AIST3720 Notes

A few reminders in one place for adding users in Linux and Windows Server environments. In all the examples below we are adding a user with ID demo1, full name Demo One, and Pw4AIST3720! as the password.

Linux Ubuntu Desktop

Refs:

Add a new user account (using desktop GUI)

Create User Account using useradd/adduser commands in Linux

GUI:

Using desktop Users app is straightforward (e.g., see refs above). Open it by searching for Users in applications and note that the app needs to be unlocked to validate your administrative credentials before adding new users.

Using bash terminal:

There's a 'low level' useradd command and a more complete interactive adduser utility (kind of like a script or program). With useradd the new user's details (e.g., password, home folders) are configured with parameters or separate commands; nice if you need that level of control and also helpful when adding users in script but a bit more work to onboard a user or two. More quick and complete but requiring some Q&A is adduser.

The sequence below applies adduser; note that while typing the password nothing will appear and what was actually typed by the person creating the new user appears in boldface.

sudo adduser demo1

Adding user `demo1' ...

Adding new group `demo1' (1002) ...

Adding new user `demo1' (1002) with group `demo1' ...

Creating home directory `/home/demo1' ...

Copying files from `/etc/skel' ...

New password: Pw4AIST3720!

Retype new password: Pw4AIST3720!

passwd: password updated successfully

Changing the user information for demo1

Enter the new value, or press ENTER for the default

       Full Name []: Demo One

       Room Number []: {Enter}

       Work Phone []: {Enter}

       Home Phone []: {Enter}

       Other []: {Enter}

Is the information correct? [Y/n] y

The minimal user add allowing a login (where the password is entered twice after executing the passwd command)

sudo useradd demo1

sudo passwd demo1

As a quick command-line test of whether a login works the command

su {user}

will ask for the user's password and open a terminal window as that user.

When using the GUI or adduser, the user's /home folder is created but their Documents, Downloads, etc. are not until the user actually logs in; using su to open a terminal window validates their login but does not create their personal folders.

Windows Server without Active Directory

Refs:

How to add a local user account to Windows Server 2019

net user, net localgroup, runas (Windows commands)

New-LocalUser, Add-LocalGroupMember , New-ADUser, (Windows PowerShell cmdlets)

GUI:

Using the Local Users and Groups snap-in is straightforward (e.g., see refs above). To open it use Start and begin typing 'Computer Management', selecting it from the search results or use the command compmgmt.msc. Select Local Users and Groups.in System Tools. Note that the command lusrmgr.msc will bring just Local Users and Groups (i.e., not the other Computer Management bits).

Command line:

From a command prompt

net user /add demo1 Pw4AIST3720! /fullname:"Demo One"

adds a user.

As a default demo1 will be a member of only the Users group. To add demo1 to, say, the Remote Desktop Users group use

net localgroup "Remote Desktop Users" demo1 /add

A quick check of whether the login works can be made by using

runas /user:demo1 cmd

which opens a command prompt as demo1 (a password for demo1 will be asked for). You could also sign-out and sign-in as the new user.

Windows PowerShell:

Using

New-LocalUser -Name demo1 -FullName "Demo One" `

-Password (ConvertTo-SecureString "Pw4AIST3720!" -AsPlainText -Force)

adds a user. Note that is command is shown in two lines using the PowerShell ` line continuation character but could be entered all on one line without it. Also, conversion of text to a secure string is required when used as a password.

As a default demo1 will not be a member of any groups. To add demo1 to, say, the Remote Desktop Users group use

Add-LocalGroupMember -Group "Remote Desktop Users" -Member demo1

To start a process (e.g., a PowerShell window) as the new user use

[pscredential]$uCred = New-Object System.Management.Automation.PSCredential("demo1", `

(ConvertTo-SecureString "Pw4AIST3720!" -AsPlainText -Force))

Start-Process -FilePath powershell -Credential $uCred

The first line is definitely a PowerShell ninja move but basically sets up a variable $uCred that has the user's credentials; the second line is the basic gist. Note that runas (as from a command line) would also work in PowerShell.

Windows Server with Active Directory

GUI:

Once a computer is part of a Windows AD the Local Users and Groups snap-in is not available since the AD controls access to the computers. Instead use Active Directory Users and Computers (e.g., click Start and begin typing this) or the command dsa.msc to get the snap-in. Like Local Users and Groups this is fairly straightforward to use for adding users.

Command line:

The same commands that work for to add a user to a server without AD work with AD. The user is added to the default domain and is a member of the Domain Users group as a default.

For an Active Directory controller it is rare for generic users to be able to log on locally (i.e., directly to the computer). If you try to test the login using runas as on a Windows Server with AD (or sign off and try to sign is as the new user) you will get an error that the login is not allowed. There are ways to adjust the AD domain policies to allow local logins for specific users or groups but a quick work around is to add the user to the Account Operators group (among other possibilities). This does give the user some other privileges but lets you test the login a bit including runas or local sign-in, after which you can remove the user from the group if needed.

PowerShell:

It turns out that New-LocalUser works in AD and in a Windows Server without AD, adding the user to the default domain and as a member of Domain Users. The Add-LocalGroupMember cmdlet works but so few of the groups available are local groups it seems not to (e.g., use Get-LocalGroup to see which are truly local groups under AD).

Better to use cmdlets designed for active directory. The following

New-ADUser -Name demo1 -DisplayName "Demo One" -Enabled $true `

-AccountPassword (ConvertTo-SecureString "Pw4AIST3720!" -AsPlainText -Force)

adds a new AD user and

Add-ADGroupMember -Identity "Remote Desktop Users" -Members demo1

adds user demo1 to the Remote Desktop Users group.

Note that adding the user does not create their /Users folder but logging in or using runas does (including the Documents, Downloads, etc. folders)