1. Manipulating Users and Groups with the net Command
You can also use the net command to create, modify, and delete users and groups. The following table shows some of the common commands.
net Command | Description
---|---
Create user.<br>`net user username password /add`<br>`c:\>net user Darril P@ssw0rd /add` | Creates a new user with the specified name and password. The password must meet the password requirements of the system. If the command is executed on a local computer, it creates a local user account. If the command is executed on a domain controller, it creates an account in the Users container of Active Directory unless the redirusr command has changed the default location.
Create local group.<br>`net localgroup groupname /add`<br>`c:\>net localgroup ITPros /add` | Creates a local group with the group name. The group is created using the case specified in the command but can be identified later using any case.
Create group on domain controller.<br>`net group groupname /add`<br>`c:\>net group ITPros /add` | Creates a global security group using the group name. The group is added to the Users container.<br>Note: group works only on a domain controller, and localgroup works only on a non-domain controller.
Add user (or group) to group.<br>`c:\>net localgroup "event log readers" Darril /add`<br>`c:\>net localgroup "event log readers" ITPros /add` | You can use the net localgroup command to add a user or group to an existing group. The examples add a user account (Darril) and a group (ITPros) to the preexisting event log readers group.
Delete user.<br>`net user username /delete`<br>`c:\>net user Darril /delete` | Deletes the specified user account.
Delete local group.<br>`net localgroup groupname /delete`<br>`c:\>net localgroup itpros /delete` | Deletes the specified local group.
Delete group on domain controller.<br>`net group groupname /delete`<br>`c:\>net group itpros /delete` | Deletes the specified domain group.
2. Modifying NTFS Permissions with icacls
You can modify file and folder permissions with the icacls command. The basic format is
`icacls file_or_folder /grant sid:permission`
Tip: icacls modifies NTFS permissions for files and folders. The net share command modifies the permissions for shares.
The security identifier (sid) can be expressed as the actual sid of a user or group (with an asterisk as a prefix) or with the friendly name. For example, the following two commands both work:
`c:\>icacls c:\data /grant darrilgibson:f`
`c:\>icacls c:\data /grant *S-1-5-21-2165312475-2208171157-4291121935-1000:f`
The following table shows the basic codes used for permissions.
Permission Code | Description
---|---
F | Full access
M | Modify access
RX | Read and execute access
R | Read-only access
W | Write-only access
The following table shows some common usage of the icacls command. You can substitute the f permission code (for full access) with any of the permission codes listed in the previous table.
icacls Command | Comments
---|---
Show permissions for a folder.<br>`c:\>icacls c:\data` | You can show the current permissions using only the command and the name of the folder.
Grant permission to a user.<br>`c:\>icacls c:\data /grant:r darrilgibson:f`<br>`c:\>icacls c:\data /grant darrilgibson:f` | You can append the permissions to any other explicitly added permissions or replace all explicitly added permissions. When you use :r in the /grant switch (/grant:r), it replaces explicitly assigned permissions.<br>Tip: Inherited permissions are still inherited when /grant:r is used.
Include subfolders.<br>`c:\>icacls c:\data /grant:r darrilgibson:f /t` | The /t switch includes all files and subfolders within the specified folder.
Deny permission to a user.<br>`c:\>icacls c:\data /deny darrilgibson:f /t` | Instead of granting permissions, you can deny the permissions.<br>Tip: The deny permission always takes precedence. In other words, if a user is granted permission explicitly or as a member of a group and is also denied permission, the user is denied permission.
Remove permissions for a user.<br>`c:\>icacls c:\data /remove darrilgibson /t` | Removes all ACL entries for the specified user. The /remove switch takes only the sid or name, not a permission code.
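The deny-precedence rule and the permission codes above, as an added Python example that is not part of the original text: it parses the listing that `icacls c:\data` prints, separates inherited from explicit entries, and computes what a user actually ends up with once deny entries are applied. The sample output, the CORP domain, the ITPros membership and the expansion of F/M/RX/R/W into elementary rights are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Elementary rights behind the simple codes (assumed simplification of icacls).
SIMPLE = {"F": {"R", "W", "X", "D", "P"}, "M": {"R", "W", "X", "D"},
          "RX": {"R", "X"}, "R": {"R"}, "W": {"W"}}

# Constructed sample of what "icacls c:\data" prints; format assumed from the
# usual icacls listing: (I) marks inherited ACEs, (DENY) marks deny ACEs.
SAMPLE_OUTPUT = r"""c:\data BUILTIN\Administrators:(I)(OI)(CI)(F)
        NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
        CORP\ITPros:(OI)(CI)(M)
        CORP\darrilgibson:(OI)(CI)(RX)
        CORP\darrilgibson:(DENY)(OI)(CI)(W)
Successfully processed 1 files; Failed processing 0 files
"""

ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([A-Z,]+\))+)$")

@dataclass
class Ace:
    principal: str
    deny: bool
    inherited: bool
    rights: set

def parse_icacls(output: str, path: str) -> list:
    """Turn the icacls listing for `path` into Ace records."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):  # first line carries the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue                               # summary or blank line
        tokens = re.findall(r"\(([^)]+)\)", m["flags"])
        rights = set()
        for code in tokens[-1].split(","):         # last token is the permission
            rights |= SIMPLE.get(code, {code})     # unknown codes kept verbatim
        aces.append(Ace(m["who"], "DENY" in tokens, "I" in tokens, rights))
    return aces

def explicit_aces(aces):
    """Entries /grant:r would replace; inherited ones survive it."""
    return [a for a in aces if not a.inherited]

def effective_rights(aces, principal, groups=()):
    """Allow ACEs for the user and its groups are unioned; any deny wins."""
    ids = {principal.lower(), *(g.lower() for g in groups)}
    allowed, denied = set(), set()
    for ace in aces:
        if ace.principal.lower() in ids:
            (denied if ace.deny else allowed).update(ace.rights)
    return allowed - denied
```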