How to Disable a Local Account in Windows Using PowerShell

IT professionals and Managed Service Providers (MSPs) know the drill: Sometimes you have to disable a local account on a Windows machine for security, compliance, or other operational reasons. Sure, there are built-in GUI tools for this, but when you’re managing multiple systems, automation is key. Today, we’ll delve into a PowerShell script designed to automate this task, making it faster, more secure, and easily repeatable.

The script allows you to disable a local account on Windows through PowerShell. This PowerShell script specifically targets those searching for how to disable a Windows OS user through PowerShell or those wondering how to disable a local account on Windows. So, without further ado, let’s break down this script.

The Script

#Requires -Version 5.1

<#
.SYNOPSIS
    Disable a local account
.DESCRIPTION
    Disable a local account
.EXAMPLE
     -UserName "AdminTest"
    Disables the account AdminTest
.EXAMPLE
    PS C:> Disable-LocalAdminAccount.ps1 -UserName "Administrator"
    Disables the account AdminTest
.OUTPUTS
    None
    String[]
.NOTES
    Minimum OS Architecture Supported: Windows 10, Windows Server 2016
    Release Notes:
    Initial Release
    (c) 2023 NinjaOne
    By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https://www.ninjaone.com/terms-of-use.
    Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms. 
    Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party. 
    Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider. 
    Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations. 
    Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks. 
    Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script. 
    EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).
.COMPONENT
    LocalBuiltInAccountManagement
#>

[CmdletBinding()]
param (
    # User name of a local account
    [Parameter(Mandatory = $true)]
    [String]
    $UserName
)

begin {
    function Test-IsElevated {
        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $p = New-Object System.Security.Principal.WindowsPrincipal($id)
        if ($p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator))
        { Write-Output $true }
        else
        { Write-Output $false }
    }
}
process {
    if (-not (Test-IsElevated)) {
        Write-Error -Message "Access Denied. Please run with Administrator privileges."
        exit 1
    }
    if ($(Get-Command -Name "Disable-LocalUser" -ErrorAction SilentlyContinue)) {
        # Disables $UserName using Disable-LocalUser
        try {
            Disable-LocalUser $UserName -Confirm:$false
        }
        catch {
            Write-Error $_
            exit 1
        }
    }
    else {
        # Disables $UserName using net.exe
        net.exe user $UserName /active:no
        if ($LASTEXITCODE -gt 0) {
            exit 1
        }
    }
}
end {}

 

Access over 300+ scripts in the NinjaOne Dojo

Get Access

Understanding the Script

Here’s a quick synopsis:

  • The script starts by testing if it’s running with administrative privileges. If not, it stops and throws an error message.
  • It checks for the presence of the built-in Disable-LocalUser command. If it exists, it uses that. Otherwise, it resorts to the net.exe user command to disable the user account.

The script mandates that the $UserName variable must be populated. This is the local account you intend to disable.

Prerequisites

  • OS Requirements: Minimum OS architecture supported includes Windows 10 and Windows Server 2016.
  • PowerShell Version: Requires at least PowerShell 5.1.

Backup & Restore: Proceed with Caution

Before running any PowerShell script that modifies system settings, it’s crucial to back up your existing settings or, better yet, the whole system. This ensures that you can revert to the previous state should anything go wrong. Here are a couple of backup methods you can use:

System Restore Point

Creating a system restore point is an easy and effective way to back up your current settings. Here’s how:

  • Open the Start menu and search for “Create a restore point.”
  • Click on the matching result to open the System Properties window.
  • Go to the “System Protection” tab and click “Create.”
  • Name your restore point and save it.

How to Perform a Complete System Backup

For a full backup, you can create a system image:

  • Open Control Panel.
  • Navigate to “System and Security” > “Backup and Restore (Windows 7).”
  • On the left pane, click “Create a system image.”
  • Follow the wizard to complete the backup.

Note: Always test the restore process to ensure your backup is valid.

Error Handling: What To Do When Things Go Wrong

The PowerShell script includes basic error handling, but as with any script, errors can occur. Below are some common errors and troubleshooting tips:

“Access Denied. Please run with Administrator privileges.”

This error will occur if you try to run the script without administrative rights. Make sure to right-click the PowerShell window and choose “Run as administrator.”

User Account Doesn’t Exist

If you input a username that doesn’t exist, the script will throw an error. Double-check the username and try again.

Script Doesn’t Execute

If your script doesn’t execute, check your PowerShell execution policy settings. You may need to change the policy to allow the script to run. Use the following command to change it:

Set-ExecutionPolicy RemoteSigned

Remember to set it back to its original setting after running your script.

Catch-All Error Handling

If you’d like to extend the script to log errors into a text file for auditing, you can modify the catch block in the script like so:

catch { Write-Error $_ “Error: $_” | Out-File “C:pathtoerrorlog.txt” -Append exit 1 }

Note: Replace “C:pathtoerrorlog.txt” with your desired log file path.

By incorporating these backup and error-handling methods, you add an extra layer of safety and reliability when running the script.

How is This Helpful?

For IT Professionals:

  • Security: If you’re managing an organization’s IT infrastructure, knowing how to disable a local account on Windows is crucial. Unauthorized or redundant accounts are security risks.
  • Compliance: Regulatory compliance often necessitates the disabling of certain accounts. Automating this process ensures that no steps are missed.
  • Automation and Scalability: The script can be included as part of a larger automation sequence, making it easy to disable accounts across many machines simultaneously.

For MSPs:

  • Multi-Tenancy: MSPs can easily integrate this script into their centralized management systems. This simplifies the management of multiple clients from a single dashboard.
  • Operational Efficiency: The automation capability of this PowerShell script reduces the operational overhead.
  • SLAs and Customer Satisfaction: Automation ensures quicker response times and adherence to SLAs, directly translating into customer satisfaction.

Final Thoughts

When it comes to managing local accounts, the Disable-LocalAdminAccount.ps1 script is a powerful tool to have in your arsenal. Harness the power of automation and enhance your security measures by integrating this script into your workflows. After all, in today’s fast-paced IT landscape, automation isn’t just a luxury—it’s a necessity.

Next Steps

Building an efficient and effective IT team requires a centralized solution that acts as your core service deliver tool. NinjaOne enables IT teams to monitor, manage, secure, and support all their devices, wherever they are, without the need for complex on-premises infrastructure.

Learn more about NinjaOne Remote Script Deployment, check out a live tour, or start your free trial of the NinjaOne platform.

Categories:

You might also like

×

See NinjaOne in action!

By submitting this form, I accept NinjaOne's privacy policy.

NinjaOne Terms & Conditions

By clicking the “I Accept” button below, you indicate your acceptance of the following legal terms as well as our Terms of Use:

  • Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms.
  • Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party.
  • Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library belonging to or under the control of any other software provider.
  • Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations.
  • Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks.
  • Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script.
  • EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).