
Net User Command – Manage Local Windows Users Accounts

While Windows offers an array of native command-line tools, the net command is one of the simplest. Net commands have been around since Windows NT and have stayed with Windows ever since.

The net command suite lets admins quickly manage various tasks from the command prompt and helps them automate tedious ones. Net commands are also heavily used by bad actors (living off the land), so knowing them doesn't just benefit your platform team; it helps your incident response team as well.

Although net commands have a broad reach, in this post we dive specifically into the top net commands for managing local accounts on Windows, with examples that show how these commands work.

For the full list of commands, check out Microsoft's documentation.

Creating, Modifying and Deleting Users using Net User Command

Net user is where we begin, and is the most well known. For those with engineering experience under their belt, this command is very familiar.

Creating A New User using Net User

Attackers look for these commands because the password is in plaintext. Remember to clear the command history after running this command, and understand that it is also recorded in the Windows Event Logs.

				
					net user [username] [password] /add
				
			

Viewing All Users

This command lists all users on the host. It is useful when you want to see how many, or which, user accounts are present on the host.

				
					net user
				
			

Viewing Specific User Details

Instead of listing all users, target a specific user. This allows you to see various information about the user, including group membership, password and usage details.

				
					net user [username]
				
			

Changing A User's Password

Here you can modify or reset the user's password. This can only be done by the user themselves or by those with admin rights.

				
					net user [username] [newpassword]
				
			

Enabling A User

This command enables the account, if currently disabled. This allows the account to be used on the host. 

				
					net user [username] /active:yes
				
			

Disabling A User

This disables the account so that it is no longer used on the host. 

				
					net user [username] /active:no
				
			

Setting Account Expiration

If you don't wish to manually disable an account, you can instead set a date on which it expires. This allows some form of automation, especially for temp accounts.

				
					net user [username] /expires:01/01/2024
				
			

Deleting A User

Once finished with the account, it's good practice to remove it completely. This avoids unexpected outcomes should it be re-enabled accidentally.

				
					net user [username] /delete
				
			


Managing Local Groups

Here we look at commands that interact with local groups.

Listing All Local Groups

This command allows you to view all current local groups on the host. In most cases, the admin would be aware of this output as the majority of default groups have been consistent throughout the years.

				
					net localgroup
				
			

Creating A Local Group

If you don’t want to use the default groups, create your own and start nesting. Managing access via a group is good practice.

				
					net localgroup [groupname] /add
				
			

Adding A Member To A Group

This command allows you to manage group membership and add users to the group.

				
					net localgroup [groupname] [username] /add
				
			

Listing Group Membership

This command allows you to view the current membership of a group.

				
					net localgroup [groupname]
				
			

Removing Group Membership

This command removes the user from the group.

				
					net localgroup [groupname] [username] /delete
				
			

Deleting A Group

This command allows you to remove the group when no longer required. 

				
					net localgroup [groupname] /delete
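
Because the same net user and net localgroup commands show up in attacker activity, an incident response team can flag them in recorded process command lines. The following Python example is added here and is not part of the original article: it classifies account and group changes and redacts any plaintext password before reporting. The sample command lines, the account name svc_temp and the choice of Administrators as a sensitive group are constructed assumptions.

```python
import re

NET_IMAGE = re.compile(r"(?:^|[\\/])net1?(?:\.exe)?$", re.IGNORECASE)  # net.exe or net1.exe
SENSITIVE_GROUPS = {"administrators"}  # assumption: groups this example treats as sensitive

def classify(cmdline):
    """Return a finding for a net user / net localgroup change, or None."""
    argv = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if len(argv) < 3 or not NET_IMAGE.search(argv[0]):
        return None
    verb = argv[1].lower()
    switches = {a.lower() for a in argv[2:] if a.startswith("/")} - {"/domain"}
    pos = [i for i in range(2, len(argv)) if not argv[i].startswith("/")]
    if verb not in ("user", "localgroup") or not pos:
        return None  # bare "net user" / "net localgroup" only list entries
    names = [argv[i] for i in pos]
    has_pw = verb == "user" and len(names) > 1 and names[1] != "*"  # "*" = prompt
    if "/add" in switches:
        action = "add"
    elif "/delete" in switches:
        action = "delete"
    elif has_pw:
        action = "password_set"
    elif switches and verb == "user":
        action = "modify"  # /active, /expires and similar
    else:
        return None  # read-only query such as "net user [username]"
    members = names[1:] if verb == "localgroup" else []
    if has_pw:
        argv[pos[1]] = "<redacted>"  # never copy the secret into an alert
    return {
        "verb": verb, "action": action, "target": names[0], "members": members,
        "plaintext_password": has_pw,
        "sensitive": bool(members) and names[0].lower() in SENSITIVE_GROUPS,
        "cmdline": " ".join(argv),
    }

# Constructed sample command lines, shaped like a process-creation audit record's command-line field.
SAMPLE = [
    r'"C:\Windows\System32\net.exe" user svc_temp Winter2024! /add',
    r"net1 user svc_temp * /add",
    r"net localgroup Administrators svc_temp /add",
    r"net user svc_temp /expires:01/01/2024",
    r"net user svc_temp",
    r"ping 10.0.0.1",
]

def scan(lines):
    return [f for f in map(classify, lines) if f]
```

Calling scan(SAMPLE) returns four findings; the read-only query and the unrelated ping command are ignored.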
				
			

Managing Local User Accounts Policies

Here we look at commands that tailor account policies for your local users. 

Displaying Local Account Policies

This command shows you what your current account policies are and what is being applied. 

				
					net accounts
				
			

Set The Minimum Password Length

This allows you to enforce stronger passwords. Most security frameworks highlight the importance of length in deterring brute-force or password-cracking attacks.

				
					net accounts /minpwlen:14
				
			

Set The Maximum Password Age

This command sets the maximum password age. In this example, once 30 days have passed, the user is required to change their password.

				
					net accounts /maxpwage:30
				
			

Set The Minimum Password Age

This command sets the minimum password age to 2 days, meaning the user must wait 2 days before they are allowed to change their password.

				
					net accounts /minpwage:2
				
			

Set The Uniqueness Requirement

This command sets the uniqueness requirement of the password. The system remembers the last X passwords and prevents the user from reusing them.

				
					net accounts /uniquepw:5
				
			

Set The Lockout Threshold

This command sets the lockout threshold to X. This means that if the user's password is entered incorrectly X times, their account is locked out. An admin must then unlock the account before it can be used again, or the user must wait until the lockout duration has passed.

				
					net accounts /lockoutthreshold:3
				
			

Set The Lockout Duration

If you want to automate unlocking locked accounts, set the duration. Here the account is automatically unlocked once the duration is met. In the example below, it is 30 minutes.

				
					net accounts /lockoutduration:30
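
To check a host against the values used in the commands above, the output of net accounts can be parsed and compared with a baseline. This Python example is added here and is not part of the original article: it assumes English-language net accounts output, treats each value from the article as a minimum or maximum as noted in the comments, and uses a constructed sample of that output.

```python
import re

# Values from the article's net accounts examples. The direction of each
# comparison (at least / at most) is this example's assumption.
BASELINE = {
    "Minimum password length": ("/minpwlen", ">=", 14),
    "Maximum password age (days)": ("/maxpwage", "<=", 30),
    "Minimum password age (days)": ("/minpwage", ">=", 2),
    "Length of password history maintained": ("/uniquepw", ">=", 5),
    "Lockout threshold": ("/lockoutthreshold", "<=", 3),
    "Lockout duration (minutes)": ("/lockoutduration", ">=", 30),
}

def parse_net_accounts(text):
    """Map each printed label to an int, or None for Never/None/Unlimited."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?):\s+(\S.*?)\s*$", line)
        if m:
            value = m.group(2)
            policy[m.group(1)] = int(value) if value.isdigit() else None
    return policy

def audit(text):
    """Return (label, found, fix command) for each setting that misses the baseline."""
    policy = parse_net_accounts(text)
    gaps = []
    for label, (switch, op, want) in BASELINE.items():
        have = policy.get(label)
        # An unset value (None) always fails; 0 never satisfies an upper bound.
        ok = have is not None and (have >= want if op == ">=" else 0 < have <= want)
        if not ok:
            gaps.append((label, have, f"net accounts {switch}:{want}"))
    return gaps

# Constructed sample of net accounts output on a host with no hardening applied.
SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""
```

On a non-English Windows installation the labels are localized, so the BASELINE keys would need to match the local output.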
				
			


Net User Command – Manage Local Windows Users Accounts Conclusion

The arsenal of net commands in Windows provides a powerful, scriptable interface for managing local accounts and system configurations. These commands help admins manage their local accounts in a potentially automated fashion. While Windows engineers have many options for managing these accounts, such as PowerShell, the consistency and simplicity of net commands keep them high on the list.


Ashley Moran


I am a seasoned Security Engineer with several years of experience, primarily in the healthcare industry.
