Published 2026-01-28 by TechNet Team
When setting up a Windows computer for remote access, you'll need to create user accounts and grant them Remote Desktop permissions. This guide provides both a ready-to-use PowerShell script and manual instructions.
Quick Solution: PowerShell Script
Save this script as New-RDPUser.ps1 and run it as Administrator:
#Requires -RunAsAdministrator
# New-RDPUser.ps1
# Creates a local user account and adds it to the Remote Desktop Users group
# Run as Administrator
param(
    [Parameter(Mandatory=$false)]
    [string]$Username,
    [Parameter(Mandatory=$false)]
    [string]$FullName,
    [Parameter(Mandatory=$false)]
    [string]$Description = "Remote Desktop User",
    [Parameter(Mandatory=$false)]
    [switch]$PasswordNeverExpires
)

# Function to create a new RDP user
function New-RDPUser {
    Write-Host "========================================" -ForegroundColor Cyan
    Write-Host " Create Local User for Remote Desktop " -ForegroundColor Cyan
    Write-Host "========================================" -ForegroundColor Cyan
    Write-Host ""

    # Get username if not provided
    if (-not $Username) {
        $Username = Read-Host "Enter username"
    }

    # Check if user already exists
    $existingUser = Get-LocalUser -Name $Username -ErrorAction SilentlyContinue
    if ($existingUser) {
        Write-Host "User '$Username' already exists." -ForegroundColor Yellow
        $addToGroup = Read-Host "Add existing user to Remote Desktop Users group? (Y/N)"
        if ($addToGroup -eq 'Y' -or $addToGroup -eq 'y') {
            Add-UserToRDPGroup -Username $Username
        }
        return
    }

    # Get full name if not provided
    if (-not $FullName) {
        $FullName = Read-Host "Enter full name (press Enter to skip)"
        if ([string]::IsNullOrWhiteSpace($FullName)) {
            $FullName = $Username
        }
    }

    # Get password securely
    Write-Host ""
    $Password = Read-Host "Enter password" -AsSecureString
    $ConfirmPassword = Read-Host "Confirm password" -AsSecureString

    # Convert to plain text only long enough to compare the two entries
    $BSTR1 = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    $BSTR2 = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($ConfirmPassword)
    try {
        $PlainPassword1 = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($BSTR1)
        $PlainPassword2 = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($BSTR2)
        # -ceq is case-sensitive; plain -eq/-ne would treat "Secret" and "secret" as equal
        $passwordsMatch = ($PlainPassword1 -ceq $PlainPassword2)
    }
    finally {
        # Zero and free the unmanaged copies, then drop the managed strings
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR1)
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR2)
        $PlainPassword1 = $null
        $PlainPassword2 = $null
    }
    if (-not $passwordsMatch) {
        Write-Host "Passwords do not match. Aborting." -ForegroundColor Red
        return
    }

    # Create the user
    Write-Host ""
    Write-Host "Creating user '$Username'..." -ForegroundColor Cyan
    try {
        $userParams = @{
            Name        = $Username
            Password    = $Password
            FullName    = $FullName
            Description = $Description
        }
        if ($PasswordNeverExpires) {
            $userParams.Add("PasswordNeverExpires", $true)
        }
        New-LocalUser @userParams -ErrorAction Stop
        Write-Host " User created successfully!" -ForegroundColor Green
    }
    catch {
        Write-Host " Failed to create user: $_" -ForegroundColor Red
        return
    }

    # Add to Remote Desktop Users group
    Add-UserToRDPGroup -Username $Username

    # Summary
    Write-Host ""
    Write-Host "========================================" -ForegroundColor Green
    Write-Host " User Setup Complete!" -ForegroundColor Green
    Write-Host "========================================" -ForegroundColor Green
    Write-Host ""
    Write-Host "Username: $Username"
    Write-Host "Full Name: $FullName"
    Write-Host "Groups: Remote Desktop Users"
    Write-Host ""
    Write-Host "The user can now connect via Remote Desktop." -ForegroundColor Cyan
}

# Adds an existing local user to the Remote Desktop Users group
function Add-UserToRDPGroup {
    param([string]$Username)
    Write-Host "Adding '$Username' to Remote Desktop Users group..." -ForegroundColor Cyan
    try {
        Add-LocalGroupMember -Group "Remote Desktop Users" -Member $Username -ErrorAction Stop
        Write-Host " Added to Remote Desktop Users group!" -ForegroundColor Green
    }
    catch {
        if ($_.Exception.Message -like "*already a member*") {
            Write-Host " User is already a member of Remote Desktop Users." -ForegroundColor Yellow
        }
        else {
            Write-Host " Failed to add to group: $_" -ForegroundColor Red
        }
    }
}

# Run the function
New-RDPUser
How to Use the Script
- Open Notepad and paste the script above
- Save as New-RDPUser.ps1
- Right-click PowerShell and select Run as Administrator
- Navigate to the script location and run it:
  cd C:\Scripts
  .\New-RDPUser.ps1
- Follow the prompts to enter username, full name, and password
Script Parameters (Optional)
You can also pass parameters directly:
# Create user with parameters
.\New-RDPUser.ps1 -Username "jsmith" -FullName "John Smith" -PasswordNeverExpires
# Create with description
.\New-RDPUser.ps1 -Username "contractor1" -Description "Temporary contractor access"
Manual Method: Step-by-Step
If you prefer to do this manually:
Step 1: Create the Local User
- Press Windows + R, type lusrmgr.msc, press Enter
- Click Users in the left panel
- Right-click in the right panel and select New User
- Enter the username, full name, and password
- Uncheck "User must change password at next logon" if desired
- Click Create
Step 2: Add User to Remote Desktop Users Group
- In the same window, click Groups in the left panel
- Double-click Remote Desktop Users
- Click Add
- Type the username and click Check Names
- Click OK twice to save
Alternative: Using Command Prompt
You can also use these simple commands:
REM Create a new local user
REM P@ssw0rd123 is a placeholder; put * in its place to be prompted for the password instead
net user newusername P@ssw0rd123 /add /fullname:"New User"
REM Add user to Remote Desktop Users group
net localgroup "Remote Desktop Users" newusername /add
REM Verify the user was added
net localgroup "Remote Desktop Users"
Quick PowerShell One-Liners
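# Create user and add to RDP group in two commands
# "P@ssw0rd123" is a placeholder; replace it, or use Read-Host -AsSecureString as the script above does
$Password = ConvertTo-SecureString "P@ssw0rd123" -AsPlainText -Force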
New-LocalUser -Name "rdpuser" -Password $Password -FullName "RDP User"
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "rdpuser"
# Verify the user is in the group
Get-LocalGroupMember -Group "Remote Desktop Users"
Enabling Remote Desktop on the Computer
Don't forget to enable Remote Desktop on the target computer:
- Open Settings -> System -> Remote Desktop
- Toggle Enable Remote Desktop to On
- Confirm when prompted
Or via PowerShell:
# Enable Remote Desktop
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
# Enable firewall rule
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
Security Best Practices
- Use strong passwords (12+ characters with mixed case, numbers, symbols)
- Enable Network Level Authentication (NLA) for additional security
- Consider using a VPN instead of exposing RDP directly to the internet
- Implement account lockout policies to prevent brute-force attacks
- Regularly audit who has Remote Desktop access
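An added example (not part of the original guide or its script) for the NLA and access-audit items above: a read-only check of whether RDP is enabled, whether NLA is required, and which accounts can log on through it. The function names Get-RdpListenerState and Get-RdpLogonPrincipal are names chosen here; the script assumes the UserAuthentication registry value and the well-known group SIDs, and includes Administrators because that group can log on over RDP by default.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of RDP exposure on this computer.
# Well-known SIDs are used so it also works where group names are localized.
$groups = @{
    'S-1-5-32-555' = 'Remote Desktop Users'
    'S-1-5-32-544' = 'Administrators'   # may log on over RDP by default
}
$ts  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
$tcp = Join-Path $ts 'WinStations\RDP-Tcp'

function Get-RdpListenerState {
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
    # UserAuthentication = 1 means NLA is required (a Group Policy setting, if configured, takes precedence)
    $nla  = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $fw   = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
    [pscustomobject]@{
        RdpEnabled       = ($deny -eq 0)
        NlaRequired      = ($nla -eq 1)
        FirewallProfiles = ($fw.Profile | Sort-Object -Unique) -join ', '
    }
}

function Get-RdpLogonPrincipal {
    foreach ($sid in $groups.Keys) {
        foreach ($m in (Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue)) {
            # Get-LocalUser only knows local accounts; domain members are listed without details
            $u = if ($m.PrincipalSource -eq 'Local' -and $m.ObjectClass -eq 'User') {
                Get-LocalUser -SID $m.SID
            }
            [pscustomobject]@{
                Via             = $groups[$sid]
                Name            = $m.Name
                Type            = $m.ObjectClass
                Enabled         = $u.Enabled
                PasswordExpires = $u.PasswordExpires
                LastLogon       = $u.LastLogon
            }
        }
    }
}

Get-RdpListenerState | Format-List
$principals = Get-RdpLogonPrincipal | Sort-Object Via, Name
$principals | Format-Table -AutoSize
# Worth a second look: enabled local accounts whose password never expires
$principals | Where-Object { $_.Enabled -and -not $_.PasswordExpires } |
    Select-Object Via, Name, LastLogon | Format-Table -AutoSize
```

Accounts created with the -PasswordNeverExpires switch from the script above appear in the last table, which makes it a quick way to find access that was meant to be temporary.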