cheat sheet

net user

Create, modify, delete, and list local Windows user accounts from the command prompt — set passwords, manage account expiry, lock/unlock accounts, and control logon hours.

net user — Local User Account Manager

What it is

net user is a built-in Windows command for managing local user accounts on the machine where it runs. Use it to create accounts, set or change passwords, lock and unlock accounts, view account details, and configure logon restrictions such as password expiry and logon hours. It operates on the local SAM database — for domain accounts, use net user /DOMAIN or prefer Active Directory PowerShell (Get-ADUser, New-ADUser). Requires Administrator privileges for most write operations.

Availability

net user ships as part of C:\Windows\System32\net.exe on all Windows versions.

cmd
net user /?

Output:

ini
The syntax of this command is:

NET USER
[username [password | *] [options]] [/DOMAIN]
username {password | *} /ADD [options] [/DOMAIN]
username [/DELETE] [/DOMAIN]
username [/TIMES:{times | ALL}]
username [/ACTIVE:{YES | NO}]

Syntax

cmd
net user [username [password | *] [options]] [/DOMAIN]
net user username {password | *} /ADD [options]
net user username /DELETE

Output: (user list or operation result)

Essential options

Switch                               Meaning
------                               -------
(no args)                            List all local user accounts
username                             Show details for a specific account
username password /ADD               Create a new account with the given password
username * /ADD                      Create an account — prompt for password interactively
username /DELETE                     Delete the account
username /ACTIVE:YES|NO              Enable or disable the account
username /PASSWORDREQ:YES|NO         Require or waive a password
username /PASSWORDCHG:YES|NO         Allow or forbid the user from changing their password
username /EXPIRES:date|NEVER         Set account expiry date
username /LOGONPASSWORDCHG:YES|NO    Force password change at next logon
username /TIMES:times|ALL            Restrict logon to specified hours
username /COMMENT:"text"             Set a descriptive comment on the account
/DOMAIN                              Operate against the domain controller instead of local SAM

Listing local accounts

Running net user without arguments lists every local account on the machine. Running it with a username shows the full account detail including last logon, password expiry, group memberships, and logon restrictions.

cmd
net user

Output:

sql
User accounts for \\MYHOST

-------------------------------------------------------------------------------
Administrator            alicedev                 Guest
WDAGUtilityAccount
The command completed successfully.

cmd
net user alicedev

Output:

vbnet
User name                    alicedev
Full Name                    Alice Dev
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            4/28/2026 9:00:00 AM
Password expires             Never
Password changeable          4/28/2026 9:00:00 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   4/28/2026 10:14:32 AM

Logon hours allowed          All

Local Group Memberships      *Users
Global Group memberships     *None
The command completed successfully.

Creating a user account

/ADD creates a new local account. Supply the password directly on the command line for scripting, or use * to be prompted interactively (the typed password is not echoed).

cmd
net user alicedev P@ssw0rd123 /ADD

Output:

bash
The command completed successfully.

cmd
rem Interactive password prompt (not echoed)
net user bobdev * /ADD

Output:

rust
Type a password for the user:
Retype the password to confirm:
The command completed successfully.

Setting account properties

Once an account exists, re-run net user username with any option to change that property without recreating the account. Multiple options can be combined on one line.

cmd
rem Set full name and a comment
net user alicedev /FULLNAME:"Alice Dev" /COMMENT:"Developer workstation account"

Output:

bash
The command completed successfully.

cmd
rem Set account to expire on a specific date
net user alicedev /EXPIRES:12/31/2026

Output:

bash
The command completed successfully.

cmd
rem Force password change at next logon
net user alicedev /LOGONPASSWORDCHG:YES

Output:

bash
The command completed successfully.

Changing a password

Provide the username and new password. Use * to be prompted interactively — the prompt is the safest approach for interactive sessions because the password does not appear in command history.

cmd
net user alicedev NewP@ssword456

Output:

bash
The command completed successfully.

Enabling and disabling accounts

/ACTIVE:NO disables the account — the user cannot log on, but the account and its data are preserved. /ACTIVE:YES re-enables it. Prefer this to deletion when you need a recoverable off-boarding path.

cmd
rem Disable the account
net user alicedev /ACTIVE:NO

Output:

bash
The command completed successfully.

cmd
rem Re-enable the account
net user alicedev /ACTIVE:YES

Output:

bash
The command completed successfully.

Deleting an account

/DELETE removes the account from the local SAM. The user's profile directory (C:\Users\alicedev) and files are not removed automatically — delete them separately if needed.

cmd
net user alicedev /DELETE

Output:

bash
The command completed successfully.

Common pitfalls

  1. Passwords with special characters need quoting — a password containing &, |, >, or spaces must be enclosed in double quotes: net user alicedev "P@ss&word".
  2. /DELETE does not remove the profile — the home folder at C:\Users\username persists; delete it manually or via rmdir /S /Q if needed.
  3. /DOMAIN applies to the primary domain, not the local machine — omit it when targeting local accounts; including it routes the command to a domain controller.
  4. /ACTIVE:NO does not log out active sessions — a currently logged-in user stays connected until they disconnect; disabling the account prevents future logons only.
  5. Password complexity requirements apply — if the local password policy requires complexity, net user will reject passwords that don't meet it with error 2245.

Real-world recipes

Create a service account with no expiry

cmd
net user svcbackup S3cureP@ss /ADD /PASSWORDCHG:NO /PASSWORDREQ:YES /EXPIRES:NEVER /COMMENT:"Backup service account"

Output:

bash
The command completed successfully.

Bulk-disable accounts from a list

cmd
@echo off
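rem Inside a .bat/.cmd file the loop variable is written %%U (%U only works when typed at the prompt)
for /f %%U in (C:\Scripts\users_to_disable.txt) do (
    net user %%U /ACTIVE:NO
    echo Disabled: %%U
)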

Output:

bash
The command completed successfully.
Disabled: bob
The command completed successfully.
Disabled: carol

Check if an account exists in a script

cmd
@echo off
net user alicedev >NUL 2>&1
if %ERRORLEVEL% EQU 0 (
    echo Account alicedev exists.
) else (
    echo Account alicedev does NOT exist.
)

Output:

arduino
Account alicedev exists.

Full option reference

net user accepts many additional switches that the /? summary doesn't fully expand. The complete reference:

Switch              Values           Effect
------              ------           ------
/ACTIVE             YES | NO         Enable/disable the account
/COMMENT            "text"           Descriptive comment (max 48 chars)
/COUNTRYCODE        numeric          Country code for localized help text (0 = system default)
/EXPIRES            date or NEVER    Account expiry; date in local format (e.g. 12/31/2026)
/FULLNAME           "Full Name"      Display name
/HOMEDIR            path             User home directory
/LOGONPASSWORDCHG   YES | NO         Force password change at next logon
/PASSWORDCHG        YES | NO         Whether user can change own password
/PASSWORDREQ        YES | NO         Whether a password is required at all
/PROFILEPATH        path             Roaming profile path (UNC)
/SCRIPTPATH         path             Logon script
/TIMES              times | ALL      Allowed logon hours (e.g. M-F,8AM-5PM)
/USERCOMMENT        "text"           User-editable comment (255 chars)
/WORKSTATIONS       list or *        Comma-separated workstation list user may log on from
/DOMAIN             (flag)           Operate against the primary domain controller
/ADD                (flag)           Create the account
/DELETE             (flag)           Delete the account

For the logon-hours format, /TIMES:M-F,8AM-5PM allows logon Monday through Friday between 8am and 5pm. Multiple day/time entries are separated by semicolons; days within an entry by commas: /TIMES:M,4AM-12PM;T,12PM-8PM;W-F,8AM-5PM. Microsoft Learn confirms both 12-hour (with AM/PM or A.M./P.M.) and 24-hour (/TIMES:M-F,08:00-17:00) notations are accepted; hours must be in one-hour increments — 8:30AM is rejected. Days may be spelled out (Monday) or abbreviated as M, T, W, Th, F, Sa, Su. Use ALL for unrestricted logon or an empty value to block all sign-ins.

cmd
rem 24-hour notation
net user alicedev /TIMES:M-F,08:00-17:00

Output:

bash
The command completed successfully.

cmd
rem Mixed days and ranges
net user alicedev /TIMES:M,4AM-12PM;T,12PM-8PM;W-F,8AM-5PM

Output:

bash
The command completed successfully.

Restricting logon to specific workstations

/WORKSTATIONS is a comma-separated list of NetBIOS computer names where the user can log on. * (the default) means anywhere. Maximum 8 workstations.

cmd
net user alicedev /WORKSTATIONS:DEVBOX01,DEVBOX02

Output:

bash
The command completed successfully.

cmd
rem Reset to allow logon from anywhere
net user alicedev /WORKSTATIONS:*

Output:

bash
The command completed successfully.

Setting the home directory and profile path

For domain environments with central home folders:

cmd
net user alicedev /HOMEDIR:\\fileserver01\Users\alicedev /PROFILEPATH:\\fileserver01\Profiles\alicedev

Output:

bash
The command completed successfully.

The home directory mapping shows up at logon as the user's %HOMEPATH% and %HOMEDRIVE% environment variables. On domain controllers, this works hand-in-hand with Group Policy folder redirection.

PowerShell equivalents — the LocalAccounts module

Since Windows 10 / Server 2016, the Microsoft.PowerShell.LocalAccounts module ships with PowerShell and provides structured cmdlets that supersede net user for local-account work. They emit objects (not text), accept pipelines, and work consistently across regions where net user parses locale-specific dates and times.

Get-LocalUser — list and inspect

powershell
Get-LocalUser

Output:

sql
Name                Enabled Description
----                ------- -----------
Administrator       False   Built-in account for administering the computer/domain
alicedev            True    Developer workstation account
DefaultAccount      False   A user account managed by the system.
Guest               False   Built-in account for guest access
WDAGUtilityAccount  False   A user account managed and used by the system for...

powershell
Get-LocalUser -Name alicedev | Format-List *

Output:

yaml
AccountExpires         :
Description            : Developer workstation account
Enabled                : True
FullName               : Alice Dev
PasswordChangeableDate : 5/25/2026 9:00:00 AM
PasswordExpires        :
UserMayChangePassword  : True
PasswordRequired       : True
PasswordLastSet        : 5/25/2026 9:00:00 AM
LastLogon              : 5/25/2026 10:14:32 AM
Name                   : alicedev
SID                    : S-1-5-21-1004336348-1177238915-682003330-1001
PrincipalSource        : Local
ObjectClass            : User

New-LocalUser — create accounts

powershell
# $pwd is PowerShell's automatic current-location variable, so use a different name
$password = Read-Host "Password" -AsSecureString
New-LocalUser -Name alicedev -Password $password -FullName "Alice Dev" -Description "Developer workstation account"

Output:

sql
Name      Enabled Description
----      ------- -----------
alicedev  True    Developer workstation account

powershell
# No-password account (rare; for kiosk scenarios)
New-LocalUser -Name kioskuser -NoPassword -FullName "Kiosk User"

Output:

sql
Name        Enabled Description
----        ------- -----------
kioskuser   True

New-LocalUser accepts: -AccountExpires <DateTime>, -AccountNeverExpires, -Description, -Disabled, -FullName, -Name, -Password, -PasswordNeverExpires, -UserMayNotChangePassword, -NoPassword.

Set-LocalUser — modify accounts

powershell
# Set the description
Set-LocalUser -Name alicedev -Description "Senior Developer"

# Let the password expire under the password policy (this clears "never expires"; it does not force a change at next logon)
Set-LocalUser -Name alicedev -PasswordNeverExpires $false

# Disable the account
Disable-LocalUser -Name alicedev

# Re-enable
Enable-LocalUser -Name alicedev

Output: (silent on success)

Changing a password securely

powershell
# $pwd is PowerShell's automatic current-location variable, so use a different name
$password = Read-Host "New password" -AsSecureString
Set-LocalUser -Name alicedev -Password $password

Output: (silent on success)

Remove-LocalUser

powershell
Remove-LocalUser -Name alicedev

Output: (silent on success)

powershell
# Pipe a Get to a Remove for bulk deletion
Get-LocalUser | Where-Object { $_.Description -like '*Contractor*' } | Remove-LocalUser

Output: (silent on success)

Comparison with Active Directory cmdlets

For domain accounts, net user /DOMAIN works but the modern path is the ActiveDirectory PowerShell module (RSAT-AD-PowerShell on a domain-joined client). The cmdlets are vastly richer — they expose every AD object attribute, support LDAP filters, and work efficiently for bulk operations.

Task              Local (net user / LocalAccounts)                    Active Directory (ActiveDirectory module)
----              --------------------------------                    -----------------------------------------
List              net user / Get-LocalUser                            Get-ADUser -Filter *
Inspect           net user alicedev / Get-LocalUser alicedev          Get-ADUser alicedev -Properties *
Create            net user alicedev pw /ADD / New-LocalUser           New-ADUser -SamAccountName alicedev -AccountPassword (...)
Modify            net user alicedev /COMMENT:"..." / Set-LocalUser    Set-ADUser alicedev -Description "..."
Delete            net user alicedev /DELETE / Remove-LocalUser        Remove-ADUser alicedev
Disable           net user alicedev /ACTIVE:NO / Disable-LocalUser    Disable-ADAccount alicedev
Reset password    net user alicedev newpw / Set-LocalUser             Set-ADAccountPassword alicedev -Reset
Search            (no — list everything)                              Get-ADUser -Filter "Department -eq 'IT'"
Unlock            (no — must change password)                         Unlock-ADAccount alicedev
Move OU           (N/A)                                               Move-ADObject
Group membership  net localgroup ... /ADD                             Add-ADGroupMember

Get-ADUser — domain user inspection

powershell
Get-ADUser alicedev -Properties LastLogonDate, PasswordLastSet, MemberOf, EmailAddress

Output:

yaml
DistinguishedName : CN=Alice Dev,OU=Users,OU=NewYork,DC=contoso,DC=local
EmailAddress      : alice@example.com
Enabled           : True
GivenName         : Alice
LastLogonDate     : 5/25/2026 10:14:32 AM
MemberOf          : {CN=Developers,OU=Groups,DC=contoso,DC=local, ...}
Name              : Alice Dev
PasswordLastSet   : 5/24/2026 9:00:00 AM
SamAccountName    : alicedev
SID               : S-1-5-21-1234567890-987654321-111111111-1001
Surname           : Dev
UserPrincipalName : alicedev@contoso.local

New-ADUser — create domain account

powershell
# $pwd is PowerShell's automatic current-location variable, so use a different name
$password = Read-Host "Password" -AsSecureString
New-ADUser `
    -SamAccountName alicedev `
    -Name "Alice Dev" `
    -GivenName "Alice" `
    -Surname "Dev" `
    -UserPrincipalName "alicedev@contoso.local" `
    -EmailAddress "alice@example.com" `
    -Path "OU=Users,OU=NewYork,DC=contoso,DC=local" `
    -AccountPassword $password `
    -Enabled $true `
    -ChangePasswordAtLogon $true

Output: (silent on success)

Bulk-onboard domain users from CSV

powershell
Import-Csv C:\HR\new_hires.csv | ForEach-Object {
    # $pwd is PowerShell's automatic current-location variable, so use a different name
    $password = ConvertTo-SecureString "Welcome1!$($_.SamAccountName)" -AsPlainText -Force
    New-ADUser `
        -SamAccountName $_.SamAccountName `
        -Name "$($_.GivenName) $($_.Surname)" `
        -GivenName $_.GivenName `
        -Surname $_.Surname `
        -UserPrincipalName "$($_.SamAccountName)@contoso.local" `
        -EmailAddress $_.EmailAddress `
        -Path "OU=Users,OU=$($_.Site),DC=contoso,DC=local" `
        -AccountPassword $password `
        -Enabled $true `
        -ChangePasswordAtLogon $true
    Write-Host "Created: $($_.SamAccountName)"
}

Output:

makefile
Created: alicedev
Created: bobdev
Created: caroldev
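
The recipe above derives each initial password from the account name. The following added example (not part of the original page) draws a random initial password per account instead, with one character from each class so a complexity policy accepts it. The function names, alphabets and the inline CSV rows are assumptions of this example.

```powershell
function Get-UnbiasedIndex {
    param([System.Security.Cryptography.RandomNumberGenerator]$Rng, [int]$Count)
    # Rejection sampling: discard byte values that would skew the modulo.
    $limit = 256 - (256 % $Count)
    $buf = New-Object byte[] 1
    do { $Rng.GetBytes($buf) } while ($buf[0] -ge $limit)
    return $buf[0] % $Count
}

function New-InitialPassword {
    param([ValidateRange(12, 127)][int]$Length = 20)
    # Alphabets are this example's choice; look-alike characters are left out.
    $classes = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!#%+-=?@_'
    $all = -join $classes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        # One character from every class first ...
        $chars = foreach ($c in $classes) { $c[(Get-UnbiasedIndex $rng $c.Length)] }
        # ... then fill up to the requested length from the combined alphabet.
        $chars = @($chars) + @(1..($Length - $classes.Count) |
            ForEach-Object { $all[(Get-UnbiasedIndex $rng $all.Length)] })
        # Fisher-Yates shuffle so the guaranteed characters are not always in front.
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {
            $j = Get-UnbiasedIndex $rng ($i + 1)
            $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
        }
        return -join $chars
    } finally {
        $rng.Dispose()
    }
}

# Constructed sample rows standing in for C:\HR\new_hires.csv.
$newHires = @'
SamAccountName,GivenName,Surname,Site
alicedev,Alice,Dev,NewYork
bobdev,Bob,Dev,NewYork
'@ | ConvertFrom-Csv

$issued = foreach ($hire in $newHires) {
    $plain  = New-InitialPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    # In the recipe, $secure is the value passed to New-ADUser -AccountPassword.
    [pscustomobject]@{ SamAccountName = $hire.SamAccountName; InitialPassword = $plain }
}
$issued | Format-Table
```

With -ChangePasswordAtLogon $true from the recipe, each value is used for a single logon only.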

Built-in accounts

Every Windows installation has a fixed set of built-in accounts identified by well-known SIDs. These cannot be deleted, only enabled/disabled and renamed.

Account             RID  SID suffix  Default state  Purpose
-------             ---  ----------  -------------  -------
Administrator       500  -500        Disabled       Built-in admin; rename for security
Guest               501  -501        Disabled       Anonymous read-only access
DefaultAccount      503  -503        Disabled       UWP/system-managed
WDAGUtilityAccount  504  -504        Disabled       Windows Defender Application Guard

cmd
rem Enable the built-in Administrator (default is disabled on Windows 10/11)
net user Administrator /ACTIVE:YES
net user Administrator NewSecureP@ssword

Output:

bash
The command completed successfully.

Best practice: leave the built-in Administrator disabled and create a separate named admin account. Modern security baselines (CIS, Microsoft Security Compliance Toolkit) require this — see gpresult & gpupdate for inspecting which baseline applies.

Account flags and UAC properties

Beyond the visible options, accounts carry low-level flags stored in the SAM that govern logon behaviour. View them through the properties of PowerShell's Get-LocalUser or through the Win32_UserAccount class with Get-CimInstance:

powershell
Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True AND Name='alicedev'" |
    Select-Object Name, Disabled, Lockout, PasswordExpires, PasswordRequired, PasswordChangeable

Output:

yaml
Name               : alicedev
Disabled           : False
Lockout            : False
PasswordExpires    : False
PasswordRequired   : True
PasswordChangeable : True

Unlocking a locked account (after too many failed logons):

powershell
# Local
Set-LocalUser -Name alicedev -Password (Read-Host -AsSecureString)

# Domain — direct unlock without password change
Unlock-ADAccount -Identity alicedev

Output: (silent on success)

Password policy

Local password policy lives in the local Security Policy (secpol.msc → Account Policies → Password Policy) and is overridden by GPO on domain-joined machines. Inspect with net accounts:

cmd
net accounts

Output:

yaml
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.

Adjust the local policy (overridden by domain GPO if joined):

cmd
net accounts /MAXPWAGE:90 /MINPWLEN:14 /UNIQUEPW:5 /LOCKOUTTHRESHOLD:5 /LOCKOUTDURATION:30 /LOCKOUTWINDOW:30

Output:

bash
The command completed successfully.

Audit logging — Events 4720, 4722, 4724, 4725, 4726

Every account-management action generates a Security event. Forwarding these to a SIEM is essential for compliance (PCI-DSS, SOX, HIPAA) and for catching credential abuse.

Event ID  Meaning
--------  -------
4720      A user account was created
4722      A user account was enabled
4723      An attempt was made to change an account's password
4724      An attempt was made to reset an account's password
4725      A user account was disabled
4726      A user account was deleted
4738      A user account was changed
4740      A user account was locked out
4767      A user account was unlocked

powershell
# Recent account-creation events
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720; StartTime=(Get-Date).AddDays(-30)} |
    Select-Object TimeCreated,
        @{Name='NewAccount';Expression={$_.Properties[0].Value}},
        @{Name='CreatedBy';Expression={$_.Properties[4].Value}}

Output:

swift
TimeCreated         NewAccount    CreatedBy
-----------         ----------    ---------
5/25/2026 9:10 AM   alicedev      Administrator
5/24/2026 2:45 PM   svcbackup     Administrator

Enable the audit subcategory globally:

cmd
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

Output:

bash
The command was successfully executed.
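
As an added example (not part of the original page), the events in the table can be correlated per account: the code below reads the event fields by name and reports accounts that were created (4720) and deleted (4726) within a short window. The event XML is constructed sample data, and the function names and the 24-hour default window are assumptions of this example.

```powershell
# Constructed sample in the shape that (Get-WinEvent ...).ToXml() produces,
# trimmed to the fields used below.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$sampleXml = @"
<Events>
 <Event xmlns="$ns"><System><EventID>4720</EventID><TimeCreated SystemTime="2026-05-25T09:10:00Z"/></System>
  <EventData><Data Name="TargetUserName">tmpsupport</Data>
   <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1005</Data>
   <Data Name="SubjectUserName">alicedev</Data></EventData></Event>
 <Event xmlns="$ns"><System><EventID>4724</EventID><TimeCreated SystemTime="2026-05-25T09:12:00Z"/></System>
  <EventData><Data Name="TargetUserName">tmpsupport</Data>
   <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1005</Data>
   <Data Name="SubjectUserName">alicedev</Data></EventData></Event>
 <Event xmlns="$ns"><System><EventID>4726</EventID><TimeCreated SystemTime="2026-05-25T09:55:00Z"/></System>
  <EventData><Data Name="TargetUserName">tmpsupport</Data>
   <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1005</Data>
   <Data Name="SubjectUserName">alicedev</Data></EventData></Event>
 <Event xmlns="$ns"><System><EventID>4720</EventID><TimeCreated SystemTime="2026-05-24T14:45:00Z"/></System>
  <EventData><Data Name="TargetUserName">svcbackup</Data>
   <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1006</Data>
   <Data Name="SubjectUserName">Administrator</Data></EventData></Event>
</Events>
"@

function ConvertFrom-AccountEvent {
    param([Parameter(Mandatory)][System.Xml.XmlElement]$Node)
    # Read EventData by field name so the result does not depend on field order.
    $field = @{}
    foreach ($d in $Node.GetElementsByTagName('Data')) {
        $field[$d.GetAttribute('Name')] = $d.InnerText
    }
    $sys = $Node['System']
    [pscustomobject]@{
        Time      = [datetimeoffset]::Parse($sys['TimeCreated'].GetAttribute('SystemTime'),
                        [cultureinfo]::InvariantCulture).UtcDateTime
        Id        = [int]$sys['EventID'].InnerText
        Target    = $field['TargetUserName']
        TargetSid = $field['TargetSid']
        Actor     = $field['SubjectUserName']
    }
}

function Find-ShortLivedAccount {
    param([Parameter(Mandatory)][object[]]$Record,
          [timespan]$Window = [timespan]::FromHours(24))
    # Group on the SID rather than the name: a rename keeps the SID.
    foreach ($g in ($Record | Group-Object TargetSid)) {
        $created = $g.Group | Where-Object Id -eq 4720 | Sort-Object Time | Select-Object -First 1
        $deleted = $g.Group | Where-Object Id -eq 4726 | Sort-Object Time | Select-Object -Last 1
        if (-not $created -or -not $deleted) { continue }
        $life = $deleted.Time - $created.Time
        if ($life -ge [timespan]::Zero -and $life -le $Window) {
            [pscustomobject]@{
                Account   = $created.Target
                Sid       = $g.Name
                CreatedBy = $created.Actor
                DeletedBy = $deleted.Actor
                Lifetime  = $life
                Events    = ($g.Group | Sort-Object Time | ForEach-Object Id) -join ','
            }
        }
    }
}

$records = ([xml]$sampleXml).GetElementsByTagName('Event') |
    ForEach-Object { ConvertFrom-AccountEvent $_ }
Find-ShortLivedAccount -Record $records | Format-List

# Live use: pipe Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720,4724,4726}
# through ForEach-Object { ConvertFrom-AccountEvent ([xml]$_.ToXml()).DocumentElement }.
```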

Common pitfalls (extended)

In addition to the basics above, watch for these in real deployments:

  1. Locale-sensitive /EXPIRES date format: /EXPIRES:12/31/2026 works in US/English; on a German locale, you'd need /EXPIRES:31.12.2026. PowerShell's Set-LocalUser -AccountExpires accepts a [DateTime] object and avoids this trap.
  2. net user cannot create a Microsoft Account-linked user — only fully local accounts. Use Settings → Accounts → Family & other users for MSA setup.
  3. Password length over 14 chars fails on older OSes — Windows pre-Vista LM-hash password limit was 14 chars. Modern Windows accepts up to 127, but cross-domain trusts with old domains may still reject longer ones.
  4. Renaming a built-in account does not change its SID: Administrator renamed to localadmin keeps RID 500, and security tools that key off the SID continue to recognize it.
  5. net user /DELETE does not orphan the SID immediately — internal SAM cleanup happens at the next service restart. ACLs still showing *S-1-5-21-... are normal until then.
  6. PASSWORDREQ:NO is a security risk — accounts with no password requirement can be used for lateral movement via psexec -u alicedev -p "". CIS baselines forbid this.
  7. Logon hours are enforced for new sessions only — already-logged-on users are NOT forcibly disconnected at end-of-hours unless you also set Force user logoff how long after time expires via net accounts /FORCELOGOFF.
  8. Service accounts should not have PasswordChg:YES — if the service account's password is changed externally, the service breaks. Set /PASSWORDCHG:NO and rotate via the service control manager.
  9. gMSA (Group Managed Service Accounts) — modern alternative to old-style service accounts. Cannot be managed with net user; use AD module: New-ADServiceAccount, Install-ADServiceAccount.
  10. /DOMAIN only works on domain-joined machines — on a workgroup machine, net user /DOMAIN returns "There is no domain controller available". Check membership with systeminfo | findstr Domain.
  11. Usernames are capped at 20 characters — Microsoft Learn documents the SAM-account-name limit explicitly; longer names truncate silently when consumed by legacy tooling. Passwords are capped at 127 characters; comments at 48; /USERCOMMENT at 255.
  12. /EXPIRES:Jan,9 rolls forward — when the year is omitted from the expiry date, Microsoft Learn states the next occurrence of the given month/day is assumed. Convenient for short-term contractor accounts; surprising when the script runs the day before the date and the account expires almost immediately.
  13. Hours are one-hour-granular: /TIMES:M,8AM-5PM works; /TIMES:M,8:30AM-5PM is rejected. The legacy SAM logon-hours bitmap stores 168 single-hour bits per week, so half-hour boundaries cannot be expressed.
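
Pitfalls 4 and 6 can be turned into a check. The following added example (not part of the original page) identifies the built-in accounts by RID instead of by name and lists enabled accounts with no password requirement, a non-expiring password or no recent logon. The function name, the 90-day threshold and the sample accounts are assumptions of this example.

```powershell
function Test-LocalAccountHygiene {
    param(
        [Parameter(Mandatory)][object[]]$Account,   # Get-LocalUser objects or look-alikes
        [int]$StaleDays = 90,
        [datetime]$Now = (Get-Date)
    )
    foreach ($a in $Account) {
        $sid = [string]$a.SID
        $findings = @()
        # Well-known RIDs identify the built-ins whatever they have been renamed to.
        if ($sid -match '^S-1-5-21-.+-500$' -and $a.Enabled) {
            $findings += "built-in Administrator (RID 500, currently named '$($a.Name)') is enabled"
        }
        if ($sid -match '^S-1-5-21-.+-501$' -and $a.Enabled) {
            $findings += 'built-in Guest (RID 501) is enabled'
        }
        if ($a.Enabled) {
            if (-not $a.PasswordRequired) { $findings += 'password not required' }
            # Get-LocalUser leaves PasswordExpires empty when the password never expires.
            if ($null -eq $a.PasswordExpires) { $findings += 'password never expires' }
            if ($a.LastLogon -and $a.LastLogon -lt $Now.AddDays(-$StaleDays)) {
                $findings += "no logon for more than $StaleDays days"
            }
        }
        if ($findings.Count) {
            [pscustomobject]@{ Name = $a.Name; SID = $sid; Findings = $findings -join '; ' }
        }
    }
}

# Constructed sample accounts with the property names Get-LocalUser emits.
$prefix = 'S-1-5-21-1111111111-2222222222-3333333333'
$sample = @(
    [pscustomobject]@{ Name = 'localadmin'; SID = "$prefix-500"; Enabled = $true
                       PasswordRequired = $true; PasswordExpires = $null
                       LastLogon = [datetime]'2026-05-20' }
    [pscustomobject]@{ Name = 'Guest'; SID = "$prefix-501"; Enabled = $false
                       PasswordRequired = $false; PasswordExpires = $null
                       LastLogon = $null }
    [pscustomobject]@{ Name = 'alicedev'; SID = "$prefix-1001"; Enabled = $true
                       PasswordRequired = $true; PasswordExpires = [datetime]'2026-07-01'
                       LastLogon = [datetime]'2026-05-25' }
    [pscustomobject]@{ Name = 'kioskuser'; SID = "$prefix-1002"; Enabled = $true
                       PasswordRequired = $false; PasswordExpires = $null
                       LastLogon = [datetime]'2026-01-15' }
)

Test-LocalAccountHygiene -Account $sample -Now ([datetime]'2026-05-25') | Format-List

# On a live machine: Test-LocalAccountHygiene -Account (Get-LocalUser)
```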

Real-world recipes (extended)

Onboard a developer workstation account

cmd
@echo off
set USER=alicedev
set FULLNAME=Alice Dev
set PWD=Welcome1!ChangeMe

net user %USER% "%PWD%" /ADD /FULLNAME:"%FULLNAME%" /COMMENT:"Developer workstation account" /LOGONPASSWORDCHG:YES
net localgroup "Users" %USER% /ADD >NUL 2>&1
net localgroup "Remote Desktop Users" %USER% /ADD
echo Account %USER% provisioned. Initial password: %PWD% (must change at next logon)

Output:

bash
The command completed successfully.
The command completed successfully.
Account alicedev provisioned. Initial password: Welcome1!ChangeMe (must change at next logon)

Offboard a user — disable, dump groups, archive profile

powershell
$user = 'alicedev'
$ts   = Get-Date -Format 'yyyyMMdd-HHmmss'

# Capture group memberships for audit
$groups = Get-LocalGroup | Where-Object { (Get-LocalGroupMember $_).Name -contains "$env:COMPUTERNAME\$user" }
$groups | Select Name | Export-Csv "C:\Offboarding\$user-groups-$ts.csv" -NoTypeInformation

# Disable instead of delete (preserves SID + ACLs)
Disable-LocalUser -Name $user

# Remove from all groups
foreach ($g in $groups) {
    Remove-LocalGroupMember -Group $g.Name -Member $user -ErrorAction SilentlyContinue
}

# Archive the profile
Compress-Archive -Path "C:\Users\$user\*" -DestinationPath "C:\Offboarding\$user-profile-$ts.zip"
Write-Host "Offboarded $user; profile archived to C:\Offboarding\$user-profile-$ts.zip"

Output:

ini
Offboarded alicedev; profile archived to C:\Offboarding\alicedev-profile-20260525-091422.zip

Find accounts with passwords that never expire

powershell
Get-LocalUser | Where-Object PasswordExpires -eq $null |
    Select-Object Name, Enabled, Description, LastLogon

Output:

sql
Name          Enabled Description                              LastLogon
----          ------- -----------                              ---------
svcbackup     True    Backup service account                   5/24/2026 2:00:00 AM
Administrator False   Built-in account for administering...    1/1/1601

Detect stale accounts (no logon for 90+ days)

powershell
Get-LocalUser | Where-Object {
    $_.Enabled -and $_.LastLogon -and $_.LastLogon -lt (Get-Date).AddDays(-90)
} | Select-Object Name, LastLogon, Description

Output:

sql
Name      LastLogon          Description
----      ---------          -----------
bobdev    1/15/2026 8:14 AM  Contractor — Q1 only

For domain users:

powershell
Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly |
    Select-Object SamAccountName, LastLogonDate, Enabled

Output:

sql
SamAccountName LastLogonDate          Enabled
-------------- -------------          -------
contractor1    1/10/2026 11:14:32 AM  True
contractor2    12/20/2025 9:00:00 AM  True

Audit local-vs-domain account map

On domain-joined machines, list which local accounts exist outside AD oversight (common audit finding):

powershell
Get-LocalUser | Where-Object PrincipalSource -eq 'Local' |
    Select-Object Name, Enabled, Description, LastLogon

Output:

sql
Name                Enabled Description
----                ------- -----------
Administrator       False   Built-in account for administering the computer/domain
Guest               False   Built-in account for guest access
svcbackup           True    Backup service account

Reset the local Administrator password remotely

powershell
Invoke-Command -ComputerName workstation01 -Credential (Get-Credential CORP\domainadmin) -ScriptBlock {
    # $pwd is PowerShell's automatic current-location variable, so use a different name
    $password = ConvertTo-SecureString "NewSt0ngP@ss!" -AsPlainText -Force
    Set-LocalUser -Name Administrator -Password $password
    Enable-LocalUser -Name Administrator
}

Output: (silent on success across WinRM)

For fleet-wide rotation, Microsoft's Local Administrator Password Solution (LAPS) is the recommended tool — it stores per-machine random admin passwords in AD and rotates them on a schedule. net user should not be used to set the local admin password manually on LAPS-managed boxes.

One-liner: show all enabled local accounts

powershell
Get-LocalUser -Verbose | Where-Object Enabled | Format-Table Name, FullName, LastLogon, PasswordLastSet

Output:

swift
Name      FullName    LastLogon              PasswordLastSet
----      --------    ---------              ---------------
alicedev  Alice Dev   5/25/2026 10:14:32 AM  5/25/2026 9:00:00 AM
svcbackup             5/24/2026 2:00:00 AM   1/15/2025 8:00:00 AM

Sources

  • net user — Microsoft Learn
  • net localgroup — Microsoft Learn (archived)