Windows Command Prompt Users & Permissions
last modified July 14, 2025
User and permission management is crucial for Windows system administration. The Command Prompt provides powerful tools to manage these aspects. Understanding these commands helps secure systems and control access. This tutorial covers essential user and permission management techniques.
Windows uses a security model based on user accounts and permissions. Each resource has an Access Control List (ACL) defining who can access it. Permissions determine what actions users can perform on resources. Administrators need to manage these settings for proper system security.
Command-line tools offer precise control over user and permission settings. They allow automation through scripts and batch files. Many administrative tasks can be performed faster through cmd than through the GUI. This is especially true when managing multiple systems or users.
Basic Definitions
User Account: An identity used to log into Windows systems. Each account has a unique Security Identifier (SID). Accounts can be local or domain-based in Active Directory environments.
Permissions: Rules defining what actions users can perform. These include read, write, execute, modify, and full control. Permissions are assigned to files, folders, registry keys, and other objects.
Groups: Collections of user accounts that share permissions. Groups simplify permission management by applying settings to multiple users. Examples include Administrators, Users, and Power Users.
ACL (Access Control List): A list of permissions attached to an object. Each entry in an ACL is an ACE (Access Control Entry). ACLs determine which users can access an object and their access level.
Administrator: A user account with full system privileges. Administrators can modify any system setting and access all resources. Regular users have limited privileges by default for security.
Viewing User Accounts
The net user command displays information about user accounts. This is useful for auditing existing accounts on a system. You can view all accounts or details about a specific account.
@echo off
echo Listing all user accounts:
net user
echo Detailed info about Administrator:
net user Administrator
This script demonstrates basic user account viewing commands. The first command lists all accounts, the second shows details.
net user
Lists all user accounts on the local computer. The output includes both built-in and custom user accounts. Domain accounts aren't shown when the command is run on domain-joined computers.
net user Administrator
Displays detailed information about the Administrator account. This includes account status, password requirements, and group membership. Replace "Administrator" with any username to view its details.
C:\>view_users.bat
Listing all user accounts:
User accounts for \\COMPUTERNAME
-------------------------------------------------------------------------------
Administrator            Guest                    JohnDoe
The command completed successfully.
Detailed info about Administrator:
User name                    Administrator
Full Name
Comment                      Built-in account for administering the computer/domain
...
The output shows available user accounts and Administrator details. Actual output varies based on your system configuration.
Creating and Deleting Users
User management includes creating and removing accounts. The net user command with appropriate parameters handles these tasks. Administrator privileges are required for these operations.
@echo off
echo Creating new user account...
net user TestUser P@ssw0rd /add /fullname:"Test User" /comment:"Temporary account"
echo Verifying creation:
net user TestUser
echo Deleting test account...
net user TestUser /delete
This script demonstrates user account lifecycle management. It creates, verifies, then deletes a test user account.
net user TestUser P@ssw0rd /add /fullname:"Test User" /comment:"Temporary account"
Creates a new local user account named TestUser with password P@ssw0rd. The /add parameter specifies account creation. /fullname and /comment add descriptive information to the account.
net user TestUser /delete
Deletes the TestUser account from the system. The /delete parameter removes the specified user account. This operation cannot be undone - user data will be lost.
C:\>manage_users.bat
Creating new user account...
The command completed successfully.
Verifying creation:
User name                    TestUser
Full Name                    Test User
Comment                      Temporary account
...
Deleting test account...
The command completed successfully.
The script output shows successful account creation and deletion. Note that in production, you should use more secure passwords.
Managing Group Membership
Groups simplify permission management by applying settings to multiple users. The net localgroup command manages group memberships. This is essential for proper permission delegation.
@echo off
echo Creating new user...
net user GroupUser P@ssw0rd /add
echo Adding user to Administrators group...
net localgroup Administrators GroupUser /add
echo Verifying membership...
net localgroup Administrators
echo Removing from group...
net localgroup Administrators GroupUser /delete
echo Cleaning up...
net user GroupUser /delete
This script demonstrates group membership management. It creates a user, adds them to Administrators, then cleans up.
net localgroup Administrators GroupUser /add
Adds GroupUser to the local Administrators group. This grants the user full system privileges. Use caution when adding users to privileged groups.
net localgroup Administrators
Lists all members of the local Administrators group. This verifies the user was successfully added to the group. Similar syntax works for any local group.
net localgroup Administrators GroupUser /delete
Removes GroupUser from the Administrators group. This revokes the user's administrative privileges. The user account remains but with reduced permissions.
C:\>manage_groups.bat
Creating new user...
The command completed successfully.
Adding user to Administrators group...
The command completed successfully.
Verifying membership...
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
GroupUser
...
Removing from group...
The command completed successfully.
Cleaning up...
The command completed successfully.
The output shows the complete group management process. Actual member lists will vary based on your system.
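The verification step above can be turned into a repeatable check on saved `net localgroup Administrators` output. The following Python code is an added example, not part of the original tutorial; the allowlist and the sample text are constructed, and the parser assumes the English-language footer line.

```python
def parse_members(text):
    """Extract member names from `net localgroup <group>` output."""
    members, in_list = [], False
    for line in text.splitlines():
        line = line.strip()
        if set(line) == {"-"}:              # the dashed rule starts the member list
            in_list = True
        elif in_list and line.startswith("The command completed"):
            break                           # footer ends the list (English locale)
        elif in_list and line:
            members.append(line)
    return members


def audit_admins(text, allowlist):
    """Return (unexpected, missing) members relative to the allowlist.

    Names are compared case-insensitively, as Windows account names are.
    """
    members = parse_members(text)
    allowed = {n.lower() for n in allowlist}
    present = {m.lower() for m in members}
    unexpected = [m for m in members if m.lower() not in allowed]
    missing = [n for n in allowlist if n.lower() not in present]
    return unexpected, missing


# Constructed sample, modelled on the output shown above.
SAMPLE = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
GroupUser
The command completed successfully.
"""

if __name__ == "__main__":
    unexpected, missing = audit_admins(SAMPLE, ["administrator"])
    for name in unexpected:
        print(f"REVIEW: {name} is in Administrators but not on the allowlist")
    for name in missing:
        print(f"NOTE: {name} is on the allowlist but not in the group")
```

Run it against output captured with `net localgroup Administrators > admins.txt` and an allowlist kept under change control.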
Viewing File Permissions
The icacls command displays and modifies file and folder permissions. Understanding current permissions is essential before making changes. This helps avoid accidental permission problems.
@echo off
echo Creating test file...
echo Permission test > testfile.txt
echo Current permissions:
icacls testfile.txt
echo Cleaning up...
del testfile.txt
This script creates a test file, shows its permissions, then deletes it. The icacls output reveals the file's security settings.
icacls testfile.txt
Displays the Access Control List for testfile.txt. The output shows which users/groups have what permissions. Permissions are displayed using letter codes (F, M, RX, etc.).
C:\>view_permissions.bat
Creating test file...
Current permissions:
testfile.txt BUILTIN\Administrators:(I)(F)
             NT AUTHORITY\SYSTEM:(I)(F)
             BUILTIN\Users:(I)(RX)
             NT AUTHORITY\Authenticated Users:(I)(M)
Successfully processed 1 files; Failed processing 0 files
Cleaning up...
The output shows typical permissions for a new file. The (I) flag marks an entry inherited from the parent folder. Administrators and SYSTEM have full control (F). Authenticated Users can modify (M), and regular users can read and execute (RX).
Modifying File Permissions
Changing permissions is often necessary for security or access requirements. The icacls command can grant or revoke specific permissions. Always verify changes to avoid security issues.
@echo off
echo Creating test file...
echo Permission test > securefile.txt
echo Granting read-only to Users...
icacls securefile.txt /grant:r "Users:(R)"
echo Removing all other permissions...
rem Drop inherited entries first; /remove:g only affects explicit ones
icacls securefile.txt /inheritance:r
icacls securefile.txt /remove:g "Authenticated Users"
icacls securefile.txt /remove:g "Administrators"
icacls securefile.txt /remove:g "SYSTEM"
echo Final permissions:
icacls securefile.txt
echo Cleaning up...
del securefile.txt
This script demonstrates modifying file permissions. It creates a file, restricts access to Users read-only, then shows results.
icacls securefile.txt /grant:r "Users:(R)"
Grants read (R) permission to the Users group. The /grant:r parameter replaces any explicit permissions previously granted to that group. Without :r, the permission would be added to the existing ones.
icacls securefile.txt /remove:g "Authenticated Users"
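Removes the granted (allow) permissions for Authenticated Users. The /remove:g parameter deletes granted permissions for the specified group. It acts on explicit entries only, so inherited entries, marked (I) in the listing, have to be dropped with /inheritance:r first. Similar syntax works for users and other security principals.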
C:\>modify_permissions.bat
Creating test file...
Granting read-only to Users...
processed file: securefile.txt
Successfully processed 1 files; Failed processing 0 files
Removing all other permissions...
processed file: securefile.txt
Successfully processed 1 files; Failed processing 0 files
...
Final permissions:
securefile.txt BUILTIN\Users:(R)
Successfully processed 1 files; Failed processing 0 files
Cleaning up...
The final output shows only Users have read access. This demonstrates how to create highly restricted files. In production, be careful not to lock out administrators.
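Reading icacls listings such as those in the two sections above can be automated when output is collected from many machines. The following Python code is an added example, not part of the original tutorial: it parses a saved listing, flags broad principals holding write-capable rights, and lists inherited entries. The set of "broad" principals is an assumption, and only the simple rights letters (F, M, RX, R, W, D) are interpreted.

```python
import re

WRITE_CAPABLE = {"F", "M", "W", "D"}        # rights that allow change or delete
FLAGS = {"I", "OI", "CI", "IO", "NP"}       # inheritance flags printed by icacls
# Assumption for this example: which principals count as "broad".
BROAD = {"everyone", r"builtin\users", r"nt authority\authenticated users"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([A-Z,]+\))+)$")

def parse_icacls(text, path):
    """Return one dict per ACE in the icacls listing for `path`."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(path):       # the first ACE shares a line with the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:                       # blank lines and the summary line
            continue
        groups = re.findall(r"\(([A-Z,]+)\)", m.group("groups"))
        aces.append({
            "who": m.group("who"),
            "deny": "DENY" in groups,
            "inherited": "I" in groups[:-1],
            "flags": [g for g in groups[:-1] if g in FLAGS],
            "rights": groups[-1].split(","),    # the last group holds the rights
        })
    return aces

def broad_write(aces):
    """Allow entries that give a broad principal write-capable rights."""
    return [(a["who"], a["rights"]) for a in aces
            if not a["deny"] and a["who"].lower() in BROAD
            and WRITE_CAPABLE & set(a["rights"])]

def inherited_principals(aces):
    """Principals holding inherited entries, which /remove:g leaves in place."""
    return sorted({a["who"] for a in aces if a["inherited"]})

# Constructed sample: the listing shown in "Viewing File Permissions".
SAMPLE = r"""testfile.txt BUILTIN\Administrators:(I)(F)
             NT AUTHORITY\SYSTEM:(I)(F)
             BUILTIN\Users:(I)(RX)
             NT AUTHORITY\Authenticated Users:(I)(M)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    aces = parse_icacls(SAMPLE, "testfile.txt")
    for who, rights in broad_write(aces):
        print(f"REVIEW: {who} has {','.join(rights)}")
    print("Inherited:", ", ".join(inherited_principals(aces)))
```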
This tutorial covered essential user and permission management in Command Prompt. These skills are fundamental for Windows system administration and security.