The Add Users utility (addusers.exe) is a command-line program that you can use to either dump the users on a system to a file or load users from a file to a system. Earlier resource kits included Add Users: You can see the program in the Books Online (BOL) documentation, which Microsoft hasn't updated for Windows 2000 (e.g., references to User Manager still exist).
Add Users is useful when you need to load a set of users or groups to several servers. For example, to automate the maintenance of your systems architecture in a Web farm, you need a way to update the local users on each system automatically. With Add Users, you can run the utility from a command prompt window, Windows Script Host (WSH), or batch file. As always with Windows NT 4.0 and now Win2K, you must log on with the correct security context to add or dump user information. If you don't have the correct rights to add users, the Add Users command will fail.
Adding Users and Groups
Add Users reads the data it uses from a simple ASCII text file. The file is a modified version of a Comma Separated Values (CSV) file. The format from BOL looks like this:
\[User\] UserName,FullName,Password,_ Comment,HomeDriveAndPath,_ Profile,Script, \[Global\] GlobalGroupName,Comment,_ UserName, ... \[Local\] LocalGroupName,Comment,_ UserName, ...
The format of the input file and the syntax for Add Users look simple enough, but the proof is always in how things work. Here's an example. You can place the following text in a file named AddStandardUsers.txt:
\[User\] joes,Joe Smith,joeno1,_ Programming administrator, _ c:\data\joes,, suzyw, Suzy Wells, suzyw, _ Programmer, c:\data\suzyw,, \[Global\] \[Local\] Programmers,Programmers,_ WebServer1\suzyw, ProgrammingTeamLeader,_ Programming Team _ leader,WebServer1\joes
This .txt file adds two users and two groups, then adds the two users to the new groups.
I use Notepad to create text files like this, although you can use any program that generates a simple ASCII file with no extra characters. When you've created this file, use this syntax to feed it to the Add Users utility:
C:\addusers /c _ AddStandardUsers.txt
This syntax executes the Add Users utility, specifying your new file as the input file. If the command executes successfully, you see output similar to this:
User account created "joes" User account created "suzyw" Local group "Programmers" _ created - User "WebServer1\suzyw" _ added to group _ "Programmers" Local group _ "ProgrammingTeamLeader" _ created - User "WebServer1\joes" _ added to group _ "ProgrammingTeamLeader"
This output tells you that your input data was correct and that no errors occurred during the process.
Add Users is picky about the syntax of entries in the input file. For example, when you use the syntax
\[Local\] Programmers,Programmers,_ WebServer1\suzyw, ProgrammingTeamLeader, _ Programming Team leader, _ WebServer1\joes
to add the user joes to the ProgrammingTeamLeader group, the last statement fails with a Cannot retrieve user: 1332 error. The tool interprets the space after the comma and before the server name as part of the name. Here's what the output looks like when you execute the command and generate the error:
User account created "joes" User account created "suzyw" Local group "Programmers" _ created - User "WebServer1\suzyw" _ added to group _ "Programmers" Local group _ "ProgrammingTeamLeader" _ created - Error adding user to group _ " WebServer1\joes" _ (cannot retrieve user: _ 1332)
To fix the problem, simply change the statement by dropping the space before WebServer1. If you have blank lines in a file, those lines can't contain space or tab characters.
In the previous examples, the system name appears before the username. If you leave out the system name, Add Users will find the users on the system from which you're executing the command.
Deleting Users and Groups
If you want to delete users or groups from a system, you use a slightly different format for your input file. Here's the syntax for a file to delete users and groups:
\[User\] joes, suzyw, \[Global\] \[Local\] Programmers, ProgrammingTeamLeader,You can use this file to delete users and groups by executing this command:
C:\addusers /e filenameThe main difference in the two file formats is that the Delete format doesn't require all the information for a user or group that the Create command does. For example, I didn't specify the full username or anything else for the usernames. Instead, I simply listed one username per line and ended each line with a comma.
Account-Creation Options
By default, any users you add with Add Users need to change their passwords the first time they log on. To eliminate this requirement, use the /p switch to set account-creation options when you're adding users. To use the /p switch, you must specify /p: followed by one or more of the options in Table 1 (from BOL). You can combine these options in one command. For example, the commandC:\addusers /c _ AddStandardUsers.txt /p:eladds users with passwords that don't expire (option e) and doesn't force the users to change their passwords when they first log on (option l).
You can't specify different /p options for particular records within a file because you must specify the option on the command line, where it applies to all entries in the file. So, if you need to use /p with different settings for different users, break the users into smaller files and run each file independently.
Another option that isn't obvious from BOL is using Add Users to create groups only. To add groups only, you create a .txt file with the group names and no users. The following text demonstrates the format for adding local groups:
\[User\] \[Global\] \[Local\] WebProgrammers,Web _ Programmers,, WebProgrammingTeamLeader, _ WebProgramming Team leader,You use this file with the /c switch just as you did when you created users and groups. You can add users to the new groups either when you create the groups or later. In either case, you use the file format in the first example. For example, you could add the users suzyw and joes to the WebProgrammers group by using this file with the /c switch. The /c switch creates user accounts, local groups, and global groups:
\[User\] \[Global\] \[Local\] WebProgrammers, _ ,WebServer1\suzyw, WebProgrammers, _ ,WebServer1\joesThe command reports that the group already exists, but it adds the users.
You can use the /d command to dump the existing users and groups on your system to a file. The syntax is
C:\addusers /d WebServer1Users.txtYou can also use Add Users from a remote computer by specifying the computer name:
C:\addusers \\WebServer2 /d _ WebServer1Users.txtThis version of the command is useful because you can execute it from any system on your network. Because you can use it from any system, you can extract and load users remotely in batches.
Next Month
The Add Users utility is a handy tool for automating the addition and deletion of groups and users. Because you can use it either in a batch file or from the command line, the utility is doubly useful. The tool also lets you remotely execute Add/Delete commands against any servers on your network or any server that you can connect to with a tool such as Win2K Server Terminal Services; NT Server 4.0, Terminal Server Edition (WTS); or Symantec's pcAnywhere.Next month, I'll dig into the Audit Policy tool. I'll also discuss the implications of auditing for Web servers.
