# encoding: ascii # api: powershell # title: Set-LocalUserAccount # description: Sets properties for a given user local username. # version: 0.1 # type: function # author: Andy Arismendi # license: CC0 # function: Set-LocalUserAccount # x-poshcode-id: 4514 # x-archived: 2016-04-12T16:14:32 # x-published: 2016-10-09T15:30:00 # # Description, Full Name, Password # Change password at next logon # User cannot change password # Password never expires # Enable/Disable the account # Unlock the account # Reset all account flags # function Set-LocalUserAccount { param ( [parameter(Mandatory=$true)] [string] $Username, [string] $Description, [string] $FullName, [string] $ComputerName = $env:COMPUTERNAME, [system.Security.SecureString] $Password, [switch] $PasswordChangeAtNextLogon, [switch] $CannotChangePassword, [switch] $PasswordNeverExpires, [switch] $Enable, [switch] $Disable, [switch] $UnLock, [switch] $ResetAllFlags ) try { if ($Enable -and $Disable) { Write-Warning "Please use only -Enable or -Disable."; return } if ($Password) { $pass = [Runtime.InteropServices.marshal]::PtrToStringAuto([Runtime.InteropServices.marshal]::SecureStringToBSTR($Password)) } $AccountOptions = @{ ACCOUNTDISABLE = 2; LOCKOUT = 16; PASSWD_CANT_CHANGE = 64; NORMAL_ACCOUNT = 512; DONT_EXPIRE_PASSWD = 65536 } $user = [ADSI] "WinNT://$ComputerName/$Username" if ($Description) {$user.Description = $Description} if ($FullName) {$user.FullName = $FullName} if ($pass) { $user.psbase.invoke("SetPassword", $pass) $user.psbase.CommitChanges() } if ($ResetAllFlags) { $user.UserFlags = $user.UserFlags.Value -band $AccountOptions.NORMAL_ACCOUNT } else { # Disables "User cannot change password" and "Password never expires" if ($PasswordChangeAtNextLogon) { $user.UserFlags = $AccountOptions.PASSWD_CANT_CHANGE -band $AccountOptions.DONT_EXPIRE_PASSWD $user.PasswordExpired = 1 } else { if ($CannotChangePassword) { $user.PasswordExpired = 0 $user.UserFlags = $user.UserFlags.Value -bor $AccountOptions.PASSWD_CANT_CHANGE } if ($PasswordNeverExpires) {$user.UserFlags = $user.UserFlags.Value -bor $AccountOptions.DONT_EXPIRE_PASSWD} } if ($Enable) {$user.InvokeSet("AccountDisabled", "False")} if ($Disable) {$user.InvokeSet("AccountDisabled", "True")} if ($UnLock) {$user.IsAccountLocked = $false} } $user.SetInfo() } catch { throw 'Failed to set local user account properties. The error was: "{0}".' -f $_ } }