Summary: Microsoft Scripting Guy Ed Wilson shows how to use Windows PowerShell to create local user accounts.
Hey, Scripting Guy! I need to be able to create some local user accounts. We are still using Windows PowerShell 1.0 on our Windows 2008 servers, and on our Windows Vista workstations. Therefore, using Windows PowerShell 2.0 is not an option now. We are hoping to upgrade next year. However, we cannot make any changes now due to this being the end of the year. Can you help me?
— TS
Hello TS, Microsoft Scripting Guy Ed Wilson here. I remembered writing about this topic previously, and I decided to take a look at the Windows PowerShell Scripting Guide book that I wrote for Microsoft Press, and excerpt a portion of one of the chapters in that most excellent book.
Portions of today’s article are excerpted from Ed Wilson’s Windows PowerShell Scripting Guide, Microsoft Press, 2008.
There are two methods to create a local user account. You can use net user, or you can use Active Directory Service Interfaces (ADSI). Of course, you can still use the graphical tool seen in the following figure.
We will use ADSI to create local users and groups. To create local user accounts, we have to use the WinNT ADSI provider. Local user accounts do not have as many attributes as domain user accounts have, and so the process of creating them locally is not very difficult.
We begin the CreateLocalUser.ps1 script with the param statement where we define four parameters: -computer, -user, -password, and -help. This line of code is seen here.
param($computer="localhost", $user, $password, $help)
The next section of code we have is the funHelp function. The funHelp function is used to print the help text. In Windows PowerShell 2.0, of course, there is the comment-based help, but in Windows PowerShell 1.0 you must create the help text yourself. This is seen here.
function funHelp()
{
  # The closing "@ of a here-string must start at the beginning of its line.
  $helpText=@"
DESCRIPTION:
NAME: CreateLocalUser.ps1
Creates a local user on either a local or remote machine.
PARAMETERS:
-computer Specifies the name of the computer upon which to run the script
-user Name of user to create
-password Password for the new user
-help prints help file
SYNTAX:
CreateLocalUser.ps1
Generates an error. You must supply a user name
CreateLocalUser.ps1 -computer MunichServer -user myUser -password Passw0rd^&!
Creates a local user called myUser on a computer named MunichServer
with a password of Passw0rd^&!
CreateLocalUser.ps1 -user myUser -password Passw0rd^&!
Creates a local user called myUser on local computer with
a password of Passw0rd^&!
CreateLocalUser.ps1 -help ?
Displays the help topic for the script
"@
  $helpText
  exit
}
To determine whether we have to display help we check for the presence of the $help variable. If the $help variable is present, then we will display a string message that states we are obtaining help, and then we call the funhelp function. This line of code is seen here.
if($help){ "Obtaining help ..." ; funHelp }
Now we have to make sure that both the -user and the -password parameters of the script contain values. We do not check password length, or user naming convention. However, we could do those kinds of things here. Instead, we just accept the user name and the password that are passed to the script when it is run. If these values are not present, then we use the throw statement to generate an error and to halt execution of the script. In Windows PowerShell 2.0, I would just mark the parameter as mandatory and therefore I could avoid this step. This section of code is seen here.
if(!$user -or !$password)
{
  $(Throw 'A value for $user and $password is required.
Try this: CreateLocalUser.ps1 -help ?')
}
After we have determined that the user name value and the password string were supplied to the script, we use the [ADSI] type accelerator to connect to the local machine account database. We then use the create() method to create a user with the name supplied in the $user variable. We then call the setpassword() method to set the password. We then call the setinfo() method to write the changes to the database. Next we set the description property, and once again call setinfo(). This section of code is seen here.
$objOu = [ADSI]"WinNT://$computer"
$objUser = $objOu.Create("User", $user)
$objUser.SetPassword($password)
$objUser.SetInfo()
$objUser.description = "Test user"
$objUser.SetInfo()
The completed CreateLocalUser.ps1 script is seen here.
CreateLocalUser.ps1
param($computer="localhost", $user, $password, $help)

# Prints the help text and ends the script.
function funHelp()
{
  # The closing "@ of a here-string must start at the beginning of its line.
  $helpText=@"
DESCRIPTION:
NAME: CreateLocalUser.ps1
Creates a local user on either a local or remote machine.
PARAMETERS:
-computer Specifies the name of the computer upon which to run the script
-user Name of user to create
-password Password for the new user
-help prints help file
SYNTAX:
CreateLocalUser.ps1
Generates an error. You must supply a user name
CreateLocalUser.ps1 -computer MunichServer -user myUser -password Passw0rd^&!
Creates a local user called myUser on a computer named MunichServer
with a password of Passw0rd^&!
CreateLocalUser.ps1 -user myUser -password Passw0rd^&!
Creates a local user called myUser on local computer with
a password of Passw0rd^&!
CreateLocalUser.ps1 -help ?
Displays the help topic for the script
"@
  $helpText
  exit
}

if($help){ "Obtaining help ..." ; funHelp }

# Both a user name and a password are required.
if(!$user -or !$password)
{
  $(Throw 'A value for $user and $password is required.
Try this: CreateLocalUser.ps1 -help ?')
}

# Connect to the account database of the target computer through the WinNT provider.
$objOu = [ADSI]"WinNT://$computer"
$objUser = $objOu.Create("User", $user)
$objUser.SetPassword($password)
$objUser.SetInfo()
# Set the description and write it to the database.
$objUser.description = "Test user"
$objUser.SetInfo()
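The script above accepts whatever user name and password it is given, and the password travels on the command line. The following variant is an added example, not part of the book excerpt or the original script: it checks the user name against the local account naming restrictions, prompts for the password without echo, and enforces a minimum length before making the same ADSI calls. The Test-LocalUserName function name and the -minLength parameter with its default of 8 are assumptions made for illustration. It avoids try/finally, which Windows PowerShell 1.0 does not have.

```powershell
# Added example, not part of CreateLocalUser.ps1. Test-LocalUserName and the
# $minLength default of 8 are assumptions made for illustration.
param($computer = "localhost", [string]$user, [int]$minLength = 8)

function Test-LocalUserName($name)
{
  # Local account names: 1 to 20 characters, none of " / \ [ ] : ; | = , + * ? < > @,
  # and not made up solely of periods or spaces.
  if (!$name -or $name.Length -gt 20) { return $false }
  if ($name -match '["/\\\[\]:;|=,+*?<>@]') { return $false }
  if ($name -match '^[. ]+$') { return $false }
  return $true
}

if (!(Test-LocalUserName $user))
{
  throw "'$user' is not a valid local user name."
}

# Prompt without echo, so the password is not typed on the command line.
$secure = Read-Host "Password for $user" -AsSecureString
if ($secure.Length -lt $minLength)
{
  throw "The password must be at least $minLength characters long."
}

# SetPassword() needs a plain string, so decrypt only for the duration of the call.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)

# Same ADSI calls as in CreateLocalUser.ps1.
$objOu = [ADSI]"WinNT://$computer"
$objUser = $objOu.Create("User", $user)
$objUser.SetPassword($plain)
$objUser.SetInfo()

# Wipe the unmanaged copy and drop the reference to the managed one.
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$plain = $null
```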
TS, that is all there is to using Windows PowerShell to create a local user account. Because Windows PowerShell is forward compatible, this script will work on Windows PowerShell 1.0, or on Windows PowerShell 2.0. Local users week will continue tomorrow when I will talk about how to create local groups.
I invite you to follow me on Twitter or Facebook. If you have any questions, send email to me at scripter@microsoft.com or post them on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy