Chapter 11 - Managing user accounts
To use a Windows computer, you need a user account on that computer. Most home computers generally have one local account with administrative rights, and the user never gives it another thought. Windows computers that are part of a large business network are usually members of an Active Directory domain, with their user accounts stored on one of the domain's controllers. Active Directory is beyond the scope of this book, but in this chapter, we'll show you how to create and manage local accounts from the Command Prompt.
WHAT IS A USER ACCOUNT?
Before we begin, you should have a clear idea of what a user account is, and the difference between local user accounts and Active Directory user accounts.
To put it simply, a "user account" is a set of credentials that allow a user to log into a Windows computer system. "Credentials", in this context, is the term that computer security experts use to describe the pieces of information a user must present in order to access the computer. Most of the time, the credentials consist of two pieces of information - your username, and your password. However, you can have additional credentials, as well - more secure computer systems might require you to present a username, a password, and a smart card, or a USB flash drive with an encryption key stored upon it. Advanced systems can even require biometric credentials - your fingerprints, for instance. The vast majority of home computers are not so secure, and usually require only a username and a password (and some home computers are configured not even to require a password, which is always a bad idea).
There are two kinds of user accounts you will encounter in a Windows system - local user accounts, and Active Directory domain user accounts. Local user accounts are stored on one specific Windows computer, and work only on that particular Windows system. If you have a computer named System1, and a user account called camalas on that computer, then the camalas account will only work on System1. If you tried to use the camalas user account on another computer named System2, it would not work. You could set up an identically named local account on that computer named camalas, but it would not be the same account. Local accounts work fine for individual computers, or for computers on smaller networks, but managing local user accounts on a large network of hundreds or thousands of computers quickly becomes impractical.
This is where Active Directory user accounts come in. In Active Directory, individual Windows computers are joined to the Active Directory domain. Each Active Directory domain controller stores a database of user accounts, and a user can log into any domain computer using his Active Directory account. The local accounts still exist on the domain member computers - most organizations leave a local administrator account in case of technical trouble, and perhaps a restricted local account for guest users.
In this chapter we'll focus on managing local accounts from the Command Prompt.
FINDING USER ACCOUNTS
The first step in managing local user accounts is to know what accounts you actually have on your system. As with managing file shares, you can accomplish this with the NET command. This time, we'll be using the NET USER variation of the NET command. To find out the names of all the local accounts on your Windows system, issue the NET USER command without any arguments or switches:
NET USER
The output should look something like this:
User accounts for \\SYSTEMNAME
------------------------------------------------------------------
Administrator Guest camalas
The command completed successfully.
In this example, NET USER is listing all the local accounts for the \\SYSTEMNAME Windows system. You can see that the computer has three accounts - the built-in Administrator account (which is disabled by default in Windows Vista and Windows 7), the built-in Guest account (also disabled by default), and the camalas account.
DISPLAYING INFORMATION ABOUT A SPECIFIC USER ACCOUNT
NET USER without any options lists the accounts on a system, but provides no other information about them. To get specific information about an individual local account, use the NET USER command with the name of the account. For instance, to find out specific information about the camalas account, use this command:
NET USER CAMALAS
If the account name has a space in it (as local accounts on a home computer often do), you'll need to enclose the account name in quotation marks:
NET USER "CAINA AMALAS"
Regardless of the account name, the output should look like this:
User name Caina Amalas
Full Name
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 4/20/2010 8:00:30 PM
Password expires Never
Password changeable 4/20/2010 8:00:30 PM
Password required No
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 9/10/2011 12:32:42 PM
Logon hours allowed All
Local Group Memberships *Administrators *Debugger Users
Global Group memberships *None
There's quite a bit of information here, but we'll go over the more important bits.
"User name", obviously, is the actual user name, the name of the account. "Full name" is often blank, but it's sometimes used if the username is a truncated version of the user's full name - a username of "camalas" with a full name of "Caina Amalas", for example. "Account active" indicates whether or not the account is disabled, and "account expires" indicates when the account is going to expire - user accounts can be configured to expire on a certain date (for a temporary employee, for instance).
The section of information dealing with the password is important. It shows when the password was last set, when it expires, and whether or not the user can change his password. It is possible to set a password policy forcing users to change their passwords after a set period of time. You can see the date of the password's expiration in NET USER's output, as well.
"Last logon", as the name indicates, shows the last time the user account logged into the computer. "Logon hours allowed" displays the hours when the account can log into the computer. This is useful if you want to restrict the times a user can use his account - a work employee can log in only during business hours. Or if you have children, you can restrict the hours they can use the family computer.
Finally, the "Local Group Memberships" field shows the local groups to which the user account belongs. If you want a user to have administrative rights, the account needs to be a member of the Administrators user group.
ADDING A USER ACCOUNT
NET USER can be used to view information about accounts already on your Windows system, but you can also employ it to add additional accounts. The basic format is to use NET USER with the /ADD switch and the account name. So to add a user account named camalas to your system, you would use this command:
NET USER CAMALAS /ADD
This command will add a user account of camalas to your computer. Note that an account name can only have a maximum of twenty characters.
However, you can also use NET USER and /ADD in conjunction with other command switches. You can set the password for the camalas account right away by giving it after the account name, and the /PASSWORDREQ:YES switch requires that the account always have a password. To create the camalas account with a password of Cymr!Yy29 (note that passwords, unlike the rest of the Command Prompt, are case sensitive):
NET USER CAMALAS Cymr!Yy29 /ADD /PASSWORDREQ:YES
You can also set a full name for the account right away by using the /FULLNAME switch:
NET USER CAMALAS /ADD /FULLNAME:"Caina Amalas"
RESTRICTING USER ACCOUNTS
Now that you know how to add user accounts, you may need to restrict the times at which users can log into the system. You can do this by using NET USER with the /TIMES switch (the days and hours are given as a single argument, with no space after the comma). For example, to set the camalas account so that it can only log into the system on Mondays through Fridays from 6 AM to 6 PM:
NET USER CAMALAS /TIMES:M-F,06:00-18:00
This allows camalas to log into the computer only from 6 AM until 6 PM on Mondays through Fridays; logons at any other time are refused.
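The following batch script is an added example (not from the book) that combines the adding and restricting steps above: it creates a temporary local account with a required password and a full name, limits it to business hours, and then checks the result in the same NET USER output the chapter walks through. The account name, full name and password are constructed values; run it from an elevated Command Prompt.

```batch
@echo off
REM Added example: provision a restricted temporary local account
REM with NET USER, then verify the settings. Names and password below
REM are constructed placeholders, not values from the book.
setlocal

set "ACCOUNT=tempuser"
set "FULLNAME=Temporary Contractor"
set "PASSWORD=Cymr!Yy29"

REM Refuse to continue if an account with this name already exists
REM (NET USER returns a non-zero exit code when the name is not found).
net user "%ACCOUNT%" >nul 2>&1
if not errorlevel 1 (
    echo Account %ACCOUNT% already exists - nothing done.
    exit /b 1
)

REM Create the account with a password, require one, and set the full name.
net user "%ACCOUNT%" "%PASSWORD%" /ADD /PASSWORDREQ:YES /FULLNAME:"%FULLNAME%" || exit /b 1

REM Restrict logon to Monday through Friday, 6 AM to 6 PM.
net user "%ACCOUNT%" /TIMES:M-F,06:00-18:00 || exit /b 1

REM Verify the three fields that matter from NET USER's report.
echo.
echo Verification for %ACCOUNT%:
net user "%ACCOUNT%" | findstr /B /C:"Account active" /C:"Password required" /C:"Logon hours allowed"
endlocal
```

The password is embedded only so the example is self-contained; when typing the command by hand, giving * in place of the password makes NET USER prompt for it without echoing it to the screen.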
DISABLING USER ACCOUNTS
You might find it necessary from time to time to disable a user account. Usually, this happens when an employee is fired unexpectedly, and you need to lock his account to prevent him from accessing sensitive information. Or, if you are a parent, and your child misbehaves, you can punish him by locking his account on the family computer. Disabling a user account deactivates it without deleting it entirely - the account is still there, but locked, and cannot be used to access the computer. To lock the camalas user account from the command line, use this command:
NET USER CAMALAS /ACTIVE:NO
This will disable the camalas user account. To reactivate it, use the same command, but change the /ACTIVE switch from NO to YES:
NET USER CAMALAS /ACTIVE:YES
This will reactivate the account.
DELETING USER ACCOUNTS
Disabling user accounts is a useful ability, but if you have no further need of an account, there's no reason to keep it on your computer. Furthermore, an unused account represents a security risk - if an attacker were to guess the password, he would have access to the account. And if the compromised account is an administrative account, he would have complete access to all of your computer's files and settings.
It is generally best to disable accounts rather than delete them entirely - there's always a chance you might need the account in the future, after all, and disabling an account is almost as secure as deleting it entirely. However, if you're absolutely certain you have no further need of an account, you can delete it using the NET USER command with the /DELETE switch. To delete the camalas account from our previous examples, you would use this command:
NET USER CAMALAS /DELETE
This will delete the camalas user account. Note that the account is gone forever - if you need to bring it back, you will have to create a new account with the same name.
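As an added example (not from the book), the batch script below audits every local account for the two risks this chapter describes: enabled accounts that do not require a password, and enabled accounts that are members of Administrators. It assumes WMIC is available (as it is on the Windows versions the chapter covers) and is used only to obtain a clean list of local account names, since the bare NET USER listing is column-formatted and awkward to parse; run it from an elevated Command Prompt.

```batch
@echo off
REM Added example: audit local accounts using NET USER <name> output.
REM Assumes WMIC is present for the account list; run elevated.
setlocal

echo Local account audit on %COMPUTERNAME%
echo.

REM WMIC ends each line with an extra carriage return; the inner FOR strips it.
for /f "delims=" %%L in ('wmic useraccount where "LocalAccount=True" get Name /format:list ^| findstr /B "Name="') do (
    for /f "tokens=1* delims==" %%A in ("%%L") do call :check "%%B"
)
endlocal
exit /b 0

:check
set "NAME=%~1"
set "ACTIVE=?"
set "PWREQ=?"
set "ADMIN=No"

REM Pull the "Account active" and "Password required" fields from NET USER <name>.
for /f "tokens=1,2*" %%X in ('net user "%NAME%" ^| findstr /B /C:"Account active" /C:"Password required"') do (
    if /i "%%X %%Y"=="Account active" set "ACTIVE=%%Z"
    if /i "%%X %%Y"=="Password required" set "PWREQ=%%Z"
)
REM Group membership can wrap onto several lines, so search the whole output.
net user "%NAME%" | findstr /L /C:"*Administrators" >nul && set "ADMIN=Yes"

echo %NAME%: active=%ACTIVE% password_required=%PWREQ% administrator=%ADMIN%
if /i "%ACTIVE%"=="Yes" if /i "%PWREQ%"=="No" echo   RISK: enabled account with no password required
if /i "%ACTIVE%"=="Yes" if /i "%ADMIN%"=="Yes" echo   NOTE: enabled administrative account - disable it with /ACTIVE:NO if unused
exit /b 0
```

The field labels are matched as printed by an English-language Windows, so on a localized system the three findstr strings must be adjusted to the local labels.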