Create Windows NT domain user accounts from command-line

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Windows NT administrators can certainly create user accounts using Microsoft's GUI admin tool, User Manager for Domains. Try it for 1000 new accounts or for 10 new accounts on each of 100 new member servers. If you want to know how an ex-unix administrator would do it, or how a command-line oriented old fart would do it, or how someone interested in free time would do it, check out the addusers.exe utility in the Windows NT Server Resource Kit or in the Windows 2000 Server Resource Kit.

You can get a comma-delimited file with a list of user accounts and groups from a domain, member server or workstation. The file can be used to duplicate or recreate the accounts / groups on other servers. It is also valuable documentation and a starting point for scripting. To generate a file with all user accounts and groups in a domain:

addusers \\domaincontroller /d extractfile.txt

You use the /c parameter to read an addusers extract and create the accounts / groups it lists. As an example, let's say you want to merge two domains or move accounts from one domain to another:

  • Log on as Administrator to the machine that has the accounts you wish to copy.
  • Create a comma-separated file containing details of all accounts and groups by running the following command.
    addusers /d filename
  • In this example, you are not duplicating global or local groups, so edit the comma-separated file to remove the [Global] and [Local] sections and their contents.
  • Copy the edited file to the PDC of the domain where you want to create the accounts.
  • Log on as Administrator to the PDC of the domain where you want to create the accounts.
  • Run the following command:
    addusers /c filename
    This creates the accounts.
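The edit step above (removing the [Global] and [Local] sections so only accounts are created) can be done by hand for ten users, but not for a thousand. The script below is an added example and is not part of the original article or of the Resource Kit; it rewrites an addusers /d extract so that only the [User] section survives. Because the /d dump never contains passwords, every account created from it with /c would otherwise have an empty password, so the script also fills the password column with a random initial password and returns the name-to-password map for out-of-band distribution. It assumes the documented AddUsers layout (section headers [User], [Global], [Local]; each [User] line being Name,FullName,Password,HomeDrive,HomePath,Profile,Script) and a constructed sample extract; both are assumptions, not data from the page.

```python
"""Prepare an AddUsers /d extract for AddUsers /c on another domain.

Added example, not part of the original article or the Resource Kit.
Assumed layout (the documented AddUsers format, stated as an assumption):
  [User]   lines: Name,FullName,Password,HomeDrive,HomePath,Profile,Script
  [Global] / [Local] lines: GroupName,Comment,Member1,Member2,...
"""
import secrets
import string

# Constructed sample extract in the shape addusers /d writes (assumption).
SAMPLE_EXTRACT = """[User]
jsmith,John Smith,,H:,\\\\fs1\\home\\jsmith,,logon.bat
ajones,Alice Jones,,H:,\\\\fs1\\home\\ajones,,logon.bat
[Global]
Staff,All staff,jsmith,ajones,
[Local]
Backup Ops,Backup operators,jsmith,
"""

PASSWORD_FIELD = 2  # assumption: third column of a [User] line


def parse_sections(text, sep=","):
    """Split an extract into {section_name: [field lists]}.

    A header looks like [User]; blank lines are skipped; `sep` is the
    field separator (the default comma, or whatever /s:x was given).
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip("\r\n")
        if not line.strip():
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("data before first section header: %r" % line)
        sections[current].append(line.split(sep))
    return sections


def empty_password_accounts(sections):
    """Names of [User] entries whose password column is blank.

    Any such account created with /c gets an empty password, so this is
    the check to run before and after preparing the file.
    """
    names = []
    for fields in sections.get("User", []):
        if len(fields) <= PASSWORD_FIELD or not fields[PASSWORD_FIELD]:
            names.append(fields[0])
    return names


def random_password(length=14):
    """Random initial password; 14 characters fits NT-era length limits.

    Letters and digits only, so the value can never contain the field
    separator and break the comma-delimited file.
    """
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def users_only(sections, sep=",", assign_passwords=True):
    """Return (new_extract_text, {user: password}) with only [User] kept.

    [Global] and [Local] are dropped, as the procedure in the article
    requires. Blank password columns are filled with random passwords
    when assign_passwords is True, and the issued values are returned so
    they can be handed to users separately (never left in the extract).
    """
    issued = {}
    lines = ["[User]"]
    for fields in sections.get("User", []):
        fields = list(fields)
        while len(fields) <= PASSWORD_FIELD:
            fields.append("")
        if assign_passwords and not fields[PASSWORD_FIELD]:
            fields[PASSWORD_FIELD] = random_password()
            issued[fields[0]] = fields[PASSWORD_FIELD]
        lines.append(sep.join(fields))
    return "\n".join(lines) + "\n", issued


if __name__ == "__main__":
    # Typical use: addusers \\olddomain /d extract.txt, run this script,
    # then addusers \\newpdc /c users_only.txt.  The sample is used here so
    # the script runs offline.
    parsed = parse_sections(SAMPLE_EXTRACT)
    print("accounts with blank passwords in dump:", empty_password_accounts(parsed))
    text, issued = users_only(parsed)
    with open("users_only.txt", "w") as fh:
        fh.write(text)
    for name, pw in issued.items():
        print("issued initial password for", name, "->", pw)
```

Run the result through addusers /c as in step 6 above. Because the /p switch on newer versions can suppress the change-password-at-next-logon requirement (/p:l), leave that switch off for accounts created this way: the random value is only meant to carry the account until the user's first logon.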

To get a list of all the addusers parameters, issue the following command:

addusers /?

The addusers syntax is:

AddUsers {/c|/d{:u}|/e} filename [/s:x] [/?] [\\computername|domainname] [/p:{l|c|e|d}]

where:

\\computername - is the computer where you want to create user accounts or from which you want to dump user accounts. If you do not specify computername, AddUsers uses the local computer by default.

domainname - this option can be used in place of computername. If this option is used, then Addusers queries the PDC of the domain specified.

/c - Creates user accounts, local groups, and global groups as specified by filename.

/d{:u} - Dumps user accounts, local groups, and global groups to the specified file name. The (:u) is an optional switch that causes current accounts to be written to the specified file in Unicode text format. Choosing to dump current user accounts does not save the account's passwords or any security information for the accounts. To back up security information for accounts, a Tape Backup should be used. Note: Password information is not saved in a user account dump and if you use the same file to create accounts, all passwords of newly created accounts will be empty. All created users are required to change their password at logon by default.

/e - Erases the user accounts specified in the file name. CAUTION: Be careful when erasing user accounts, as it is not possible to recreate the user account with the same SID. This option, however, cannot erase built-in accounts.

filename - The comma-delimited input/output file that AddUsers uses for data.

/s:x - This is an optional switch that changes the character used for separating fields in the file. The x should be replaced with the new character to be used for separating fields. For example, /s:~ would make the field-separation character the "~" (tilde). If this option is not specified, the default separator, a comma, is used.

/? - Displays a help screen.

The newer version of Addusers.exe, available in the Windows NT 4.0 Resource Kit, Supplement 3 or later, adds a /p switch. This switch gives you more control over the options applied when creating new users with AddUsers.exe in Windows NT.

/p: - Sets account creation options. It can be used along with any combination of the following options:

l - Users do not have to change passwords at next logon.

c - Users cannot change passwords.

e - Passwords never expire. (implies l option)

d - Accounts disabled.

If you do not have access to the Windows NT Server Resource Kit or the Windows 2000 Server Resource Kit, an alternative available on every Windows NT workstation is the net localgroup command. The core options include /domain, which says to perform the task on a domain controller of the current domain; /add, which says to add a group or user; and /delete, which says to remove a group or user. Experiment with the command on your workstation before attempting domain changes. To get the full list of parameters, issue the following command:

net help localgroup
