User Management with PowerShell
PowerShell is a powerful tool for managing users and groups in Windows and Active Directory. It allows you to create and delete user accounts, reset passwords, manage group memberships, and much more.
Overview of Active Directory
Active Directory (AD) is a directory service developed by Microsoft and is a component of the Windows Server operating system. It provides a centralized database for all domain-joined devices, users, printers, applications, and other resources on your network.
With Active Directory, you can create, manage, and delete user accounts from a single central location. It also allows you to perform actions like resetting user passwords, enforcing password policies, and managing user profiles and access permissions.
Group policies allow you to apply the same settings to multiple users or devices easily. Through these policies, you can ensure consistency in areas such as software distribution, desktop settings, and security settings, and control user and computer behavior.
Active Directory scales from small networks to large enterprise networks, supporting thousands of users and devices, and can grow with your infrastructure as needed.
RSAT
RSAT, short for Remote Server Administration Tools, is a Microsoft technology that allows you to manage remote Windows Servers from a computer running the Windows operating system.
RSAT includes various server management tools, some of which are graphical user interface (GUI) tools, while others are offered as PowerShell cmdlets.
Through modules installed as part of RSAT, PowerShell provides an extensive set of commands for server management. These modules include cmdlets specific to server roles and features.
Installation
Open the Start menu.
Go to Settings.
Select Apps.
Click on Apps & features.
In the right panel, find "Optional features".
Click on "Add a feature".
In the window that opens, search for "RSAT".
Select the result from the search.
Click "Install".
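The same installation can be done from PowerShell instead of the Settings app. The following is an added example, not part of the original page: it runs in an elevated session on Windows 10/11, uses the Windows capability names that match the Active Directory RSAT tools, and then confirms that the ActiveDirectory module used in the rest of this page is available.

```powershell
# Added example: install the Active Directory RSAT tools from an elevated PowerShell session.
# The wildcard matches the "Rsat.ActiveDirectory.DS-LDS.Tools" capability that Windows exposes.
$capabilities = Get-WindowsCapability -Online -Name 'Rsat.ActiveDirectory*'

foreach ($cap in $capabilities) {
    if ($cap.State -ne 'Installed') {
        Write-Host "Installing $($cap.Name)"
        Add-WindowsCapability -Online -Name $cap.Name | Out-Null
    } else {
        Write-Host "$($cap.Name) is already installed"
    }
}

# Confirm the module that provides the *-ADUser and *-ADGroup cmdlets can be loaded
Import-Module ActiveDirectory
Get-Command -Module ActiveDirectory -Name '*-ADUser', '*-ADGroup*' | Select-Object Name
```

Add-WindowsCapability downloads the feature from Windows Update, so the machine needs internet access or a configured features-on-demand source.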
User and Group Management
Why should we list and identify users and groups?
By listing users, groups, and their permissions, you can identify potential security weaknesses on the network and Active Directory/Windows machines. For example, you can find user accounts with excessive permissions or groups with unwanted members.
Remember that these commands require elevated privileges. If you encounter errors while trying these commands on your machine, open PowerShell as an administrator.
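To make the point above concrete, here is an added audit script (not from the original page) for a single Windows machine. It runs in an elevated session, reads the built-in Administrators group and the local user list with the cmdlets introduced in this section, and reports the three findings the paragraph describes: unexpected administrators, enabled accounts whose password never expires, and enabled accounts that have not been used recently. The approved-admin list and the 90-day threshold are assumptions for illustration.

```powershell
# Added example: local account audit. Run in an elevated PowerShell session.
$approvedAdmins = @('Administrator')   # assumption: the accounts expected in Administrators
$staleAfterDays = 90                   # assumption: inactivity threshold

# 1. Members of the local Administrators group that are not on the approved list.
#    Member names come back as "MACHINE\name" or "DOMAIN\name"; strip the prefix before comparing.
$admins     = Get-LocalGroupMember -Group 'Administrators'
$unexpected = $admins | Where-Object { $approvedAdmins -notcontains ($_.Name -replace '^.*\\', '') }

# 2. Enabled local accounts whose password never expires (PasswordExpires is empty for those).
$neverExpires = Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordExpires }

# 3. Enabled local accounts with no logon in the last $staleAfterDays days.
#    LastLogon is empty for accounts that have never logged on, so those are skipped here.
$cutoff = (Get-Date).AddDays(-$staleAfterDays)
$stale  = Get-LocalUser | Where-Object { $_.Enabled -and $_.LastLogon -and $_.LastLogon -lt $cutoff }

[pscustomobject]@{
    UnexpectedAdmins     = ($unexpected | Select-Object -ExpandProperty Name) -join ', '
    PasswordNeverExpires = ($neverExpires | Select-Object -ExpandProperty Name) -join ', '
    StaleEnabledAccounts = ($stale | Select-Object -ExpandProperty Name) -join ', '
} | Format-List
```

Each finding is a candidate for review rather than an automatic action: a service account may legitimately need a non-expiring password, but it should be known and documented.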
Local Users
Get-LocalUser
Retrieves user accounts. Lists all users if no parameter is specified.
PS C:\Windows\system32> Get-LocalUser
Name Enabled Description
---- ------- -----------
Administrator False Built-in account for administering the computer/domain
DefaultAccount False A user account managed by the system.
Guest False Built-in account for guest access to the computer/domain
user True
WDAGUtilityAccount False A user account managed and used by the system for Windows Defender Application Guard scenarios.
New-LocalUser
Creates a new local user account on the computer.
PS C:\Windows\system32> New-LocalUser -Name "j.doe" -Password (ConvertTo-SecureString -String 'password123' -AsPlainText -Force)
Name Enabled Description
---- ------- -----------
j.doe True
Set-LocalUser
Modifies properties of an existing local user account.
Set-LocalUser -Name "j.doe" -Description "This is a test user."
Disable-LocalUser
Disables a local user account.
Disable-LocalUser -Name "j.doe"
Enable-LocalUser
Re-enables a disabled local user account.
Enable-LocalUser -Name "j.doe"
Remove-LocalUser
Deletes a local user account from the computer.
Remove-LocalUser -Name "j.doe"
Local Groups
Get-LocalGroup
Lists all local groups on the computer.
Get-LocalGroup
New-LocalGroup
Creates a new local group on the computer.
New-LocalGroup -Name "Students"
Set-LocalGroup
Modifies properties of an existing local group.
Set-LocalGroup -Name "Students" -Description "Improvise. Adapt. Overcome."
Add-LocalGroupMember
Adds a user or another group to a specified local group.
Add-LocalGroupMember -Group "Students" -Member "j.doe"
Remove-LocalGroupMember
Removes a user or another group from a specified local group.
Remove-LocalGroupMember -Group "Students" -Member "j.doe"
Remove-LocalGroup
Deletes a local group from the computer.
Remove-LocalGroup -Name "Students"
Active Directory Users
Get-ADUser
Queries and retrieves information about one or more user accounts from Active Directory.
Search by a specific username:
Get-ADUser "j.doe"
List all users:
Get-ADUser -Filter *
New-ADUser
Creates a new user account in Active Directory.
New-ADUser -Name "j.doe" -SamAccountName j.doe -AccountPassword (ConvertTo-SecureString "sifre123!" -AsPlainText -Force)
Set-ADUser
Modifies properties of an existing user account in Active Directory.
Change the user's surname:
Set-ADUser -Identity "j.doe" -Surname "doe"
Remove-ADUser
Deletes a user account from Active Directory.
Remove-ADUser "j.doe"
Active Directory Groups
Get-ADGroup
Queries and retrieves information about one or more security groups from Active Directory.
Search by a specific group name:
Get-ADGroup "Students"
List all security groups:
Get-ADGroup -Filter *
New-ADGroup
Creates a new security group in Active Directory.
This example uses the "Universal" group scope. The other scopes, Global and DomainLocal, can be selected based on need.
New-ADGroup -Name "Students" -GroupScope Universal
Set-ADGroup
Modifies properties of an existing security group in Active Directory.
Change the group's description:
Set-ADGroup -Identity "Students" -Description "Learn as if you were to live forever"
Get-ADGroupMember
Displays members of a specified security group in Active Directory.
List members of the "Students" group:
Get-ADGroupMember -Identity "Students"
Add-ADGroupMember
Adds a user to a security group.
Add-ADGroupMember -Identity "Students" -Members j.doe
Remove-ADGroupMember
Removes a user or another group from a specified security group.
Remove-ADGroupMember -Identity "Students" -Members "j.doe"
Remove-ADGroup
Deletes a security group from Active Directory.
Remove-ADGroup "Students"
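The Active Directory cmdlets above are shown one at a time. The following added example, which is not part of the original page, puts them together into one provisioning script with the checks a practitioner would add: it prompts for the initial password instead of embedding it in the command, creates the group and user only if they do not already exist, enables the account explicitly (New-ADUser creates a disabled account unless -Enabled $true is given), forces a password change at first logon, and finally verifies that the new membership did not make the user an indirect member of a privileged group. It requires the RSAT ActiveDirectory module and rights to create objects; the target OU, the example.com domain and the display name are assumptions.

```powershell
# Added example: provision an AD group and user, then verify the result.
Import-Module ActiveDirectory

$sam       = 'j.doe'
$groupName = 'Students'
$ou        = 'OU=Users,DC=example,DC=com'   # assumption: container where the objects are created

# Prompt for the initial password so it is never stored in plain text in the script or history
$password = Read-Host -Prompt "Initial password for $sam" -AsSecureString

# Create the group if it is missing. Without -GroupCategory the result is a security group.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName -GroupScope Global -Path $ou
}

# Create the user if it is missing. New-ADUser creates a DISABLED account unless -Enabled $true
# is passed; -ChangePasswordAtLogon makes the user replace the initial password on first use.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
    New-ADUser -Name 'John Doe' -GivenName 'John' -Surname 'Doe' `
               -SamAccountName $sam -UserPrincipalName "$sam@example.com" `
               -AccountPassword $password -Enabled $true -ChangePasswordAtLogon $true -Path $ou
}

Add-ADGroupMember -Identity $groupName -Members $sam

# Verify the account state and its direct group memberships.
# MemberOf is not in the default result set, so it has to be requested with -Properties.
Get-ADUser -Identity $sam -Properties MemberOf, PasswordLastSet |
    Select-Object SamAccountName, Enabled, PasswordLastSet,
                  @{ n = 'MemberOf'; e = { $_.MemberOf -join '; ' } }

# Verify that the change did not make the user an indirect member of a privileged group.
# -Recursive expands nested groups; without it only direct members are returned.
foreach ($priv in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    $hit = Get-ADGroupMember -Identity $priv -Recursive | Where-Object { $_.SamAccountName -eq $sam }
    if ($hit) { Write-Warning "$sam is an (indirect) member of $priv" }
}
```

The final loop is the same check you would run periodically as part of the group review described under "Why should we list and identify users and groups?": nested membership is easy to miss when only direct members are listed.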