PowerShell – Working with User Accounts


This post details some of the user account basics, such as removing a user from a group, and deleting a user account from the local computer.

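# Removes a local user from a local group and then deletes the account from
# this computer, using the ADSI WinNT provider. Needs an elevated session.
# Each step reports success only when the ADSI call did not throw, so the
# output can be trusted as a record of what was actually changed.

# Computer name
$ComputerName = $env:COMPUTERNAME

# User to remove
$User = "JDoe"

# Group name to remove user from
$GroupName = "Administrators"

# ---------------

$ADObject = [ADSI]("WinNT://$ComputerName,computer")

# Look the group up by name and class so a user account with the same name
# can never be picked up in its place.
$Group = $null
try {
    $Group = $ADObject.PSBase.Children.Find($GroupName, 'group')
}
catch {
    Write-Warning "Group $GroupName not found on ${ComputerName}: $($_.Exception.Message)"
}

if ($Group) {
    # List the current members of the group so the operator can see who holds
    # the privilege before anything is changed.
    $Group.PSBase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    Write-Host ""

    # Remove from admin group
    # The path names the computer explicitly so the local account is the one
    # removed, not a same-named account from another authority.
    try {
        $Group.Remove("WinNT://$ComputerName/$User")
        Write-Host "Removed $User from $GroupName"
    }
    catch {
        Write-Warning "Could not remove $User from ${GroupName}: $($_.Exception.Message)"
    }
    Write-Host ""
}

# Delete account from computer
try {
    $ADObject.Delete('User', $User)
    Write-Host "Deleted $User from $ComputerName"
}
catch {
    Write-Warning "Could not delete $User from ${ComputerName}: $($_.Exception.Message)"
}
Write-Host ""

# Drop the working variables so nothing lingers in an interactive session
Remove-Variable ComputerName, User, ADObject, Group, GroupName -ErrorAction SilentlyContinue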

 

Notes

Get-ADUser

ADS_USER_FLAG_ENUM enumeration

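#list users in domain admins group
# -Recursive expands nested groups, so accounts that hold the privilege
# indirectly are listed too. The objectClass filter keeps non-user members
# (for example computer accounts) away from Get-ADUser, which would reject them.
Get-ADGroupMember -Identity "domain admins" -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties DisplayName |
    Select-Object Name, DisplayName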

#list all user account properties
# "username" is a placeholder identity; -Properties * asks the directory for
# every attribute and Select-Object then prints all of them.
Get-ADUser -Identity username -Properties * |
    Select-Object -Property *

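#remove a list of users
# Reads one account name per line and removes each from $Group, which must
# already hold the ADSI group object. Blank lines are skipped and a failed
# removal is reported instead of passing silently.
# NOTE(review): "WinNT://<name>" does not say which computer or domain the
# account belongs to; consider "WinNT://<computer-or-domain>/<name>" - confirm
# against the accounts listed in the file.
ForEach ($User in (Get-Content "C:\_PowerShell\users.txt"))
{
    $User = $User.Trim()
    if (-not $User) { continue }

    try {
        $Group.Remove("WinNT://$User")
    }
    catch {
        Write-Warning "Could not remove ${User}: $($_.Exception.Message)"
    }
}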

#multiple computers
# Target machines, written as an explicit array literal.
$ComputerNames = @('PC1', 'PC2', 'PC3', 'PC4')

#Disable Account
# OR-ing the mask in sets the disable bit and leaves every other flag alone.
# $Disabled comes from outside this snippet; presumably the
# ADS_UF_ACCOUNTDISABLE value from ADS_USER_FLAG_ENUM - confirm.
$currentFlags = $newuser.UserFlags.value
$newuser.userflags.value = $currentFlags -bor $Disabled
$newUser.SetInfo()

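#Enable Account
# Clear only the disable bit: AND with the inverted mask. This is safe to run
# twice, whereas XOR toggles the bit and would disable an account that was
# already enabled.
# $Disabled comes from outside this snippet; presumably the
# ADS_UF_ACCOUNTDISABLE value from ADS_USER_FLAG_ENUM - confirm.
$newuser.userflags.value = $newuser.UserFlags.value -band (-bnot $Disabled)
$newUser.SetInfo()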

#Force Change
# Flags the account's password as expired and writes the change back with
# SetInfo(). $newUser is the ADSI user object created outside this snippet.
# NOTE(review): per the heading this is meant to force a password change;
# verify the effect on the target account after running it.
$newUser.PasswordExpired = 1
$newUser.SetInfo()

# Delete a local account by name through the WinNT provider.
# 'UserToDelete' is a placeholder for the account name.
$Computername = $env:COMPUTERNAME
$ADSIComp = [System.DirectoryServices.DirectoryEntry]("WinNT://$Computername")
$ADSIComp.Delete('User', 'UserToDelete')

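#Create password
# Prompt without echoing the input; the value arrives as a SecureString.
# $Username and $NewUser are defined outside this snippet.
$Password = Read-Host -Prompt "Enter password for $Username" -AsSecureString
$BSTR = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)

try {
    #Set password on account
    # SetPassword only accepts a plain string, so the secret has to be
    # decrypted here. PtrToStringBSTR reads the length-prefixed BSTR exactly.
    $_password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($BSTR)
    $NewUser.SetPassword($_password)
    $NewUser.SetInfo()
}
finally {
    #Cleanup
    # Runs even when SetPassword or SetInfo throws, so the unmanaged copy of
    # the password is always zeroed and freed.
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR)

    # Removing the variables only drops the references: the managed plaintext
    # string stays in process memory until it is garbage-collected.
    Remove-Variable Password,BSTR,_password -ErrorAction SilentlyContinue
}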