PowerShell | Local Account Management

Local User Account Management in a Domain Environment

Effective local user account management is crucial for maintaining the security and efficiency of a domain environment. Proper management practices help prevent unauthorized access, reduce security vulnerabilities, and ensure that only necessary accounts are active. Here are some best practices for local user account management within a domain:

Disable Default Guest Account

The default guest account is created on all Windows systems to allow temporary access without requiring a user to authenticate. However, this account can be a security risk if enabled. It's essential to disable the default guest account to prevent unauthorized access.

Steps to Disable Guest Account:

  1. Open the Local Users and Groups manager.

  2. Locate the "Guest" account under the "Users" folder.

  3. Right-click the "Guest" account and select "Properties."

  4. Check the "Account is disabled" box and click "OK."

Regular Password Resets

Regularly resetting passwords is a fundamental security practice. It reduces the risk of password-based attacks and ensures that compromised passwords do not remain in use for long periods. Implementing a password reset policy within the domain can help maintain account security.

Best Practices for Password Resets:

  • Enforce password expiration policies to prompt users to change their passwords at regular intervals.

  • Educate users on creating strong, complex passwords.

  • Utilize password history settings to prevent users from reusing old passwords.

Delete Unused Accounts

Unused accounts can be a security liability. They may be forgotten by administrators and users, making them potential entry points for malicious actors. Regularly auditing and deleting unused accounts helps keep the system secure.

Steps to Identify and Delete Unused Accounts:

  1. Use PowerShell scripts or built-in tools to list accounts that have not been used for a specified period.

  2. Verify with department heads or account owners if the accounts are still needed.

  3. Delete or disable accounts that are confirmed to be unnecessary.

Maintain Only Necessary Accounts

Limiting the number of local accounts to those that are strictly necessary reduces the attack surface and simplifies account management. Each account should have a clear purpose and owner.

Managing Necessary Accounts:

  • Conduct regular reviews of all local accounts.

  • Ensure each account has a specific, documented use case.

  • Remove accounts that no longer serve a purpose or are duplicated.
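
The account listing described under "Delete Unused Accounts" and the regular review described above can be scripted as one read-only audit. This is an added example, not code from the original page; the server names, the 90-day threshold and the output file name are assumptions, and it requires PowerShell remoting plus the Get-LocalUser cmdlet on the target machines.

```powershell
# Added example: audit local accounts on remote computers (report only, changes nothing).
# Assumptions: remoting is enabled and the targets have Get-LocalUser (Windows PowerShell 5.1).
# Server names, threshold and output path are placeholders.
$Computers = 'SERVER01', 'SERVER02'   # hypothetical computer names
$StaleDays = 90                       # "unused" threshold, adjust to your policy

$Audit = {
    Param($StaleDays)
    $Cutoff = (Get-Date).AddDays(-$StaleDays)
    Get-LocalUser | ForEach-Object {
        # RID 501 identifies the built-in Guest account even if it has been renamed
        $IsGuest = $_.SID.Value -match '-501$'
        # LastLogon is empty when the account has never logged on to this machine
        $Stale = $_.Enabled -and ((-not $_.LastLogon) -or ($_.LastLogon -lt $Cutoff))
        [PSCustomObject]@{
            Account         = $_.Name
            Enabled         = $_.Enabled
            LastLogon       = $_.LastLogon
            PasswordLastSet = $_.PasswordLastSet
            PasswordExpires = $_.PasswordExpires   # empty means the password never expires
            GuestEnabled    = $IsGuest -and $_.Enabled
            Stale           = $Stale
            Description     = $_.Description
        }
    }
}

$Report = Foreach ($Computer in $Computers) {
    Try {
        Invoke-Command -ComputerName $Computer -ScriptBlock $Audit -ArgumentList $StaleDays -ErrorAction Stop
    }
    Catch {
        # Keep unreachable machines in the report so they are not silently skipped
        [PSCustomObject]@{ PSComputerName = $Computer; Account = "ERROR: $($_.Exception.Message)" }
    }
}

# Fix the column order so error rows and account rows share one CSV layout
$Report |
    Select-Object PSComputerName, Account, Enabled, LastLogon, PasswordLastSet, PasswordExpires, GuestEnabled, Stale, Description |
    Export-Csv C:\TEMP\LocalAccount_Audit.csv -NoTypeInformation
```

Rows with Stale or GuestEnabled set to True are the candidates to verify with account owners before using the disable or delete scripts further down the page.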

Domain-Only User Accounts

In a domain environment, it is best practice to use domain accounts exclusively. This ensures centralized management and consistent application of security policies. Local accounts should be reserved for situations where domain accounts are impractical or unnecessary.

Domain Account Best Practices:

  • Enforce domain authentication for accessing resources.

  • Limit local accounts to administrative purposes only when necessary.

  • Apply group policies to enforce security settings uniformly across the domain.

Conclusion

Managing local user accounts within a domain environment requires diligent application of security best practices. By disabling the default guest account, regularly resetting passwords, deleting unused accounts, maintaining only necessary accounts, and favoring domain accounts, you can enhance the security and efficiency of your IT infrastructure. Implementing these strategies helps protect against unauthorized access, ensures compliance with security policies, and simplifies account management for administrators.

Delete Local Account

# Import List of Computers and Accounts (CSV columns: Server, Account)
$MyData=Import-CSV C:\TEMP\Remove_LocalAccount.csv
# Loop through records
Foreach($Item in $MyData){

    # Command to delete local computer account
    $MyCommand={Net USER $Args /Delete}

    # Executes command on machines from file
    Invoke-Command $Item.Server -ScriptBlock $MyCommand -ArgumentList $Item.Account
}

Disable \ Enable Local Account

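# Import List of Computers and Accounts (CSV columns: Server, Account)
$MyData=Import-CSV C:\TEMP\LocalAccount.csv
# Command to Enable Local Computer Account
$MyCommand={
    # If you want to Disable, change this to /active:no
    # Out-Null keeps the "net user" status text out of the results
    Net User $Args /active:yes | Out-Null
    # Report the resulting state; LocalAccount=True limits the query to local accounts
    Get-WMIObject Win32_UserAccount -Filter "Name='$Args' AND LocalAccount=True" | Select Caption, Disabled
}

# Loop through records
Foreach($Item in $MyData){
    # Executes command on machine from file and appends the result as CSV rows
    Invoke-Command $Item.Server -ScriptBlock $MyCommand -ArgumentList $Item.Account |
        Select PSComputerName, Caption, Disabled |
        Export-Csv C:\temp\MyFile.csv -Append -NoTypeInformation
}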

Get-LocalUser & Set Password on Remote Systems

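$Account= Read-Host "Enter UserName"
# Prompt for the new password as a SecureString so it is not stored in the script
$MyNewPassword = Read-Host "Enter New Password" -AsSecureString

# Replace "AddCompName" with the name of the remote computer
Invoke-Command -ComputerName "AddCompName" -ScriptBlock{
    Param($Name, $Password)
    Get-LocalUser -Name $Name | Set-LocalUser -Password $Password
} -ArgumentList $Account, $MyNewPassword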

DirectoryService Object Test Local Password on Remote System

$TestPassword={
    # Parameter for inbound data: [0] = username, [1] = password
    Param($PassedArray)
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    # 'machine' context validates against the local account database of the remote system
    $obj = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('machine',$Env:Computername)
    $PasswordResetResult=$obj.ValidateCredentials($PassedArray[0], $PassedArray[1])
    If($PasswordResetResult){
        $PasswordResetResultText="Account / Password Check Passed"
    }Else{
        $PasswordResetResultText="Account / Password Check Failed"
    }
    return $PasswordResetResultText
}
# Declare Array to Pass
$PassedArray=@()
# Get Input From Users
$PassedArray+= Read-Host "Enter Username to Check"
$PassedArray+= Read-Host "Enter Password"
$ServerName= Read-Host "Enter Remote Server Name"
# Execute Command (the leading comma passes the array as a single argument)
Invoke-Command $ServerName -ScriptBlock $TestPassword -ArgumentList @(,$PassedArray)
