How to use Net User command to Manage User Accounts

The command Net User allows you to manage your local and even your domain users from the command line. It’s mainly used to quickly add, delete or disable user accounts from the command line. But it can do more than just that. The tool can be used in both command prompt and PowerShell.

For managing domain users, I recommend using the PowerShell ActiveDirectory module. It comes with more options and allows you to filter, copy and search users and set or change all properties. But as mentioned, you can also perform basic tasks with the Net User command for domain users.

In this article, we are going to take a closer look at the Net User command. I will explain how you can add and remove accounts, change passwords, and more.

Net User Command

The Net User command is a command-line utility that you can run in any terminal on Windows. But to use it you will need to have Administrator permissions on the computer. Without it, you won’t be able to create new user accounts for example. Also, make sure that you open Windows PowerShell or Windows Terminal in Admin mode.

Note

If you get the error “System error 5 has occurred. Access is denied”, then you haven’t started the command prompt or PowerShell with administrator privileges.

The most important parameters of the Net User command are:

| Parameter | Description |
|---|---|
| <username> | Specify the username to the account you want to perform the action on |
| <password> | Set or change the password for the specified user account. Use * to get a prompt for the password. |
| /domain | Used for managing domain accounts |
| /add | Create a new user account |
| /delete | Delete a user account |
| /active | Enable or disable the user account. Options are yes or no. |
| /expire | Set the date when the account expires |
| /time | Specifies the times that a user is allowed to log in |
| /homedir | Set the home directory path of the user account. |

Net User Commands

List all users

When you enter the command Net User without any parameters, then it will list all user accounts on the computer. If you run the command on the Domain Controller, then it will list all domain accounts.

Net User

# Or you can also type
Net Users
[Screenshot: Net User results on Windows 11]
[Screenshot: Net User results on a domain controller]

In the first screenshot above you will see the results on a local computer; the second one shows all the users from the local domain.

When you specify the username you will see all the details of the user account:

# Get the user details for Zoe Tucker
net user ztucker
[Screenshot: Net User Details]

Net User Add Account

The Net User command can be used to create new user accounts on your computer and in your domain. To create a user account you will need to add the /add parameter and specify the username. A password is by default not required on a local computer. For domain accounts, however, you will need to specify the password as well.

# Create a new local user account with the login name lazyadmin
Net User /Add lazyadmin

For entering the password you have two options, you can type it in plain text in the command line or use the * which will show you a prompt to enter the password.

# Create a new domain user with username testusr and password passwd123
Net User /add /domain testusr passwd123

# Prompt for the password
Net User /add /domain testusr *
[Screenshot: Net User Add]

The new domain user is placed in the built-in OU “Users”.

When creating a user we can also specify login details, home directory path, etc of the user. I will explain each command later in the article. But to give you an idea of the possible options, we are going to create a user with the following details:

  • Username: testusr
  • Password: prompt
  • Full name: Test User
  • Password required: yes
  • Allowed to login between: Monday to Friday between 08:00 and 17:00
  • Home folder directory: \\lazyadmin.local\home\testusr
  • Script path: \\lazyadmin.local\netlogon\welcome.bat
Net User /add /domain testusr * /fullname:"Test User" /passwordreq:yes /time:M-F,08:00-17:00 /homedir:"\\lazyadmin.local\home\testusr" /scriptpath:"\\lazyadmin.local\netlogon\welcome.bat"

Net User Delete User Account

We can also use the command line tool to delete user accounts, both local and from the domain. For this, you will need to use the parameter /delete and enter the username. Important to note is that the command tool won’t ask for confirmation. So be careful when using the delete option.

# Delete the local user Lazyadmin
Net User /delete lazyadmin

# Delete a domain user
Net User /delete /domain testusr

Net User Change or Set Password

One of the common tasks for an IT Helpdesk is to reset a user’s password. Of course, you can reset the password in the Active Directory. But it’s also possible with the command Net User. Resetting passwords is not limited to domain accounts, you can also use this method for local computer accounts.

To reset a password you will need to specify the username and then either type in the password or type * after which you can securely type the password:

# Set the password for LazyAdmin to passwd123
Net User LazyAdmin passwd123

# Prompt for the new password
Net User LazyAdmin *

When it’s a domain user, then just add the /domain parameter. Make sure that the password meets the complexity requirements of the domain.

# Reset the password for the domain user testusr
Net User /domain testusr *

Enable or Disable User accounts

We can also use the command-line tool to enable and disable accounts. This is particularly useful when a user is locked out or when you quickly need to disable an account. To do this we are going to use the parameter /Active:yes|no.

The command can be used for local computer accounts as well as for domain accounts:

# Disable local account
Net User lazyadmin /active:no

# Disable domain user account
Net User testusr /Domain /Active:no

To enable an account, simply replace /Active:no with /Active:yes

Set Expire date for User Account

If you know the date that an employee leaves the organization then it’s a good idea to set the expiration date for the account. This way the account is automatically locked after the specified date. The date format depends on your region settings, but the options are:

  • MM/DD/YYYY
  • DD/MM/YYYY
  • mmm,dd,YYYY

Account expiration settings are not limited to a domain account; you can also set the expiration date on a local Windows 10 or 11 user account.

# Set expire date for local user
Net User lazyadmin /expires:21/09/2022

# Set expire date for domain user
Net User testusr /domain /expires:09/20/2022

Set login times for User Account

Some accounts are only allowed to be used between specific hours, office hours for example. We can specify these hours with the /time parameter. To specify the time we will need to enter the days and hours between which the account is allowed to log in.

You can use different notations for the days and hours (12-hour or 24-hour notation), and we can specify multiple time blocks by separating them with a semicolon (;).

# Allow login during office hours only
Net User lazyadmin /time:M-F,08:00-17:00

# Or in 12-hour notation
Net User lazyadmin /time:M-F,8am-5pm

# Specify multiple blocks
Net User lazyadmin /time:M,08:00-17:00;W,08:00-13:00;F,08:00-17:00

Net User Password settings

When you create a new account you can set a password for the account as well. But when it comes to passwords we have two other interesting parameters, passwordchg and passwordreq. The first determines if the user can change the password. This setting is really useful for kiosk accounts. The user can’t change the password when this is set to no.

# User lazyadmin can't change its password
net user lazyadmin /passwordchg:no

The parameter passwordreq is used to specify if a user account must have a password. If this is set to no, then the user can remove their password, making the device vulnerable.

net user lazyadmin /passwordreq:yes
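
To check these settings afterwards, the following added example (not part of the original article) parses the text printed by net user <username> and flags an enabled account that is allowed to have no password. The function names are hypothetical, the field labels assume an English-language Windows installation, and the sample output is constructed.

```powershell
# Added example: parse "net user <username>" text and flag weak account settings.
# Assumption: English field labels; other display languages print different labels.
function ConvertFrom-NetUser {
    param([string[]]$Lines)
    $fields = [ordered]@{}
    foreach ($line in $Lines) {
        # A label and its value are separated by a run of two or more spaces.
        # Lines without a value (empty fields, the status line) are skipped.
        if ($line -match '^(?<key>\S.*?)\s{2,}(?<value>\S.*)$') {
            $fields[$Matches['key']] = $Matches['value'].Trim()
        }
    }
    [pscustomobject]$fields
}

function Get-NetUserFinding {
    param([Parameter(Mandatory)]$Account)
    $active      = $Account.'Account active' -eq 'Yes'
    $pwdRequired = $Account.'Password required' -eq 'Yes'
    [pscustomobject]@{
        User             = $Account.'User name'
        Active           = $active
        PasswordRequired = $pwdRequired
        UserMayChange    = $Account.'User may change password' -eq 'Yes'
        Expires          = $Account.'Account expires'
        # Enabled account that is allowed to have no password (/passwordreq:no).
        Flagged          = $active -and -not $pwdRequired
    }
}

# Constructed sample of "net user lazyadmin" output, not captured from a real machine.
$sample = @'
User name                    lazyadmin
Full Name
Account active               Yes
Account expires              Never

Password required            No
User may change password     Yes
Logon hours allowed          All
The command completed successfully.
'@ -split '\r?\n'

Get-NetUserFinding -Account (ConvertFrom-NetUser -Lines $sample)

# Live use on the local machine:
# Get-NetUserFinding -Account (ConvertFrom-NetUser -Lines (net user lazyadmin))
```

For the sample, Flagged is True; after running net user lazyadmin /passwordreq:yes the same check on live output reports PasswordRequired as True.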

Home Directory Path

The last parameter that I want to mention is the home directory path. If you want to store the home directory of the user on a network share then you can set the path to the folder with the parameter /homedir. But make sure that the full path, including the user’s folder, exists.

# Set the home directory for testusr
net user testusr /homedir:"\\lazyadmin.local\home\testusr"

Wrapping Up

The Net User command is great when wanting to quickly enable or disable a user account or reset a password. Also, it’s great to manage local computer accounts on small networks. When working with domain accounts I prefer to use the Active Directory module in PowerShell.

I hope you found this article useful, if you have any questions, just drop a comment below.

11 thoughts on “How to use Net User command to Manage User Accounts”

  1. Hi Ruud,

    I have recently had major problems with a hacker. What happened? The hacker referred to my dormant account at Kraken. I had forgotten about it myself, but I still have all the details.
    He spoke of a refund. Over the years a fair amount had built up. In the end it turned out he was out to empty my bank account somewhat. That did not succeed.
    He is very angry. The result is that he changes the password of all my Google accounts. He does that in one go. On YouTube I also found how you have to do that. I have not applied it.
    He is still doing it. Very annoying. I don't have the feeling that Google has a good solution. In my opinion Google should put a stop to this possibility.
    I also don't feel like using “net user” every day to reset passwords.
    I gained a lot of experience myself at GE. They had a time-sharing system in Amstelveen. There I learned to debug, 25 years with assembler.
    But that is very different from Google and Microsoft.

    What do you think I can do to stop the hacker?
    For now I have started using my Yahoo account from 15 years ago again.

    • The only way to prevent someone from gaining access to your accounts is to use 2FA (multi-factor authentication). So reset your passwords everywhere once, use unique passwords for everything, and use 2FA everywhere, where possible.

      The Net User command is only for accounts on your own computer; that has nothing to do with Google etc.

  2. Your blog is super helpful!! Thank you so much for all the scripts / knowledge on powershell and other IT related stuff 🙂

  3. Quick question, what is DefaultAccount and WDAGUtilityAccount? How are they used and should they be password protected?

  4. “System error 5 has occurred. Access is denied”

    I get the error and I always run “net user /domain” in a non privileged window. 95% of the time it works fine but the other 5% I get that error. Running the CMD as admin when the error is occurring returns the same error so clearly admin isn’t the issue here.

  5. Hi Ruud,
    Interesting post as always. But, … yes there is a “but”, in 2022 all these legacy DOS commands could be easily replaced by the equivalent in PowerShell (Get-LocalUser, Set-LocalUser, New-LocalUser, Remove-LocalUser, Rename-LocalUser, … and many other cmdlets from the “Microsoft.PowerShell.LocalAccounts” module).

    Easier to use than DOS, cause it’s powershell. Easier to export cause it’s Object (cause Powershell), Easier to understand (cause it’s powershell and the syntax is normalized), …etc…

    Regards
