Tech Automation Blog
Create Local Group and User on Windows Servers remotely

Posted on February 6, 2020 (last updated February 27, 2022)

As a Windows Server Administrator, we often need to manage local user accounts and groups on servers. This can be very tedious when you need to do it on hundreds or thousands of servers. However, we can make it less tedious and more efficient by using scripts.

Today, I am going to share a PowerShell script I used some time back. It helped me set up a few local groups and users on a list of remote servers quickly.

My first requirement was a script that checks whether a local user already exists on the server. If not, it creates the user, sets its password and description, and sets the “Password Never Expires” flag (you can skip this step if you don’t need it).

My second requirement was to create a local group through the same script if it does not already exist. After that, set a group description and finally add the user from the previous step to the group if it is not already a member.

I used the Microsoft ADSI WinNT provider to connect remotely to servers, groups, users and so on. Refer here to learn more about it. If you use this method and script, make sure you have connectivity to the remote servers and authorization to run the commands in the script.

In this script I define some variables and assign their values directly in the script. Feel free to turn them into parameters. You can also have the script read those values from a file if you have a list of servers with different values. I am avoiding that just to keep the script simple for now.

# declare all required variables and assign values
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000 # userflags bit that sets "password never expires" for the userid
$serverName = "<server name or FQDN>"
$userName   = "<local userid to create on the server>"
$groupName  = "<local group name to add member to, or create and then add member>"
$password   = "<your complex password for user>"
$userDesc   = "<a brief description of the local user, e.g. web server admin>"
$groupDesc  = "<a brief description of the local group, e.g. web server admins group>"

# connect to the server using the ADSI WinNT provider for Windows OS
$server = [adsi]"WinNT://$serverName"

# check if the userid already exists on the server. If it exists, skip creation
if([adsi]::Exists("WinNT://$serverName/$userName")){
    Write-Output "User $userName already exists on $serverName. No need to add it."
}
else{
    # create the user with the provided user id
    $user = $server.Create("User",$userName)
    # set the password for the user
    $user.SetPassword($password)
    # add a description to the user id for easy identification
    $user.Put('Description',$userDesc)
    # set the password never expires flag for the local user. You may skip this.
    $user.userflags = $user.userflags[0] -bor $ADS_UF_DONT_EXPIRE_PASSWD
    # finally, commit all properties of the created userid
    $user.SetInfo()
}

# check if the group exists; if not, create it. Then add the user to the group.
# note: [adsi]"WinNT://..." always returns an object even for a missing group,
# so the existence test must use [adsi]::Exists(), as for the user above
if([adsi]::Exists("WinNT://$serverName/$groupName,group")){ # group already exists, skip creation
    Write-Output "Group $groupName already exists on $serverName"
    # connect to the group using the ADSI WinNT provider
    $group = [adsi]"WinNT://$serverName/$groupName,group"
    # get the group members and keep just the member ids in an array
    $members = $group.Members() | ForEach-Object {$_.GetType().InvokeMember("Adspath", 'GetProperty', $null, $_, $null)}
    # strip the "WinNT://<host>/" prefix; [^/]+ also matches FQDNs and hyphenated host names
    $members = @($members -replace '^WinNT://[^/]+/', '')
    if($members -contains $userName){ # the user is already a member of the group, skip addition
        Write-Output "User $userName is already a member of $groupName group. No action required!"
    }
    else{ # add the local user to the group
        $group.Add("WinNT://$serverName/$userName,user")
    }
}
else{
    # create the group with the provided group name
    $group = $server.Create("Group",$groupName)
    # set a description for the group
    $group.Put('Description',$groupDesc)
    # commit the group properties
    $group.SetInfo()
    # finally, add the local user to the group
    $group.Add("WinNT://$serverName/$userName,user")
}

That’s it! Let me know if you run into any issue while using this script!
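The same ADSI WinNT steps, written as an added example (not the post's own script) in the form the post suggests: a function with parameters, fed from a server list file. The password is taken as a PSCredential rather than a plaintext variable, and each server yields a result object that can be exported as a report. The function name, the servers.csv layout and the sample account names are assumptions; the optional "password never expires" flag is left out.

```powershell
# Added example (not the post's code): the post's steps as a reusable function that
# takes the user's password as a PSCredential instead of a plaintext variable and
# returns one result object per server for a review/audit report.
function Ensure-LocalUserInGroup {            # function name is an assumption
    param(
        [Parameter(Mandatory)][string]$ServerName,
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][pscredential]$UserPassword,
        [string]$UserDesc  = 'managed local user',
        [string]$GroupDesc = 'managed local group'
    )
    $result = [pscustomobject]@{ Server = $ServerName; User = $UserName; Group = $GroupName; UserAction = ''; GroupAction = ''; Error = '' }
    try {
        $server = [adsi]"WinNT://$ServerName,computer"
        if ([adsi]::Exists("WinNT://$ServerName/$UserName,user")) {
            $result.UserAction = 'exists'
        } else {
            $user = $server.Create('User', $UserName)
            # the plaintext password exists only in this call, never in a script variable
            $user.SetPassword($UserPassword.GetNetworkCredential().Password)
            $user.Put('Description', $UserDesc)
            $user.SetInfo()
            $result.UserAction = 'created'
        }
        if ([adsi]::Exists("WinNT://$ServerName/$GroupName,group")) {
            $group = [adsi]"WinNT://$ServerName/$GroupName,group"
            $result.GroupAction = 'exists'
        } else {
            $group = $server.Create('Group', $GroupName)
            $group.Put('Description', $GroupDesc)
            $group.SetInfo()
            $result.GroupAction = 'created'
        }
        # compare member names, not ADsPaths, so FQDNs or hyphenated hosts do not break the match
        $members = @($group.Members() | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
        if ($members -contains $UserName) { $result.GroupAction += ';already member' }
        else { $group.Add("WinNT://$ServerName/$UserName,user"); $result.GroupAction += ';member added' }
    } catch {
        $result.Error = $_.Exception.Message     # unreachable host, access denied, bad path, ...
    }
    $result
}
# servers.csv (assumed) has a ServerName column; the password is prompted for once, never stored.
$pw = Get-Credential -UserName 'webadmin' -Message 'Password for the new local user'
Import-Csv .\servers.csv | ForEach-Object {
    Ensure-LocalUserInGroup -ServerName $_.ServerName -UserName 'webadmin' -GroupName 'WebAdmins' -UserPassword $pw
} | Export-Csv .\provisioning-report.csv -NoTypeInformation
```

The Error column of the report shows which servers were unreachable or refused the operation, so a bulk run can be reviewed before anyone assumes every server was configured.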
