Configure Local User Account with DSC

talkbubble Yesterday I posted an article on how to use PowerShell and the [ADSI] type accelerator to set a local user account. However, if you are running PowerShell 4.0 you have another option: Desired State Configuration (DSC).

I’m going to assume you have some basic understanding of how DSC works. If not, head over to the Public OneDrive folder for and grab a copy of the free DSC ebook.

DSC ships with a provider resource for user accounts.


Because of the account password, the official stance is to use a certificate to handle encrypting the password. You can read about that on the PowerShell team blog. But that’s more than I want to deal with right now, plus I trust the security of my local test network so my configurations will store the passwords as plain text in the resulting MOFs. I suppose I should show you the script I came up with.

This script is intended to define a set of MOFs for computers in my Globomantics domain that all start with “CHI”. The script takes an array of computernames. From there it defines the configuration, defines the necessary configuration data to allow plain text passwords and then executes the configuration. The configuration also has a Group resource to add the account to the local Administrators group. Note the DependsOn setting in the group configuration. This ensures that the account will be set up before adding it to the group.

To create the configurations I run my script specifying the computer names.

PowerShell will prompt me for the credentials. When finished I am left with a MOF file for each computer under C:\Scripts\LocalUserAccounts, because I specified an output path. When I’m ready, I can push the configuration to the servers:

And that’s it! I can verify using the NET USER command in a remote session.


DSC promises to change the way IT Pros get their work done, and in a positive way!

Set Local User Account with PowerShell

halfuser The other day I received an email from a student asking for some help in using PowerShell to take care of a user account on a local computer. He not only wanted to be able to set the password, which he had already figured out, but also how to enable or disable the account, which is not obvious or intuitive without experience using ADSI and the WinNT provider. I sent him some suggestions to get him started down the right path. But I realized, I should wrap up this functionality in a PowerShell tool since his task is something I assume many of you need and there are no cmdlets from Microsoft for managing local user accounts.

First, let me point out that it is actually quite easy to manage local user accounts on remote computers using PowerShell. All you need to do is learn how to use the NET USER command and execute it using Invoke-Command.



The LocalAdmin account on CHI-CORE01 is currently disabled (account active is equal to no). But it is pretty easy to enable and set a new password.

However, this doesn’t scale well and the capabilities of the NET USER command might vary by operating system. So here is a PowerShell function that utilizes ADSI to do the same thing.

This function should work in PowerShell 2.0 and later. The help content includes some usage examples. You can use this command to simply change the user password, or change the password while enabling or disabling the account. Enabling and disabling is accomplished with a bitwise operation with the userflags value and a constant flag that indicates the account is disabled.

There is probably more that could be added to the command such as setting the comment property and when the account expires. But I’ll leave those changes to you for now.

Save the PowerShell Children

PowerShell Deep Dives I just received the royalty statement for Q4 2013 on the PowerShell Deep Dives book. While I appreciate every sale, I know the community can do better. In case you didn’t know, this book is a compilation of PowerShell nuggets you won’t find anywhere else. Chapters were contributed by MVPs, leaders in the PowerShell community as well as Microsoft specialists. Nobody received any financial compensation for this project. All proceeds go to Save the Children. For Q4 2013 they received a check for $1,848.

Net sales for Q4 were 257 copies. Since I’ve never returned a purchased book I have no idea why there are any returns. Since publication we’ve sold 1733 copies. I have to believe there are more than 1700 people in the PowerShell community who would enjoy this book. Perhaps they simply don’t know about it.

If you don’t have your own copy you can get it from Amazon or Manning. If you are after a digital copy, you will need to get those from Manning. And if you already own a copy, please consider leaving a review on Amazon and encourage your friends and colleagues to get their own copies. They will pick up some great PowerShell knowledge and make the world a better place.

Advice, solutions, tips and more for the lonely Windows administrator with too much to do and not enough time.

%d bloggers like this: