How to view the list of users on a Windows server


NET USER – managing user accounts

The NET USER command is used to add, edit, or view user accounts on computers. Run at the command line without parameters, it lists the Windows user accounts present on the computer (the command also works well in Windows 10). Information about user accounts is stored in the Windows database.

What the Net User command can do

Let's list the operations we can perform with the Net User command:

  1. Add an account;
  2. Add an account password;
  3. Change an account password;
  4. Disable an account;
  5. Delete an account.


NET USER command syntax

net user [username [password | *] [options]] [/domain]

net user username {password | *} /add [options] [/domain]

net user username [/delete] [/domain], where

  • username – Specifies the name of the user account to add, delete, edit, or view. The name can be up to 20 characters long.
  • password – Assigns or changes the user's password. Enter an asterisk (*) to be prompted for the password. The password characters are not displayed on screen as they are typed.
  • /domain – Performs the operation on the primary domain controller of this computer's domain.
  • options – Specifies a command-line option for the command.
  • net help command – Displays help for the specified net command.
  • /delete – Deletes the user account.

Examples of the NET USER command

  • To list all users of this computer, use the command: net user;
  • To add the user account User1 with a full name and the password 123, use the following command: net user User1 123 /add /fullname:"User1" /comment:"Для тестов";
  • To display information about the user "User1", use the following command: net user User1;
  • To change the password of user User1 to 890, use the command net user User1 890;
  • To disable the account, enter the command: net user User1 /active:no;
  • To delete the account, enter the command: net user User1 /delete.

Questions from subscribers and examples of using Net User

  1. How do I enable the built-in Administrator account? How do I get administrator rights in Windows? To do this, enter the command net user администратор /active:yes, and the Administrator account will be enabled (by default this account is disabled in the system);
  2. How do I use net user to create a user with administrator rights? In short, by additionally using the Net Localgroup command you can add accounts to the required group: Administrators, Power Users, or simply Users;
  3. Net user reset password, net user change password, net user username set new_password – we showed all of this with net user User1 890;
  4. Net user access denied, net user command completed with errors. It is all about rights: if you start the command prompt without administrative rights (i.e. as a regular user), the console returns an error;
  5. Net user user name not found – this is even simpler: there is no such user in the system, i.e. most likely the login is misspelled;
  6. Net user how to set a blank password – to reset a user's password to blank, enter the command net user User1 "";
  7. Net user how to rename a user? A very interesting question! The net user command cannot rename an account, but we suggest using the command wmic useraccount where name='currentname' rename newname.

Additional parameters of the NET USER command

We also recommend getting familiar with the additional parameters of the Net User command:

  • net user /active:{yes | no} – Activates or deactivates the account. If the account is not active, the user cannot access the server. By default the account is active.
  • /comment:"text" – Adds a description of the user account.
  • /countrycode:nnn – Uses the country code specified for the operating system to select the corresponding language files.
  • /expires:{date | never} – The account expiration date. The value never means the account never expires.
  • /fullname:"name" – The user's full name (as opposed to the user account name).
  • /homedir:path – Specifies the path to the user's home directory. The specified location must exist.
  • /passwordchg:{yes | no} – Specifies whether the user can change their own password (by default they can).
  • /passwordreq:{yes | no} – Specifies whether the user account must have a password (by default it must).
  • /profilepath[:path] – Specifies the path to the user's logon profile.
  • /scriptpath:path – The path to the user's logon script.
  • /times:{times | all} – Logon hours. The times value is given in the format day[-day][,day[-day]],hour[-hour][,hour[-hour]], in increments of 1 hour. Day names can be spelled out or abbreviated. Hours can be given in 12- or 24-hour notation. For 12-hour notation use am, pm, a.m., or p.m. The value all means no restriction on logon hours, and an empty value means logon is never allowed.
  • /usercomment:"text" – Lets an administrator add or change the comment for the account.
  • /workstations:{computer_name[,…] | *} – Lists up to 8 computers from which the user can log on to the network. If /workstations has no list of computers or the value is *, the user can log on from any computer.

Where does user administration on a terminal server begin?

With viewing the "Active" or "Disconnected" user sessions, of course.

Without this picture, administering a terminal server is impossible.

In addition to the article, I also recorded a detailed video on how to administer users on a terminal server (a must-watch for beginners!)


So, of course, we need to see in full detail what is happening on our terminal server!

Which processes are running on behalf of which users (including 1C processes), their identifiers, the users' session IDs: this and much more helps the administrator stay aware of what is happening on the server, manage it all accordingly, and react to various situations in time.

On different versions of Windows Server, administrators solve this in different ways.

Some view users with the plain Task Manager on Windows Server 2012 – 2016. Some use various commands in CMD, and some use PowerShell.

But all administrators want the same thing:

1.  To quickly see all users working on the server.

2.  For this to be as informative as possible.

3.  For it to be free.

For this reason I decided to collect all the best, simple, and fast methods that (in my opinion) are worth using.

I am sure these methods will help many beginner administrators with terminal server administration.

So, the first and simplest method (on Windows Server 2012 R2)

1.     Task Manager.

Task Manager, "Users" tab: lets us see the users who are working on this server.


But by default the standard Task Manager "Users" tab does not show that a user is working on the server remotely over RDP; fortunately, this is easy to fix.

Right-click the "User" column header and, in the context menu that appears, tick "Session"; it is also worth ticking "Client name".


This way we will know that this user is working on our server over RDP.

The drawbacks of this method are obvious: to view users we must be on the terminal server itself, where we run Task Manager, and there is no way to select, filter, and so on.

2.     quser

The next method is to use the quser command in CMD or PowerShell.

Quser is the equivalent of QUERY USER (the shorter form makes the command quicker to run).

It is simple: start CMD or PowerShell and type the command quser


This shows all users working on this server.

The method is very simple, fast, and quite informative.

It shows you the user, the session, its ID, the state, the session idle time, and the logon time.

If we want to see only one particular user, we can write, for example:

Example:

Term01 is the user's login.


Most system administrators prefer this method.

And not only because it is fast, simple, and so on, but also because you can view all users remotely, sitting at your own PC anywhere on the local network.

To do this, it is enough to run the command with the SERVER parameter

Example:
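
An added example, not from the original article: turning the text that quser prints into objects that can be filtered and sorted, including sessions on a remote server queried with the /server parameter. The function names, the server name SRV-TERM01, and the sample output are constructed for illustration.

```powershell
# Added example (not from the original article).
# $sample is constructed quser output. On a real host replace it with, for example:
#   $lines = quser /server:SRV-TERM01 2>$null     # SRV-TERM01 is a hypothetical server name

function ConvertTo-IdleTimeSpan {
    param([string]$Idle)
    # quser prints idle time as 'none' or '.', as minutes, as H:MM, or as D+HH:MM
    switch -Regex ($Idle) {
        '^(none|\.)$'          { return [timespan]::Zero }
        '^(\d+)\+(\d+):(\d+)$' { return New-TimeSpan -Days $Matches[1] -Hours $Matches[2] -Minutes $Matches[3] }
        '^(\d+):(\d+)$'        { return New-TimeSpan -Hours $Matches[1] -Minutes $Matches[2] }
        '^(\d+)$'              { return New-TimeSpan -Minutes $Matches[1] }
        default                { return $null }   # unrecognized (for example localized) value
    }
}

function ConvertFrom-QuserOutput {
    param(
        [string[]]$Lines,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    foreach ($line in ($Lines | Select-Object -Skip 1)) {        # skip the header row
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $isCurrent = $line.TrimStart().StartsWith('>')           # '>' marks the caller's own session
        $fields    = $line.Trim().TrimStart('>') -split '\s{2,}' # columns are separated by 2+ spaces

        # A disconnected session has an empty SESSIONNAME column,
        # so the split yields 5 fields instead of 6: re-insert the empty one.
        if ($fields.Count -eq 5) { $fields = @($fields[0], '') + $fields[1..4] }
        if ($fields.Count -ne 6) { Write-Warning "Unparsed line: $line"; continue }

        [pscustomobject]@{
            ComputerName = $ComputerName
            UserName     = $fields[0]
            SessionName  = $fields[1]
            Id           = [int]$fields[2]
            State        = $fields[3]
            Idle         = ConvertTo-IdleTimeSpan $fields[4]
            LogonTime    = $fields[5]
            IsCurrent    = $isCurrent
        }
    }
}

# Constructed sample: one console session, one active RDP session, one disconnected session
$sample = @'
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         console             1  Active      none   8/2/2021 9:01 AM
 term01                rdp-tcp#3           2  Active         5   8/2/2021 9:14 AM
 term02                                    3  Disc      1+02:13  8/1/2021 6:40 PM
'@ -split '\r?\n'

$sessions = ConvertFrom-QuserOutput -Lines $sample -ComputerName 'SRV-TERM01'

# All sessions as a table
$sessions | Format-Table ComputerName, UserName, SessionName, Id, State, Idle, LogonTime

# Disconnected sessions idle for more than an hour ('Disc' is the English state name;
# a localized system prints a different word)
$sessions |
    Where-Object { $_.State -eq 'Disc' -and $_.Idle -gt (New-TimeSpan -Hours 1) } |
    Format-Table UserName, Id, Idle, LogonTime
```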


CMD: Managing users in Windows. The NET USER and WHOAMI commands

Besides the graphical "User Accounts" snap-in in Control Panel, users in Windows can be managed from the command line.

The NET USER command

The NET USER command is used to view, add, or edit user accounts on computers. Run at the command line without parameters, it lists the Windows user accounts present on the computer (local accounts). Information about user accounts is stored in the Windows database.

NET USER command syntax

net user [username [password | *] [options]] [/domain]

net user username {password | *} /add [options] [/domain]

net user username [/delete] [/domain], where

  • username – Specifies the name of the user account to add, delete, edit, or view. The name can be up to 20 characters long.
  • password – Assigns or changes the user's password. Enter an asterisk (*) to be prompted for the password. The password characters are not displayed on screen as they are typed.
  • /domain – Performs the operation on the primary domain controller of this computer's domain.
  • options – Specifies a command-line option for the command.
  • net help command – Displays help for the specified net command.
  • /delete – Deletes the user account.

Additional parameters of the NET USER command:

  • /active:{yes | no} – Activates or deactivates the account. If the account is not active, the user cannot access the server. By default the account is active.
  • /comment:"text" – Adds a description of the user account (48 characters maximum). The description text is enclosed in quotation marks.
  • /countrycode:nnn – Uses the country code specified for the operating system to select the corresponding language files for displaying user help and error messages. The value 0 stands for the default country code.
  • /expires:{date | never} – The account expiration date. The value never means the account never expires. The date is given as mm/dd/yy or dd/mm/yy, depending on the country code. The month can be given as digits, spelled out, or abbreviated (three letters). The year can be given with two or four digits. The date elements are separated by a slash (/) with no spaces.
  • /fullname:"name" – The user's full name (as opposed to the user account name). The name is given in quotation marks.
  • /homedir:path – Specifies the path to the user's home directory. The specified location must exist.
  • /passwordchg:{yes | no} – Specifies whether the user can change their own password (default: yes).
  • /passwordreq:{yes | no} – Specifies whether the user account must have a password (default: yes).
  • /profilepath[:path] – Specifies the path to the user's logon profile.
  • /scriptpath:path – The path to the user's logon script.
  • /times:{times | all} – Logon hours. The times value is given in the format day[-day][,day[-day]],hour[-hour][,hour[-hour]], in increments of 1 hour. Day names can be spelled out or abbreviated. Hours can be given in 12- or 24-hour notation. For 12-hour notation use am, pm, a.m., or p.m. The value all means no restriction on logon hours, and an empty value means logon is never allowed. Day-of-week and time values are separated by a comma; multiple day-and-time entries are separated by a semicolon.
  • /usercomment:"text" – Lets an administrator add or change the comment for the account.
  • /workstations:{computer_name[,…] | *} – Lists up to 8 computers from which the user can log on to the network. If /workstations has no list of computers or the value is *, the user can log on from any computer.

Examples of the NET USER command

  • To list all users of this computer, use the command:
  • To display information about the user "petr", use the following command:
  • To add the user account Petr with a full name and permission to connect from 8:00 to 17:00, Monday through Friday, use the following command:

    net user petr /add /times:Пн-Пт,08:00-17:00 /fullname:"Petr"

  • To delete the account, enter the command:
  • To disable the account, enter the command:

To view the members of a local group, use the command net localgroup <"group name">

net localgroup "Администраторы"

The WHOAMI command

There is one more command for determining the properties of the current user's account: WHOAMI

Three ways of running WhoAmI:

Syntax 1:
WHOAMI [/UPN | /FQDN | /LOGONID]

Syntax 2:
WHOAMI { [/USER] [/GROUPS] [/CLAIMS] [/PRIV] } [/FO <format>] [/NH]

Syntax 3:
WHOAMI /ALL [/FO <format>] [/NH]

Description:
This program can be used to get user name and group information along with
the corresponding security identifiers (SID), claims, privileges, and logon
identifier of the current user on the local computer, i.e. to determine who
the current user is. If no parameter is specified, the user name is
displayed in NTLM format (domain\user).

Parameters:
/UPN Displays the user name in user principal name (UPN) format.

/FQDN Displays the user name in fully qualified domain name (FQDN) format.

/USER Displays information about the current user along with the security identifier (SID).

/GROUPS Displays the current user's group membership, account type, security identifiers (SID), and attributes.

/CLAIMS Displays the claims for the current user, including claim name, flags, type, and values.

/PRIV Displays the security privileges of the current user.

/LOGONID Displays the logon identifier of the current user.

/ALL Displays the user name, group membership, security identifiers (SID), claims, and privileges for the current user's logon token.

/FO <format> Output format. Valid values: TABLE, LIST, CSV. Column headers are not displayed in CSV format. Default format: TABLE.

/NH The column header row is not displayed in the output. Valid only for the TABLE and CSV formats.

/? Displays usage help.

Examples of using WHOAMI:

WHOAMI – display the current user's name in "domain\name" format

WHOAMI /UPN – display the current user's name in "name@domain" format

WHOAMI /FQDN – display the current user's name in fully qualified domain name (FQDN) format.

WHOAMI /LOGONID – display the current user's identifier.

WHOAMI /USER – display the name and SID of the current user.

WHOAMI /USER /FO LIST – same as the previous case, but with the data output as a list.

WHOAMI /GROUPS – display the list of groups the current user is a member of.

WHOAMI /GROUPS /FO CSV – same as the previous case, but with the results output as comma-separated fields.

WHOAMI /GROUPS /FO CSV > C:\MyGroups.csv – same as the previous example, but with the results written to the file C:\MyGroups.csv.

WHOAMI /PRIV – display the list of privileges of the current user.

WHOAMI /PRIV /FO TABLE – same as the previous example, but with the results displayed as a table.

WHOAMI /ALL – display the current user's SID information, group membership, and list of privileges.

The following materials were used in preparing this cheat sheet:

http://cmd4win.ru/administrirovanie-computera/administrirovanie-polzovatelej/43-netuser

https://ab57.ru/cmdlist/whoami.html


The Net User command is a Windows command-line utility for managing user accounts on a local Windows server or on a remote computer.

The Net User command allows you to create, delete, enable, or disable users on the system and set passwords for user accounts.

Windows administrators can add or modify domain user accounts using the net user command-line tool.

You can get user account information, enable or disable a user account, set the home directory path, set account expiration, and so on.

Command Net User to display user account info

In this article, we will discuss how to use the net user command-line tool with examples to get user account information, domain account status, and password expiry date.

Net User Command – Syntax


net user [<UserName> {<Password> | *} [<Options>]] [/domain]
net user [<UserName> {<Password> | *} /add [<Options>] [/domain]]
net user [<UserName> [/delete] [/domain]]

Parameters

Username – Specifies the user account name to add, modify, or display.

Password – Assigns or changes the password for the user account.

/domain – Performs the operation on the domain controller.

/active:{no | yes} – Enables or disables the user account.

/comment – Provides a descriptive comment for the user account.

/expires – Specifies the date on which the user account expires.

net help – Displays help for the net user command.

<Options> – Specifies command-line options.

Refer to the following table to know more about options used in net user command.

Command-line option syntax – Description

/active:{no | yes} – Use this option to enable or disable a user account. The default value is yes (active).

/comment:"<Text>" – Use this to provide comments for the user account, max 48 characters, and should be enclosed in quotation marks.

/countrycode:<NNN> – /countrycode option is used to set the country code for the user account to display help or error messages in their language. The default value is 0, which means the computer's default country/region code.

/expires:{{<MM/DD/YYYY> | <DD/MM/YYYY> | <mmm,dd,YYYY>} | never} – Use this option to specify the date for the user account to expire. If the expiration date is not specified, it will assume never expires.

/fullname:"<Name>" – Specify the user's full name instead of username.

/homedir:<Path> – Use this option to set the path for the user's home directory.

/passwordchg:{yes | no} – Use this to specify if the user can change their own password. The default value is yes.

/passwordreq:{yes | no} – It specifies if the user must have a password or not. The default is yes.

/profilepath:[<Path>] – Use this option to set a path for the user's logon profile. This path points to a registry profile.

/scriptpath:<Path> – Use this to set a path for the user's logon script. <Path> should be relative.

/times:{<Day>[<-Day>][,<Day>[-<Day>]],<Time>[-<Time>][,<Time>[-<Time>]][;] | all} – It specifies the times that users are allowed to use the computer.

/usercomment:"<Text>" – It specifies that an administrator can add or change the "User comment" for the account.

/workstations:{<ComputerName>[,…] | *} – It lists as many as eight workstations from which a user can log on to the network.
net user command options

Net User – List all User Accounts

Run the Net User command at the Windows command prompt without any parameters to list all user accounts on the local computer.

Open a command prompt to run the net user command below

net user

The above Windows net user command returns the list of all user accounts of the local computer.

net user accounts on local computer

Run the command net user on the domain controller to get a list of all users on the domain.

net user

The output of the above net user command lists the domain user accounts.

net user domain username

You can also use the net user command-line tool to get user account information, modify a user account, and check when the password was last set.

Net User Account – Display User Account Information

Run the net user command in the command line to get user account information.

net user Toms

The above net user command uses the username to retrieve user details and display net user account information below


C:\>net user Toms
User name                    Toms
Full Name                    John Paul
Comment                      Built-in account for administering the computer/domain
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            7/29/2021 6:55:50 PM
Password expires             9/9/2021 6:55:50 PM
Password changeable          7/30/2021 6:55:50 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   8/2/2021 11:53:32 AM

Logon hours allowed          All

Local Group Memberships      *Administrators
Global Group memberships     *Domain Admins        *Group Policy Creator
                             *Schema Admins        *Domain Users
                             *Enterprise Admins
The command completed successfully.


C:\>
net user account details

Net User Password Change for User Account

If you want to change a user password using the command line, use the net user command-line tool to set the password.

The syntax for the command net user to set a password for a user account is given below:

net user userid password

Let’s consider an example to reset the password for user account GaryW on the local computer, run the below command

net user garyw [email protected]

In the above net user command, garyw is a user account id and [email protected] is a password that is used with the command to set the password for the user account on the local computer.

The output of the above command is shown below

net user password change

Note: Run the Windows command prompt with administrator account privileges, otherwise it will display “System error 5 has occurred. Access is denied”.

There is an alternative and secure way to change the user password using the net user cmd tool as below

C:\>net user garyw *
Type a password for the user:
Retype the password to confirm:
The command completed successfully.

In the command, use * after the user name and hit enter.

It will prompt you to type the password for the user: and retype the password to confirm.

While typing a password, it won’t display password text on the command line.


Net User /domain – change domain user account password

Using the net user Windows command-line tool, you can set the password for the domain user account.

The syntax for the command net user to set the password for the domain user account is:

net user username {password | *} /domain

Run the following command to reset the domain user account password

net user garyw * /domain

In the above command, the net user command takes the user id as input, * indicates to prompt for the password. /domain specifies to perform domain account password change operation.

The output of the above net user /domain password change is shown below

net user /domain password change

Net User Disable Account

If you want to disable or lock a domain account using the net user command-line tool, run the following command

net user garyw /Active:No /domain

The above net user command disables or locks the domain user account specified by the user name, using the /Active option set to No together with /domain.

Run the command net user garyw /domain to check the user active account status

C:\>net user garyw /domain
User name                    garyw
Full Name                    Gary Willy
Comment
User's comment
Country/region code          000 (System Default)
Account active               No
Account expires              Never


Net User to Enable Domain Account

To enable or unlock domain account using the net user command, run the below command

net user garyw /Active:Yes /domain

net user /domain command using /Active option set to Yes enables user account.

Net User User Password Policy

If you want to prevent users from changing their domain account password, or to allow them to change it, run the net user command below

net user garyw /Passwordchg:No

In the above net user command, /Passwordchg option is set to No to prevent the user from changing the password.

To allow users to change the password, run the below command

net user garyw /Passwordchg:Yes

In the above command, the /Passwordchg option is set to Yes to allow the user to change their password.


Net User to find user full name

You can use the net user command-line tool to find the user’s full name in the domain as below

net user garyw /domain | Find /i "full name"

The above command finds the full name of the user in the domain, it uses the username /domain to find the user account in the domain and pipe the result to get the full name.

C:\Windows\system32>net user garyw /domain | Find /i "full name"
Full Name                    Gary Willy

How to set home directory for user?

Use the net user command-line tool to set a home directory for a new user or an existing user using the homedir option as below

Set home directory for the new user

net user adams /domain /add /homedir:C:\users\adams

In the above command, net user creates a new user named adams in the domain and sets the user's home directory to C:\users\adams

You can set up a home directory for an existing user as below

net user garyw /domain /homedir:C:\users\garyw

The above command sets the home directory for an existing user in the domain using the net user command and the homedir option.


Set Expiry date for User Account on Local and Domain

Setting an expiration date on user accounts is a good practice for organizations managing security and resources.

Using the net user command, you can easily set an expiry date for a user account on the local computer or for a domain user account.

If you want to set up an expiry date for user accounts on the local computer or a Windows 11 user account, run the following command.

# Set expire date for local user account
Net User devadmin /expires:03/05/2023

In the above command, the net user command takes the username as the input parameter and uses /expires option to set up the expiry date for the user account on the local computer.

If you want to set up an expiry date for the user account on the domain controller, run the following command.

# Set expire date for domain user account
Net User Toms /domain /expires:09/20/2022

In the above command, the net user takes the user name and uses /domain to set up an expiry date in the domain using /expires option.

Set up Login Times for User Account

Using the net user command, you can set up login times for the user account to allow them to be used within specific hours only.

Run the following command to set login times for the user account.

# Set login time to allow user login in specific duration
Net User Toms /times:M-F,07:00-16:00

In the above command, the net user command takes the user name and sets the login time for the account to allow login between 7 am and 4 pm on Monday-Friday only.

Net User Command Examples and FAQ

How to reset the user password using the net user command?

Open the Windows command prompt with Administrator privileges and run the following command to reset the password for a user account.

net user userid newpassword

How to use the net user command?

Net user is a command-line tool for managing user accounts on local computers and domain controllers. To use it, open the command prompt and type net user; it will list all user accounts.

net user

How to check domain user details in cmd?

Use the net user command to view the user account details on the domain. The syntax to check user account information is:

net user userid

How to use the net user command to see when the password expires?

If you run net user userid on cmd terminal, it retrieves user information that includes the property “Password expires“. Use this property to see the user account password expiry date.

How to use the net user command to check the last login of the user?

To check the last login of the user on the domain using the net user command, run the command prompt and run the below command.

net user Toms /domain | Findstr "Last"
It returns the Last Login date for the user account on the domain.

How to use the net user command to set a password never expires using the command line?

To set the password to never expire on a user account from the cmd terminal, run the following WMIC command.

WMIC useraccount where Name='username' set PasswordExpires=FALSE

For example, to make the administrator password never expire, first check the current values with the net user command:

net user administrator |findstr /C:expires
Returns the output as
Account expires Never
Password expires 2/26/2023 4:10:20 PM

Run the WMIC command to set the PasswordExpires property for the administrator account to false.

WMIC useraccount where Name='administrator' SET PasswordExpires=FALSE

The above command sets the administrator password to never expire.
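
The account settings changed on this page with net user and WMIC (the built-in Administrator enabled with /active:yes, a blank password, /passwordreq:no, PasswordExpires=FALSE) are the same ones worth reviewing periodically on a server. The following is an added example, not code from the original articles, that lists enabled local accounts carrying those settings; the function name Get-LocalAccountAudit and the 90-day threshold are assumptions.

```powershell
# Added example, not from the original articles. Uses the built-in LocalAccounts
# cmdlets (Windows PowerShell 5.1+); run elevated so every property is readable.

function Get-LocalAccountAudit {
    [CmdletBinding()]
    param(
        [int]$StaleDays = 90    # assumption: no logon for 90 days counts as stale
    )

    # Resolve the local Administrators group by its well-known SID, so the check
    # also works on localized systems where the group is named "Администраторы".
    $adminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
                   ForEach-Object { $_.SID.Value })
    $staleBefore = (Get-Date).AddDays(-$StaleDays)

    foreach ($user in Get-LocalUser) {
        if (-not $user.Enabled) { continue }    # disabled accounts: net user <name> /active:no
        $sid      = $user.SID.Value
        $findings = @()

        if ($sid -match '-500$') {
            # RID 500 identifies the built-in Administrator even if it was renamed
            $findings += 'built-in Administrator (RID 500) is enabled'
        }
        if (-not $user.PasswordRequired) {
            $findings += 'password not required (/passwordreq:no), blank password allowed'
        }
        if ($null -eq $user.PasswordExpires) {
            # Also null when the local policy sets no maximum password age
            $findings += 'password never expires'
        }
        if ($null -eq $user.LastLogon) {
            $findings += 'never logged on'
        }
        elseif ($user.LastLogon -lt $staleBefore) {
            $findings += "no logon for more than $StaleDays days"
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Name            = $user.Name
                IsAdministrator = $adminSids -contains $sid
                PasswordLastSet = $user.PasswordLastSet
                LastLogon       = $user.LastLogon
                Findings        = $findings -join '; '
            }
        }
    }
}

# Administrators first, then everyone else
Get-LocalAccountAudit |
    Sort-Object IsAdministrator -Descending |
    Format-Table -AutoSize -Wrap
```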

Conclusion

I hope the above article on the net user command line tool in the Windows system helps you to understand how to manage net user accounts using the command line.

net user without any option gets all the user accounts on the computer. You can also use net users.

You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.

Listing users on a remote computer

Sometimes you need to find out which users are currently working on a remote computer. This is very easy to do with PowerShell and WMI.

When a user logs on, an instance of the explorer.exe process is started, so by finding out who owns that process we also find out who is currently logged on. To do this, create a script with the following content:

$ComputerName = Read-Host ″Enter remote computer name″
$credential = Get-Credential

Get-WMIObject Win32_Process -filter ‘name=″explorer.exe″’ -computername $computername -Credential $credential |
ForEach-Object {
$owner = $_.GetOwner()
‘{0}{1}’ -f $owner.Domain, $owner.User} |
Sort-Object |
Get-Unique |
ForEach-Object {
$rv = 1 | Select-Object ComputerName, User
$rv.ComputerName = $computername
$rv.User = $_
$rv
}

Запускаем скрипт, указываем имя компьютера, учетные данные для подключения и получаем список пользователей, залогинившихся на этом компьютере.

кто залогинен на сервере

Вот так просто, и не требуется никаких дополнительных оснасток.

Иногда может понадобится проверить какие в данный момент залогинены в системе, то есть являются активными. Такую информацию можно использовать для аудита, например для проверки какие учетные записи за какими компьютерами сидят или для последующей перезагрузки сервера, что бы не останавливать работу коллег. В примерах ниже рассмотрено как выполнять удаленные команды для получения активных пользователей и возврата включенных пользователей Active Directory.

Getting the name of the logged-on user

I can't recall a ready-made PowerShell command that returns the user's login, but it can be done through WMI:

Get-WmiObject -Class Win32_ComputerSystem | Select-Object UserName

There is also the option of using CIM, which may work a little faster:

Get-CimInstance -ClassName Win32_ComputerSystem | Select-Object UserName

Both commands can work remotely if you add the ComputerName parameter:

Get-WmiObject -ComputerName 'localhost' -Class Win32_ComputerSystem | Select-Object UserName

If you plan to run these commands remotely, you may first need to do some preliminary setup: opening ports and granting the necessary permissions.

You can get just the user name like this:

$userinfo = Get-WmiObject -ComputerName 'localhost' -Class Win32_ComputerSystem
# -split takes a regular expression, so the backslash must be escaped
$user = $userinfo.UserName -split '\\'
$user[1]

As you know, Windows also has parallel sessions for services. If you need to return the names of those accounts, use the "Win32_LoggedOnUser" class:

Get-CimInstance -ComputerName 'localhost' -Class win32_LoggedOnUser | ft

Getting a list of computers

If you do not have a list of the computers you plan to connect to and check for the active user, you can get one from AD. The example below returns all computers:

Get-ADComputer -Filter *

Getting the list of computers can take a very long time if you have a large fleet of PCs in AD. You can return only the computers that are not disabled in AD (Disable) as follows:

Get-ADComputer -Filter * | where Enabled -eq $True

You can also use filtering. This is how I return the computers whose names start with "CL":

Get-ADComputer -Filter {Name -like 'CL*'} | where Enabled -eq $True

We can get the list of names like this:

$pc = Get-ADComputer -Filter {Name -like 'CL*'} | where Enabled -eq $True
$pc.Name

If your list of computers does not come from AD or has a different format, simply convert it to an array:

# Text with the computer names
$pc = 'Computer1,Computer2,Computer3'
# Convert to an array
$pc_array = $pc -split ','
$pc_array

Getting logged-on users remotely

Getting the user name remotely with WMI and CIM was already covered above. Putting the two commands together, we can get all users who are active at the moment like this:

# Computer names
$computers = (Get-AdComputer -Filter *).Name
# Get the users remotely
foreach ($computer in $computers){
    Get-CimInstance -ComputerName $computer -ClassName Win32_ComputerSystem | Select-Object UserName
}

This approach can produce errors, because we do not check whether the computers are powered on.

We can simply suppress the errors with "-ErrorAction SilentlyContinue" or ping the computers beforehand (which would be better in terms of execution time). In the example below I also split the computer name and the login into a more convenient format:

# Computer names
$computers = (Get-AdComputer -Filter *).Name
# Get the account names remotely
foreach ($computer in $computers){
    $result = Get-CimInstance -ComputerName $computer -ClassName Win32_ComputerSystem -ErrorAction SilentlyContinue
    # -split takes a regular expression, so the backslash must be escaped
    $computer_login = $result.UserName -split '\\'
    if ($computer_login){
        Write-Host 'ComputerName: ' $computer_login[0]
        Write-Host 'UserName: ' $computer_login[1]
    }
}

If you do not want to run the commands remotely over WMI, you can use PSRemoting. It also requires preliminary setup, which is described in the article "Remote management with PowerShell". A command that uses PSRemoting will look much the same:

# Computer names
$computers = (Get-AdComputer -Filter *).Name
# Get the account names remotely
foreach ($computer in $computers){
    $result = Invoke-Command -ComputerName $computer `
          -ScriptBlock {
              Get-WMIObject -ClassName Win32_ComputerSystem `
                            -ErrorAction SilentlyContinue
                       } `
          -ErrorAction SilentlyContinue
    # -split takes a regular expression, so the backslash must be escaped
    $computer_login = $result.UserName -split '\\'
    if ($computer_login){
        Write-Host 'ComputerName: ' $computer_login[0]
        Write-Host 'UserName: ' $computer_login[1]
    }
}
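The text above suggests pinging each computer before querying it. One way to do that, as an added example that is not part of the original article: the function name Get-ConsoleUser, the Status values and the host name no-such-host.invalid are hypothetical. The 'localhost' query needs WinRM enabled, because Get-CimInstance with -ComputerName connects over WS-Man.

```powershell
# Added example: ping first, then query Win32_ComputerSystem, and return
# one object per computer instead of Write-Host text.

function Get-ConsoleUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ComputerName,

        # Upper bound for the CIM query on a host that answers ping
        [uint32]$TimeoutSec = 10
    )

    process {
        foreach ($computer in $ComputerName) {
            $row = [ordered]@{
                ComputerName = $computer
                Status       = 'NoPingReply'
                Domain       = $null
                User         = $null
                Detail       = $null
            }

            # A single echo request is much cheaper than waiting for a
            # CIM connection to time out. Hosts that drop ICMP are
            # reported as NoPingReply even though they are up.
            if (Test-Connection -ComputerName $computer -Count 1 -Quiet `
                                -ErrorAction SilentlyContinue) {
                try {
                    $cs = Get-CimInstance -ComputerName $computer `
                                          -ClassName Win32_ComputerSystem `
                                          -OperationTimeoutSec $TimeoutSec `
                                          -ErrorAction Stop
                    if ($cs.UserName) {
                        # UserName is DOMAIN\user; -split takes a regex,
                        # so the backslash is escaped. Limit to 2 parts.
                        $domain, $user = $cs.UserName -split '\\', 2
                        $row.Status = 'LoggedOn'
                        $row.Domain = $domain
                        $row.User   = $user
                    }
                    else {
                        # The query worked but the property is empty.
                        $row.Status = 'NoUserReported'
                    }
                }
                catch {
                    # Access denied, firewall, WinRM not configured, ...
                    $row.Status = 'QueryFailed'
                    $row.Detail = $_.Exception.Message
                }
            }

            [pscustomobject]$row
        }
    }
}

# Constructed input: the local machine and a name that cannot resolve.
$results = 'localhost', 'no-such-host.invalid' | Get-ConsoleUser
$results | Format-Table ComputerName, Status, Domain, User

# Feeding the audit from AD as in the article (needs the ActiveDirectory module):
# (Get-ADComputer -Filter 'Enabled -eq $true').Name | Get-ConsoleUser |
#     Export-Csv -Path .\console-users.csv -NoTypeInformation
```

Because every computer yields a row with a Status, hosts that failed the query stay visible in the audit instead of being silently dropped by -ErrorAction SilentlyContinue.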

Getting enabled AD users

If you need to return the accounts that are enabled in AD, run the following command:

Get-AdUser -Filter * | where 'Enabled' -eq $True

To return only disabled accounts, use $False.

This approach also works for computer objects in AD:

Get-AdComputer -Filter * | where 'Enabled' -eq $False

For subsequently exporting the data to Excel, read the article "How to export AD users and groups to CSV in PowerShell".

Whoami or WMI

You may recall a command that also returns the user name:

whoami

As you can see, it returns the same information as the WMI class. The situation changes when these commands are used remotely:

# The user who logged on to Windows and opened PowerShell
whoami
# The user who will connect remotely through PowerShell
$new_psuser = Get-Credential 'admin'
# The whoami approach
Invoke-Command -ComputerName 'localhost' `
               -Credential $new_psuser `
               -ScriptBlock {whoami}
# The WMI approach
Invoke-Command -ComputerName 'localhost' `
               -Credential $new_psuser `
               -ScriptBlock {(Get-WmiObject -Class Win32_ComputerSystem).UserName}

As you can see, with whoami we got back the name of the account that ran the PowerShell command, and with WMI the Windows user.

How do I get a list of users in Windows Server?

Open Computer Management and go to Local Users and Groups -> Users. On the right side you see all the user accounts, their names as used by Windows behind the scenes, their full names (or display names), and a description of each.

How do I get a list of users in Windows Server 2012?

Log in to Windows Server 2012 R2 and follow the instructions below to view the active remote users:

  1. Right-click the taskbar and choose Task Manager from the menu.
  2. Switch to the Users tab.
  3. Right-click one of the existing columns, such as User or Status, and then select Session from the context menu.

Jun 16, 2016

How do I manage users in Windows Server?

Configuring permissions and groups (Windows Server)

  1. Log in to Microsoft Windows Server as an administrator.
  2. Create a group. Click Start > Control Panel > Administrative Tools > Computer Management. …
  3. Configure the DataStage users and group for logon. …
  4. Add users to the group. …
  5. Set permissions for the following folders:

How do I add users to Active Directory?

Using the GUI

  1. Go to Active Directory Users and Computers.
  2. Click Users or the folder that contains the user account.
  3. Right-click the user account and click Properties.
  4. Click the Member Of tab.

Mar 29, 2020

How do I add users in Windows Server?

To add users to a group:

  1. Click the Server Manager icon (…
  2. Select the Tools menu in the upper right, then select Computer Management.
  3. Expand Local Users and Groups.
  4. Expand Groups.
  5. Double-click the group to which you want to add users.
  6. Select Add.

How do I find users on a server?

To view a list of user accounts

  1. Open the Windows Server Essentials Dashboard.
  2. On the main navigation bar, click Users.
  3. The Dashboard displays a current list of user accounts.

Oct 3, 2016

How do I find my RDS server?

To open Remote Desktop Licensing Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Licensing Manager. Right-click the license server for which you want to view the license server ID, and then click Properties. Click the Connection Method tab.

How do I add a user in Server 2012?

HOW TO: Add a new user account - Server 2012

  1. On the Server 2012 Start screen, press Windows Key + X. A context menu opens.
  2. In the context menu, select Computer Management. …
  3. In the navigation tree on the left of the Computer Management window, select Local Users and Groups. …
  4. To add more users, right-click Users and select New User….

How do I find remote users on my server?

Remotely

  1. Hold down the Windows key and press R to open the Run window.
  2. Type CMD, then press Enter to open a command prompt.
  3. At the command prompt, type the following and press Enter: query user /server:computername. …
  4. The computer name or domain is displayed, followed by the user name.

How do I give myself administrator access to Windows Server?

Open the Local Users and Groups tool and go to the Groups tab. Select the Windows Admin Center Readers group. In the Details pane at the bottom, click Add User and enter the name of a user or security group that should have read-only access to the server through Windows Admin Center.

How do I manage user access?

Tips for managing user access effectively

  1. Use the principle of least privilege.
  2. Limit or revoke superuser access rights.
  3. Plan privileges ahead of time.
  4. Use a password manager.
  5. Review access for privileged users.

How do I manage access control?

Managing access control is an important component of effectively managing the flow of people and restricting access where needed. Gone are the days when locking a door or putting up a temporary barrier was a sufficient form of access control.

What kind of command is net user?

Net User is a command-line tool that lets system administrators manage user accounts on Windows PCs. You can use the command to display account information or to make changes to user accounts. It can be used, among other things, to enable the inactive administrator account of a Windows system.

To export the data, start Active Directory Users and Computers. Navigate to the domain structure of the organizational unit you want to export and click it. From the menu, select the Export List icon (see Fig. 1). At this point you will need to choose whether you want.

How can I get a list of all domain users?

List of all users and groups in a domain

  1. NET USERS /DOMAIN >USERS.TXT
  2. NET ACCOUNTS /DOMAIN >ACCOUNTS.TXT
  3. NET CONFIG SERVER >SERVER.TXT
  4. NET CONFIG WORKSTATION >WKST.TXT
  5. NET GROUP /DOMAIN >DGRP.TXT
  6. NET LOCALGROUP >LGRP.TXT
  7. NET VIEW /DOMAIN:DOMAINNAME >VIEW.TXT
  8. ADDUSERS \\COMPUTERNAME /D USERINFO.TXT

title: Manage User Accounts in Windows Server Essentials
description: Learn about the Users page of the Windows Server Essentials Dashboard and how it centralizes information and tasks that help you manage the user accounts.
ms.date: 10/03/2016
ms.topic: article
ms.assetid: 0d115697-532b-48c2-a659-9f889e235326
author: nnamuhcs
ms.author: wscontent
manager: mtillman

Manage User Accounts in Windows Server Essentials

Applies To: Windows Server 2016 Essentials, Windows Server 2012 R2 Essentials, Windows Server 2012 Essentials

The Users page of the Windows Server Essentials Dashboard centralizes information and tasks that help you manage the user accounts on your small business network. For an overview of the Users Dashboard, see Dashboard Overview.

Managing user accounts

The following topics provide information about how to use the Windows Server Essentials Dashboard to manage the user accounts on the server:

  • Add a user account

  • Remove a user account

  • View user accounts

  • Change the display name for the user account

  • Activate a user account

  • Deactivate a user account

  • Understand user accounts

  • Manage user accounts using the Dashboard

Add a user account

When you add a user account, the assigned user can log on to the network, and you can give the user permission to access network resources such as shared folders and the Remote Web Access site. Windows Server Essentials includes the Add a User Account Wizard that helps you:

  • Provide a name and password for the user account.

  • Define the account as either an administrator or as a standard user.

  • Select which shared folders the user account can access.

  • Specify if the user account has remote access to the network.

  • Select email options if applicable.

  • Assign a Microsoft Online Services account (referred to as a Microsoft 365 account in Windows Server Essentials) if applicable.

  • Assign user groups (Windows Server Essentials only).

[!NOTE]

  • Non-ASCII characters are not supported in Microsoft Azure Active Directory (Azure AD). Do not use any non-ASCII characters in your password, if your server is integrated with Azure AD.
  • The email options are only available if you install an add-in that provides email service.

To add a user account
  1. Open the Windows Server Essentials Dashboard.

  2. On the navigation bar, click Users.

  3. In the Users Tasks pane, click Add a user account. The Add a User Account Wizard appears.

  4. Follow the instructions to complete the wizard.

Remove a user account

When you choose to remove a user account from the server, a wizard deletes the selected account. Because of this, you can no longer use the account to log on to the network or to access any of the network resources. As an option, you can also delete the files for the user account at the same time that you remove the account. If you do not want to permanently remove the user account, you can deactivate the user account instead to suspend access to network resources.

[!IMPORTANT]
If a user account has a Microsoft online account assigned, when you remove the user account, the online account also is removed from Microsoft Online Services, and the user’s data, including email, is subject to data retention policies in Microsoft Online Services. If you want to retain user data for the online account, deactivate the user account instead of removing it. For more information, see Manage Online Accounts for Users.

To remove a user account
  1. Open the Windows Server Essentials Dashboard.

  2. On the navigation bar, click Users.

  3. In the list of user accounts, select the user account that you want to remove.

  4. In the <User Account> Tasks pane, click Remove the user account. The Delete a User Account Wizard appears.

  5. On the Do you want to keep the files? page of the wizard, you can choose to delete the user’s files, including File History backups and the redirected folder for the user account. To keep the user’s files, leave the check box empty. After making your selection, click Next.

  6. Click Delete account.

[!NOTE]
After you remove a user account, the account no longer appears in the list of user accounts. If you chose to delete the files, the server permanently deletes the user’s folder from the Users server folder and from the File History Backups server folder.

If you have an integrated email provider, the email account assigned to the user account will also be removed.

View user accounts

The Users section of the Windows Server Essentials Dashboard displays a list of network user accounts. The list also provides additional information about each account.

To view a list of user accounts
  1. Open the Windows Server Essentials Dashboard.

  2. On the main navigation bar, click Users.

  3. The Dashboard displays a current list of user accounts.

To view or change properties for a user account
  1. In the list of user accounts, select the account for which you want to view or change properties.

  2. In the <User Account> Tasks pane, click View the account properties. The Properties page for the user account appears.

  3. Click a tab to display the properties for that account feature.

  4. To save any changes that you make to the user account properties, click Apply.

Change the display name for the user account

The display name is the name that appears in the Name column on the Users page of the Dashboard. Changing the display name does not change the logon or sign-in name for a user account.

To change the display name for a user account
  1. Open the Windows Server Essentials Dashboard.

  2. On the navigation bar, click Users.

  3. In the list of user accounts, select the user account that you want to change.

  4. In the <User Account> Tasks pane, click View the account properties. The Properties page for the user account appears.

  5. On the General tab, type a new First name and Last name for the user account, and then click OK.

    The new display name appears in the list of user accounts.

Activate a user account

When you activate a user account, the assigned user can log on to the network and access network resources to which the account has permission, such as shared folders and the Remote Web Access site.

[!NOTE]
You can only activate a user account that is deactivated. You cannot activate a user account after you remove it from the server.

To activate a user account
  1. Open the Windows Server Essentials Dashboard.

  2. On the navigation bar, click Users.

  3. In the list view, select the user account that you want to activate.

  4. In the <User Account> Tasks pane, click Activate the user account.

  5. In the confirmation window, click Yes to confirm your action.

[!NOTE]
After you activate a user account, the status for the account displays Active. The user account regains the same access rights that were assigned prior to account deactivation.

If you have an integrated email provider, the email account assigned to the user account will also be activated.

Deactivate a user account

When you deactivate a user account, account access to the server is temporarily suspended. Because of this, the assigned user cannot use the account to access network resources such as shared folders or the Remote Web Access site until you activate the account.

If the user account has a Microsoft online account assigned, the online account is also deactivated. The user cannot use resources in Microsoft 365 and other online services that you subscribe to, but the user’s data, including email, is retained in Microsoft Online Services.

[!NOTE]
You can only deactivate a user account that is currently active.

To deactivate a user account
  1. Open the Windows Server Essentials Dashboard.

  2. On the navigation bar, click Users.

  3. In the list view, select the user account that you want to deactivate.

  4. In the <User Account> Tasks pane, click Deactivate the user account.

  5. In the confirmation window, click Yes to confirm your action.

[!NOTE]
After you deactivate a user account, the status for the account displays Inactive.

If you have an integrated email provider, the email account assigned to the user account will also be deactivated.

Understand user accounts

A user account provides important information to Windows Server Essentials, which enables individuals to access information that is stored on the server, and makes it possible for individual users to create and manage their files and settings. Users can log on to any computer on the network if they have a Windows Server Essentials user account and they have permissions to access a computer. Users access their user accounts with their user name and password.

There are two main types of user accounts. Each type gives users a different level of control over the computer:

  • Standard accounts are for everyday computing. The standard account helps protect your network by preventing users from making changes that affect other users, such as deleting files or changing network settings.

  • Administrator accounts provide the most control over a computer network. You should assign the administrator account type only when necessary.

Manage user accounts using the Dashboard

Windows Server Essentials makes it possible to perform common administrative tasks by using the Windows Server Essentials Dashboard. By default, the Users page of the Dashboard includes two tabs: Users and Users Groups.

[!NOTE]

  • If you integrate your server that is running Windows Server Essentials with Microsoft 365, a new tab called Distribution Groups is also added within the Users page of the Dashboard.
  • In Windows Server Essentials, the Users page of the Dashboard includes only a single tab: Users.

The Users tab includes the following:

  • A list of user accounts, which displays:

    • The name of the user.

    • The Logon name for the user account.

    • Whether the user account has Anywhere Access permission. Anywhere Access permission for a user account is either Allowed or Not allowed.

    • Whether the File History for this user account is managed by the server running Windows Server Essentials. The File History status for a user account is either Managed or Not managed.

    • The level of access that is assigned to the user account. You can assign either Standard user access or Administrator access for a user account.

    • The user account status. A user account can be Active, Inactive, or Incomplete.

    • In Windows Server Essentials, if the server is integrated with Microsoft 365 or Windows Intune, the Microsoft online account is displayed.

    • In Windows Server Essentials, if the server is integrated with Microsoft 365, the status of the account (known in Windows Server Essentials as the Microsoft online account) for the user account is displayed.

  • A details pane with additional information about a selected user account.

  • A tasks pane that includes:

    • A set of user account administrative tasks such as viewing and removing user accounts, and changing passwords.

    • Tasks that allow you to globally set or change settings for all user accounts in the network.

    The following table describes the various user account tasks that are available from the Users tab. Some of the tasks are user account-specific, and they are only visible when you select a user account in the list.

[!NOTE]
If you integrate Microsoft 365 with Windows Server Essentials, additional tasks will become available. For more information, see Manage Online Accounts for Users.

User account tasks in the Dashboard

Task name | Description
--- | ---
View the account properties | Enables you to view and change the properties of the selected user account, and to specify folder access permissions for the account.
Deactivate the user account | A user account that is deactivated cannot log on to the network or access network resources such as shared folders or printers.
Activate the user account | A user account that is activated can log on to the network and can access network resources as defined by the account permissions.
Remove the user account | Enables you to remove the selected user account.
Change the user account password | Enables you to reset the network password for the selected user account.
Add a user account | Starts the Add a User Account Wizard, which enables you to create a single new user account that has either standard user access or administrator access.
Assign a Microsoft online account | Adds a Microsoft online account to the local network user account that is selected. This task is displayed when your server is integrated with Microsoft online services, such as Microsoft 365.
Add Microsoft online accounts | Adds Microsoft online accounts and associates them to local network user accounts. This task is displayed when your server is integrated with Microsoft online services, such as Microsoft 365.
Set the password policy | Enables you to change the values of the password policies for your network.
Import Microsoft online accounts | Performs a bulk import of accounts from Microsoft online services into the local network. This task is displayed when your server is integrated with Microsoft online services, such as Microsoft 365.
Refresh | Refreshes the Users tab. This task is applicable to Windows Server Essentials.
Change File History settings | Enables you to change File History settings, such as backup frequency, or backup duration. This task is applicable to Windows Server Essentials.
Export all remote connections | Creates a .CSV-format file of all remote connections to the server that have occurred over the past 30 days.

Managing passwords and access

The following topics provide information about how to use the Windows Server Essentials Dashboard to manage user account passwords and user access to the shared folders on the server:

  • Change or reset the password for a user account

  • What you should know about password policies

  • Change the password policy

  • Level of access to shared folders

  • Retain and manage access to files for removed user accounts

  • Synchronize the DSRM password with the network administrator password

  • Give user accounts remote desktop permission

  • Enable users to access resources on the server

  • Change remote access permissions for a user account

  • Change virtual private network permissions for a user account

  • Change access to internal shared folders for a user account

  • Allow user accounts to establish a remote desktop session to their computer

Change or reset the password for a user account

To change or reset a user account password, follow these steps.

To reset the password for a user account
  1. Open the Windows Server Essentials Dashboard.

  2. On the navigation bar, click Users.

  3. In the list of user accounts, select the user account that you want to reset.

  4. In the <User Account> Tasks pane, click Change the user account password. The Change User Account Password Wizard appears.

  5. Type a new password for the user account, and then type the password again to confirm it.

  6. Click Change password.

  7. Provide the new password to the user.

    [!IMPORTANT]

    • You may not be able to change your password if the password policy for your account has been set to Passwords never expire.
    • Non-ASCII characters are not supported in Azure AD. Therefore, if your server is integrated with Azure AD, do not use any non-ASCII characters in your password.
    • If a Microsoft online account (known in Windows Server Essentials as a Microsoft 365 account) is assigned to the user, the password is synchronized with the online account password. The user will use the new password to sign in on the server or sign in to Microsoft 365. For more information, see Manage Online Accounts for Users.

What you should know about password policies

The password policy is a set of rules that define how users create and use passwords. The policy helps to prevent unauthorized access to user data and other information that is stored on the server. The password policy is applied to all user accounts that access the network.

The Windows Server Essentials password policy consists of three primary elements as follows:

  • Password length. The longer a password is, the more secure it is. Blank passwords are not secure.

  • Password complexity. Complex passwords contain a mixture of uppercase and lowercase letters (a-z, A-Z), base numbers (0-9), and non-alphabetic symbols (such as !, @, #, _, -). Complex passwords are much less susceptible to unauthorized access. Passwords that contain user names, birthdates, or other personal information do not provide adequate security.

  • Password age. Windows Server Essentials requires that users change their password at least once every 180 days. As an option, you can choose to have passwords never expire.

    To make it easier to implement a password policy on your computer network, Windows Server Essentials provides a simple tool that allows you to set or change the password policy to any of the following four pre-defined policy profiles:

  • Weak. Users can specify any password that is not blank.

  • Medium. These passwords must contain at least 5 characters. A complex password is not required.

  • Medium Strong. These passwords must contain at least 5 characters, and must include letters, numbers, and symbols.

  • Strong. These passwords must contain at least 7 characters, and must include letters, numbers, and symbols. These passwords are more secure, but may be more difficult for users to remember.

    [!NOTE]
    Passwords cannot contain the user name or email address.

    If you integrate with Microsoft 365, the integration enforces the Strong password policy, and updates the policy to include the following requirements:

    • Passwords must contain 8-16 characters.
    • Passwords cannot contain a space or the Microsoft 365 email name.

    By default, server installation sets the default password policy to the Strong option.

Change the password policy

Use the following procedure to set or change the password policy to any of four pre-defined policy profiles.

To change the password policy
  1. Open the Windows Server Essentials Dashboard, and then click Users.

  2. In the Users Tasks pane, click Set the password policy.

  3. On the Change the Password Policy screen, set the level of password strength by moving the slider.

    Microsoft recommends that you set the password strength to Strong.

    [!NOTE]
    As an option, you can also select Passwords never expire. This setting is less secure, and so it is not recommended.

  4. Click Change policy.
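To confirm that the policy in force matches the recommended Strong profile, the following added example (not part of the original documentation) classifies a set of policy values against the four profiles listed above. It assumes the profiles map onto the domain policy fields MinPasswordLength, ComplexityEnabled and MaxPasswordAge; the function name `Get-PasswordProfileFinding` and the sample values are constructed for illustration.

```powershell
# Added example, not Microsoft's code. Profile thresholds come from the list on this page;
# mapping them to MinPasswordLength / ComplexityEnabled is an assumption of this example.
# Windows complexity rules are close to, but not identical to, "letters, numbers, and symbols".
$EssentialsProfiles = @(
    @{ Name = 'Strong';        MinLength = 7; Complexity = $true  },
    @{ Name = 'Medium Strong'; MinLength = 5; Complexity = $true  },
    @{ Name = 'Medium';        MinLength = 5; Complexity = $false },
    @{ Name = 'Weak';          MinLength = 1; Complexity = $false }
)

function Get-PasswordProfileFinding {
    param(
        [Parameter(Mandatory = $true)][int]$MinPasswordLength,
        [Parameter(Mandatory = $true)][bool]$ComplexityEnabled,
        [Parameter(Mandatory = $true)][timespan]$MaxPasswordAge
    )

    # Profiles are ordered strongest first, so the first match is the best one met.
    $met = $EssentialsProfiles | Where-Object {
        $MinPasswordLength -ge $_.MinLength -and ($ComplexityEnabled -or -not $_.Complexity)
    } | Select-Object -First 1
    $profileName = if ($met) { $met.Name } else { 'None (blank passwords allowed)' }

    $findings = @()
    if ($profileName -ne 'Strong') {
        $findings += "Policy meets '$profileName', not the recommended Strong profile."
    }
    # A maximum age of zero means passwords never expire.
    if ($MaxPasswordAge -eq [timespan]::Zero) {
        $findings += 'Passwords never expire.'
    } elseif ($MaxPasswordAge.TotalDays -gt 180) {
        $findings += "Maximum password age is $([int]$MaxPasswordAge.TotalDays) days (page value: 180)."
    }

    [pscustomobject]@{
        Profile    = $profileName
        MaxAgeDays = [int]$MaxPasswordAge.TotalDays
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Constructed sample policies (illustrative values, not read from a real server).
$samples = @(
    @{ MinPasswordLength = 7; ComplexityEnabled = $true;  MaxPasswordAge = [timespan]::FromDays(180) },
    @{ MinPasswordLength = 5; ComplexityEnabled = $true;  MaxPasswordAge = [timespan]::FromDays(365) },
    @{ MinPasswordLength = 0; ComplexityEnabled = $false; MaxPasswordAge = [timespan]::Zero }
)
foreach ($s in $samples) { Get-PasswordProfileFinding @s }

# On the server itself, feed in the effective default domain policy (ActiveDirectory module).
if (Get-Command Get-ADDefaultDomainPasswordPolicy -ErrorAction SilentlyContinue) {
    try {
        $p = Get-ADDefaultDomainPasswordPolicy -ErrorAction Stop
        Get-PasswordProfileFinding -MinPasswordLength $p.MinPasswordLength `
            -ComplexityEnabled $p.ComplexityEnabled -MaxPasswordAge $p.MaxPasswordAge
    } catch {
        Write-Warning "Could not read the domain password policy: $_"
    }
}
```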

Level of access to shared folders

As a best practice, you should assign the most restrictive permissions available that still allow users to perform required tasks.

You have three access settings available for the shared folders on the server:

  • Read/Write. Choose this setting if you want to allow the user account permission to create, change, and delete any files in the shared folder.

  • Read only. Choose this setting if you want to allow the user account permission to only read the files in the shared folder. User accounts with read-only access cannot create, change, or delete any files in the shared folder.

  • No access. Choose this setting if you do not want the user account to access any files in the shared folder.

Retain and manage access to files for removed user accounts

The network administrator can remove a user account and choose to keep the user’s files for future use. In this scenario, the removed user account can no longer be used to sign in to the network; however, the files for this user will be saved in a shared folder, which can be shared with another user.

[!IMPORTANT]
Be aware that if you remove a user account that has a Microsoft online account assigned, the online account is also removed, and the user data, including email, is subject to data retention policies in Microsoft Online Services. To retain the user data for the online account, deactivate the user account instead of removing it. For more information, see Manage Online Accounts for Users.

To remove a user account but retain access to the user’s files
  1. Open the Windows Server Essentials Dashboard.

  2. On the navigation bar, click Users.

  3. In the list of user accounts, select the user account that you want to remove.

  4. In the <User Account> Tasks pane, click Remove the user account. The Delete a User Account Wizard appears.

  5. On the Do you want to keep the files? page, make sure that the Delete the files including File History backups and redirected folder for this user account check box is clear, and then click Next.

    A confirmation page appears warning you that you are deleting the account but keeping the files.

  6. Click Delete account to remove the user account.

    After the user account is removed, the administrator can give another user account access to the shared folder.

To give a user account permission to access a shared folder
  1. Open the Windows Server Essentials Dashboard.

  2. On the navigation bar, click Storage, and then click the Server Folders tab.

  3. In the list of folders, select the Users folder.

  4. In the Users Tasks pane, click Open the folder. Windows Explorer opens and displays the contents of the Users folder.

  5. Right-click the folder for the user account that you want to share, and then click Properties.

  6. In <User Account> Properties, click the Sharing tab, and then click Share.

  7. In the File Sharing window, type or select the user account name with whom you want to share the folder, and then click Add.

  8. Choose the Permission Level that you want the user account to have, and then click Share.

Synchronize the DSRM password with the network administrator password

Directory Services Restore Mode (DSRM) is a special boot mode for repairing or recovering Active Directory. The operating system uses DSRM to log on to the computer if Active Directory fails or needs to be restored. If your network administrator password and the DSRM password are different, DSRM will not load.

During a clean, first-time installation of Windows Server Essentials, the program sets the DSRM password to the network administrator account password that you specify during setup or in the migration answer file. When you change your network administrator password (typically recommended every 60 days for increased server security), the password change is not forwarded to DSRM. This results in a password mismatch. If this occurs, you can use the following solutions to manually or automatically synchronize your network administrator’s password with the DSRM password.

To manually synchronize the DSRM password to a network administrator account
  1. At a command prompt, run ntdsutil.exe to open the ntdsutil tool.

  2. To reset the DSRM password, type set dsrm password.

  3. To synchronize the DSRM password on a domain controller with the current network administrator’s account, type:

    sync from domain account <current_network_administrator_account>, and then press Enter.

    Because you will periodically change the password for the network administrator account, to ensure that the DSRM password is always the same as the current password of the network administrator, we recommend that you create a scheduled task to automatically synchronize the DSRM password to the network administrator password daily.

To automatically synchronize the DSRM password to a network administrator account
  1. From the server, open Administrative Tools, and then double-click Task Scheduler.

  2. In the Task Scheduler Actions pane, click Create Task.

  3. In the Name text box, type a name for the task such as AutoSync DSRM Password, and then select the Run with highest privileges option.

  4. Define when the task should run:

    1. In the Create Task dialog box, click the Triggers tab, and then click New.

    2. In the New Trigger dialog box, select your recurrence option, specify the recurrence interval, and choose a start time.

      [!NOTE]
      As a best practice, you should set the task to run daily during non-business hours.

    3. Click OK to save your changes and return to the Create Task dialog box.

  5. Define the task actions:

    1. Click the Actions tab, and then click New. The New Action dialog box appears.

    2. In the Action list, click Start a program, and then browse to C:\WINDOWS\SYSTEM32\ntdsutil.exe.

    3. In the Add arguments(optional) text box, type the following (you must include the quotation marks): "set dsrm password" "sync from domain account SBS_network_administrator_account" q q where SBS_network_administrator_account is the current network administrator’s account name.

  6. Click OK twice to save the task and close the Create Task dialog box. The new task appears in the Active Tasks section of Task Scheduler.
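The same task can be registered and later reviewed from PowerShell. This is an added example, not part of the original documentation; the 03:00 start time, running the task as SYSTEM, the account-name check, the function names and the sample account name `ContosoAdmin` are assumptions of the example.

```powershell
# Added example, not Microsoft's code. Run from an elevated PowerShell session on the server.
# Assumptions: the 03:00 start time, running the task as SYSTEM, and the account-name check.

function Get-DsrmSyncArgument {
    param([Parameter(Mandatory = $true)][string]$AccountName)

    # The name is embedded inside a quoted ntdsutil argument, so refuse quotes,
    # whitespace and anything else that could split or extend the command line.
    if ($AccountName -notmatch '^[A-Za-z0-9._-]+$') {
        throw "Refusing account name with unexpected characters: '$AccountName'"
    }
    # Same argument string as in the procedure above; the quotation marks are required.
    '"set dsrm password" "sync from domain account {0}" q q' -f $AccountName
}

function Register-DsrmSyncTask {
    param(
        [Parameter(Mandatory = $true)][string]$AccountName,
        [string]$TaskName = 'AutoSync DSRM Password',
        [datetime]$At = '03:00'          # assumed non-business hour
    )

    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Run this from an elevated session.' }

    $ntdsutil = Join-Path $env:SystemRoot 'System32\ntdsutil.exe'
    if (-not (Test-Path $ntdsutil)) { throw "ntdsutil.exe not found at $ntdsutil" }

    # No password is stored in the task: ntdsutil copies it from the domain account.
    $arguments = Get-DsrmSyncArgument -AccountName $AccountName
    $action    = New-ScheduledTaskAction -Execute $ntdsutil -Argument $arguments
    $trigger   = New-ScheduledTaskTrigger -Daily -At $At
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
        -LogonType ServiceAccount -RunLevel Highest

    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal `
        -Description 'Daily sync of the DSRM password from the network administrator account'
}

function Get-DsrmSyncTaskStatus {
    param([string]$TaskName = 'AutoSync DSRM Password')

    # Review what the task runs, as whom, and whether the last run succeeded.
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction Stop
    $info = $task | Get-ScheduledTaskInfo
    [pscustomobject]@{
        TaskName       = $task.TaskName
        RunsAs         = $task.Principal.UserId
        RunLevel       = $task.Principal.RunLevel
        Arguments      = $task.Actions[0].Arguments
        LastRunTime    = $info.LastRunTime
        LastTaskResult = $info.LastTaskResult   # exit code of the last run; 0 is success
        NextRunTime    = $info.NextRunTime
    }
}

# Safe to run anywhere: prints the argument string for a constructed account name.
Get-DsrmSyncArgument -AccountName 'ContosoAdmin'

# On the server, replace the placeholder with the current network administrator account:
#   Register-DsrmSyncTask -AccountName '<current_network_administrator_account>'
#   Get-DsrmSyncTaskStatus
```

Rerun `Get-DsrmSyncTaskStatus` after each administrator password change to confirm that the task still runs and that its arguments name the account currently in use.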

Give user accounts remote desktop permission

In the default installation of Windows Server Essentials, network users do not have permission to establish a remote connection to computers or other resources on the network.

Before network users can establish a remote connection to network resources, you must first set up Anywhere Access. After you set up Anywhere Access, users can access files, applications, and computers in your office network from a device in any location with an Internet connection.

The Set up Anywhere Access Wizard allows you to enable two methods of remote access:

  • Virtual private network (VPN)

  • Remote Web Access

    When you run the wizard, you can also choose to allow Anywhere Access for all current and newly added user accounts.

    To set up Anywhere Access, open the Dashboard Home page, click SETUP, and then click Set up Anywhere Access.

    For more information about Anywhere Access, see Manage Anywhere Access.

Enable users to access resources on the server

This section applies to a server running Windows Server Essentials, or to a server running Windows Server 2012 R2 Standard or Windows Server 2012 R2 Datacenter with the Windows Server Essentials Experience role installed.

If you want users to use remote access, and/or have individual user accounts, after you finish connecting a computer to the server, you can create new network user accounts for the users of the networked computer on the server by using the Dashboard. For more information about creating a user account, see Add a user account. After creating the user accounts, you must provide the network user name and password information to the users of the client computer so that they can access resources on the server by using the Launchpad.

For each user account that you create you can set access for the following through the user account properties:

  • Shared folders. By default, network administrators have Read/Write permission to all the shared folders, and standard user accounts have Read-only permissions to the Company folder. If media streaming is enabled, you can assign folder access permissions for individual standard user accounts for the following shared folders: Music, Pictures, Recorded TV, and Videos. You can set permissions for user accounts to access shared folders on the Shared folders tab of the user account properties.

  • Anywhere Access. By default, network administrators can use either VPN or Remote Web Access to access server resources. For standard user accounts, you must set user account permissions on the Anywhere Access tab.

  • Computer access. By default, network administrators can access all the computers in the network. However, for standard user accounts you can set individual user account permissions for accessing computers on the network on the Computer access tab of the user account properties.

To edit user account properties in Windows Server Essentials 2012 R2
  1. Open the Windows Server Essentials Dashboard.

  2. On the navigation bar, click USERS.

  3. In the list of user accounts, select the user account that you want to edit.

  4. In the <User Account> Tasks pane, click View the account properties.

  5. In the <User Account> Properties, do the following:

    1. On the Shared folders tab, set the appropriate folder permissions for each shared folder as needed.

    2. On the Anywhere Access tab:

      1. To allow a user to connect to the server by using VPN, select the Allow Virtual Private Network (VPN) check box.

      2. To allow a user to connect to the server by using Remote Web Access, select the Allow Remote Web Access and access to web services applications check box.

    3. On the Computer access tab, select the network computers that you would like the user to have access to.

To edit user account properties in Windows Server Essentials 2012
  1. Open the Windows Server Essentials Dashboard.

  2. On the navigation bar, click USERS.

  3. In the list of user accounts, select the user account that you want to edit.

  4. In the <User Account> Tasks pane, click Properties.

  5. In the <User Account> Properties, do the following:

    1. On the General tab, select User can view network health alerts if the user account needs to access network health reports.

    2. On the Shared folders tab, set the appropriate folder permissions for each shared folder as needed.

    3. On the Anywhere Access tab:

      1. To allow a user to connect to the server by using VPN, select the Allow Virtual Private Network (VPN) check box.

      2. To allow a user to connect to the server by using Remote Web Access, select the Allow Remote Web Access and access to web services applications check box.

    4. On the Computer access tab, select the network computers that you would like the user to have access to.

Change remote access permissions for a user account

A user can access resources located on the server from a remote location by using a virtual private network (VPN), Remote Web Access, or other web services applications. By default, remote access permissions are turned on for network users when you configure Anywhere Access in Windows Server Essentials by using the Dashboard.

To change remote access permissions for a user account
  1. Open the Windows Server Essentials Dashboard.

  2. On the navigation bar, click Users.

  3. In the list of user accounts, select the user account that you want to change.

  4. In the <User Account> Tasks pane, click View the account properties. The Properties page for the user account appears.

  5. On the Anywhere Access tab, do the following:

    • Select the Allow Virtual Private Network (VPN) check box to allow a user to connect to the server by using VPN.

    • Select the Allow Remote Web Access and access to web services applications check box to allow a user to connect to the server by using Remote Web Access.

  6. Click Apply, and then click OK.

Change virtual private network permissions for a user account

You can use a virtual private network (VPN) to connect to Windows Server Essentials and access all your resources that are stored on the server. This is especially useful if you have a client computer that is set up with network accounts that can be used to connect to a hosted Windows Server Essentials server through a VPN connection. All the newly created user accounts on the hosted Windows Server Essentials server must use VPN to log on to the client computer for the first time.

To change VPN permissions for network users
  1. Open the Windows Server Essentials Dashboard.

  2. On the navigation bar, click USERS.

  3. In the list of user accounts, select the user account to which you want to grant permissions to access the desktop remotely.

  4. In the <User Account> Tasks pane, click Properties.

  5. In the <User Account> Properties, click the Anywhere Access tab.

  6. On the Anywhere Access tab, to allow a user to connect to the server by using VPN, select the Allow Virtual Private Network (VPN) check box.

  7. Click Apply, and then click OK.

Change access to internal shared folders for a user account

You can manage access to any shared folders on the server by using the tasks on the Server Folders tab of the Dashboard. By default, the following server folders are created when you install Windows Server Essentials:

  • Client Computer Backups. Used to store client computer backups created by Windows Server backup. This server folder is not shared.

  • Company. Used to store and access documents related to your organization by network users.

  • File History Backups. By default, Windows Server Essentials stores file backups created by using File History. This server folder is not shared.

  • Folder Redirection. Used to store and access folders that are set up for folder redirection by network users. This server folder is not shared.

  • Music. Used to store and access music files by network users. This folder is created when you turn on media sharing.

  • Pictures. Used to store and access pictures by network users. This folder is created when you turn on media sharing.

  • Recorded TV. Used to store and access recorded TV programs by network users. This folder is created when you turn on media sharing.

  • Videos. Used to store and access videos by network users. This folder is created when you turn on media sharing.

  • Users. Used to store and access files by network users. A user-specific folder is automatically generated in the Users server folder for every network user account that you create.

To change access to a shared folder for a user account
  1. Open the Windows Server Essentials Dashboard.

  2. Click STORAGE, and then click Server Folders.

  3. Navigate to and select the server folder for which you want to modify permissions.

  4. In the task pane, click View the folder properties.

  5. In <FolderName> Properties, click Sharing, and select the appropriate user access level for the listed user accounts, and then click Apply.

    [!NOTE]
    You cannot modify the sharing permissions for File History Backups, Folder Redirection, and Users server folders. Hence, the folder properties of these server folders do not include a Sharing tab.

Allow user accounts to establish a remote desktop session to their computer

This section applies to a server running Windows Server Essentials, or to a server running Windows Server 2012 R2 Standard or Windows Server 2012 R2 Datacenter with the Windows Server Essentials Experience role installed.

The network administrator can grant permissions to network users that allow them to access their network computers from a remote location.

To enable users to access their network computers from a remote location
  1. Open the Windows Server Essentials Dashboard.

  2. On the navigation bar, click USERS.

  3. In the list of user accounts, select the user account that you want to grant permissions for accessing the desktop remotely.

  4. In the <User Account> Tasks pane, click Properties.

  5. In the <User Account> Properties, click the Computer Access tab.

  6. Select the computers that you want this user account to be able to access remotely, and then click OK.

Additional References

  • Manage Online Accounts for Users

  • Get Connected

  • Use Windows Server Essentials

  • Manage Windows Server Essentials

title: Manage User Accounts in Windows Server Essentials
description: Learn about the Users page of the Windows Server Essentials Dashboard and how it centralizes information and tasks that help you manage the user accounts.
ms.date: 10/03/2016
ms.topic: article
ms.assetid: 0d115697-532b-48c2-a659-9f889e235326
author: nnamuhcs
ms.author: wscontent
manager: mtillman

Manage User Accounts in Windows Server Essentials

Applies To: Windows Server 2016 Essentials, Windows Server 2012 R2 Essentials, Windows Server 2012 Essentials

The Users page of the Windows Server Essentials Dashboard centralizes information and tasks that help you manage the user accounts on your small business network. For an overview of the Users Dashboard, see Dashboard Overview.

Managing user accounts

The following topics provide information about how to use the Windows Server Essentials Dashboard to manage the user accounts on the server:

  • Add a user account

  • Remove a user account

  • View user accounts

  • Change the display name for the user account

  • Activate a user account

  • Deactivate a user account

  • Understand user accounts

  • Manage user accounts using the Dashboard

Add a user account

When you add a user account, the assigned user can log on to the network, and you can give the user permission to access network resources such as shared folders and the Remote Web Access site. Windows Server Essentials includes the Add a User Account Wizard that helps you:

  • Provide a name and password for the user account.

  • Define the account as either an administrator or as a standard user.

  • Select which shared folders the user account can access.

  • Specify if the user account has remote access to the network.

  • Select email options if applicable.

  • Assign a Microsoft Online Services account (referred to as a Microsoft 365 account in Windows Server Essentials) if applicable.

  • Assign user groups (Windows Server Essentials only).

[!NOTE]

  • Non-ASCII characters are not supported in Microsoft Azure Active Directory (Azure AD). Do not use any non-ASCII characters in your password, if your server is integrated with Azure AD.

  • The email options are only available if you install an add-in that provides email service.

To add a user account
  1. Open the Windows Server Essentials Dashboard.

  2. On the navigation bar, click Users.

  3. In the Users Tasks pane, click Add a user account. The Add a User Account Wizard appears.

  4. Follow the instructions to complete the wizard.

Remove a user account

When you choose to remove a user account from the server, a wizard deletes the selected account. Because of this, you can no longer use the account to log on to the network or to access any of the network resources. As an option, you can also delete the files for the user account at the same time that you remove the account. If you do not want to permanently remove the user account, you can deactivate the user account instead to suspend access to network resources.

[!IMPORTANT]
If a user account has a Microsoft online account assigned, when you remove the user account, the online account also is removed from Microsoft Online Services, and the user’s data, including email, is subject to data retention policies in Microsoft Online Services. If you want to retain user data for the online account, deactivate the user account instead of removing it. For more information, see Manage Online Accounts for Users.

To remove a user account
  1. Open the Windows Server Essentials Dashboard.

  2. On the navigation bar, click Users.

  3. In the list of user accounts, select the user account that you want to remove.

  4. In the <User Account> Tasks pane, click Remove the user account. The Delete a User Account Wizard appears.

  5. On the Do you want to keep the files? page of the wizard, you can choose to delete the user’s files, including File History backups and the redirected folder for the user account. To keep the user’s files, leave the check box empty. After making your selection, click Next.

  6. Click Delete account.

[!NOTE]
After you remove a user account, the account no longer appears in the list of user accounts. If you chose to delete the files, the server permanently deletes the user’s folder from the Users server folder and from the File History Backups server folder.

If you have an integrated email provider, the email account assigned to the user account will also be removed.

View user accounts

The Users section of the Windows Server Essentials Dashboard displays a list of network user accounts. The list also provides additional information about each account.

To view a list of user accounts
  1. Open the Windows Server Essentials Dashboard.

  2. On the main navigation bar, click Users.

  3. The Dashboard displays a current list of user accounts.

To view or change properties for a user account
  1. In the list of user accounts, select the account for which you want to view or change properties.

  2. In the <User Account> Tasks pane, click View the account properties. The Properties page for the user account appears.

  3. Click a tab to display the properties for that account feature.

  4. To save any changes that you make to the user account properties, click Apply.

Change the display name for the user account

The display name is the name that appears in the Name column on the Users page of the Dashboard. Changing the display name does not change the logon or sign-in name for a user account.

To change the display name for a user account
  1. Open the Windows Server Essentials Dashboard.

  2. On the navigation bar, click Users.

  3. In the list of user accounts, select the user account that you want to change.

  4. In the <User Account> Tasks pane, click View the account properties. The Properties page for the user account appears.

  5. On the General tab, type a new First name and Last name for the user account, and then click OK.

    The new display name appears in the list of user accounts.

Activate a user account

When you activate a user account, the assigned user can log on to the network and access network resources to which the account has permission, such as shared folders and the Remote Web Access site.

[!NOTE]
You can only activate a user account that is deactivated. You cannot activate a user account after you remove it from the server.

To activate a user account
  1. Open the Windows Server Essentials Dashboard.

  2. On the navigation bar, click Users.

  3. In the list view, select the user account that you want to activate.

  4. In the <User Account> Tasks pane, click Activate the user account.

  5. In the confirmation window, click Yes to confirm your action.

[!NOTE]
After you activate a user account, the status for the account displays Active. The user account regains the same access rights that were assigned prior to account deactivation.

If you have an integrated email provider, the email account assigned to the user account will also be activated.

Deactivate a user account

When you deactivate a user account, account access to the server is temporarily suspended. Because of this, the assigned user cannot use the account to access network resources such as shared folders or the Remote Web Access site until you activate the account.

If the user account has a Microsoft online account assigned, the online account is also deactivated. The user cannot use resources in Microsoft 365 and other online services that you subscribe to, but the user’s data, including email, is retained in Microsoft Online Services.

[!NOTE]
You can only deactivate a user account that is currently active.

To deactivate a user account
  1. Open the Windows Server Essentials Dashboard.

  2. On the navigation bar, click Users.

  3. In the list view, select the user account that you want to deactivate.

  4. In the <User Account> Tasks pane, click Deactivate the user account.

  5. In the confirmation window, click Yes to confirm your action.

[!NOTE]
After you deactivate a user account, the status for the account displays Inactive.

If you have an integrated email provider, the email account assigned to the user account will also be deactivated.

Understand user accounts

A user account provides important information to Windows Server Essentials, which enables individuals to access information that is stored on the server, and makes it possible for individual users to create and manage their files and settings. Users can log on to any computer on the network if they have a Windows Server Essentials user account and they have permissions to access a computer. Users access their user accounts with their user name and password.

There are two main types of user accounts. Each type gives users a different level of control over the computer:

  • Standard accounts are for everyday computing. The standard account helps protect your network by preventing users from making changes that affect other users, such as deleting files or changing network settings.

  • Administrator accounts provide the most control over a computer network. You should assign the administrator account type only when necessary.

Manage user accounts using the Dashboard

Windows Server Essentials makes it possible to perform common administrative tasks by using the Windows Server Essentials Dashboard. By default, the Users page of the Dashboard includes two tabs: Users and Users Groups.

[!NOTE]

  • If you integrate your server that is running Windows Server Essentials with Microsoft 365, a new tab called Distribution Groups is also added within the Users page of the Dashboard.

  • In Windows Server Essentials, the Users page of the Dashboard includes only a single tab: Users.

The Users tab includes the following:

  • A list of user accounts, which displays:

    • The name of the user.

    • The Logon name for the user account.

    • Whether the user account has Anywhere Access permission. Anywhere Access permission for a user account is either Allowed or Not allowed.

    • Whether the File History for this user account is managed by the server running Windows Server Essentials. The File History status for a user account is either Managed or Not managed.

    • The level of access that is assigned to the user account. You can assign either Standard user access or Administrator access for a user account.

    • The user account status. A user account can be Active, Inactive, or Incomplete.

    • In Windows Server Essentials, if the server is integrated with Microsoft 365 or Windows Intune, the Microsoft online account is displayed.

    • In Windows Server Essentials, if the server is integrated with Microsoft 365, the status of the account (known in Windows Server Essentials as the Microsoft online account) for the user account is displayed.

  • A details pane with additional information about a selected user account.

  • A tasks pane that includes:

    • A set of user account administrative tasks such as viewing and removing user accounts, and changing passwords.

    • Tasks that allow you to globally set or change settings for all user accounts in the network.

    The following table describes the various user account tasks that are available from the Users tab. Some of the tasks are user account-specific, and they are only visible when you select a user account in the list.

[!NOTE]
If you integrate Microsoft 365 with Windows Server Essentials, additional tasks will become available. For more information, see Manage Online Accounts for Users.

User account tasks in the Dashboard

| Task name | Description |
| --- | --- |
| View the account properties | Enables you to view and change the properties of the selected user account, and to specify folder access permissions for the account. |
| Deactivate the user account | A user account that is deactivated cannot log on to the network or access network resources such as shared folders or printers. |
| Activate the user account | A user account that is activated can log on to the network and can access network resources as defined by the account permissions. |
| Remove the user account | Enables you to remove the selected user account. |
| Change the user account password | Enables you to reset the network password for the selected user account. |
| Add a user account | Starts the Add a User Account Wizard, which enables you to create a single new user account that has either standard user access or administrator access. |
| Assign a Microsoft online account | Adds a Microsoft online account to the local network user account that is selected. This task is displayed when your server is integrated with Microsoft online services, such as Microsoft 365. |
| Add Microsoft online accounts | Adds Microsoft online accounts and associates them to local network user accounts. This task is displayed when your server is integrated with Microsoft online services, such as Microsoft 365. |
| Set the password policy | Enables you to change the values of the password policies for your network. |
| Import Microsoft online accounts | Performs a bulk import of accounts from Microsoft online services into the local network. This task is displayed when your server is integrated with Microsoft online services, such as Microsoft 365. |
| Refresh | Refreshes the Users tab. This task is applicable to Windows Server Essentials. |
| Change File History settings | Enables you to change File History settings, such as backup frequency, or backup duration. This task is applicable to Windows Server Essentials. |
| Export all remote connections | Creates a .CSV-format file of all remote connections to the server that have occurred over the past 30 days. |

Managing passwords and access

The following topics provide information about how to use the Windows Server Essentials Dashboard to manage user account passwords and user access to the shared folders on the server:

  • Change or reset the password for a user account

  • What you should know about password policies

  • Change the password policy

  • Level of access to shared folders

  • Retain and manage access to files for removed user accounts

  • Synchronize the DSRM password with the network administrator password

  • Give user accounts remote desktop permission

  • Enable users to access resources on the server

  • Change remote access permissions for a user account

  • Change virtual private network permissions for a user account

  • Change access to internal shared folders for a user account

  • Allow user accounts to establish a remote desktop session to their computer

Change or reset the password for a user account

To change or reset a user account password, follow these steps.

To reset the password for a user account
  1. Open the Windows Server Essentials Dashboard.

  2. On the navigation bar, click Users.

  3. In the list of user accounts, select the user account that you want to reset.

  4. In the <User Account> Tasks pane, click Change the user account password. The Change User Account Password Wizard appears.

  5. Type a new password for the user account, and then type the password again to confirm it.

  6. Click Change password.

  7. Provide the new password to the user.

    [!IMPORTANT]

    • You may not be able to change your password if the password policy for your account has been set to Passwords never expire.

    • Non-ASCII characters are not supported in Azure AD. Therefore, if your server is integrated with Azure AD, do not use any non-ASCII characters in your password.

    • If a Microsoft online account (known in Windows Server Essentials as a Microsoft 365 account) is assigned to the user, the password is synchronized with the online account password. The user will use the new password to sign in on the server or sign in to Microsoft 365. For more information, see Manage Online Accounts for Users.

What you should know about password policies

The password policy is a set of rules that define how users create and use passwords. The policy helps to prevent unauthorized access to user data and other information that is stored on the server. The password policy is applied to all user accounts that access the network.

The Windows Server Essentials password policy consists of three primary elements as follows:

  • Password length. The longer a password is, the more secure it is. Blank passwords are not secure.

  • Password complexity. Complex passwords contain a mixture of uppercase and lowercase letters (a-z, A-Z), base numbers (0-9), and non-alphabetic symbols (such as !, @, #, _, -). Complex passwords are much less susceptible to unauthorized access. Passwords that contain user names, birthdates, or other personal information do not provide adequate security.

  • Password age. Windows Server Essentials requires that users change their password at least once every 180 days. As an option, you can choose to have passwords never expire.

    To make it easier to implement a password policy on your computer network, Windows Server Essentials provides a simple tool that allows you to set or change the password policy to any of the following four pre-defined policy profiles:

  • Weak. Users can specify any password that is not blank.

  • Medium. These passwords must contain at least 5 characters. A complex password is not required.

  • Medium Strong. These passwords must contain at least 5 characters, and must include letters, numbers, and symbols.

  • Strong. These passwords must contain at least 7 characters, and must include letters, numbers, and symbols. These passwords are more secure, but may be more difficult for users to remember.

    [!NOTE]
    Passwords cannot contain the user name or email address.

    If you integrate with Microsoft 365, the integration enforces the Strong password policy, and updates the policy to include the following requirements:

    • Passwords must contain 8-16 characters.
    • Passwords cannot contain a space or the Microsoft 365 email name.

    By default, server installation sets the default password policy to the Strong option.

Change the password policy

Use the following procedure to set or change the password policy to any of four pre-defined policy profiles.

To change the password policy
  1. Open the Windows Server Essentials Dashboard, and then click Users.

  2. In the Users Tasks pane, click Set the password policy.

  3. On the Change the Password Policy screen, set the level of password strength by moving the slider.

    Microsoft recommends that you set the password strength to Strong.

    [!NOTE]
    As an option, you can also select Passwords never expire. This setting is less secure, and so it is not recommended.

  4. Click Change policy.
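To confirm which profile is actually in force after the change, the check below classifies a password policy against the four profiles listed above. It is an added example, not code from the Windows Server Essentials documentation; the function name is hypothetical, and mapping the Dashboard profiles onto the domain policy fields MinPasswordLength, ComplexityEnabled and MaxPasswordAge is an assumption of this example.

```powershell
# Added example: classify a password policy against the four Dashboard profiles.
# Thresholds (5 / 7 characters, complexity, 180 days) are taken from the text above.
# Assumption: the Dashboard slider is reflected in the default domain password policy.
function Get-EssentialsPasswordProfile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][int]$MinPasswordLength,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][bool]$ComplexityEnabled,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][TimeSpan]$MaxPasswordAge
    )
    process {
        # Pick the strongest profile whose requirements are fully met.
        $name = if ($ComplexityEnabled -and $MinPasswordLength -ge 7) { 'Strong' }
                elseif ($ComplexityEnabled -and $MinPasswordLength -ge 5) { 'Medium Strong' }
                elseif ($MinPasswordLength -ge 5) { 'Medium' }
                elseif ($MinPasswordLength -ge 1) { 'Weak' }
                else { 'Below Weak (blank passwords allowed)' }

        # A maximum age of zero is how the domain policy expresses "never expire".
        $neverExpires = ($MaxPasswordAge -eq [TimeSpan]::Zero)

        [pscustomobject]@{
            Profile            = $name
            MinPasswordLength  = $MinPasswordLength
            ComplexityEnabled  = $ComplexityEnabled
            PasswordsNeverExpire = $neverExpires
            # The text above states a 180-day maximum age unless "never expire" is chosen.
            AgeLongerThan180Days = (-not $neverExpires) -and ($MaxPasswordAge.TotalDays -gt 180)
            MeetsRecommendation  = ($name -eq 'Strong') -and (-not $neverExpires)
        }
    }
}

# Constructed sample policies so the function can be tried offline.
$samples = @(
    [pscustomobject]@{ MinPasswordLength = 7; ComplexityEnabled = $true;  MaxPasswordAge = [TimeSpan]::FromDays(180) }
    [pscustomobject]@{ MinPasswordLength = 5; ComplexityEnabled = $true;  MaxPasswordAge = [TimeSpan]::FromDays(180) }
    [pscustomobject]@{ MinPasswordLength = 5; ComplexityEnabled = $false; MaxPasswordAge = [TimeSpan]::Zero }
    [pscustomobject]@{ MinPasswordLength = 0; ComplexityEnabled = $false; MaxPasswordAge = [TimeSpan]::FromDays(365) }
)
$samples | Get-EssentialsPasswordProfile | Format-Table -AutoSize

# On the server itself (requires the ActiveDirectory module), pipe in the live policy:
#   Get-ADDefaultDomainPasswordPolicy | Get-EssentialsPasswordProfile
```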

Level of access to shared folders

As a best practice, you should assign the most restrictive permissions available that still allow users to perform required tasks.

You have three access settings available for the shared folders on the server:

  • Read/Write. Choose this setting if you want to allow the user account permission to create, change, and delete any files in the shared folder.

  • Read only. Choose this setting if you want to allow the user account permission to only read the files in the shared folder. User accounts with read-only access cannot create, change, or delete any files in the shared folder.

  • No access. Choose this setting if you do not want the user account to access any files in the shared folder.

Retain and manage access to files for removed user accounts

The network administrator can remove a user account and choose to keep the user’s files for future use. In this scenario, the removed user account can no longer be used to sign in to the network; however, the files for this user will be saved in a shared folder, which can be shared with another user.

[!IMPORTANT]
Be aware that if you remove a user account that has a Microsoft online account assigned, the online account is also removed, and the user data, including email, is subject to data retention policies in Microsoft Online Services. To retain the user data for the online account, deactivate the user account instead of removing it. For more information, see Manage Online Accounts for Users.

To remove a user account but retain access to the user’s files
  1. Open the Windows Server Essentials Dashboard.

  2. On the navigation bar, click Users.

  3. In the list of user accounts, select the user account that you want to remove.

  4. In the <User Account> Tasks pane, click Remove the user account. The Delete a User Account Wizard appears.

  5. On the Do you want to keep the files? page, make sure that the Delete the files including File History backups and redirected folder for this user account check box is clear, and then click Next.

    A confirmation page appears warning you that you are deleting the account but keeping the files.

  6. Click Delete account to remove the user account.

    After the user account is removed, the administrator can give another user account access to the shared folder.

To give a user account permission to access a shared folder
  1. Open the Windows Server Essentials Dashboard.

  2. On the navigation bar, click Storage, and then click the Server Folders tab.

  3. In the list of folders, select the Users folder.

  4. In the Users Tasks pane, click Open the folder. Windows Explorer opens and displays the contents of the Users folder.

  5. Right-click the folder for the user account that you want to share, and then click Properties.

  6. In <User Account> Properties, click the Sharing tab, and then click Share.

  7. In the File Sharing window, type or select the user account name with whom you want to share the folder, and then click Add.

  8. Choose the Permission Level that you want the user account to have, and then click Share.

Synchronize the DSRM password with the network administrator password

Directory Services Restore Mode (DSRM) is a special boot mode for repairing or recovering Active Directory. The operating system uses DSRM to log on to the computer if Active Directory fails or needs to be restored. If your network administrator password and the DSRM password are different, DSRM will not load.

During a clean, first-time installation of Windows Server Essentials, the program sets the DSRM password to the network administrator account password that you specify during setup or in the migration answer file. When you change your network administrator password (as recommended typically every 60 days for increased server security), the password change is not forwarded to DSRM. This results in a password mismatch. If this occurs, you can use the following solutions to manually or automatically synchronize your network administrator’s password with the DSRM password.

To manually synchronize the DSRM password to a network administrator account
  1. At a command prompt, run ntdsutil.exe to open the ntdsutil tool.

  2. To reset the DSRM password, type set dsrm password.

  3. To synchronize the DSRM password on a domain controller with the current network administrator’s account, type:

    sync from domain account <current_network_administrator_account>, and then press Enter.

    Because you will periodically change the password for the network administrator account, we recommend that you create a scheduled task that synchronizes the DSRM password to the network administrator password daily. This ensures that the DSRM password is always the same as the current password of the network administrator.

To automatically synchronize the DSRM password to a network administrator account
  1. From the server, open Administrative Tools, and then double-click Task Scheduler.

  2. In the Task Scheduler Actions pane, click Create Task.

  3. In the Name text box, type a name for the task such as AutoSync DSRM Password, and then select the Run with highest privileges option.

  4. Define when the task should run:

    1. In the Create Task dialog box, click the Triggers tab, and then click New.

    2. In the New Trigger dialog box, select your recurrence option, specify the recurrence interval, and choose a start time.

      [!NOTE]
      As a best practice, you should set the task to run daily during non-business hours.

    3. Click OK to save your changes and return to the Create Task dialog box.

  5. Define the task actions:

    1. Click the Actions tab, and then click New. The New Action dialog box appears.

    2. In the Action list, click Start a program, and then browse to C:\WINDOWS\SYSTEM32\ntdsutil.exe.

    3. In the Add arguments(optional) text box, type the following (you must include the quotation marks): "set dsrm password" "sync from domain account SBS_network_administrator_account" q q where SBS_network_administrator_account is the current network administrator’s account name.

  6. Click OK twice to save the task and close the Create Task dialog box. The new task appears in the Active Tasks section of Task Scheduler.
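The same task can be created from an elevated PowerShell session on the server instead of the Task Scheduler dialogs. This is an added example, not part of the original documentation; the 03:00 start time, running the task as SYSTEM, and the SBS_network_administrator_account placeholder are assumptions to adjust for your environment.

```powershell
# Added example: scripted equivalent of the "AutoSync DSRM Password" task described above.
# Assumptions: run elevated on the domain controller; the task runs as SYSTEM;
# $AdminAccount is a placeholder for the current network administrator account name.
param(
    [string]$AdminAccount = 'SBS_network_administrator_account',
    [string]$TaskName     = 'AutoSync DSRM Password',
    [string]$StartTime    = '03:00'   # daily, outside business hours
)

$ntdsutil = Join-Path $env:SystemRoot 'System32\ntdsutil.exe'
if (-not (Test-Path $ntdsutil)) {
    throw "ntdsutil.exe not found at $ntdsutil"
}

# Each multi-word ntdsutil command has to be passed as one quoted argument,
# which is why the procedure insists on the quotation marks.
$arguments = '"set dsrm password" "sync from domain account {0}" q q' -f $AdminAccount

$action    = New-ScheduledTaskAction -Execute $ntdsutil -Argument $arguments
$trigger   = New-ScheduledTaskTrigger -Daily -At $StartTime
# RunLevel Highest corresponds to the "Run with highest privileges" check box.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                                        -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
                       -Principal $principal -Force | Out-Null

# Show what was registered so the argument string can be reviewed.
$task = Get-ScheduledTask -TaskName $TaskName
$task.Actions | Select-Object Execute, Arguments | Format-List

# Run the task once and report the result code Task Scheduler recorded.
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 10
$info = Get-ScheduledTaskInfo -TaskName $TaskName
if ($info.LastTaskResult -ne 0) {
    Write-Warning ("Task '{0}' ended with result code {1}; review the task history." -f `
                   $TaskName, $info.LastTaskResult)
} else {
    Write-Output ("Task '{0}' completed at {1}." -f $TaskName, $info.LastRunTime)
}
```

Re-run the script whenever the network administrator account is renamed or replaced, because the account name is stored in the task's argument string.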

Give user accounts remote desktop permission

In the default installation of Windows Server Essentials, network users do not have permission to establish a remote connection to computers or other resources on the network.

Before network users can establish a remote connection to network resources, you must first set up Anywhere Access. After you set up Anywhere Access, users can access files, applications, and computers in your office network from a device in any location with an Internet connection.

The Set up Anywhere Access Wizard allows you to enable two methods of remote access:

  • Virtual private network (VPN)

  • Remote Web Access

    When you run the wizard, you can also choose to allow Anywhere Access for all current and newly added user accounts.

    To set up Anywhere Access, open the Dashboard Home page, click SETUP, and then click Set up Anywhere Access.

    For more information about Anywhere Access, see Manage Anywhere Access.

Enable users to access resources on the server

This section applies to a server running Windows Server Essentials, or to a server running Windows Server 2012 R2 Standard or Windows Server 2012 R2 Datacenter with the Windows Server Essentials Experience role installed.

If you want users to use remote access, and/or have individual user accounts, after you finish connecting a computer to the server, you can create new network user accounts for the users of the networked computer on the server by using the Dashboard. For more information about creating a user account, see Add a user account. After creating the user accounts, you must provide the network user name and password information to the users of the client computer so that they can access resources on the server by using the Launchpad.

For each user account that you create you can set access for the following through the user account properties:

  • Shared folders. By default, network administrators have Read/Write permission to all the shared folders, and standard user accounts have Read-only permissions to the Company folder. If media streaming is enabled, you can assign folder access permissions for individual standard user accounts for the following shared folders: Music, Pictures, Recorded TV, and Videos. You can set permissions for user accounts to access shared folders on the Shared folders tab of the user account properties.

  • Anywhere Access. By default, network administrators can use either VPN or Remote Web Access to access server resources. For standard user accounts, you must set user account permissions on the Anywhere Access tab.

  • Computer access. By default, network administrators can access all the computers in the network. However, for standard user accounts you can set individual user account permissions for accessing computers on the network on the Computer access tab of the user account properties.

To edit user account properties in Windows Server Essentials 2012 R2
  1. Open the Windows Server Essentials Dashboard.

  2. On the navigation bar, click USERS.

  3. In the list of user accounts, select the user account that you want to edit.

  4. In the <User Account> Tasks pane, click View the account properties.

  5. In the <User Account> Properties, do the following:

    1. On the Shared folders tab, set the appropriate folder permissions for each shared folder as needed.

    2. On the Anywhere Access tab:

      1. To allow a user to connect to the server by using VPN, select the Allow Virtual Private Network (VPN) check box.

      2. To allow a user to connect to the server by using Remote Web Access, select the Allow Remote Web Access and access to web services applications check box.

    3. On the Computer access tab, select the network computers that you would like the user to have access to.

To edit user account properties in Windows Server Essentials 2012
  1. Open the Windows Server Essentials Dashboard.

  2. On the navigation bar, click USERS.

  3. In the list of user accounts, select the user account that you want to edit.

  4. In the <User Account> Tasks pane, click Properties.

  5. In the <User Account> Properties, do the following:

    1. On the General tab, select User can view network health alerts if the user account needs to access network health reports.

    2. On the Shared folders tab, set the appropriate folder permissions for each shared folder as needed.

    3. On the Anywhere Access tab:

      1. To allow a user to connect to the server by using VPN, select the Allow Virtual Private Network (VPN) check box.

      2. To allow a user to connect to the server by using Remote Web Access, select the Allow Remote Web Access and access to web services applications check box.

    4. On the Computer access tab, select the network computers that you would like the user to have access to.

Change remote access permissions for a user account

A user can access resources located on the server from a remote location by using a virtual private network (VPN), Remote Web Access, or other web services applications. By default, remote access permissions are turned on for network users when you configure Anywhere Access in Windows Server Essentials by using the Dashboard.

To change remote access permissions for a user account
  1. Open the Windows Server Essentials Dashboard.

  2. On the navigation bar, click Users.

  3. In the list of user accounts, select the user account that you want to change.

  4. In the <User Account> Tasks pane, click View the account properties. The Properties page for the user account appears.

  5. On the Anywhere Access tab, do the following:

    • Select the Allow Virtual Private Network (VPN) check box to allow a user to connect to the server by using VPN.

    • Select the Allow Remote Web Access and access to web services applications check box to allow a user to connect to the server by using Remote Web Access.

  6. Click Apply, and then click OK.

Change virtual private network permissions for a user account

You can use a virtual private network (VPN) to connect to Windows Server Essentials and access all your resources that are stored on the server. This is especially useful if you have a client computer that is set up with network accounts that can be used to connect to a hosted Windows Server Essentials server through a VPN connection. All the newly created user accounts on the hosted Windows Server Essentials server must use VPN to log on to the client computer for the first time.

To change VPN permissions for network users
  1. Open the Windows Server Essentials Dashboard.

  2. On the navigation bar, click USERS.

  3. In the list of user accounts, select the user account to which you want to grant permissions to access the desktop remotely.

  4. In the <User Account> Tasks pane, click Properties.

  5. In the <User Account> Properties, click the Anywhere Access tab.

  6. On the Anywhere Access tab, to allow a user to connect to the server by using VPN, select the Allow Virtual Private Network (VPN) check box.

  7. Click Apply, and then click OK.

Change access to internal shared folders for a user account

You can manage access to any shared folders on the server by using the tasks on the Server Folders tab of the Dashboard. By default, the following server folders are created when you install Windows Server Essentials:

  • Client Computer Backups. Used to store client computer backups created by Windows Server backup. This server folder is not shared.

  • Company. Used to store and access documents related to your organization by network users.

  • File History Backups. By default, Windows Server Essentials stores file backups created by using File History. This server folder is not shared.

  • Folder Redirection. Used to store and access folders that are set up for folder redirection by network users. This server folder is not shared.

  • Music. Used to store and access music files by network users. This folder is created when you turn on media sharing.

  • Pictures. Used to store and access pictures by network users. This folder is created when you turn on media sharing.

  • Recorded TV. Used to store and access recorded TV programs by network users. This folder is created when you turn on media sharing.

  • Videos. Used to store and access videos by network users. This folder is created when you turn on media sharing.

  • Users. Used to store and access files by network users. A user-specific folder is automatically generated in the Users server folder for every network user account that you create.

To change access to a shared folder for a user account
  1. Open the Windows Server Essentials Dashboard.

  2. Click STORAGE, and then click Server Folders.

  3. Navigate to and select the server folder for which you want to modify permissions.

  4. In the task pane, click View the folder properties.

  5. In <FolderName> Properties, click Sharing, and select the appropriate user access level for the listed user accounts, and then click Apply.

    [!NOTE]
    You cannot modify the sharing permissions for File History Backups, Folder Redirection, and Users server folders. Hence, the folder properties of these server folders do not include a Sharing tab.

Allow user accounts to establish a remote desktop session to their computer

This section applies to a server running Windows Server Essentials, or to a server running Windows Server 2012 R2 Standard or Windows Server 2012 R2 Datacenter with the Windows Server Essentials Experience role installed.

The network administrator can grant permissions to network users that allow them to access their network computers from a remote location.

To enable users to access their network computers from a remote location
  1. Open the Windows Server Essentials Dashboard.

  2. On the navigation bar, click USERS.

  3. In the list of user accounts, select the user account that you want to grant permissions for accessing the desktop remotely.

  4. In the <User Account> Tasks pane, click Properties.

  5. In the <User Account> Properties, click the Computer Access tab.

  6. Select the computers that you want this user account to be able to access remotely, and then click OK.

Additional References

  • Manage Online Accounts for Users

  • Get Connected

  • Use Windows Server Essentials

  • Manage Windows Server Essentials
