Modify
User Accounts
net user [UserName] [password] /add
Add new user (use * for password for secure prompt)
New-LocalUser "UserName"
Add new user
net user [UserName] /delete
Delete user
Remove-LocalUser "UserName"
Delete user
net user [UserName] [Password]
Change password
Set-LocalUser -Name "UserName" -Password (Read-Host "New password" -AsSecureString)
Change password
net user UserName /active:yes
Activate user account
Enable-LocalUser "UserName"
Activate user account
net user [UserName] /active:no
Disable user account
Disable-LocalUser "UserName"
Disable user account
net user moe /comment:"comment"
Add comment
net user [UserName] /times:[Day],[TIME]
Set logon times for users. Day=M,T,W,Th,F,Sa,Su; Time=3PM-11PM or 15-23
net user UserName /expires:never
Set account to never expire.
net user UserName /expires:date
Set account expiration date.
net accounts /maxpwage:days
Set max password age.
net accounts /minpwage:days
Set min password age.
net accounts /minpwlen:length
Set min password length.
net accounts /uniquepw:number
Set password history length.
dsadd user "UserDN"
Add new AD user
New-ADUser -Name "UserName"
Add new AD user
dsrm "UserDN"
Delete AD user
Remove-ADUser -Identity "UserName"
Delete AD user
dsmod user "UserDN" -mustchpwd yes
Force password change at next logon.
dsmod user "UserDN" -pwd NewPassword
Change AD user password.
dsmod user "UserDN" -disabled no
Enable AD user account.
Enable-ADAccount -Identity "UserName"
Enable AD user account.
dsmod user "UserDN" -disabled yes
Disable AD user account.
Disable-ADAccount -Identity "UserName"
Disable AD user account.
Set AD user password:
Groups
net localgroup GroupName /add
Create local group.
New-LocalGroup -Name "GroupName"
Create local group.
net localgroup GroupName /delete
Delete local group.
Remove-LocalGroup -Name "GroupName"
Delete local group.
net localgroup "Power Users" /add moe
Add user to local group.
Add-LocalGroupMember -Group "GroupName" -Member "UserName"
Add user to local group.
net localgroup "Users" /delete larry
Remove user from local group.
Remove-LocalGroupMember -Group "GroupName" -Member "UserName"
Remove user from local group.
net group GroupName /add
Create AD group (on domain controllers).
New-ADGroup -Name "GroupName"
Create AD group (requires Active Directory module).
dsadd group "GroupDN"
Create AD group.
net group GroupName /delete
Delete AD group (on domain controllers).
Remove-ADGroup -Identity "GroupName"
Delete AD group.
dsrm "GroupDN"
Delete AD group.
net group GroupName UserName /add
Add user to AD group (on domain controllers).
Add-ADGroupMember -Identity "GroupName" -Members "UserName"
Add user to AD group.
dsmod group "GroupDN" -addmbr "UserDN"
Add user to AD group.
Set-ADGroup -Identity "GroupName" -Add @{member="UserDN"}
Add user to AD group.
net group GroupName UserName /delete
Remove user from AD group (on domain controllers).
Remove-ADGroupMember -Identity "GroupName" -Members "UserName"
Remove user from AD group.
dsmod group "GroupDN" -rmmbr "UserDN"
Remove user from AD group.
Set-ADGroup -Identity "GroupName" -Remove @{member="UserDN"}
Remove user from AD group.
Default Groups
Administrators
Full system access and administrative privileges.
Users
Standard user access with limited privileges.
Guests
Limited access for guest users.
Power Users
Legacy group with limited administrative privileges.
Backup Operators
Rights to backup and restore files, regardless of permissions.
Replicator
Supports file replication in a domain environment.
Remote Desktop Users
Permission to access the system via Remote Desktop.
Network Configuration Operators
Authority to configure network settings.
Performance Monitor Users
Can monitor system performance.
Performance Log Users
Can manage performance logs and counters.
IIS_IUSRS
Permissions for IIS web server processes.
Cryptographic Operators
Can perform cryptographic operations.
Event Log Readers
Can read event logs.
Certificate Service DCOM Access
Provides DCOM access for Certificate Services.
Distributed COM Users
Members can launch and configure DCOM applications.
Enterprise Read-only Domain Controllers
Contains RODCs from the entire forest.
Domain Admins
Administrators for the domain.
Domain Users
Regular user accounts in the domain.
Domain Guests
Guests in the domain.
Domain Computers
Contains all computer accounts in the domain.
Domain Controllers
All domain controller accounts in the domain.
Read-only Domain Controllers
Contains RODCs for the domain.
Enterprise Admins
Highest level of administrative privileges across all domains in the forest.
Schema Admins
Can modify the schema within the Active Directory forest.
Group Policy Creator Owners
Can create and modify group policy objects.
RAS and IAS Servers
Servers running RAS and IAS services.
Server Operators
Limited administrative privileges on servers.
Account Operators
Can manage user and group accounts, but not administrative accounts.
Print Operators
Can manage printers and print queues.
Incoming Forest Trust Builders
Can create incoming, one-way trusts to this forest.