Create Windows User using Command line

net user [username] * /add (/domain)

net localgroup [localgroup_name] [username] /add


net group [group_name] [username] /add /domain

net user [username [password | *] [options]] [/domain]
         username {password | *} /add [options] [/domain]
         username [/delete] [/domain]
  • username
    Is the name of the user account you want to add, delete, modify, or view.The name of the user account can have as many as 20 characters.
  • password
    Assigns or changes a password for the user’s account. A password must satisfy the minimum length set with the /minpwlen option of the net accounts command. It can contain as many as 14 characters.
  • *
    Produces a prompt for the password. The password is not displayed when you type it at a password prompt.
  • /domain
    Performs the operation on the primary domain controller (PDC) of the current domain. This parameter applies only to computers running Windows NT Workstation that are members of a Windows NT Server domain. By default, Windows NT Server-based computers perform operations on the PDC.
  • /add
    Adds a user account to the user accounts database.
  • /delete
    Removes a user account from the user accounts database.

Options for the Net User Command

  • /active:{yes | no}
    Activates or deactivates the account. If the account is not active, the user cannot gain access to the server. The default is yes.
  • /comment:”text”
    Provides a descriptive comment about the user’s account (maximum of 48 characters). Be sure to put quotation marks around the text you use.
  • /countrycode:nnn
    Uses the operating system country code to implement the specified language files for a user’s help and error messages. A value of 0 signifies the default country code.
  • /expires:{date | never}
    Causes the account to expire if date is set. The never option sets no time limit on the account. An expiration date is in the form mm/dd/yy or dd/mm/yy, depending on the country code. Months can be a number, spelled out, or abbreviated with three letters. Year can be two or four numbers. Use slashes (/) with no spaces to separate parts of the date.
  • /fullname:”name
    Is a user’s full name (rather than a user name). Enclose the name in quotation marks.
  • /homedir:pathname
    Sets the path for the user’s home directory. The path must exist.
  • /passwordchg:{yes | no}
    Specifies whether users can change their own password. The default is yes.
  • /passwordreq:{yes | no}
    Specifies whether a user account must have a password. The default is yes.
  • /profilepath[:path]
    Sets a path for the user’s logon profile.
  • /scriptpath:pathname
    Is the location of the user’s logon script.
  • /times:{times | all}
    Is the logon hours. The times option is expressed as day[-day][,day[-day]],time[-time][,time [-time]], and is limited to 1-hour increments. Days can be spelled out or abbreviated. Hours can be 12-hour or 24-hour notation. For 12-hour notation, use am, pm, a.m., or p.m. The all option specifies that a user can always log on, and a blank value specifies that a user can never log on. Separate day and time entries with a comma, and separate multiple day and time entries with a semicolon.
  • /usercomment:”text”
    Lets an administrator add or change the user comment for the account.
  • /workstations:{computername[,…] | *}
    Lists as many as eight computers from which a user can log on to the network. If the /workstationsoption has no list or if the list is *, the user can log on from any computer.
  • net help user | more
    Displays Help one screen at a time.

Get help using the following command net help user

Create user using batch file.

AA. The simple answer is to use the net user <username> <password> /add (/domain) , however it is possible to automate not only the addition of the user, but also his/her addition to groups and the creation of a template user account directory structure. Many organizations have a basic structure with word, excel directories and some template files. This can be automated with a basic script. For example


net user %1 password /add /homedir:\<server>users%1 /scriptpath:login.bat /domain
net localgroup "<local group>" %1 /add
repeat for local groups
net group "<groups>" %1 /add /domain
repeat for global groups
xcopy \<server>userstemplate \<server>users%1 /e
nltest /sync /server:BDCname
repeat for all BDCs you might be authenticating to
sleep 20
cacls \<server>users%1 /e /r Everyone
remove the everyone permission to the directory
cacls \<server>users%1 /g %1:F /e
cacls \<server>users%1 /g Administrators:F /e

The nltest commands are needed as otherwise it fails to do the cacls command, since the user account does not exist on the BDC to which you are authenticating as only the PDC has been updated.