Manage NT accounts using NET USER commandline utility


The net user command duplicates the full functionality
of User Manager for Domains with commandline syntax allowing for scripting. For
commandline types like me, it is extremely useful. Combined with AT or soon, it is a good way to
change all builtin administrator passwords, for example. The pattern is:

soon \\ntmachine cmd /c “net user administrator newpassword”

If you are logged on as domain admin, you could issue the command from the
commandline over and over and over or built it into a script and execute the
script:

soon \\ntmachine1 cmd /c “net user administrator
newpassword”
soon \\ntmachine1 cmd /c “net user administrator newpassword”


Modify slightly to automate a sweep through change in any passwords on
workstations, memberservers or domain controllers.

You should built in error checking and logging but this is the core of a
script to do the job and is based on soon and net user. If you don’t have the NT Resource Kit, you can use
AT instead of soon.

You can use the following command to get the last logon date/time for an
account and is the core of line for a script to get this information on any or
all accounts of interest:

net user accountyouwanttoquery /domain|find /i “last logon”

The output of the net help user follows:

The syntax of this command is:

net user [username [password | *] [options]] [/DOMAIN]
username {password | *} /ADD [options] [/DOMAIN]
username [/DELETE] [/DOMAIN]

NET USER creates and modifies user accounts on computers. When used
without switches, it lists the user accounts for the computer. The
user account information is stored in the user accounts database.

This command works only on servers.

username Is the name of the user account to add, delete, modify, or
view. The name of the user account can have as many as
20 characters.
password Assigns or changes a password for the user’s account.
A password must satisfy the minimum length set with the
/MINPWLEN option of the NET ACCOUNTS command. It can have as
many as 14 characters.
* Produces a prompt for the password. The password is not
displayed when you type it at a password prompt.
/DOMAIN Performs the operation on the primary domain controller of
the current domain.

This parameter applies only to Windows NT
Workstation computers that are members of
a Windows NT Server domain. By default,
Windows NT Server computers perform
operations on the primary domain controller.
/ADD Adds a user account to the user accounts database.
/DELETE Removes a user account from the user accounts database.

Options Are as follows:

Options Description
——————————————————————–
/ACTIVE:{YES | NO} Activates or deactivates the account. If
the account is not active, the user cannot
access the server. The default is YES.
/COMMENT:”text” Provides a descriptive comment about the
user’s account (maximum of 48 characters).
Enclose the text in quotation marks.
/COUNTRYCODE:nnn Uses the operating system country code to
implement the specified language files for a
user’s help and error messages. A value of
0 signifies the default country code.
/EXPIRES:{date | NEVER} Causes the account to expire if date is
set. NEVER sets no time limit on the
account. An expiration date is in the
form mm/dd/yy or dd/mm/yy, depending on the
country code. Months can be a number,
spelled out, or abbreviated with three
letters. Year can be two or four numbers.
Use slashes(/) (no spaces) to separate
parts of the date.
/FULLNAME:”name” Is a user’s full name (rather than a
username). Enclose the name in quotation
marks.
/HOMEDIR:pathname Sets the path for the user’s home directory.
The path must exist.
/PASSWORDCHG:{YES | NO} Specifies whether users can change their
own password. The default is YES.
/PASSWORDREQ:{YES | NO} Specifies whether a user account must have
a password. The default is YES.
/PROFILEPATH[:path] Sets a path for the user’s logon profile.
/SCRIPTPATH:pathname Is the location of the user’s logon
script.
/TIMES:{times | ALL} Is the logon hours. TIMES is expressed as
day[-day][,day[-day]],time[-time][,time
[-time]], limited to 1-hour increments.
Days can be spelled out or abbreviated.
Hours can be 12- or 24-hour notation. For
12-hour notation, use am, pm, a.m., or
p.m. ALL means a user can always log on,
and a blank value means a user can never
log on. Separate day and time entries with
a comma, and separate multiple day and time
entries with a semicolon.
/USERCOMMENT:”text” Lets an administrator add or change the User
Comment for the account.
/WORKSTATIONS:{computername[,…] | *}
Lists as many as eight computers from
which a user can log on to the network. If
/WORKSTATIONS has no list or if the list is *,
the user can log on from any computer.

NET HELP command | MORE displays Help one screen at a time.

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top