Public/Manage-LocalUserAccount.ps1
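function Normalize-ADsPath {
    <#
    .SYNOPSIS
        Normalizes a WinNT ADsPath to a lowercase "computer\name" form for membership comparison.
    .DESCRIPTION
        Strips the "WinNT://" prefix, converts "/" to "\", trims leading and trailing backslashes,
        lowercases the result and (unless -KeepUserSuffix is given) removes a trailing ",user".
        When more than two path components remain (e.g. WORKGROUP\COMPUTER\name) only the last
        two are kept, so a member reported as "WinNT://WORKGROUP/PC01/alice,user" compares equal
        to the path Manage-LocalUserAccount builds ("WinNT://PC01/alice,user").
    .PARAMETER path
        The ADsPath to normalize. $null is coerced to an empty string by the [string] type.
    .PARAMETER KeepUserSuffix
        Keep a trailing ",user" class suffix instead of removing it.
    .OUTPUTS
        System.String
    #>
    param (
        [string]$path,
        [switch]$KeepUserSuffix
    )

    # Drop the protocol, unify separators and strip separators at either end.
    # -replace is case-insensitive by default, so 'WinNT://' and 'winnt://' both match.
    $normalized = $path -replace 'winnt://', '' -replace '/', '\' -replace '^\\+', '' -replace '\\+$', ''
    $normalized = $normalized.ToLower().Trim()

    if (-not $KeepUserSuffix) {
        # The ",user" class suffix is present on the caller-built path but not necessarily on
        # every member ADsPath, so it must be removed before comparing.
        $normalized = $normalized -replace ',user$', ''
    }

    # Reduce DOMAIN\COMPUTER\name (or WORKGROUP\COMPUTER\name) to COMPUTER\name.
    $parts = $normalized -split '\\'
    if ($parts.Count -gt 2) {
        return ($parts[-2..-1] -join '\')
    }
    return $normalized
}

function Manage-LocalUserAccount {
    <#
    .SYNOPSIS
        Manages user accounts on a local or remote computer.
    .DESCRIPTION
        Enables or disables local user accounts via the WinNT ADSI provider and adds them to or
        removes them from a local group (Administrators by default). Account paths are normalized
        with Normalize-ADsPath so membership checks are reliable regardless of how the provider
        reports a member (with or without a WORKGROUP/DOMAIN prefix, mixed case).

        Supports -WhatIf/-Confirm; every modifying step (SetInfo, Add, Remove) is gated by
        ShouldProcess. -EnableAccount/-DisableAccount and -AddToGroup/-RemoveFromGroup are
        mutually exclusive and combining them is rejected.
    .PARAMETER ComputerName
        Target computer(s). Defaults to the local computer. Only letters, digits, '.', '_' and '-'
        are accepted so the value cannot alter the structure of the WinNT:// path it is inserted into.
    .PARAMETER UserName
        Username(s) to manage. Characters that are invalid in Windows account names
        (" / \ [ ] : ; | = , + * ? < > @) are rejected for the same reason.
    .PARAMETER GroupName
        Local group whose membership is modified. Defaults to "Administrators". Same character
        restrictions as UserName.
    .PARAMETER EnableAccount
        Clear ADS_UF_ACCOUNTDISABLE on the account.
    .PARAMETER DisableAccount
        Set ADS_UF_ACCOUNTDISABLE on the account.
    .PARAMETER AddToGroup
        Add the user to GroupName if not already a member.
    .PARAMETER RemoveFromGroup
        Remove the user from GroupName if currently a member.
    .EXAMPLE
        Manage-LocalUserAccount -ComputerName "VDURXD7COEP0008" -UserName "admin" -EnableAccount -AddToGroup -Verbose
        Enables the account and adds it to the local Administrators group.
    .EXAMPLE
        Manage-LocalUserAccount -ComputerName "VDURXD7COEP0008" -UserName "admin" -DisableAccount -RemoveFromGroup -Verbose
        Disables the account and removes it from the local Administrators group.
    .EXAMPLE
        Manage-LocalUserAccount -ComputerName "PC01" -UserName "svc" -AddToGroup -WhatIf
        Shows what would change without touching the target.
    .NOTES
        Changing membership of a privileged group such as Administrators is a sensitive operation.
        Run with -Verbose and retain the transcript for audit; the caller needs administrative
        rights on the target for any of the modifying switches to succeed.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        # Not Mandatory: a Mandatory parameter never uses its default, which made the
        # $env:COMPUTERNAME fallback dead code in the original declaration.
        [Parameter(Mandatory = $false)]
        [ValidateNotNullOrEmpty()]
        [ValidatePattern('^[A-Za-z0-9._\-]+$')]
        [string[]]$ComputerName = $env:COMPUTERNAME,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [ValidatePattern('^[^"/\\\[\]:;|=,+*?<>@]+$')]
        [string[]]$UserName,

        [Parameter(Mandatory = $false)]
        [ValidateNotNullOrEmpty()]
        [ValidatePattern('^[^"/\\\[\]:;|=,+*?<>@]+$')]
        [string]$GroupName = "Administrators",

        [switch]$EnableAccount,
        [switch]$DisableAccount,
        [switch]$AddToGroup,
        [switch]$RemoveFromGroup
    )

    begin {
        # The original if/elseif silently preferred Enable over Disable and Add over Remove
        # when both were given; contradictory requests are now an explicit error.
        if ($EnableAccount -and $DisableAccount) {
            throw "-EnableAccount and -DisableAccount cannot be combined."
        }
        if ($AddToGroup -and $RemoveFromGroup) {
            throw "-AddToGroup and -RemoveFromGroup cannot be combined."
        }

        # ADS_USER_FLAG_ENUM: account is disabled.
        $ADS_UF_ACCOUNTDISABLE = 0x0002
    }

    process {
        foreach ($comp in $ComputerName) {
            foreach ($user in $UserName) {
                $userPath = "WinNT://$comp/$user,user"
                $userPathNormalized = Normalize-ADsPath -path $userPath

                # Exists() throws when the target is unreachable; report and move on instead
                # of aborting the whole batch.
                try {
                    $userExists = [ADSI]::Exists($userPath)
                }
                catch {
                    Write-Warning "Could not query $comp for user $user : $($_.Exception.Message)"
                    continue
                }
                if (-not $userExists) {
                    Write-Warning "User $user does not exist on $comp."
                    continue
                }

                $userAccount = [ADSI]$userPath

                if ($EnableAccount) {
                    if ($PSCmdlet.ShouldProcess("$user on $comp", "Enable account")) {
                        $userAccount.UserFlags.value = $userAccount.UserFlags.value -band (-bnot $ADS_UF_ACCOUNTDISABLE)
                        $userAccount.SetInfo()
                        Write-Verbose "Enabled account: $user on $comp"
                    }
                }
                elseif ($DisableAccount) {
                    if ($PSCmdlet.ShouldProcess("$user on $comp", "Disable account")) {
                        $userAccount.UserFlags.value = $userAccount.UserFlags.value -bor $ADS_UF_ACCOUNTDISABLE
                        $userAccount.SetInfo()
                        Write-Verbose "Disabled account: $user on $comp"
                    }
                }

                # Only touch the group when a membership change was requested.
                if (-not ($AddToGroup -or $RemoveFromGroup)) {
                    continue
                }

                $groupPath = "WinNT://$comp/$GroupName,group"
                if (-not [ADSI]::Exists($groupPath)) {
                    Write-Warning "Group $GroupName does not exist on $comp."
                    continue
                }
                $localGroup = [ADSI]$groupPath

                # Members() returns COM objects; ADsPath is read via reflection because the
                # late-bound member is not directly exposed. @() guards the empty-group case.
                $members = @($localGroup.Invoke("Members") | ForEach-Object {
                    Normalize-ADsPath -path ($_.GetType().InvokeMember("ADsPath", 'GetProperty', $null, $_, $null))
                })
                Write-Verbose "Members found in $GroupName on $comp : $($members -join ', ')"

                $isMember = $userPathNormalized -in $members

                if ($AddToGroup) {
                    if ($isMember) {
                        Write-Verbose "$user is already a member of $GroupName on $comp."
                    }
                    elseif ($PSCmdlet.ShouldProcess("$user on $comp", "Add to group $GroupName")) {
                        try {
                            $localGroup.Add($userPath)
                            Write-Verbose "Added $user to $GroupName on $comp."
                        }
                        catch {
                            Write-Warning "Failed to add $user to $GroupName on $comp : $($_.Exception.Message)"
                        }
                    }
                }
                elseif ($RemoveFromGroup) {
                    if (-not $isMember) {
                        Write-Verbose "$user is not a member of $GroupName on $comp."
                    }
                    elseif ($PSCmdlet.ShouldProcess("$user on $comp", "Remove from group $GroupName")) {
                        try {
                            $localGroup.Remove($userPath)
                            Write-Verbose "Removed $user from $GroupName on $comp."
                        }
                        catch {
                            Write-Warning "Failed to remove $user from $GroupName on $comp : $($_.Exception.Message)"
                        }
                    }
                }
            }
        }
    }
}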