Working with Net User

The Net User command on page 142 of Windows Command-Line Administration Instant Reference seems to have generated a bit of confusion. The /Add command line switch is straightforward; /LogonPasswordChg isn’t. For one thing, the /LogonPasswordChg command line switch doesn’t appear to be documented, even in Windows 7. Here’s the help provided with Net User now:

NetUser01

As you can see, there isn’t even a mention of /LogonPasswordChg. Microsoft doesn’t help matters. For example, if you look at the “How to Use the Net User Command” Knowledge Base article, you won’t find any mention of this command line switch. While writing the book, I had found a tantalizing clue at Manage XP and Vista Users Using DOS Commands and decided to try it on Windows 7 as well. The command works fine when used correctly in Windows 7.

However, here is where the plot thickens. It seems that the command line switch doesn’t work in Windows XP. When you execute the command shown on page 142, you get an error message reading something like, “The option /LOGONPASSWORDCHG:YES is unknown.” Somewhere between Windows XP and Vista, Microsoft added the /LogonPasswordChg command line switch to Net User and then didn’t tell anyone about it. Consequently, the command shown on page 142 won’t work under Windows XP.

There is another problem that occurs when using the /LogonPasswordChg command line switch. If the account currently has the Password Never Expires option checked as shown here:

NetUser03

the command appears to succeed, but doesn’t change anything. In order to make the command work properly, you must first set the password to expire using the WMIC Path Win32_UserAccount Where Name='UserName' Set PasswordExpires=True command. So, the sequence to set an existing account to force a password change during the next logon is like this:

NetUser04

When you execute these two commands, you’ll see the user account settings change to appear like this:

NetUser05

which means the user must change the password during the next logon.
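The two-step sequence above, written as an added PowerShell example (not from the book or the original post) that also confirms the result, because the Net User switch reports success even when it changes nothing. It assumes an elevated PowerShell 3.0 or later session, uses the CIM cmdlets in place of the WMIC command, and the $UserName parameter and the final ADSI check are this example's own choices.

```powershell
# Added example: force a password change at next logon for an EXISTING local account.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserName   # assumed parameter name: the local account to modify
)

$ErrorActionPreference = 'Stop'

# Find the account without building a WQL string from user input.
$account = Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount=True' |
    Where-Object { $_.Name -eq $UserName }
if (-not $account) { throw "Local account '$UserName' not found." }

# Step 1: if Password Never Expires is checked, /LogonPasswordChg is a silent no-op,
# so clear it first (same effect as the WMIC ... Set PasswordExpires=True command).
if (-not $account.PasswordExpires) {
    Set-CimInstance -InputObject $account -Property @{ PasswordExpires = $true }
    Write-Output "Cleared 'Password never expires' on $UserName."
}

# Step 2: the undocumented switch (Vista and later; Windows XP rejects it as unknown).
& net.exe user $UserName /logonpasswordchg:yes
if ($LASTEXITCODE -ne 0) { throw "net user failed with exit code $LASTEXITCODE." }

# Step 3: do not trust the success message. Re-read both settings.
$after = Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount=True' |
    Where-Object { $_.Name -eq $UserName }
$adsi = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"
$mustChange = ($adsi.PasswordExpired.Value -eq 1)

if ($after.PasswordExpires -and $mustChange) {
    Write-Output "$UserName must change the password at next logon."
} else {
    throw "Setting did not take effect (PasswordExpires=$($after.PasswordExpires), PasswordExpired=$($adsi.PasswordExpired.Value))."
}
```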

So, why does the command on page 142 work without this extra step? In this case you’re adding a new user and the Password Never Expires option is disabled by default. Creating the combined command works fine because there is nothing to hinder it with a new account. Please let me know if you encounter any problems with this particular command at [email protected].