57

I need to create a new local user account, and then add them to the local Administrators group. Can this be done in PowerShell?

EDIT:

# Create new local Admin user for script purposes
$Computer = [ADSI]"WinNT://$Env:COMPUTERNAME,Computer"

$LocalAdmin = $Computer.Create("User", "LocalAdmin")
$LocalAdmin.SetPassword("Password01")
$LocalAdmin.SetInfo()
$LocalAdmin.FullName = "Local Admin by Powershell"
$LocalAdmin.SetInfo()
$LocalAdmin.UserFlags = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$LocalAdmin.SetInfo()

I have this, but was wondering if there is anything more PowerShell-esque.

PnP
  • 3,133
  • 17
  • 62
  • 95
  • 8
    What isn't Powershell-esque about that? Not everything is a cmdlet - but that doesn't mean you can't wrap the code above in a function of your own to make it feel like one. – alroc Mar 02 '13 at 19:58
  • 2
    Powershell-esque is cmdlets & pipelines; this is C++ – bwerks Jan 25 '17 at 16:51
  • 3
    @bwerks - if cmdlets and pipelines are what PowerShell means to you then you're entirely missing out on the "power" part of PowerShell -- .NET, COM Interfaces, Reflection, Platform Invocation, etc. etc. etc. – thepip3r Jul 20 '17 at 22:13
  • I had to use your ADSI method as `New-LocalUser` was throwing errors about not meeting password complexity requirements. – woter324 Nov 09 '21 at 12:37

6 Answers6

75

Another alternative is the old school NET USER commands:

NET USER username "password" /ADD

OK - you can't set all the options but it's a lot less convoluted for simple user creation & easy to script up in Powershell.

NET LOCALGROUP "group" "user" /add to set group membership.

Cristian Ciupitu
  • 20,270
  • 7
  • 50
  • 76
SinisterPenguin
  • 1,610
  • 15
  • 17
  • 3
    Calling out to `net.exe` strikes me as being _less_ "PowerShell-esque" than the original ADSI code; there is nothing indicative of PowerShell in those commands, and you could drop them in, say, a batch file and they'd work just the same. To me, this eschews the **Power** of an object-oriented **Shell** and reverts back to having to deal with application-specific command syntaxes, exit codes, and error messages. To be fair, though, there's really two different questions that have been asked here: "How can I do this in PowerShell?" and "I can do this in PowerShell. How can I do it better?" – Lance U. Matthews Sep 12 '16 at 16:54
  • 2
    FWIW I ran into an issue with a PowerShell function I wrote to wrap "NET USER /ADD" call. Specifically, if the password was longer than 14 characters, the NET USER commandline would prompt for input from the user to confirm Y/N. There is no commandline option in NET USER to provide that confirmation so that will "freeze" PS scripts that are run non-interactively. – Jaans Sep 15 '16 at 04:05
  • 1
    @Jaans, you can override that prompt by issuing /Y at the end: `net user $name $password /add /fullname:$full /passwordchg:no /Y` – Desktop Dec 27 '18 at 08:56
45

As of PowerShell 5.1 there cmdlet New-LocalUser which could create local user account.

Example of usage:

Create a user account

New-LocalUser -Name "User02" -Description "Description of this account." -NoPassword

or Create a user account that has a password

$Password = Read-Host -AsSecureString
New-LocalUser "User03" -Password $Password -FullName "Third User" -Description "Description of this account."

or Create a user account that is connected to a Microsoft account

New-LocalUser -Name "MicrosoftAccount\usr name@Outlook.com" -Description "Description of this account."
codevision
  • 5,165
  • 38
  • 50
12

Try using Carbon's Install-User and Add-GroupMember functions:

Install-User -Username "User" -Description "LocalAdmin" -FullName "Local Admin by Powershell" -Password "Password01"
Add-GroupMember -Name 'Administrators' -Member 'User'

Disclaimer: I am the creator/maintainer of the Carbon project.

Aaron Jensen
  • 25,861
  • 15
  • 82
  • 91
  • Hi, your get carbon was exactly what I was looking for, does it script out the mod-security for asp web sites too on 2k12r2. It would nice tosee some recommendations on security modules etc for IIS and defending the Server. – aggie Dec 08 '15 at 15:33
  • @aggie See the [Carbon docs](http://get-carbon.org/documentation.html) for the full list of its capabilities. – Aaron Jensen Dec 08 '15 at 15:44
  • me likey, looks well maintained. won't be long before i carbonize our base module for deployment scripts. i might have some contribs down the line. thanks @aaronjensen et al! – sonjz May 20 '16 at 16:23
8

As of 2014, here is a statement from a Microsoft representative (the Scripting Guy):

As much as we might hate to admit it, there are still no Windows PowerShell cmdlets from Microsoft that permit creating local user accounts or local user groups. We finally have a Desired State Configuration (DSC ) provider that can do this—but to date, no cmdlets.

Slogmeister Extraordinaire
  • 2,890
  • 2
  • 25
  • 39
rasx
  • 5,288
  • 2
  • 45
  • 60
1
Import-Csv C:\test.csv |
Foreach-Object {
  NET USER    $ _.username   $ _.password /ADD
  NET LOCALGROUP "group" $_.username  /ADD
}

edit csv as username,password and change "group" for your groupname

:) worked on 2012 R2

Piotr Adam Milewski
  • 14,150
  • 3
  • 21
  • 42
Anderson Abu Soares
  • 11
  • 1
0
$sec_pass = ConvertTo-SecureString -String "SomePasword" -AsPlainText -Force
New-LocalUser -Name username -FullName username -PasswordNeverExpires -Password $sec_pass
Add-LocalGroupMember -Group Administrators -Member username
Papa Smurf
  • 41
  • 3