Revoke Net user command for non admin users

  • Question

  • In my domain, local users can fetch users, groups and OU information by using net user or net group commands. I want to restrict local users from accessing such information via Active Directory. Where in AD can I set such settings?
    Tuesday, July 7, 2020 10:29 AM

All replies

  • This is by design.

    Domain users are considered Authenticated Users, hence they are able to read the domain objects.

    Restriction is possible if you follow the method below:

    1.) Disable CMD prompt and PowerShell on end-user PCs so that they cannot execute the net use command.

    2.) Avoid installing the RSAT tool on desktops so that they cannot open the AD console.


    Tuesday, July 7, 2020 3:00 PM
  • Type the command "net user username /delete" and press Enter to delete administrator account without password login or admin rights.
    Tuesday, July 7, 2020 3:12 PM
  • Hello,
    Thank you for posting in our TechNet forum.

    1. What do we mean by "local users"? Do we mean normal domain users in AD or local users on member servers/domain clients?
    2. Which machine do we log on to using the "local users"?


    I log on to a domain client with a local user account on this domain client or a normal domain user, and run net user and net group.

    After running net user, the result is all local user accounts on this machine.

    After running net group, the result is: 
    This command can be used only on a Windows Domain Controller.
    More help is available by typing NET HELPMSG 3515.





    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, July 8, 2020 2:30 AM
    Moderator
  • By local users I mean all other domain users who do not have domain admin rights explicitly. Every user in my domain can fetch the users list with the following command: "NET USERS /DOMAIN >USERS.TXT".
    Wednesday, July 8, 2020 6:12 AM
  • Hi,

    Maybe we can block domain users from getting the result by changing the permission; here is a similar case with a marked answer.

    How do I prevent the enumeration of Domain user's accounts by the net user command?
    https://social.technet.microsoft.com/Forums/en-US/9587e0a1-a1bf-402f-aefb-d0a712dfa73d/how-do-i-prevent-the-enumeration-of-domain-users-accounts-by-the-net-user-command?forum=winserversecurity


    Best Regards,
    Daisy Zhou

    Friday, July 10, 2020 3:28 AM
    Moderator
  • Hi,
    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
    Thanks for your time and have a nice day!
    Best Regards,
    Daisy Zhou

    Monday, July 13, 2020 1:03 AM
    Moderator
  • Hi,
    I just want to confirm the current situation.
     
    Please feel free to let us know if you need further assistance.
     
    Best Regards,
    Daisy Zhou

    Thursday, July 16, 2020 7:28 AM
    Moderator