I do a lot of testing with security in SQL Server. And of course to do a thorough job of it I need not just SQL Server logins but Windows logins. And that means I need to be able to create and delete windows users and groups. I could do this with the GUI, but first of all I’m a command line kind of guy and second if I’m creating a dozen or more users at once then the GUI is just too slow.

Now I’m moving a little bit outside my normal comfort zone here. I’m not a windows guy. I’m a SQL guy. I did however manage to find just the commands I needed. And in the interest of documenting them for myself (that being one of the great benefits of blogging) here they are:

• Add a new user

  NET USER "NewUser" "NewPassword" /ADD

• Remove a user

  NET USER "NewUser" /DELETE

• List group membership of a user. Note: this also returns a lot of other information about the user.

  NET USER "NewUser"

• Add a new local windows group

  NET LOCALGROUP "NewGroup" /ADD

• Remove a local windows group

  NET LOCALGROUP "NewGroup" /DELETE

• Add a user to a local windows group

  NET LOCALGROUP "NewGroup" "NewUser" /ADD

• Remove a user from a local windows group

  NET LOCALGROUP "NewGroup" "NewUser" /DELETE

• List members of a local windows group

  NET LOCALGROUP "NewGroup"

If you just open a command shell and run these you will get the following error even if your user is a member of the admin group.

System error 5 has occurred.

Access is denied.

In order to avoid this error you need to run the command shell as administrator. If you hold down the shift key and right click on the shortcut you will get a much longer menu then you normally see. And near the top is the option Run as administrator.

Select that option and you will open the command shell in such a way that these commands will work. Of course this does assume that you are a member of the administrators group.