You won't find some of Windows' best command-line tools in the resource kit, in Support Tools, or on the Web. That's because they're built right into Windows! The Net commands are a great example of powerful, often-overlooked tools that are right underneath our noses. In my April column, "Don't Forget About Net Share" (http:// www.windowsitpro.com, InstantDoc ID 49270), I showed you how to use Net Share for file sharing. Net Share has a sibling command—Net User—that's just as useful for creating, deleting, and managing both local and domain user accounts.

Diving Into the Syntax
Let's start with a look at Net User's basic syntax. The following command, with its /add option, creates a user account:

net user <username password> /add /domain

Without the /add option, Net User operates on an existing account. The /domain option tells the command to contact a domain controller (DC) and create a domain account; otherwise, it's a local account. (Of course, if you run the command on a DC, you automatically get a domain account.) So, for example,

net user joe hi /add

creates a new local user account named joe with the password hi. The command

net user jane wolf /domain

contacts a DC and resets Jane's password to wolf. Note that this command accomplishes a password reset, not a change; I don't know of a command-line tool that will do a password change.

If you're creating an Active Directory (AD) account, that account's logon name will be name@domainname. So, for example, typing

net user wally wallypassword /domain /add

on a system that's a member of a domain called bigfirm.com would create a user account whose old-style Windows NT 4.0 logon name would be bigfirm\wally but whose AD-style user principal name (UPN) would be wally@bigfirm.com. You can skip the password, as in

net user sally /add /domain

but doing so creates an account with a null password, and so the account will probably fail with an error message because most of us have minimum password requirements on our networks. As with the other Net commands, uppercase or lowercase doesn't matter— except, of course, when it comes to passwords.

Modifying Attributes
You can use several options to modify an account's attributes. The /active:\[yes|no\] option lets you enable or disable an account. The /comment option lets you add a comment to an account. Be sure to surround the comment with double quotes if the comment's text contains spaces or other punctuation, as follows:

net user lila /comment:"accounting person" /add

To remove a comment, you can simply retype the command but follow the /comment option with nothing.

The /homedir option lets you specify a Universal Naming Convention (UNC) path to a user's home directory; similarly, the /profilepath option lets you specify a UNC to a user's roaming profile. For example, if you wanted your accounting person, Lila, to have a roaming profile stored in a folder named \lila in a share named \profiles on a server named fileserver27, and you wanted Lila's default directory to be a folder named \lilastuff on a share named \homes on a server named fileserver04, you could modify her account as follows:

net user lila /profilepath:"\\fileserver27\profiles
  \lila" /homedir:"\\fileserver04\homes\lilastuff"

When Lila logs on, her workstation will retrieve her roaming profile from fileserver27. Then, whenever she opens a command prompt, she won't see C:\Documents and Settings\lila; instead, she'll see a simple Z prompt. She'll see the drive letter Z because her workstation automatically mapped a Z drive letter to \\ fileserver04\homes\lila, just as if she'd typed

net use Z: \\fileserver04\homes\lila

As with the /comment option, you can remove either a /homedir or /profilepath value by just typing that option with nothing after the colon. If you've ever used the Microsoft Management Console (MMC) Active Directory Users and Computers snapin to create a roaming profile or home directory, you're probably familiar with the notion of using a built-in variable named % username% when creating either of those characteristics. That doesn't work in Net User.

Many folks assign a logon batch script to user accounts. Net User provides that capability with the /scriptpath option, which refers to a file within the Netlogon share—a share that every DC contains. For example, specifying lilastart.cmd as Lila's logon batch script would mean that Lila's logon script is a file by that name in the Netlogon share. Specifying \scripts\lilastart.cmd would mean that the script resides in a folder named \scripts that was, again, in the Netlogon share.

The /fullname option lets you assign a value to what the Active Directory Users and Computers snap-in calls a user's Display Name. With the /workstations option, you can restrict the workstations that a given account can log on to. To restrict Lila's account so that she can log on only to a machine named PCWS55, you could type

net user lila /workstations:pcws55

To specify more than one workstation, just include a list of them, separated by commas. You can surround the list with double quotes, but don't put spaces after the commas. You can specify as many as eight workstations. The /passwordchg:\[yes|no\] option controls whether a user can change his or her password. Oddly enough, you can't use Net User to set an account password to never expire.

Adding the /delete option deletes an account, so

net user joe /delete

would delete a local account named Joe, and

net user jane /domain /delete

would contact a DC and delete the Jane user account. By itself, the Net User command lists your user accounts, and Net User username reports information about a specific user's account.

Going Gray
Let's end with a cool example of how Net User can solve what might seem like a tough problem. Recently I needed to create a domain with 501 user accounts. I didn't care what was in the accounts; I just needed 501 dummy accounts quickly. To do that, I used a combination of Net User and the command-line tool For, as follows:

for /l %r in (1,1,501) do
  net user user%r password%r /add

In a twinkling, I had my 501 accounts. And if you want to know just why I needed these accounts, look up the Microsoft article at http://support.microsoft.com/default.aspx?scid=kb;en-us;281923. I guarantee you'll have a sudden need for Net User.