Public/Set-LocalUserAccount.ps1
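<#
.SYNOPSIS
    Manages user accounts on a local or remote computer.

.DESCRIPTION
    This function enables or disables user accounts, and manages their
    membership in specified groups. It normalizes account paths to ensure
    accurate membership verification.

    Every state change (enable, disable, add to group, remove from group) goes
    through ShouldProcess, so -WhatIf and -Confirm are honoured. A success
    message is written to the verbose stream only after the underlying ADSI
    call returned without error; failures are reported with Write-Error and
    processing continues with the next step or target.

.PARAMETER ComputerName
    Specifies the target computer(s).

.PARAMETER UserName
    Specifies the username(s) to manage.

.PARAMETER GroupName
    Specifies the group to modify membership. Defaults to "Administrators".

.PARAMETER EnableAccount
    If specified, enables the user account. Cannot be combined with
    -DisableAccount.

.PARAMETER DisableAccount
    If specified, disables the user account. Cannot be combined with
    -EnableAccount.

.PARAMETER AddToGroup
    If specified, adds the user to the specified group. Cannot be combined
    with -RemoveFromGroup.

.PARAMETER RemoveFromGroup
    If specified, removes the user from the specified group. Cannot be
    combined with -AddToGroup.

.EXAMPLE
    Set-LocalUserAccount -ComputerName "VDURXD7COEP0008" -UserName "admin" -EnableAccount -AddToGroup -Verbose

    To enable a user account and add it to the Administrators group.

.EXAMPLE
    Set-LocalUserAccount -ComputerName "VDURXD7COEP0008" -UserName "admin" -DisableAccount -RemoveFromGroup -Verbose

    To disable a user account and remove it from the Administrators group.

.NOTES
    Author: Sundeep Eswarawaka

    Because -GroupName defaults to "Administrators", -AddToGroup without an
    explicit -GroupName grants local administrator rights on every target.
#>
function Set-LocalUserAccount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName,

        [Parameter(Mandatory = $true)]
        [string[]]$UserName,

        [Parameter(Mandatory = $false)]
        [string]$GroupName = "Administrators",

        [switch]$EnableAccount,
        [switch]$DisableAccount,
        [switch]$AddToGroup,
        [switch]$RemoveFromGroup
    )

    begin {
        # Contradictory switches used to be resolved silently in favour of
        # -EnableAccount / -AddToGroup, i.e. towards the more permissive
        # outcome. Reject the combination before any target is touched.
        if ($EnableAccount -and $DisableAccount) {
            throw "Specify only one of -EnableAccount and -DisableAccount."
        }
        if ($AddToGroup -and $RemoveFromGroup) {
            throw "Specify only one of -AddToGroup and -RemoveFromGroup."
        }

        # ADS_UF_ACCOUNTDISABLE bit of the ADSI UserFlags property.
        $accountDisableFlag = 0x0002
    }

    process {
        foreach ($comp in $ComputerName) {
            foreach ($user in $UserName) {
                # NOTE(review): $comp, $user and $GroupName are interpolated into
                # the ADsPath without validation. If these values ever come from
                # anything other than a trusted operator, validate them first.
                $userPath = "WinNT://$comp/$user,user"
                $userPathNormalized = Convert-ADsPath -path $userPath

                # Stage 1: confirm the account exists. A lookup that throws
                # (for example an unreachable host) skips this user rather than
                # falling through to the state-changing calls.
                try {
                    $userExists = [ADSI]::Exists($userPath)
                }
                catch {
                    Write-Error "Could not query user $user on ${comp}: $($_.Exception.Message)"
                    continue
                }
                if (-not $userExists) {
                    Write-Warning "User $user does not exist on $comp."
                    continue
                }

                # Stage 2: enable or disable the account. The verbose message
                # sits inside the try block so that it is only emitted when
                # SetInfo() actually succeeded.
                if ($EnableAccount -or $DisableAccount) {
                    $stateAction = if ($EnableAccount) { 'Enable account' } else { 'Disable account' }
                    if ($PSCmdlet.ShouldProcess("$comp\$user", $stateAction)) {
                        try {
                            $userAccount = [ADSI]$userPath
                            if ($EnableAccount) {
                                $userAccount.UserFlags.value = $userAccount.UserFlags.value -band (-bnot $accountDisableFlag)
                                $userAccount.SetInfo()
                                Write-Verbose "Enabled account: $user on $comp"
                            }
                            else {
                                $userAccount.UserFlags.value = $userAccount.UserFlags.value -bor $accountDisableFlag
                                $userAccount.SetInfo()
                                Write-Verbose "Disabled account: $user on $comp"
                            }
                        }
                        catch {
                            # Report and carry on: a failed state change should
                            # not prevent the group membership step below.
                            Write-Error "Failed to update account state for $user on ${comp}: $($_.Exception.Message)"
                        }
                    }
                }

                # Stage 3: group membership.
                $groupPath = "WinNT://$comp/$GroupName,group"
                try {
                    if (-not [ADSI]::Exists($groupPath)) {
                        Write-Warning "Group $GroupName does not exist on $comp."
                        continue
                    }

                    $localGroup = [ADSI]$groupPath

                    # Member paths are normalized with the same helper as the
                    # user path so the -in / -notin comparison is like for like.
                    # @() keeps the result an array for zero or one member.
                    $members = @(
                        $localGroup.Invoke("Members") | ForEach-Object {
                            Convert-ADsPath -path ($_.GetType().InvokeMember("ADsPath", 'GetProperty', $null, $_, $null))
                        }
                    )
                    Write-Verbose "Members found in $GroupName on $comp : $($members -join ', ')"

                    if ($AddToGroup -and ($userPathNormalized -notin $members)) {
                        if ($PSCmdlet.ShouldProcess("$comp\$GroupName", "Add member $user")) {
                            $localGroup.Add($userPath)
                            Write-Verbose "Added $user to $GroupName on $comp."
                        }
                    }
                    elseif ($RemoveFromGroup -and ($userPathNormalized -in $members)) {
                        if ($PSCmdlet.ShouldProcess("$comp\$GroupName", "Remove member $user")) {
                            $localGroup.Remove($userPath)
                            Write-Verbose "Removed $user from $GroupName on $comp."
                        }
                    }
                    elseif ($AddToGroup) {
                        Write-Verbose "$user is already a member of $GroupName on $comp."
                    }
                    elseif ($RemoveFromGroup) {
                        Write-Verbose "$user is not a member of $GroupName on $comp."
                    }
                }
                catch {
                    Write-Error "Failed to update membership of $GroupName for $user on ${comp}: $($_.Exception.Message)"
                }
            }
        }
    }
}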