User & Group Management

Users

Account can be categorized as:

1. Service accounts

2. Built-in accounts

   1. Administrator (sysadmin tasks on the host)

   2. Default (multi-user authentication apps)

   3. Guest (disabled by default)

   4. WDGUtility (Defender's account)

3. Local users

4. Domain users

• The management of AD-objects is done via the ActiveDirectory Powershell module.

• Domain users can access any domain-joined host, while local users are restricted only on the host they are created in.

Commands

• The Get, New, and Set verbs are used to find, create, and modify users and groups.

• LocalUser, LocalGroup, ADUser, and ADGroup.

Local

# Listing local (host's) users
Get-LocalUser
# Creating a new local user
New-LocalUser -Name "x7331" -NoPassword
# Adding a password to the user (prompt for entering a password)
$password = Read-Host -AsSecureString
Set-LocalUser -Name "x7331" -Password $password -Description "etile"

# Listing local groups
Get-LocalGroup
# Listing group members
Get-LocalGroupMember -Name "Users"
# Adding a user to the group
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "x7331"

Domain

We must first install the ActiveDirectory module which is a part of the Remote System Administration Tools (RSAT).

# Installing all RSAT features, including AD module
Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online
# Checking if it's there
Get-Module -Name ActiveDirectory -ListAvailable

# Listing AD users
Get-ADUser -Filter *
# Specify an AD user by GUID, objectSid, SamAccountName, or distinguished name
Get-ADUser -Identity x7331
# Filter users based on an attribute
Get-ADUser -Filter {EmailAddress -Like '*domain.com'}
Get-ADUser -Filter {GivenName -eq 'x7331'}
# Creating a new user
New-ADUser -Name "x7332" -Surname "x7333" -GivenName "Mori" -Office "Security" -OtherAttributes @{'title'="Sensei";'mail'="MTanaka@greenhorn.corp"} -Accountpassword (Read-Host -AsSecureString "AccountPassword") -Enabled $true
# Validating the user
Get-ADUser -Identity x7331 -Properties * | Format-Table Name,Enabled,GivenName,Surname,Title,Office,Mail
# Modifying user's description
Set-ADUser -Identity x7331 -Description "the best"