This guide gives a high-level view of managing local users and groups in Windows from the command line, using net user and net localgroup.
Users in windows
A user account is a collection of settings Windows uses to hold your preferences. It is also what Windows uses to control which files and folders you can access, which tasks you are allowed to perform and which devices and resources you are allowed to use. User accounts are the only way to authenticate to a Windows device and to receive authorization to use it.
Any user account has the following characteristics:
- the username or account name
- a unique identifier
- the password
- a user account picture
- the user type
- the user group
For each user account Windows also generates a unique Security Identifier (SID). It is not displayed in the user interface, but it is what Windows uses internally to identify the account: access control lists, access tokens and the registry key that holds the user's profile and settings all refer to the SID, not the username, so renaming an account does not change its SID. A SID has a unique value of variable length and looks like this: S-1-5-21-1180699209-877415012-3182924384-500. The last component (the relative identifier, RID) identifies the account within the machine or domain; RID 500 is the built-in Administrator account.
SID meanings
S-1-5-32-544
In this example, the SID has the following components. The constants in parentheses are well-known identifier authority and RID values defined in Winnt.h:
- A revision level of 1
- An identifier-authority value of 5 (SECURITY_NT_AUTHORITY)
- A first subauthority value of 32 (SECURITY_BUILTIN_DOMAIN_RID)
- A second subauthority value of 544 (DOMAIN_ALIAS_RID_ADMINS)
https://docs.microsoft.com/es-es/windows/win32/secauthz/well-known-sids
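The breakdown above, done by a script rather than by hand. This is an added PowerShell example, not code from the original page: it splits a SID string into revision, identifier authority and subauthorities, and uses the .NET SecurityIdentifier type to resolve it to an account name. The table of identifier-authority names and the choice of sample SIDs are the example's own; resolution of a SID fails normally for accounts this machine does not know, so that case is handled.

```powershell
# Added example (not from the original page): take a SID string apart into the
# components listed above and resolve it to the account name it belongs to.
function Get-SidBreakdown {
    param([Parameter(Mandatory)][string]$Sid)

    $parts = $Sid -split '-'
    if ($parts[0] -ne 'S' -or $parts.Count -lt 4) { throw "Not a SID string: $Sid" }

    # Identifier-authority constants from Winnt.h (only the common ones here)
    $authorityNames = @{
        0 = 'SECURITY_NULL_SID_AUTHORITY'
        1 = 'SECURITY_WORLD_SID_AUTHORITY'
        2 = 'SECURITY_LOCAL_SID_AUTHORITY'
        3 = 'SECURITY_CREATOR_SID_AUTHORITY'
        5 = 'SECURITY_NT_AUTHORITY'
    }

    $authority = [int]$parts[2]
    $subs      = [uint32[]]$parts[3..($parts.Count - 1)]

    # SecurityIdentifier validates the string; Translate() resolves it through
    # the local LSA. Unknown SIDs throw IdentityNotMappedException, which is a
    # normal outcome for SIDs from other machines or domains.
    $sidObj = [System.Security.Principal.SecurityIdentifier]$Sid
    try {
        $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = '<not resolvable on this machine>'
    }

    [pscustomobject]@{
        Sid                 = $Sid
        Revision            = [int]$parts[1]
        IdentifierAuthority = $authority
        AuthorityName       = $authorityNames[$authority]
        SubAuthorities      = $subs
        # The last subauthority is the RID; for S-1-5-21-... SIDs the rest is
        # the machine/domain SID (AccountDomainSid is $null for other SIDs).
        RelativeId          = $subs[-1]
        DomainSid           = $sidObj.AccountDomainSid
        Account             = $account
    }
}

# Samples: the two SIDs from the text (BUILTIN\Administrators and the
# Administrator example, RID 500), the SYSTEM account, and whoever runs this.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
'S-1-5-32-544',
'S-1-5-21-1180699209-877415012-3182924384-500',
'S-1-5-18',
$me | ForEach-Object { Get-SidBreakdown $_ } | Format-List
```

S-1-5-32-544 resolves to BUILTIN\Administrators and S-1-5-18 to NT AUTHORITY\SYSTEM on any Windows machine; the S-1-5-21 example from the text resolves only on the machine that issued it, but its DomainSid and RelativeId are still extracted, which is what you need when you meet an unknown SID in an ACL or an event log.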
net user
1. Listing User accounts
net user = Net user is a command-line tool that lets administrators manage user accounts on Windows. It displays account information and creates, modifies and deletes accounts. Without arguments it lists the accounts in the local user database (the SAM).
- net user
2. Displaying help
- net user /help
3. Display the details of one user: password settings, the groups the user belongs to, etc.
- net user vk9-user
4. Add a new user (must be run from an elevated, administrator command prompt)
username = Is the name of the user account to add, delete, modify, or view.
password = Assigns or changes a password for the user’s account.
/ADD = Adds a user account to the user accounts database.
- net user vk9-test pass123 /ADD
- net user
- net user vk9-test
5. Create a user account without the password being echoed while you type it (it also keeps the password out of the command history)
* = Produces a prompt for the password.
- net user vk9-test * /ADD
6. Add user & information
/COMMENT:"text" = Provides a descriptive comment about the user's account.
/FULLNAME:"name" = The user's full name (rather than the username). Enclose the name in quotation marks.
/USERCOMMENT:"text" = Lets an administrator add or change the User Comment for the account.
- net user vk9-test pass123 /ADD /COMMENT:"Basic user account" /FULLNAME:"VK9 Security" /USERCOMMENT:"Do not delete"
- net user vk9-test
7. Allow or forbid the user to change their own password
/PASSWORDCHG:{YES | NO} Specifies whether users can change their own password. The default is YES.
- net user vk9-test /PASSWORDCHG:NO
- net user vk9-test
8. Set a temporary account
/EXPIRES:{date | NEVER} Causes the account to expire on the given date. NEVER sets no time limit on the account. The date is written as mm/dd/yy or dd/mm/yy depending on the system's country/region setting; separate the parts with slashes or commas and do not use spaces.
- net user vk9-test /EXPIRES:03/09/2020
- net user vk9-test
9. Set user home directory
/HOMEDIR:pathname Sets the path for the user’s home directory. The path must exist.
- net user vk9-test /HOMEDIR:C:\Users\Public
Common errors
1. Lack of privileges: "System error 5 has occurred. Access is denied." Adding, modifying or deleting accounts requires an elevated prompt (open CMD as administrator).
2. Using /DOMAIN on a computer that is not joined to a domain, or that cannot reach a domain controller.
Delete account
Local
Delete an existing user account
/DELETE Removes a user account from the user accounts database.
- net user
- net user vk9-test /DELETE
- net user
Domain
(/DOMAIN performs the operation on the domain the computer is joined to rather than on the local account database, so the computer must be a member of an Active Directory domain and able to reach a domain controller)
- net user vk9-test /DELETE /DOMAIN
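The net user steps above (create, describe, lock the password, set an expiry and home directory, verify, delete) as one script. This is an added PowerShell example, not code from the original page: it wraps net.exe in a small helper that checks the exit code, checks elevation up front (the first of the common errors), and prompts for the password so it never appears on the command line. The account name is hypothetical, and the expiry date format assumes an en-US system (mm/dd/yy).

```powershell
# Added example (not from the original page): the net user procedure as a
# script with the checks the "Common errors" section calls for.

# Error 1: net user /ADD, /DELETE and the modifying switches need elevation.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated prompt (right-click > Run as administrator).'
}

function Invoke-NetUser {
    # Runs "net user <args>" and turns a non-zero exit code into a terminating
    # error, so a failed step stops the script instead of being scrolled past.
    param([Parameter(ValueFromRemainingArguments)][string[]]$NetArgs)
    $out = & net.exe user @NetArgs
    if ($LASTEXITCODE -ne 0) {
        throw "net user $($NetArgs -join ' ') failed (exit code $LASTEXITCODE)"
    }
    $out
}

$user = 'vk9-test'   # hypothetical account name

# Step 5: prompt for the password instead of typing it on the command line.
$secure = Read-Host -Prompt "Password for $user" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# Steps 4 and 6: create the account with its descriptive fields. Each switch is
# passed as one argument; PowerShell quotes the ones that contain spaces.
Invoke-NetUser $user $plain /ADD '/COMMENT:Basic user account' '/FULLNAME:VK9 Security' '/USERCOMMENT:Do not delete'
$plain = $null   # drop the clear-text copy as soon as it has been used

# Step 7: the user may not change the password.
Invoke-NetUser $user /PASSWORDCHG:NO

# Step 8: temporary account, expiring in a week. net user parses the date
# according to the system locale; 'MM/dd/yy' assumes en-US.
$expires = (Get-Date).AddDays(7).ToString('MM/dd/yy')
Invoke-NetUser $user "/EXPIRES:$expires"

# Step 9: home directory (the path must already exist).
Invoke-NetUser $user /HOMEDIR:C:\Users\Public

# Step 3: read the settings back and show the lines we changed.
Invoke-NetUser $user |
    Select-String 'Full Name|Comment|Account expires|User may change password|Home directory|Local Group Memberships'

# Delete account (local): remove it again when the test is done.
Invoke-NetUser $user /DELETE
```

Passing the password through a variable rather than typing `net user vk9-test pass123 /ADD` keeps it out of the console history and out of any command-line logging (for example Sysmon or 4688 events with command-line auditing enabled), which is the practical reason to prefer step 5 over step 4.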
Groups in Windows
- Local groups – are the groups that exist on the Windows computer itself, in its local account database. They are defined locally and can be managed from the "Local Users and Groups" tool (lusrmgr.msc) or with net localgroup. These are the groups home users work with and the ones this article covers.
- Security groups – have a SID and can therefore be listed in security descriptors (ACLs) to grant or deny access and user rights. Security groups are used in Windows domains with Active Directory.
- Distribution groups – exist only to address e-mail to a set of users in an Active Directory domain; they cannot be used to grant permissions.
You can add a regular user to the Administrators group to give them more rights on the computer. Do this sparingly: a member of Administrators has complete and unrestricted access to the computer, so keep day-to-day accounts out of it and add only the accounts that actually need it.
net localgroup
Net localgroup command is used to manage local user groups on a computer. Administrators can add local/domain users to groups, delete users from groups, create new groups and delete existing groups.
1. Display help
/help = Displays help
- net localgroup /help
2. List existing groups
- net localgroup
Show a specific group, its details and members
- net localgroup Users
3. Create a new local group
/ADD = Adds a groupname or username to a local group.
- net localgroup vk9-group /ADD
- net localgroup vk9-group
4. Add an existing user to a group
- net localgroup vk9-group vk9-test /ADD
- net localgroup vk9-group
Extra
Add a domain user or group to a local group: qualify the name with the domain it comes from (DOMAIN\name)
- net localgroup <localgroup> <DOMAIN\group> /ADD
- net localgroup vk9-group WIN10VK9SECLAB\vk9-test /ADD
5. Add a comment to the group
/COMMENT:"text" = Adds a comment for a new or existing group.
- net localgroup vk9-group /COMMENT:"This is a test group"
- net localgroup vk9-group
Delete groups
1. To remove a user from existing group
/DELETE = Removes a groupname or username from a local group.
- net localgroup vk9-group
- net localgroup vk9-group vk9-test /DELETE
- net localgroup vk9-group
2. Delete an existing local group
- net localgroup vk9-group
- net localgroup vk9-group /DELETE
- net localgroup vk9-group
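The net localgroup steps above (create a group, add a member, set a comment, remove the member, delete the group) as one script, with the membership verified by parsing the command's output instead of reading it by eye. This is an added PowerShell example, not code from the original page; the group and user names are hypothetical, the user is assumed to exist already, and the parser assumes an English-language net.exe (it looks for the dashed separator and the "completed successfully" trailer). It also runs the same parser over Administrators to flag unexpected members, the least-privilege check the note about adding users to Administrators calls for; the expected-members list is an assumption for the example.

```powershell
# Added example (not from the original page): the net localgroup procedure as
# a script, plus a parser for "net localgroup <group>" output.
function Invoke-NetLocalGroup {
    # Runs "net localgroup <args>" and fails the script on a non-zero exit code.
    param([Parameter(ValueFromRemainingArguments)][string[]]$NetArgs)
    $out = & net.exe localgroup @NetArgs
    if ($LASTEXITCODE -ne 0) {
        throw "net localgroup $($NetArgs -join ' ') failed (exit code $LASTEXITCODE)"
    }
    $out
}

function Get-NetLocalGroupMember {
    # Returns the member names from "net localgroup <group>": everything after
    # the dashed separator line, up to the "completed successfully" trailer.
    # Assumes English net.exe output.
    param([Parameter(Mandatory)][string]$Group)
    $inList = $false
    foreach ($line in (Invoke-NetLocalGroup $Group)) {
        if ($line -match '^-{10,}$') { $inList = $true; continue }
        if ($inList -and $line.Trim() -ne '' -and $line -notmatch 'completed successfully') {
            $line.Trim()
        }
    }
}

$group = 'vk9-group'   # hypothetical group name
$user  = 'vk9-test'    # hypothetical, must already exist (see net user above)

# Steps 3-5: create the group, add the user, set the comment.
Invoke-NetLocalGroup $group /ADD
Invoke-NetLocalGroup $group $user /ADD
Invoke-NetLocalGroup $group '/COMMENT:This is a test group'

# Verify the membership instead of eyeballing the listing.
$members = @(Get-NetLocalGroupMember $group)
if ($members -notcontains $user) { throw "$user was not added to $group" }
"Members of ${group}: $($members -join ', ')"

# Least-privilege check on the group that matters: every member of
# Administrators has full control of the machine. Flag anyone not on the
# expected list (the list is an assumption for this example).
$expectedAdmins = @('Administrator')
$unexpected = @(Get-NetLocalGroupMember 'Administrators' |
                Where-Object { $expectedAdmins -notcontains $_ })
if ($unexpected.Count -gt 0) {
    "Unexpected members of Administrators: $($unexpected -join ', ')"
}

# Delete groups: remove the member first, then the group itself.
Invoke-NetLocalGroup $group $user /DELETE
Invoke-NetLocalGroup $group /DELETE
```

Domain members show up in the listing as DOMAIN\name, so the same parser covers the "Add a domain group to a local group" case; running the Administrators check on a schedule and alerting on its output is a cheap way to catch an account that was quietly added to the group.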