Net User Command – Manage Local Windows Users Accounts
While Windows offers an array of native command lines and tools, the net command is one of the simplest. Net commands have been around since Windows NT and have stayed with Windows ever since.
The net command suite allows admins to quickly manage various tasks from the command prompt and helps them automate tedious tasks. Net commands are also heavily used by bad actors (living off the land), so knowing them doesn’t just benefit your platform team; it helps your incident response team as well.
Although net commands have a broad reach, in this post we dive specifically into the top net commands for managing local accounts on Windows, illustrating various examples to show how these commands work.
For the full list of commands, check out Microsoft’s documentation.
Creating, Modifying and Deleting Users using Net User Command
Net user is where we begin, and it is the most well-known command. For those with engineering experience under their belt, this command is very familiar.
Creating A New User using Net User
Attackers look for these commands because the password appears in plaintext. Remember to clear the command history after running this command, and understand that it is also recorded in the Windows Event Logs.
net user [username] [password] /add
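An added example (not from the original post), in Python: given command lines exported from process-creation logs, it finds net user invocations, classifies them, and redacts any password that was typed on the command line. The sample lines, account names, passwords and helper names are constructed for illustration.

```python
import re

# net / net.exe / net1 / net1.exe (optionally quoted or with a path) + "user"
NET_USER = re.compile(r'(?i)(?:^|[\\/\s"])net1?(?:\.exe)?"?\s+users?(?:\s+(.*))?$')
TOKEN = re.compile(r'"[^"]*"|\S+')

def inspect_net_user(cmdline):
    """Describe a `net user` command line, or return None for anything else."""
    m = NET_USER.search(cmdline)
    if not m:
        return None
    toks = list(TOKEN.finditer(m.group(1) or ""))
    switches = {t.group().lower().split(":")[0] for t in toks if t.group().startswith("/")}
    positional = [t for t in toks if not t.group().startswith("/")]
    user = positional[0].group().strip('"') if positional else None
    pw = positional[1] if len(positional) > 1 else None
    # "*" makes net prompt for the password, so nothing secret is on the line
    exposed = pw is not None and pw.group() != "*"
    redacted = cmdline
    if exposed:
        start = m.start(1) + pw.start()
        redacted = cmdline[:start] + "<redacted>" + cmdline[start + len(pw.group()):]
    if "/add" in switches:
        action = "create"
    elif "/delete" in switches:
        action = "delete"
    elif pw is not None:
        action = "password-change"
    else:
        action = "modify" if switches else "view"
    return {"user": user, "action": action,
            "password_exposed": exposed, "redacted": redacted}

def exposed_passwords(cmdlines):
    """Return findings for lines that put a password on the command line."""
    hits = (inspect_net_user(c) for c in cmdlines)
    return [h for h in hits if h and h["password_exposed"]]

# Constructed sample command lines (not real log data)
SAMPLE = [
    r'net user svc_temp Winter2024! /add',
    r'"C:\Windows\System32\net.exe" user helpdesk * /add',
    r'net1 user svc_temp N3wPass!',
    r'net user svc_temp /active:no',
    r'net localgroup Administrators svc_temp /add',
]

if __name__ == "__main__":
    for finding in exposed_passwords(SAMPLE):
        print(finding["action"], finding["user"], "->", finding["redacted"])
```

A password that itself begins with "/" would be read as a switch by this simple tokenizer, so treat the result as a triage aid rather than a complete parser.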
Viewing All Users
This command allows you to view all users on the host. This is useful when you want to see how many, or which, user accounts are present on the host.
net user
Viewing Specific User Details
Instead of listing all users, target a specific user. This allows you to see various information about the user, including group membership, password and usage details.
net user [username]
Changing A User’s Password
Here you can modify and reset the user’s password. This can only be done by the person themselves, or those with admin rights.
net user [username] [newpassword]
Enabling A User
This command enables the account, if currently disabled. This allows the account to be used on the host.
net user [username] /active:yes
Disabling A User
This disables the account so that it is no longer used on the host.
net user [username] /active:no
Setting Account Expiration
If you don’t wish to manually disable an account, you could instead set a date for it to expire. This allows some form of automation, especially for temp accounts.
net user [username] /expires:01/01/2024
Deleting A User
Once finished with the account, it’s good practice to remove it completely. This reduces unexpected outcomes should it be re-enabled accidentally.
net user [username] /delete
Managing Local Groups
Here we look at commands that interact with local groups.
Listing All Local Groups
This command allows you to view all current local groups on the host. In most cases, the admin would be aware of this output as the majority of default groups have been consistent throughout the years.
net localgroup
Creating A Local Group
If you don’t want to use the default groups, create your own and start nesting. Managing access via a group is good practice.
net localgroup [groupname] /add
Adding A Member To A Group
This command allows you to manage group membership and add users to the group.
net localgroup [groupname] [username] /add
Listing Group Membership
This command allows you to view the current membership of a group.
net localgroup [groupname]
Removing Group Membership
This command removes the user from the group.
net localgroup [groupname] [username] /delete
Deleting A Group
This command allows you to remove the group when no longer required.
net localgroup [groupname] /delete
Managing Local User Account Policies
Here we look at commands that tailor account policies for your local users.
Displaying Local Account Policies
This command shows you what your current account policies are and what is being applied.
net accounts
Set The Minimum Password Length
This allows you to enforce stronger passwords. Most security frameworks have highlighted the importance of length to deter brute force or password cracking attacks.
net accounts /minpwlen:14
Set The Maximum Password Age
This command sets the maximum password age. In this example, once 30 days have passed, the user is required to change their password.
net accounts /maxpwage:30
Set The Minimum Password Age
This command sets the minimum password age to 2 days, meaning the user must wait 2 days before they are allowed to change their password again.
net accounts /minpwage:2
Set The Uniqueness Requirement
This command sets the uniqueness requirement of the password. This means the system remembers the last X passwords and prevents the user from reusing them.
net accounts /uniquepw:5
Set The Lockout Threshold
This command sets the lockout threshold to X. This means that if the user’s password is entered incorrectly X times, their account is locked out. An admin must then unlock the account before it can be used again, or the user must wait until the lockout duration has passed.
net accounts /lockoutthreshold:3
Set The Lockout Duration
If you want to automate unlocking locked accounts, set the duration. Here the account is automatically unlocked once the duration is met. In the example below, it is 30 minutes.
net accounts /lockoutduration:30
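An added example (not from the original post), in Python: it parses captured net accounts output and lists the net accounts commands needed to reach a baseline. The baseline reuses this page's example values, the direction of each comparison is an assumption, and the sample output is constructed in the English-locale layout.

```python
import re

# Baseline = the example values used on this page; adjust to your own policy.
# label prefix -> (net accounts switch, target, check(value, target))
BASELINE = {
    "Minimum password length": ("/minpwlen", 14, lambda v, t: v >= t),
    "Maximum password age": ("/maxpwage", 30, lambda v, t: 0 < v <= t),
    "Minimum password age": ("/minpwage", 2, lambda v, t: v >= t),
    "Length of password history": ("/uniquepw", 5, lambda v, t: v >= t),
    "Lockout threshold": ("/lockoutthreshold", 3, lambda v, t: 0 < v <= t),
    "Lockout duration": ("/lockoutduration", 30, lambda v, t: v >= t),
}

def parse_net_accounts(text):
    """Map each 'Label: value' line to an int; Never/None/Unlimited become 0."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\??:\s+(\S+)\s*$", line)
        if m:
            raw = m.group(2)
            values[m.group(1).strip()] = int(raw) if raw.isdigit() else 0
    return values

def audit(text):
    """Return the net accounts commands needed to reach the baseline."""
    current = parse_net_accounts(text)
    fixes = []
    for prefix, (switch, target, ok) in BASELINE.items():
        found = [v for k, v in current.items() if k.startswith(prefix)]
        if not found or not ok(found[0], target):
            fixes.append(f"net accounts {switch}:{target}")
    return fixes

# Constructed sample of `net accounts` output (English locale assumed)
SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "Policy meets the baseline.")
```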
Net User Command – Manage Local Windows Users Accounts Conclusion
The arsenal of net commands in Windows provides a powerful, scriptable interface for managing local accounts and system configurations. These commands help admins manage their local accounts in a potentially automated fashion. While Windows engineers have many options for managing these accounts, such as PowerShell, the consistency and simplicity of net commands keep them high on the list.