Net User Command Reference

Most of this is taken from the Net user command reference online at the Microsoft website. I’ve tried to condense and clarify what I could. All commands below assume you are executing them as either a local or domain admin, and are using an administrative cmd prompt when necessary.

The basics

net user [enter]
Displays a list of the user accounts on the local computer
net user /domain [enter]
Displays a list of the user accounts on the domain
net user jimbob * /add [enter]
Creates a local user account named jimbob and prompts you for the password
net user jimbob LuckyGue$$ /add [enter]
Creates a local user account named jimbob with a password of LuckyGue$$
net user billybob * /domain /add [enter]
Creates a domain user account named billybob and prompts you for the password
net user billybob FiddleStix! /domain /add [enter]
Creates a domain user account named billybob with a password of FiddleStix!
net user jimbob * [enter]
Changes local user account jimbob’s password; prompts you to enter it and again to confirm.
net user billybob Grubb3r! /domain [enter]
Changes domain user account billybob’s password to Grubb3r!
net user jimbob /delete [enter]
Deletes the local user account named jimbob.
net user billybob /domain /delete [enter]
Deletes the domain user account named billybob.

Adding some options

/active:{no | yes}
Enables or disables the user account. If the user account is not active, the user cannot access resources on the computer. The default is yes (active).
/comment:"text"
Provides a descriptive comment about the user’s account. This comment can have as many as 48 characters. Enclose the text in quotation marks.
/expires:{date | never}
Causes the user account to expire if date is set; does not ever set a time limit on the user account. Expiration dates can be in mm/dd/yy, dd/mm/yy, or mmm,dd,yy format, depending on the Country/Region code. Note that the account expires at the beginning of the date specified. Months can be a number, spelled out, or abbreviated with three letters. Years can be two or four numbers. Use commas or slashes to separate parts of the date (no spaces). If yy is omitted, the next occurrence of the date (according to your computer’s date and time) is assumed. For example, the following date entries are equivalent if entered between Jan. 10, 1994, and Jan. 8, 1995: jan,9 1/9/95 january,9,1995 1/9
/fullname:"name"
Specifies a user’s full name rather than a user name. Enclose the name in quotation marks.
/homedir:path
Sets the path for the user’s home directory. The path must exist. Use the UNC path. %username% is acceptable for the directory.
/passwordchg:{yes | no}
Specifies whether users can change their own password. The default is yes.
/passwordreq:{yes | no}
Specifies whether a user account must have a password. The default is yes.
/profilepath:[path]
Sets a path for the user’s logon profile. This path points to a registry profile.
/scriptpath:path
Sets a path for the user’s logon script. The path value cannot be an absolute path; path is relative to %systemroot%\System32\Repl\Import\Scripts.
/times:{times | all}
Specifies the times the user is allowed to use the computer. The times value is expressed as day[-day][,day[-day]] ,time[-time][,time[-time]], limited to 1-hour time increments. Days can be spelled out or abbreviated (M,T,W,Th,F,Sa,Su). Hours can be 12- or 24-hour notation. For 12-hour notation, use AM, PM, or A.M., P.M. The value all means a user can always log on. A null value (blank) means a user can never log on. Separate day and time with commas, and units of day and time with semicolons (for example, M,4AM-5PM;T,1PM-3PM). Do not use spaces when designating times.
/usercomment:"text"
Specifies that an administrator add or change the "User comment" for the account. Enclose the text in quotation marks.
/workstations:{computername[,...] | *}
Lists as many as eight workstations from which a user can log on to the network. Separate multiple entries in the list with commas. If /workstations has no list, or if the list is *, the user can log on from any computer.

Some examples

These all come from http://www.microsoft.com/windows/windows2000/en/advanced/help/net_user__examples.htm

net user jimmyh [enter]
Displays information about the local user account jimmyh.
net user efisher /domain [enter]
Displays information about the domain user account efisher. This will include group memberships, homedir path, and password expiry.
net user henryj P@ssw0rd /add /passwordreq:yes /times:monday-friday,8am-5pm /fullname:"Henry James" [enter]
To add a user account for Henry James, with logon rights from 8 A.M. to 5 P.M., Monday through Friday (no spaces in time designations), a mandatory password (P@ssw0rd), and the user’s full name.
net user johnsw /time:M-F,08:00-17:00 [enter]
To set johnsw’s logon time (8 A.M. to 5 P.M.) using 24-hour notation.
net user johnsw /time:M-F,8am-5pm [enter]
To set johnsw’s logon time (8 A.M. to 5 P.M.) using 12-hour notation.
net user marysl /time:M,4am-5pm;T,1pm-3pm;W-F,8:00-17:00 [enter]
To specify logon hours of 4 A.M. until 5 P.M. on Monday, 1 P.M. until 3 P.M. on Tuesday, and 8 A.M. until 5 P.M. Wednesday through Friday for marysl.

A few notes:

User accounts cannot have more than twenty characters in their name. Domain accounts will always be created in the CN=Users container unless you changed the default through GPO. They will not have a UPN until you go into ADUC to create one. They will not have any other attributes populated unless you specify them using options.
The ‘password’ option assigns or changes a password for the user’s account. A password must satisfy the requirements of the local machine or the domain.
The ‘/domain’ option performs the operation on any one domain controller of the computer’s primary domain, not the user’s. This will not necessarily be the PDCe, logon server, or even a server in your site.
All options can be omitted if the defaults are desired.
All of the above commands can be used in a simple cmd file, but if you do, all variables must be offset by double percent signs
eg. for /f %%I in (c:\scratch\users.txt) do net user %%I /active:no /domain