Windows Local Account and Group Maintenance

How does one remotely maintain Local Accounts and Groups in a Windows environment?


You can do this with a variety of means. I'd just use a CMD script calling the NET.EXE command-line utility.

To remove the user:

NET USER <username> /DELETE

To create a new user and add it to the Administrators group:

NET USER <username> <password> /ADD
NET LOCALGROUP Administrators <username> /ADD

Be aware that your script will have the password in it in plaintext and protect it accordingly. If you assign the script as an AD startup script (which is what I would do), alter the security permission on the script to include "Domain Computers - Read and Execute" and remove the "Authenticated Users" permission and you'll go a long way to keeping that plaintext password secure.

The script won't hurt anything if you run it multiple times on the same machine. If, however, you'd like to keep track of which machines it has run on, you might consider the following:

  • Create a group in AD-- say "User Creation Script Complete".
  • Modify the permission on the group to include "Domain Computers - Write / Add Self as Member"
  • In the script, above, add the line:

    NET GROUP "User Creation Script Complete" /DOMAIN /ADD %COMPUTERNAME%$

You'll see the group "grow" member computers as it runs on each machine.

If you want to stop the script from running on computers where it's already run, add a permission to the GPO that assigns the startup script "User Creation Script Complete - Deny Apply Group Policy". Then the script will run once on each machine. (I do this kind of "trapdoor" script a lot, actually, for various system administration functions.)


1. The MS way: http://support.microsoft.com/kb/272530

2. The MS hired a genius way: http://technet.microsoft.com/en-gb/sysinternals/bb897553.aspx

3. The GPO way: http://www.gilham.org/Blog/Lists/Posts/Post.aspx?List=aab85845-88d2-4091-8088-a6bbce0a4304&ID=505

4. The machines are off at times way: Use SMS/SCCM to advertise a cmd to change the pass warning: this leaves the pass in clear text, so script to remove the file when it's done


I recommend using Restricted Groups for adding the user to the Administrators group, as opposed to scripting it. Apply this using a GPO.

Combine it with @MathewC's #3 and you should have a robust solution.