empty area and select New Group
Enter the group name and description
Add members using the Add button
Click Create

To modify group membership:

Right-click on the group and select Properties
Use the Add or Remove buttons to modify membership
Click Apply and then OK

Command Prompt Administration

The Windows Command Prompt provides command-line tools for managing users and groups.

User Management with net user

Create a new user:

net user username password /add

Create a user and prompt for password (more secure):

net user username /add *

Delete a user:

net user username /delete

Get details about a specific user:

net user username

List all users:

net user

Modify user properties:

net user username /option:value

Optional Parameters for User Creation (net user)

Option	Description
`/active:{no \| yes}`	Enables/disables the account. Default: `yes`.
`/comment:"<Text>"`	Adds a comment (max 48 characters). Enclose in quotes.
`/countrycode:<NNN>`	Sets language files using Country/Region codes. Default: `0`.
`/expires:<Date \| never>`	Sets account expiration date. Use `MM/DD/YYYY`, `DD/MM/YYYY`, or `mmm,dd,YYYY`. Default: none.
`/fullname:"<Name>"`	Specifies the user’s full name. Enclose in quotes.
`/homedir:<Path>`	Sets the user’s home directory. Path must exist.
`/passwordchg:{yes \| no}`	Allows/disallows users to change their password. Default: `yes`.
`/passwordreq:{yes \| no}`	Specifies if a password is required. Default: `yes`.
`/profilepath:<Path>`	Sets the path for the user’s logon profile.
`/scriptpath:<Path>`	Sets the path for the user’s logon script (relative to `%systemroot%\System32\Repl\Import\Scripts`).
`/times:<Day,Time \| all>`	Specifies allowed logon times. Use `all` for unrestricted access.
`/usercomment:"<Text>"`	Adds/changes the “User comment” for the account. Enclose in quotes.
`/workstations:<List>`	Lists up to 8 workstations for logon. Use `*` for any computer.

Group Management with net localgroup

Create a new group:

net localgroup groupname /add

Delete a group:

net localgroup groupname /delete

List all groups:

net localgroup

List members of a group:

net localgroup groupname

Add a user to a group:

net localgroup groupname username /add

Remove a user from a group:

net localgroup groupname username /delete

Online References

PowerShell Administration

PowerShell provides modern cmdlets for managing local users and groups.

User Management

Create a user without a password:

New-LocalUser -Name "username" -Description "Description" -NoPassword

Create a user with a password:

$Password = Read-Host -AsSecureString
New-LocalUser -Name "username" -Password $Password -Description "Description"

Create a user with a predefined password (not secure for production):

$Password = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force
New-LocalUser -Name "username" -Password $Password -Description "Description"

Delete a user:

Remove-LocalUser -Name "username"

Get user details:

Get-LocalUser -Name "username"

List all users:

Get-LocalUser

Modify user properties:

Set-LocalUser -Name "username" -Description "Updated description"

Change a user’s password:

$NewPassword = ConvertTo-SecureString "NewP@ssw0rd" -AsPlainText -Force
Set-LocalUser -Name "username" -Password $NewPassword

Enable or disable a user account:

# Disable an account
Disable-LocalUser -Name "username"

# Enable an account
Enable-LocalUser -Name "username"

Rename a user:

Rename-LocalUser -Name "oldUsername" -NewName "newUsername"

New-LocalUser Common Parameters

Parameter	Description
`-Name`	Specifies the name of the user account
`-FullName`	Specifies the full name for the user account
`-Description`	Provides a description for the user account
`-Password`	Specifies the password for the user account (secure string)
`-AccountExpires`	Sets the expiration date for the account
`-AccountNeverExpires`	Sets the account to never expire
`-Disabled`	Creates the account in a disabled state
`-NoPassword`	Creates the account without a password (not recommended)
`-PasswordNeverExpires`	Sets the password to never expire
`-UserMayNotChangePassword`	Prevents the user from changing their password
`-PasswordChangeRequired`	Requires password change at next logon

Group Management

Create a new group:

New-LocalGroup -Name "GroupName" -Description "Group Description"

Delete a group:

Remove-LocalGroup -Name "GroupName"

List all groups:

Get-LocalGroup

Add a user to a group:

Add-LocalGroupMember -Group "GroupName" -Member "username"

Add multiple users to a group:

Add-LocalGroupMember -Group "GroupName" -Member "user1", "user2", "user3"

Remove a user from a group:

Remove-LocalGroupMember -Group "GroupName" -Member "username"

Get all members of a group:

Get-LocalGroupMember -Group "GroupName"

Check if a user is a member of a specific group:

Get-LocalGroupMember -Group "GroupName" | Where-Object { $_.Name -like "*username*" }

Online References

Example Snippets

Create a temporary user with an expiration date:

$Password = ConvertTo-SecureString "TempP@ssw0rd" -AsPlainText -Force
New-LocalUser -Name "TempUser" -Password $Password -AccountExpires (Get-Date).AddDays(30)

Find which groups a user belongs to:

$User = "username"
Get-LocalGroup | ForEach-Object {
    $GroupName = $_.Name
    $Members = Get-LocalGroupMember -Group $GroupName -ErrorAction SilentlyContinue
    if ($Members -match $User) {
        Write-Output "User $User is a member of group $GroupName"
    }
}

Find inactive, enabled users (30 days) and export CSV report to desktop:

$InactiveSince = (Get-Date).AddDays(-30)

$AllUsers = Get-LocalUser | Where-Object { $_.Enabled -eq $true }

$InactiveUsers = $AllUsers | Where-Object {
    ($_.LastLogon -ne $null) -and ($_.LastLogon -lt $InactiveSince)
}

$NeverLoggedIn = $AllUsers | Where-Object { $_.LastLogon -eq $null }

$Results = $InactiveUsers + $NeverLoggedIn | Select-Object Name, FullName, Description,
    @{Name="LastLogon"; Expression={if ($_.LastLogon) {$_.LastLogon} else {"Never"}}},
    @{Name="DaysSinceLogon"; Expression={if ($_.LastLogon) {((Get-Date) - $_.LastLogon).Days} else {"N/A"}}}

$Results | Sort-Object -Property @{Expression={if($_.LastLogon -eq "Never"){[DateTime]::MaxValue}else{$_.LastLogon}}; Ascending=$true} |
    Format-Table -AutoSize

Write-Host "Total inactive users found: $($Results.Count)" -ForegroundColor Yellow
Write-Host "Users who have never logged in: $($NeverLoggedIn.Count)" -ForegroundColor Yellow
Write-Host "Users inactive for 30+ days: $($InactiveUsers.Count)" -ForegroundColor Yellow

$Results | Export-Csv -Path "$env:USERPROFILE\Desktop\InactiveLocalUsers.csv" -NoTypeInformation