Mastering User Account Management in Windows with PowerShell

Key takeaways:

  • Automated control: The script automates the process of enabling or disabling Microsoft account creation, enhancing efficiency in user account management.
  • Security enhancement: By controlling account creation, the script significantly improves the security posture of Windows environments.
  • Parameter flexibility: Offers customization through parameters like Allow, BlockLogin, and ForceReboot, adapting to different administrative requirements.
  • Registry key modification: It operates by modifying specific registry keys that govern account creation and usage policies.
  • Compatibility considerations: Primarily designed for Windows 10 and potentially Windows 11, its compatibility with other versions isn’t assured.
  • Real-world application: Ideal for enforcing corporate policies on user account creation and management, particularly in larger organizations.
  • Script vs. manual Control: Offers a more efficient and less error-prone solution compared to manual registry edits or group policy adjustments.
  • Testing importance: Essential to test the script in a controlled setting before wide-scale implementation to avoid unintended consequences.
  • Balancing security and usability: Critical to ensure that security measures do not impede legitimate users’ access and workflow.
  • Integration with management Tools: Can be effectively integrated with IT management solutions like NinjaOne for enhanced deployment and monitoring capabilities.

Introduction

User account management is a critical aspect of IT administration, directly impacting system security and user accessibility. Controlling the creation of new user accounts, particularly Microsoft accounts, is an essential task for IT professionals and Managed Service Providers (MSPs). A PowerShell script that automates this process not only enhances security but also saves time and resources.

Background

The script provided is a PowerShell-based tool designed to enable or disable the creation of Microsoft accounts on Windows systems. Its relevance in IT stems from the need to maintain control over user access in corporate environments. By restricting the creation of new Microsoft accounts, IT professionals can prevent unauthorized access, ensure compliance with company policies, and maintain a secure computing environment.

The script:

#Requires -Version 5.1 -RunAsAdministrator

<#
.SYNOPSIS
    Block or Allow the ability to create Microsoft Accounts.
.DESCRIPTION
    Block or Allow the ability to create Microsoft Accounts.
.EXAMPLE
    PS C:\> Disable-MicrosoftAccountCreation.ps1
    Blocks creation of Microsoft Accounts.
PARAMETER: -Allow
    Allows creation of Microsoft Accounts.
.EXAMPLE
    PS C:\> Disable-MicrosoftAccountCreation.ps1
    Allows creation of Microsoft Accounts.
PARAMETER: -ForceReboot
    Blocks creation of Microsoft Accounts and reboot after 2 minutes.
.EXAMPLE
    PS C:\> Disable-MicrosoftAccountCreation.ps1 -ForceReboot
    Blocks creation of Microsoft Accounts and reboot after 2 minutes.
.INPUTS
    None
.OUTPUTS
    String[]
.NOTES
    Release Notes: Renamed Script, updated Set-ItemProp
    Only usable on Windows 10, possible Windows 11(UNTESTED/UNVERIFIED).
By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https://www.ninjaone.com/terms-of-use.
    Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms. 
    Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party. 
    Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider. 
    Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations. 
    Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks. 
    Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script. 
    EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).
.COMPONENT
    LocalBuiltInAccountManagement
#>

[CmdletBinding()]
param (
    [Parameter()]
    [switch]
    $Allow,
    [switch]
    $BlockLogin,
    [switch]
    $ForceReboot
)

begin {
    function Set-ItemProp {
        param (
            $Path,
            $Name,
            $Value,
            [ValidateSet("DWord", "QWord", "String", "ExpandedString", "Binary", "MultiString", "Unknown")]
            $PropertyType = "DWord"
        )
        if (-not $(Test-Path -Path $Path)) {
            # Check if path does not exist and create the path
            New-Item -Path $Path -Force | Out-Null
        }
        if ((Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue)) {
            # Update property and print out what it was changed from and changed to
            $CurrentValue = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
            try {
                Set-ItemProperty -Path $Path -Name $Name -Value $Value -Force -Confirm:$false -ErrorAction Stop | Out-Null
            }
            catch {
                Write-Error "[Error] Unable to Set registry key for $Name please see below error!"
                Write-Error $_
                exit 1
            }
            Write-Host "$Path\$Name changed from $CurrentValue to $($(Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name)"
        }
        else {
            # Create property with value
            try {
                New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $PropertyType -Force -Confirm:$false -ErrorAction Stop | Out-Null
            }
            catch {
                Write-Error "[Error] Unable to Set registry key for $Name please see below error!"
                Write-Error $_
                exit 1
            }
            Write-Host "Set $Path\$Name to $($(Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name)"
        }
    }
    if ($env:allowCreation -like "Allow") {
        $Allow = $true
    }
    elseif ($env:allowCreation -like "Block Creation" -or $env:allowCreation -like "Block Creation And Login") {
        $Allow = $false
    }
    if ($env:forceReboot -like "true") {
        $ForceReboot = $true
    }
}
process {
    if ($Allow) {
        # Allow
        Set-ItemProp -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "NoConnectedUser" -Value 0
        Set-ItemProp -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowYourAccount" -Name "value" -Value 1
        Remove-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\MicrosoftAccount" -Name "DisableUserAuth" -ErrorAction SilentlyContinue

        Write-Host "Allowing Microsoft accounts to be created."
    }
    else {
        # Block
        if ($env:allowCreation -like "Block Creation And Login" -or $BlockLogin) {
            # Block MS Account Creation and Login
            Set-ItemProp -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "NoConnectedUser" -Value 3
            Set-ItemProp -Path "HKLM:\Software\Policies\Microsoft\MicrosoftAccount" -Name "DisableUserAuth" -Value 1
        }
        else {
            # Block MS Account Creation
            Set-ItemProp -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "NoConnectedUser" -Value 1
        }
        Set-ItemProp -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowYourAccount" -Name "value" -Value 0

        Write-Host "Blocking Microsoft accounts from being created."
    }

    if ($ForceReboot) {
        # Reboot
        shutdown.exe -r -t 60
    }
    else {
        # Do not reboot
        Write-Host "Please restart $([System.Net.Dns]::GetHostName())"
    }
}
end {
    
    
    
}

 

Access over 300+ scripts in the NinjaOne Dojo

Get Access

Detailed breakdown

The script operates by modifying specific registry keys that control the ability to create and use Microsoft accounts in Windows 10 and potentially Windows 11. The script’s parameters (Allow, BlockLogin, ForceReboot) offer flexibility in implementation, catering to various administrative needs.

  • Setting up environment: The script starts by defining a custom function Set-ItemProp to create or modify registry keys and values.
  • Parameter handling: It then evaluates environmental variables and script parameters to determine the action – allowing or blocking the creation of Microsoft accounts.
  • Execution logic: Based on the parameters provided, the script modifies the relevant registry keys. If the Allow switch is set, it enables the creation of Microsoft accounts. Conversely, if not set, it disables this feature. The BlockLogin parameter can further restrict account usage.
  • System response: Depending on the ForceReboot parameter, the script may initiate a system reboot to ensure changes take effect immediately.

Potential use cases

An IT administrator at a large corporation may use this script to enforce a policy that prevents employees from using personal Microsoft accounts on corporate devices. This ensures that only accounts managed by the organization are used, enhancing security and compliance.

Comparisons

Traditional methods of user account control often involve manual registry edits or group policy configurations. The script offers a more streamlined and scriptable solution that can be deployed quickly and uniformly across multiple systems.

FAQs

  • Can this script be used on all Windows versions?
    • The script is designed for Windows 10 and possibly Windows 11, but compatibility with other versions isn’t guaranteed.
  • How does this script affect existing Microsoft accounts?
    • The script does not impact existing accounts but controls the creation of new ones and, optionally, their ability to log in.

Implications

Using such a script can significantly enhance an organization’s security posture by controlling user access. However, it’s crucial to balance security with usability, ensuring that legitimate users are not hindered.

Recommendations

Always test the script in a controlled environment before broad deployment. Be mindful of the needs of different user groups within the organization and adjust the script’s parameters accordingly.

Final thoughts

Integrating this PowerShell script into a comprehensive IT management solution like NinjaOne can streamline user account management. NinjaOne provides the tools for deploying, monitoring, and managing such scripts across a distributed IT environment, ensuring consistency and reliability in administrative tasks.

Next Steps

Building an efficient and effective IT team requires a centralized solution that acts as your core service deliver tool. NinjaOne enables IT teams to monitor, manage, secure, and support all their devices, wherever they are, without the need for complex on-premises infrastructure.

Learn more about NinjaOne Remote Script Deployment, check out a live tour, or start your free trial of the NinjaOne platform.

Categories:

You might also like

×

See NinjaOne in action!

By submitting this form, I accept NinjaOne's privacy policy.

NinjaOne Terms & Conditions

By clicking the “I Accept” button below, you indicate your acceptance of the following legal terms as well as our Terms of Use:

  • Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms.
  • Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party.
  • Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library belonging to or under the control of any other software provider.
  • Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations.
  • Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks.
  • Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script.
  • EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).