What you will achieve
Create, modify, and disable local user accounts and group memberships on Windows 11/10 Pro using Settings and Computer Management.
1) Add a user from Settings
- Settings → Accounts → Other users (Windows 11) → Add account.
- Choose I don't have this person's sign-in information → Add a user without a Microsoft account for a local account.
- Set username and password, then change account type to Standard or Administrator as needed.
2) Manage with lusrmgr.msc (Pro)
- Press Win + R, type lusrmgr.msc.
- Users — right-click to rename, disable, or set password.
- Groups — open Administrators, add or remove members (keep at least one enabled admin).
3) Command-line equivalents
net user Alice StrongPass123! /add
net localgroup Administrators Alice /add
net user Guest /active:no
4) Disable built-in Administrator safely
- The hidden Administrator account should stay disabled unless troubleshooting — enable only offline if needed:
net user Administrator /active:yes
- Set a strong password immediately if enabled, then disable after use:
net user Administrator /active:no
5) Password policy basics
- Local Security Policy (secpol.msc, Pro only): minimum length, complexity, lockout threshold.
- Home edition: rely on Microsoft account password strength or strong local passphrases manually.
6) Rename user folder caveat
- Renaming an account in lusrmgr.msc does not rename C:\Users\oldname; create a new account and migrate data for clean paths.
7) Built-in groups reference
- Users — standard rights.
- Power Users — legacy, not elevated on modern Windows.
- Remote Desktop Users — RDP only, not admin.
8) Password never expires flag
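net user ServiceAccount /expires:never
Set-LocalUser -Name ServiceAccount -PasswordNeverExpires $true
- The net user /expires:never switch only stops the account itself from expiring; the password-never-expires flag is set with Set-LocalUser in PowerShell.
- Local service accounts should use long random passwords stored in a vault, not shared human passwords.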
Verification checklist
- New standard user logs in successfully.
- Same user cannot open Computer Management without elevation — confirms not in Administrators group.
- Reboot once after changes that affect services, drivers, or firmware.
- Confirm the original problem is resolved under normal daily use, not only immediately after the fix.
- Note date, Windows version (Settings → System → About), and what changed in your personal runbook for next time.
Quick reference paths
- lusrmgr.msc
- net user
- Settings → Accounts → Other users
- Admin tools: press Win + X for Terminal (Admin), Device Manager, and Computer Management.
Set the built-in Guest account to Disabled status and ensure it stays off — Guest is rarely needed on modern standalone or domain-joined clients. Document every local admin in your asset register so offboarding reviews stay complete.
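The verification checklist and the closing note, as an added PowerShell example (not part of the original guide): it lists every member of Administrators for the asset register and flags an enabled built-in Administrator or Guest, a missing enabled local admin, and passwords that never expire. It assumes Windows PowerShell 5.1 with the built-in LocalAccounts cmdlets, and it finds accounts by well-known SID/RID so renamed accounts are still caught.

```powershell
# Added example: read-only audit of local accounts. Changes nothing on the system.
# Assumes Windows PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts module.

# Resolve by well-known SID/RID so renamed groups and accounts are still found.
$adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'     # built-in Administrators group
$users      = Get-LocalUser
$builtinAdm = $users | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }   # RID 500
$guest      = $users | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }   # RID 501

# Every member of Administrators (local users, domain or Microsoft accounts, groups).
$members   = @(Get-LocalGroupMember -Group $adminGroup)
$memberSid = @($members | ForEach-Object { $_.SID.Value })

# Local users that are both enabled and in Administrators.
$enabledAdmins = @($users | Where-Object {
    $_.Enabled -and $memberSid -contains $_.SID.Value
})

$findings = @()
if ($builtinAdm.Enabled) {
    $findings += "Built-in Administrator '$($builtinAdm.Name)' is enabled"
}
if ($guest.Enabled) {
    $findings += "Guest account '$($guest.Name)' is enabled"
}
# Counts local users only; members from a domain or other source are listed, not counted.
if ($enabledAdmins.Count -eq 0) {
    $findings += 'No enabled local user is in Administrators'
}
# PasswordExpires is empty when no password expiry applies to the account.
foreach ($u in $users) {
    if ($u.Enabled -and $null -eq $u.PasswordExpires) {
        $findings += "Password never expires: '$($u.Name)'"
    }
}

# Header for the runbook entry, then the admin list for the asset register.
"{0}  {1:yyyy-MM-dd}" -f $env:COMPUTERNAME, (Get-Date)
$members | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    'No findings.'
}
```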