Public/Set-LocalUserAccount.ps1


<#
.SYNOPSIS
    Manages user accounts on a local or remote computer.
 
.DESCRIPTION
    This function enables or disables user accounts, and manages their membership in specified groups. It normalizes account paths to ensure accurate membership verification.
 
.PARAMETER ComputerName
    Specifies the target computer(s).
 
.PARAMETER UserName
    Specifies the username(s) to manage.
 
.PARAMETER GroupName
    Specifies the local group whose membership is modified. Defaults to "Administrators".
 
.PARAMETER EnableAccount
    If specified, enables the user account.
 
.PARAMETER DisableAccount
    If specified, disables the user account.
 
.PARAMETER AddToGroup
    If specified, adds the user to the specified group.
 
.PARAMETER RemoveFromGroup
    If specified, removes the user from the specified group.
 
.EXAMPLE
    Set-LocalUserAccount -ComputerName "VDURXD7COEP0008" -UserName "admin" -EnableAccount -AddToGroup -Verbose

    Enables the user account and adds it to the Administrators group.

.EXAMPLE
    Set-LocalUserAccount -ComputerName "VDURXD7COEP0008" -UserName "admin" -DisableAccount -RemoveFromGroup -Verbose

    Disables the user account and removes it from the Administrators group.
 
.NOTES
    Author: Sundeep Eswarawaka
#>


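function Set-LocalUserAccount{
    # Enables/disables local user accounts and adds them to / removes them from
    # a local group on one or more computers through the WinNT ADSI provider.
    #
    # Every mutating step (UserFlags update, group Add/Remove) is gated by
    # ShouldProcess, so callers can preview with -WhatIf or gate with -Confirm;
    # this matters because the default target group is Administrators and the
    # function is typically run with elevated rights against remote hosts.
    #
    # Parameters:
    #   ComputerName    - target computer(s); used verbatim in WinNT:// paths.
    #   UserName        - user account(s) to manage on each computer.
    #   GroupName       - local group to modify (default "Administrators").
    #   EnableAccount   - clear the account-disabled flag.
    #   DisableAccount  - set the account-disabled flag.
    #   AddToGroup      - add the user to GroupName if not already a member.
    #   RemoveFromGroup - remove the user from GroupName if currently a member.
    # Throws:
    #   when EnableAccount/DisableAccount or AddToGroup/RemoveFromGroup are
    #   both given, since the two requests contradict each other.
    # Outputs:
    #   nothing on the pipeline; progress goes to Verbose, problems to
    #   Warning (missing user/group) or Error (lookup failure).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName,

        [Parameter(Mandatory = $true)]
        [string[]]$UserName,

        [Parameter(Mandatory = $false)]
        [string]$GroupName = "Administrators",

        [switch]$EnableAccount,
        [switch]$DisableAccount,
        [switch]$AddToGroup,
        [switch]$RemoveFromGroup
    )

    begin {
        # ADS_UF_ACCOUNTDISABLE bit of the WinNT UserFlags property.
        $accountDisableFlag = 0x0002

        # Reject contradictory switches up front instead of letting the first
        # branch of an if/elseif silently win.
        if ($EnableAccount -and $DisableAccount) {
            throw "EnableAccount and DisableAccount cannot be used together."
        }
        if ($AddToGroup -and $RemoveFromGroup) {
            throw "AddToGroup and RemoveFromGroup cannot be used together."
        }

        # Group lookups are only needed when a membership change was requested.
        $manageGroup = $AddToGroup -or $RemoveFromGroup
    }

    process {
        foreach ($comp in $ComputerName) {
            # NOTE(review): the group is resolved by display name; on localized
            # Windows installs the built-in administrators group carries a
            # different name, so "Administrators" may not resolve there.
            $groupPath = "WinNT://$comp/$GroupName,group"
            $groupAvailable = $false

            if ($manageGroup) {
                try {
                    $groupAvailable = [ADSI]::Exists($groupPath)
                } catch {
                    # Remote lookups raise (host unreachable, access denied)
                    # rather than returning $false.
                    Write-Error "Cannot query group $GroupName on ${comp}: $($_.Exception.Message)"
                }
                if (-not $groupAvailable) {
                    # Warn once per computer; account enable/disable still runs.
                    Write-Warning "Group $GroupName does not exist on $comp."
                }
            }

            foreach ($user in $UserName) {
                $userPath = "WinNT://$comp/$user,user"

                try {
                    $userExists = [ADSI]::Exists($userPath)
                } catch {
                    Write-Error "Cannot query user $user on ${comp}: $($_.Exception.Message)"
                    continue
                }
                if (-not $userExists) {
                    Write-Warning "User $user does not exist on $comp."
                    continue
                }

                $userAccount = [ADSI]$userPath

                if ($EnableAccount -and $PSCmdlet.ShouldProcess("$user on $comp", "Enable account")) {
                    $userAccount.UserFlags.value = $userAccount.UserFlags.value -band (-bnot $accountDisableFlag)
                    $userAccount.SetInfo()
                    Write-Verbose "Enabled account: $user on $comp"
                } elseif ($DisableAccount -and $PSCmdlet.ShouldProcess("$user on $comp", "Disable account")) {
                    $userAccount.UserFlags.value = $userAccount.UserFlags.value -bor $accountDisableFlag
                    $userAccount.SetInfo()
                    Write-Verbose "Disabled account: $user on $comp"
                }

                # Nothing further to do unless a group change was requested
                # and the group could be resolved on this computer.
                if (-not $groupAvailable) {
                    continue
                }

                $localGroup = [ADSI]$groupPath

                # Membership is re-read per user because an earlier iteration
                # may have changed it. Paths are normalized on both sides so
                # the comparison is not thrown off by formatting differences.
                $userPathNormalized = Convert-ADsPath -path $userPath
                $members = @($localGroup.Invoke("Members") | ForEach-Object {
                    Convert-ADsPath -path ($_.GetType().InvokeMember("ADsPath", 'GetProperty', $null, $_, $null))
                })
                $isMember = $userPathNormalized -in $members

                Write-Verbose "Members found in $GroupName on $comp : $($members -join ', ')"

                if ($AddToGroup) {
                    if ($isMember) {
                        Write-Verbose "$user is already a member of $GroupName on $comp."
                    } elseif ($PSCmdlet.ShouldProcess("$user on $comp", "Add to group $GroupName")) {
                        $localGroup.Add($userPath)
                        Write-Verbose "Added $user to $GroupName on $comp."
                    }
                } elseif ($RemoveFromGroup) {
                    if (-not $isMember) {
                        Write-Verbose "$user is not a member of $GroupName on $comp."
                    } elseif ($PSCmdlet.ShouldProcess("$user on $comp", "Remove from group $GroupName")) {
                        $localGroup.Remove($userPath)
                        Write-Verbose "Removed $user from $GroupName on $comp."
                    }
                }
            }
        }
    }
}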