$userFlagLocked = 16 #bit value to check if user is locked (shouldn't be)
$userFlagDontExpirePwd = 65536 #bit value to check if user has not set password to expire (should be)
$userName = "user"
$userPwd = "password"

$hostname = hostname #server name
$user = [ADSI]"WinNT://$hostname/$userName, user" #travers to user
if ($user.Name) { #check if user exists on the server
    $userFlags = $user.UserFlags.Value #value of user flags to determine if user has expired pwd or is locked
    
    if (($userFlags -BAND $userFlagDontExpirePwd) -eq 0) {#check if password set to expire, if yes set to not expire
        $userFlags = $userFlags -BOR $userFlagDontExpirePwd
    }
    
    if (($userFlags -BAND $userFlagLocked) -ne 0) {#check if account is not locked, if yes unlock
        $userFlags = $userFlags -BXOR $userFlagLocked
    }
    $user.UserFlags = $userFlags
    $user.setInfo()

    #check if user is in local admin group
    $inLocalAdmins = net localgroup administrators | Where-Object {$_ -match "^$userName$"}
    if (-not $inLocalAdmins) {
        net localgroup administrators $userName /add
    }

    #set password
    net user $userName $userPwd
}
else {
    net user $userName $userPwd /fullname:"Fullname" /comment:"Description" /add /passwordchg:yes /y
    net localgroup Administrators $userName /add
}