You might need to delete a local user account for various reasons, such as when it’s no longer in use or as part of the account cleanup process across all your organization’s devices. Whatever the case, you can easily delete a local user account on a Windows 10 or Windows 11 device using Intune.
In my previous blog posts, I discussed how to create a local administrator account using Intune and how to add an existing Entra ID user to the local Administrators group using Intune. This post focuses on deleting a local user account.
Create a Script Package
- Sign in to the Intune admin center > Devices > Scripts and remediations.
- Click on + Create under the Remediations tab.
- Basics: Provide information about the script package, such as its Name, Description, and Publisher.
- Settings: Create a detection script using the PowerShell code below. Save it as DetectLocalUser.ps1.
DetectLocalUser.ps1
```powershell
$userName = "cloudinfra101"
# Exit 1 = account found, remediation required; Exit 0 = account absent, device compliant
$userExist = (Get-LocalUser).Name -contains $userName
if ($userExist) {
    Write-Host "$userName exist"
    Exit 1
} else {
    Write-Host "$userName does not exist"
    Exit 0
}
```
- Create a remediation script using the PowerShell code below. Save it as RemediateLocalUser.ps1.
RemediateLocalUser.ps1
```powershell
$userName = "cloudinfra101"
$userExist = (Get-LocalUser).Name -contains $userName
if ($userExist) {
    try {
        # -ErrorAction Stop turns any failure into a terminating error so the catch block runs
        Remove-LocalUser -Name $userName -ErrorAction Stop
        Exit 0
    } catch {
        Write-Error $_
        Exit 1
    }
}
```
- Detection script file – Browse to the detection script DetectLocalUser.ps1
- Remediation script file – Browse to Remediation script file RemediateLocalUser.ps1
- Run this script using the logged-on credentials – No
- Enforce script signature check – No
- Run script in 64-bit PowerShell – Yes
- Assignments: Click Add groups and select the Entra security group containing Windows 10/11 devices.
- Review + Create: Review the deployment and click on Create.
Sync Intune Policies
The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync from the device itself or remotely through the Intune admin center.
Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.
End User Experience
After the deployment is completed successfully, the specified local user account will be deleted.
- Click on Start > search for Computer Management.
- Then go to Local Users and Groups > Users.
- Check if cloudinfra101 local user account has been deleted.
- If this user was a member of other local groups, such as Administrators or Remote Desktop Users, it is removed from those groups as well.
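The remediation script above deletes the account without recording what access it had. The following is an added example, not code from the original post, of a remediation variant that logs the account's local group memberships (matched by SID, so a domain account with the same name is not confused with it) and refuses to delete built-in accounts; it assumes the same sample user name "cloudinfra101" and the same Intune exit-code convention (0 = done, 1 = failed).

```powershell
# Added example (not from the original post). Runs as SYSTEM under Intune remediation.
$userName = "cloudinfra101"

function Get-LocalGroupsForSid {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    $groups = @()
    foreach ($g in Get-LocalGroup) {
        try {
            $members = Get-LocalGroupMember -Group $g.Name -ErrorAction Stop
            if ($members | Where-Object { $_.SID -eq $Sid }) { $groups += $g.Name }
        } catch {
            # Get-LocalGroupMember fails on groups that contain orphaned SIDs; note it and move on
            Write-Host "Could not enumerate group $($g.Name): $_"
        }
    }
    return $groups
}

$user = Get-LocalUser -Name $userName -ErrorAction SilentlyContinue
if (-not $user) {
    Write-Host "$userName does not exist; nothing to do"
    Exit 0
}

# Built-in accounts have well-known RIDs below 1000 (500 Administrator, 501 Guest, 503 DefaultAccount).
$rid = [int]($user.SID.Value.Split('-')[-1])
if ($rid -lt 1000) {
    Write-Host "$userName is a built-in account (RID $rid); refusing to delete"
    Exit 1
}

# Record group memberships before deletion so the Intune log shows what access the account had
$memberOf = Get-LocalGroupsForSid -Sid $user.SID
Write-Host "$userName (SID $($user.SID.Value)) is a member of: $($memberOf -join ', ')"

try {
    # Delete by SID rather than name to avoid acting on a different account with the same name
    Remove-LocalUser -SID $user.SID -ErrorAction Stop
    Write-Host "$userName removed"
    Exit 0
} catch {
    Write-Error $_
    Exit 1
}
```

Removing the account does not remove its profile folder under C:\Users; if that is required, handle it as a separate step.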
Verify Intune Remediation Scripts Status from Logs
You can examine the logs for troubleshooting purposes to confirm whether the detection and remediation scripts ran successfully. The logs also record the date and time each script ran, which you can refer to if any issues arise during your deployment.
The Intune management extension log files are located in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs.
If you find multiple IntuneManagementExtension.log files, sort the list by the Date modified attribute to identify the most recent or active log file. As shown in the screenshot below, the detection script found the cloudinfra101 local user account and returned exit code 1, which triggered the remediation script to delete that account.
Conclusion
In this blog post, we’ve explored the process of deleting a local user account using Intune. While you can deploy a one-off PowerShell script to achieve this, the proactive remediation script package is often the preferred choice.
This method checks for the existence of the local user account before removing it, making it more efficient. Additionally, proactive remediation runs on a schedule, ensuring that the local account is deleted even if someone recreates it, which offers a more robust and reliable solution.
Thanks for this tutorial, very useful
Just a remark: you made a typo in DetectLocalUser.ps1: exists should be exist.
Thanks again for this post, it works like a charm!