Help Center
14 DAY FREE TRIAL
Search Close Search
Search result for "aa"
View all results

No Search Results

14 DAY FREE TRIAL
  1. Help Center
  2. Managing Windows Devices
  3. Accounts

Category filter

Manage local user accounts of Windows devices enrolled in Hexnode UEM

Jump To

Learn how Hexnode UEM helps you manage local users on Windows devices.

Managing local user accounts on corporate assets enhances security by determining user access to devices. Organizations can easily create and maintain user accounts while having centralized control over them with Hexnode’s Local Accounts management for Windows devices. It provides a set of actions for managing user accounts like creating local accounts, syncing user accounts with the portal, unlocking a user account, changing user roles, resetting passwords, disabling/enabling/deleting user accounts, and more. Let’s understand in deeper about how to manage local user accounts on Windows devices with Hexnode UEM.

Note:


The device should have the latest version of the Hexnode UEM app installed.

How to remotely manage local users on Windows?

Hexnode UEM provides a range of remote management options for local users on Windows devices.

Sync Local Accounts

The first step to managing local users on your Windows devices is to execute the Sync Local Accounts action to sync all the accounts on the devices with Hexnode UEM.

  1. Log in to the Hexnode UEM console.
  2. Navigate to the Manage tab and click on the name of the Windows device whose local accounts you want to display.
  3. Click on Actions and choose Sync Local Accounts.
  4. Now click on the Local Accounts tab.

Here, you’ll find a list of all the active users on the Windows device, along with additional details such as:

  • Account name: Shows the username of the users.
  • Role: Indicates whether the user is an Administrator or a Standard user.
  • Account Type: Specifies whether the user is a local user or network user.
  • Status: Indicates whether the user is currently logged in or logged off.

To access inactive or deleted users, simply click on the ‘Show Inactive/Deleted Users’ button located at the bottom of the user accounts list.

List of all active/inactive local user accounts on a Windows device

Clicking on the name of a user will provide you further details, such as:

  • Full name: Displays the complete name of the user.
  • Account name: Displays the username of the user.
  • Account role: Specifies whether the user is an Admin user or a Standard user.
  • Description: Provides details about the created user account.
  • SID (Security Identifier): Represents a unique alphanumeric string assigned to the user account by the Windows operating system.
  • Home directory path: Indicates the location of the user’s home folder.
  • Locked account: Indicates whether the user account is currently locked due to multiple failed login attempts.
  • Password last changed on: Shows the date and time when the account password was last modified.
  • Password hint: Provides the hint for the user’s password.

    Note:


    The password hint should not contain the password.

  • Last successful login: Displays the date and time of the user’s last successful login.
  • Failed login attempts: Indicates the number of failed login attempts since the last successful login.
  • User can change password: Specifies whether the user has permission to change their account password.
  • Password never expires: Indicates whether the user’s password is set to expire or not.
  • Disable account: Indicates whether the user account is currently disabled or not.

Details of a local user account on Windows device

Create User Account

To effectively manage local users on Windows, you can also add more accounts to devices in addition to what already exists. Execute the Create User Account action from the Hexnode console to create new users.

Disclaimer:


Ensure that the new user’s password settings configured here do not conflict with the Windows Password policy. For instance, the options Password never expires, and User cannot change password may conflict with the maximum password age configured in the policy (if any), preventing the user from changing the password or accessing the account altogether. So, it is mandatory to verify the password policy already associated with the device before configuring the user account.

  1. Log in to your Hexnode portal.
  2. Navigate to Manage > Devices.
  3. Select the Windows device to which you want to add a new user.
  4. Click the Local Accounts tab and click the Create User Account icon.
  5. A dialog box opens up. Choose either of the following 2 options and configure various settings that follow.

    1. Choose a user from Hexnode” :

    • Domain
    • User
    • Account Name
    • Full Name
    • Description
    • Account Role
    • Password
    • Verify Password
      • User must change password at next login
      • Password never expires
      • User cannot change password
    • Password Hint
    • Disable Account

    2. Create a new user:

    • Account name
    • Full Name
    • Description
    • Account Role
    • Password
    • Verify Password
      • User must change password at next login
      • Password never expires
      • User cannot change password
    • Password Hint
    • Disable Account
  6. Click on Create to create a new user account.

Check out our detailed guide on creating user accounts
on Windows devices.

OR
  1. Navigate to Manage > Devices.
  2. Select the Windows device to which you want to add a new user.
  3. Click Actions > Create User Account.
  4. Configure various settings as mentioned above and click on Create to create a new user account.

Create a new local user account via the Actions tab on Windows

Force Log Out User

This action will force log out the user from their current active session.

  1. Navigate to Manage > Devices.
  2. Select the Windows device whose user account(s) you want to force log out.
  3. Click the Local Accounts tab.
  4. Click the Power button icon corresponding to the user that you want to force log out which is situated to the left of the horizontal three-button menu.
  5. Click Proceed in the confirmation dialog box.
  6. Click Confirm to force log out the user.

OR
  1. Navigate to Manage > Devices.
  2. Select the Windows device whose user account(s) you want to force log out.
  3. Click the Local Accounts tab.
  4. Click the name of the user that you want to force log out under the Local Accounts tab.
  5. Click the Actions button and choose the Force Log-Out User option.
  6. Click Proceed in the confirmation dialog box.
  7. Click Confirm to force log out the user.

To log out a local user forcefully on Windows devices, use the Force Log Out action

Unlock Account

This action aids you in unlocking user accounts that have been locked due to repeated failed password attempts.

  1. Navigate to Manage > Devices.
  2. Select the Windows device whose user account(s) you want to unlock.
  3. Click the Local Accounts tab.
  4. Click the name of the user that you want to unlock.
  5. Click Actions and choose the Unlock User Account option.
  6. Click Proceed in the confirmation dialog box.
  7. Click Confirm to unlock the user.

OR
  1. Navigate to Manage > Devices.
  2. Select the Windows device whose user account(s) you want to unlock.
  3. Click the Local Accounts tab.
  4. Click the horizontal three-dot menu corresponding to the respective user.
  5. Click the Unlock User Account option from the drop-down menu.
  6. Click Proceed in the confirmation dialog box.
  7. Click Confirm to unlock the user.

Unlock a local user account via Unlock User action on Windows devices

Change User Role

This action allows you to change the role of a user to either Administrator or Standard user.

  1. Navigate to Manage > Devices.
  2. Select the Windows device whose user account(s) role you want to change.
  3. Click the Local Accounts tab.
  4. Click on the name of the user for whom you want to change the role.
  5. Click Actions and choose the Change User Role option.
  6. In the Change User Account Role page, the new role to be assigned for the user will be mentioned. Additionally, you can configure whether the change in user role is temporary by enabling the Change role temporarily checkbox. Specify the duration for the temporary role change next to the Change role for option. Choose 30 minutes, 1 hour, 2 hours, 4 hours, or 12 hours. Click on Proceed.
  7. Click Confirm to change the user role.

OR
  1. Navigate to Manage > Devices.
  2. Select the Windows device whose user account(s) role you want to change.
  3. Click the Local Accounts tab.
  4. Click the horizontal three-dot menu corresponding to the respective user.
  5. Click the Change User Role option.
  6. In the Change User Account Role page, the new role to be assigned for the user will be mentioned. Additionally, you can configure whether the change in user role is temporary by enabling the Change role temporarily checkbox. Specify the duration for the temporary role change next to the Change role for option. Choose 30 minutes, 1 hour, 2 hours, 4 hours, or 12 hours. Click on Proceed.
  7. Click Confirm to change the user role.
    8. Note:


    The changes will be applied upon the subsequent user login.

Change the role of a local user account using Change User Role action on Windows device

Change Password

This action allows you to change the user’s password.

  1. Navigate to Manage > Devices.
  2. Select the Windows device whose user account(s) password you want to change.
  3. Click the Local Accounts tab.
  4. Click the name of the user to which you want to change the password.
  5. Click Actions and choose the Change Password option.
  6. Type in your new password, then re-enter the password for verification, and provide a password hint. There are three checkboxes under Verify Password:
    • User must change password at next logon.
    • Password never expires.
    • User cannot change the password.

      Check the appropriate boxes accordingly, and then click Proceed.

  7. Click Confirm to change the password of the user.

OR
  1. Navigate to Manage > Devices.
  2. Select the Windows device whose user account(s) password you want to change.
  3. Click the Local Accounts tab.
  4. Click the horizontal three-dot menu corresponding to the respective user.
  5. Choose the Change Password option from the drop-down menu.
  6. Type in your new password, then re-enter the password for verification, and provide a password hint. There are three checkboxes under Verify Password:
    • User must change password at next logon.
    • Password never expires.
    • User cannot change the password.

      Check the appropriate boxes accordingly, and then click Proceed.

  7. Click Confirm to change the password of the user.

With the Change Password action, the password for a local user account can be updated on Windows devices

Note:


When setting a password with special characters, it is recommended to exclude characters like ¡, ™, £, ¢, ∞, §, ¶, •, ª, º, –, ≠, «, ‘, “, æ, …, ÷, ≥, ≤.

Disable Account

This action allows you to temporarily restrict a user’s access to the device.

  1. Navigate to Manage > Devices.
  2. Select the Windows device whose user account(s) you want to disable.
  3. Click the Local Accounts tab.
  4. Click on the name of the user that you want to disable.
  5. Click Actions and choose the Disable User option.
  6. Click Proceed in the confirmation dialog box.
  7. Click Confirm to disable the user.

OR
  1. Navigate to Manage > Devices.
  2. Select the Windows device whose user account(s) you want to disable.
  3. Click the Local Accounts tab.
  4. Click the horizontal three-dot menu corresponding to the respective user.
  5. Click the Disable User option from the drop-down menu.
  6. Click Proceed in the confirmation dialog box.
  7. Click Confirm to disable the user.

Disable a local user account using Disable User action on Windows devices

An IT Admin must enable a disabled user from the portal for them to access their device.

Enable Account

This action allows you to enable a user account that was previously disabled using the Disable User action.

  1. Navigate to Manage > Devices.
  2. Select the Windows device whose user account(s) you want to enable.
  3. Click the Local Accounts tab.
  4. Click on the name of the user that you want to enable.
  5. Click Actions and choose the Enable User option.
  6. Click Proceed in the confirmation dialog box.
  7. Click Confirm to enable the user.

OR
  1. Navigate to Manage > Devices.
  2. Select the Windows device whose user account(s) you want to enable.
  3. Click the Local Accounts tab.
  4. Click the horizontal three-dot menu corresponding to the respective user.
  5. Click the Enable User option from the drop-down menu.
  6. Click Proceed in the confirmation dialog box.
  7. Click Confirm to enable the user.

Enable a user account using Enable User action on Windows devices

Delete Account

This action allows you to delete a user from the device.

Note:


The user should be logged out before the action can be executed.

  1. Navigate to Manage > Devices.
  2. Select the Windows device whose user account(s) you want to delete.
  3. Click the Local Accounts tab.
  4. Click on the name of the user that you want to delete.
  5. Click Actions and choose the Delete User option.
  6. Click Proceed in the confirmation dialog box.
  7. Click Confirm to delete the user.

OR
  1. Navigate to Manage > Devices.
  2. Select the Windows device whose user account(s) you want to delete.
  3. Click the Local Accounts tab.
  4. Click the horizontal three-dot menu corresponding to the respective user.
  5. Click the Delete User option from the drop-down menu.
  6. Click Proceed in the confirmation dialog box.
  7. Click Confirm to delete the user.

Delete a user account using Delete User action Windows devices

Report of Local Accounts on Windows devices

Hexnode allows you to retrieve a detailed report outlining all user accounts across various Windows and macOS devices enrolled in Hexnode UEM. The report provides insights into session types, session details, sync dates, login and logout times, session durations, and more for each local user account on your Windows device. To access this report, simply navigate to Reports > Device Reports > Local Accounts.

Generating local accounts reports will help you manage local users on Windows devices

Frequently Asked Questions (FAQs)

1. Can administrators manage or reset the password of a user who logs in with a Microsoft Account?

No. Hexnode UEM exclusively manages Local Accounts for credential reset operations. Microsoft Accounts (MSA) relies on cloud-based authentication, and the Windows operating system delegates the management of these credentials to the cloud service. While Hexnode identifies Microsoft Accounts present on the device, remote actions such as “Change Password” will fail for these account types

2. Why does the “Delete User” action fail even when the user is not currently logged in?

Windows often keeps a “Background Session” or a “Locked” state active even after a user clicks ‘Sign Out’ if certain apps or services (like OneDrive or Windows Update) are still syncing. For a successful deletion, ensure the device has been restarted recently.

3. Can two local accounts be created with the same “Full Name”?

Yes, but the “Account Name” (the username used for login) must be unique. Windows uses the Account Name as the identifier for the directory structure (e.g., C:\Users\AccountName). Hexnode will prevent you from creating a duplicate Account Name to avoid system errors.

Troubleshooting

1. “Create User Account” action shows “Success”, but the user isn’t on the login screen.

Probable Cause:

The “Disable Account” option was checked during the user creation.

Solution:

Click the “Enable User” option either from the Actions menu by clicking on the name of the user or selecting it from the drop-down menu by clicking on the horizontal three-dot menu corresponding to that user.

2. “Sync Local Accounts” action does not help with showing up a newly created user on the device.

Probable Cause:

Local account discovery depends on the Hexnode Agent acting as a bridge to the Windows Accounts CSP (Configuration Service Provider). If the agent is outdated, it may lack the necessary instructions to query the Windows operating system for its local user list.

Solution:

Ensure that both the Hexnode UEM app and the Hexnode Service (Agent) app are updated to the latest versions on the device.

Best Practices

  • Use Temporary Elevation: Instead of permanently granting a user Administrator rights, use the Change User Role action with the “Change role temporarily” option. This limits the window of risk and automatically restores the device to a secure state after the task is finished.
  • Verify Password Complexity: Before resetting a password, check out any active Windows Password policies associated with the device. If the new password does not meet the length or complexity requirements of that policy, the “Change Password” action will fail at the device level.
  • Sync Before Deletion: Always execute the Sync Local Accounts action before deleting a user. This ensures the portal is targeting the correct user account.
Need more help?
Image of Raise a Ticket Raise a Ticket
Image of Ask Community Ask Community
Image of Chat With us Chat With us
Managing Windows Devices