Adding a local user account on Windows Server creates a user that can log in to that specific server using a username and password stored locally — not in Active Directory. Local accounts are useful for service accounts, emergency administrator access, or servers that are not joined to a domain. Here is how to create and manage them.
Add a Local User via Computer Management
- Right-click the Start button and select Computer Management
- Expand Local Users and Groups → Users
- Right-click in the empty space in the Users panel and select New User
- Fill in:
  - User name: the login name (no spaces, keep it short)
  - Full name: display name (optional but helpful)
  - Description: what the account is for
  - Password and Confirm password
- Configure the password options:
  - User must change password at next logon: tick this for accounts used by real people — forces them to set their own password
  - User cannot change password: tick for service accounts where you control the password
  - Password never expires: tick for service accounts — untick for regular users
  - Account is disabled: creates the account but prevents login until you enable it
- Click Create, then Close
Add a Local User via PowerShell
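# Create a new local user
# Prompt for the password so it is never written into the script or command history
$password = Read-Host -AsSecureString -Prompt "Password for svcbackup"
New-LocalUser -Name "svcbackup" -Password $password -Description "Backup service account" -PasswordNeverExpires
# Create a user who must change password at first login
$password = Read-Host -AsSecureString -Prompt "Temporary password for jsmith"
New-LocalUser -Name "jsmith" -Password $password -FullName "John Smith" -Description "IT Admin"
# New-LocalUser has no "must change password" switch, so set the flag with net user
net user jsmith /logonpasswordchg:yes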
Add the User to a Local Group
Creating a user does not give them any access — you need to add them to a group:
- Administrators: full control of the server. Only grant this when genuinely needed.
- Remote Desktop Users: allows RDP login without being a full administrator
- Users: basic access — can log in locally and run applications
In Computer Management: expand Local Users and Groups → Groups, double-click the group, click Add, type the username, click OK.
Via PowerShell:
# Add user to Administrators group
Add-LocalGroupMember -Group "Administrators" -Member "svcbackup"
# Add user to Remote Desktop Users group
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "jsmith"
Create a User via Command Prompt (net user)
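REM Create user (* prompts for the password so it does not appear on the command line)
net user jsmith * /add
REM Add to Administrators group
net localgroup Administrators jsmith /add
REM Add to Remote Desktop Users
net localgroup "Remote Desktop Users" jsmith /add
REM Set password never expires (wmic is deprecated on newer Windows releases; the PowerShell equivalent is Set-LocalUser -Name "jsmith" -PasswordNeverExpires $true)
wmic useraccount where "Name='jsmith'" set PasswordExpires=FALSE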
List All Local Users
# PowerShell
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet, PasswordExpires
REM Command Prompt
net user
Disable vs Delete an Account
When a user leaves or an account is no longer needed, disable it before deleting it:
# Disable
Disable-LocalUser -Name "jsmith"
# Re-enable
Enable-LocalUser -Name "jsmith"
# Delete
Remove-LocalUser -Name "jsmith"
Disabled accounts cannot log in but the account and its SID remain — useful if you need to audit what access the account had. Deletion is permanent. For the built-in Administrator account, disable it rather than delete it.
The Built-In Administrator Account
Every Windows Server has a built-in local Administrator account (SID ending in -500). Best practice is to:
- Rename it from “Administrator” to something less predictable
- Set a strong, unique password and store it in a password manager
- Keep it disabled under normal operations — only enable it for emergency break-glass access
- Create a named personal administrator account for day-to-day admin work so actions are attributable
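These practices can be checked with a short audit script. The PowerShell function below is an added example, not part of the original article; the function name Get-LocalAccountAudit and the wording of the findings are assumptions made for illustration. It flags the built-in Administrator (SID ending in -500) when it is enabled or still has its default name, enabled accounts whose password never expires, and other enabled members of the local Administrators group.

```powershell
# Added example (not from the original article): audit local accounts
# against the practices described on this page. Run in an elevated session.
function Get-LocalAccountAudit {
    [CmdletBinding()]
    param()

    # Members of the local Administrators group, looked up by its well-known
    # SID (S-1-5-32-544) so the check does not depend on the group's display name.
    $adminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
        ForEach-Object { $_.SID.Value })

    foreach ($user in Get-LocalUser) {
        $findings = @()
        $isBuiltInAdmin = $user.SID.Value -match '^S-1-5-21-.*-500$'
        $isAdmin = $adminSids -contains $user.SID.Value

        if ($isBuiltInAdmin -and $user.Enabled) {
            $findings += 'Built-in Administrator is enabled'
        }
        if ($isBuiltInAdmin -and $user.Name -eq 'Administrator') {
            $findings += 'Built-in Administrator has not been renamed'
        }
        # PasswordExpires is empty when no expiry date applies to the account.
        if ($user.Enabled -and -not $user.PasswordExpires) {
            $findings += 'Password never expires (expected only for service accounts)'
        }
        if ($user.Enabled -and $isAdmin -and -not $isBuiltInAdmin) {
            $findings += 'Member of Administrators: confirm this is still needed'
        }

        [pscustomobject]@{
            Name            = $user.Name
            Enabled         = $user.Enabled
            IsAdministrator = $isAdmin
            LastLogon       = $user.LastLogon
            PasswordLastSet = $user.PasswordLastSet
            Findings        = $findings -join '; '
        }
    }
}

# Show only the accounts that have at least one finding.
Get-LocalAccountAudit | Where-Object Findings | Format-Table -AutoSize -Wrap
```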
Local Accounts vs Domain Accounts
On a domain-joined server, local accounts and domain accounts coexist. Local accounts are stored on the server itself; domain accounts are stored in Active Directory and work on any domain-joined machine. For most staff access on domain environments, use domain accounts — local accounts are better suited to service accounts and emergency access.