Add local user with administrator rights and to be disabled in a week

-1

1

I am preparing my pc lab for a workshop which will take two days.

I have been told to create local administrator accounts for each computer.

It is possible to add a user "workshop" with password "123456" usin NET command.

net user workshop 123456 /add
net localgroup "Administrators" "workshop" /add

But I need more. I need the user should be disabled after three days. What should be the command line like?

Özkan ÖZLÜ

Posted 2016-02-24T12:36:54.920

Reputation: 325

It's your lab PC, why cant you just log-in after three days and disable the accounts? – Smeerpijp – 2016-02-24T12:46:06.973

Bear in mind even if there is a way, they could easily undo that, create another account, get in to your main account etc. I'm not sure it would stop much. – Jonno – 2016-02-24T12:50:05.090

@Jonno, thank you for your advise. The guests will not harm the computer I guess. – Özkan ÖZLÜ – 2016-02-24T12:53:04.403

Answers

2

I think it can be done step by step:

1) Create user:

net user workshop 123456 /add

2) Add user to "Administrators" group:

net localgroup "Administrators" "workshop" /add

3) Set expiration date:

net user workshop /expires:27.02.2016

This looks OK.

Özkan ÖZLÜ

Posted 2016-02-24T12:36:54.920

Reputation: 325

Just remember, by making them admin, they can change their expiration time for workstation accounts. – Frank Thomas – 2016-02-24T12:52:12.117

@FrankThomas you are right. Maybe I should change the group. More powerful than limited user, but less authorized than administrator. – Özkan ÖZLÜ – 2016-02-24T12:54:20.660

0

You should try using the Task Scheduler for this

  1. Create a batch file with the command to delete the corresponding user using net user(net user usrname /del)
  2. goto task scheduler select create a new task
  3. choose approiate trigger
  4. Under action tab select start a program
  5. be sure to check to check "run with highest privillage(after creating task)"

Mohit Rajan

Posted 2016-02-24T12:36:54.920

Reputation: 131

0

There are several ways to disable an account on a schedule, but all are potentially vulnerable to tampering by an administrative account, when applied to local (workgroup) accounts.

For a workgroup you can use the net user workshop /expires:mm/dd/yyyy to automatically expire the account. Alternately you can create a Scheduled Task on the workstation, which runs net user workshop /active:no You can automate the creation of the scheduled task using schtasks.exe . The problem with this approach is that the administrative user could remove the scheduled task, or change their expiration date. There is basically nothing you can do to prevent a local admin from accessing local resources, so for workgroups, there is no perfect answer.

For a domain user, you can go a little further because you can seperate local admin rights from domain admin rights. In that case, if the user is not delegated user management, then you can just use /expires:MM/DD/YYYY on the domain account. If the user is delegated user management, but is not able to access the domain controller, you can schedule a task there to disable the user.

Frank Thomas

Posted 2016-02-24T12:36:54.920

Reputation: 29 039

Asked: 2016-02-24T12:36:54.920

Viewed: 5 405 times

Active: 2016-02-24T12:57:45.583