From: www.itworld.com
October 20, 2006
Windows basically has two kinds of users and groups. Local user and group accounts are those created on your local computer and are stored in a protected portion of the registry. On standalone computers, for example a computer at home that your family shares, you might create several local users, one for yourself and one for each member of your family. That way, each individual who logs on to the machine has their own desktop and settings.
Domain accounts exist only in a domain environment and are stored in Active Directory; domain users log on to the network, not to their individual machines. Domain accounts let you implement roaming profiles, folder redirection, software installation using Group Policy, and all sorts of cool stuff that enterprises like and need. So in an enterprise environment, only domain accounts are important and local accounts don't matter, right? Wrong!
I recently talked with Ed Wilson, a senior consultant with Microsoft Corp. and the author of Microsoft VBScript Step by Step and the Microsoft Windows Scripting with WMI: Self-Paced Learning Guide from Microsoft Press. Here's what Ed says about the topic of whether being able to easily manage local users and groups using scripts is useful to enterprise administrators:
"I always get questions from network administrators like 'How do I change the local administrator password.' This is probably the most important question I get, and one of the most frequent. The next question I get is 'How do I know which users are in the local Administrators group on a machine.'
"With our growing emphasis at Microsoft on running local machines as non-admins, it will be much more important to be able to manage local users and groups. In fact, one reason that local users and groups are not used as much nowadays is the lack of ability to easily implement management of these accounts. For instance, I see an example of using a script to create local users in order to automate the deployment of laptop machines. For example, you could create a local user account so both helpdesk or the user can log on locally. Creating local groups to facilitate sharing of laptops is another example of the kind of things that one can do, and so on."
That's good advice from Ed, and you can find some sample scripts for managing local accounts in the Script Center Script Repository on Microsoft TechNet under the heading of Other Directory Services. If you know how to script, you can customize these scripts to suit the needs of your environment. And if you don't know how to script, well, why not buy Ed's books?
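As an added illustration of the second question Ed mentions (which users are in the local Administrators group), here is a PowerShell audit that compares the group's members against an allow-list. It is not from the article or the Script Center repository; it assumes Windows PowerShell 5.1 or later, and the function name `Get-LocalAdminReport` and the allow-list entries are constructed placeholders.

```powershell
# Added example: audit the built-in local Administrators group on this machine.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).

# Well-known SID of BUILTIN\Administrators. The group name is localized
# (e.g. "Administratoren" on German systems); the SID is not.
$AdminsSid = 'S-1-5-32-544'

# Accounts expected to hold local admin rights (constructed sample values;
# replace with the names your environment actually uses).
$Expected = @(
    "$env:COMPUTERNAME\Administrator",
    'EXAMPLE\Domain Admins',
    'EXAMPLE\Helpdesk-LocalAdmins'
)

function Get-LocalAdminReport {
    param([string[]]$AllowList)

    # -ErrorAction Stop turns enumeration problems into a terminating error,
    # so a partial listing is never mistaken for a clean result.
    Get-LocalGroupMember -SID $AdminsSid -ErrorAction Stop | ForEach-Object {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $_.Name             # COMPUTER\user or DOMAIN\name
            Type     = $_.ObjectClass      # User or Group
            Source   = $_.PrincipalSource  # Local, ActiveDirectory, ...
            Expected = $AllowList -contains $_.Name   # case-insensitive match
        }
    }
}

try {
    $report = @(Get-LocalAdminReport -AllowList $Expected)
} catch {
    Write-Warning "Could not enumerate local Administrators: $($_.Exception.Message)"
    exit 2
}

$report | Format-Table -AutoSize

# Any member not on the allow-list is flagged and reflected in the exit code,
# so the script can be run from a scheduled task or deployment tool.
$unexpected = @($report | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} unexpected member(s) in local Administrators" -f $unexpected.Count)
    exit 1
}
```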