Local account management (not domain) via the built-in *-LocalUser / *-LocalGroup cmdlets.
Changes need an elevated prompt.
List local users
Get-LocalUser
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordExpires
Members of the Administrators group
Get-LocalGroupMember -Group Administrators
Enabled accounts only
Get-LocalUser | Where-Object Enabled -eq $true
Create a local user (admin)
$pw = Read-Host -AsSecureString "New password"
New-LocalUser -Name "svc_backup" -Password $pw -FullName "Backup Service" -Description "Service account"
Add a user to a group (admin)
Add-LocalGroupMember -Group Administrators -Member "svc_backup"
Disable or remove a user (admin)
Disable-LocalUser -Name "olduser"
Remove-LocalUser -Name "olduser"
Notes: these are the Microsoft.PowerShell.LocalAccounts cmdlets, included on Windows 10/11
and Server 2016+ (Windows PowerShell 5.1). They manage local accounts only — for domain
accounts use the ActiveDirectory module (Get-ADUser, etc.). Never hard-code a plaintext password;
Read-Host -AsSecureString or a stored credential keeps it out of your history.