Commands related to user and group accounts
package require twapi
This module provides procedures related to management of user and group accounts on Windows operating systems.
Most commands allow the following options to be specified:
-system SYSTEMNAME | Several commands, for example, looking up account names or adding users, may be carried out on a target system other than the local system. The -system option allows specification of the target system. This option defaults to the local system if unspecified. |
The commands lookup_account_name, map_account_to_name, lookup_account_sid and map_account_to_sid translate between user and group account names and their SIDs. The command is_valid_sid_syntax validates the syntax of a SID.
The commands get_users, get_global_groups and get_local_groups may be used to enumerate users and groups on a system.
The commands new_user and delete_user allow addition and deletion of user accounts. The commands enable_user, disable_user and unlock_user may be used to change the state of a user account. The command get_user_account_info returns various attributes and properties of a user account. These may be modified through the set_user_account_info command or, alternatively, individually through the following set of commands: set_user_name, set_user_password, set_user_home_dir, set_user_comment, set_user_script_path, set_user_full_name, set_user_country_code, set_user_profile, set_user_home_dir_drive, set_user_priv_level, set_user_expiration.
Information about global and local groups may be retrieved through the get_global_group_info and get_local_group_info commands. New global groups may be created and deleted through the new_global_group and delete_global_group commands. The equivalent commands for local groups are new_local_group and delete_local_group. Users may be added and removed using the commands add_user_to_global_group, add_member_to_local_group, remove_user_from_global_group and remove_member_from_local_group. The commands get_local_group_members and get_global_group_members allow enumeration of the members of a group. The command get_user_local_groups_recursive returns information about the local groups in which the user account has direct or indirect membership.
The rights and privileges associated with accounts can be managed through the get_account_rights, find_accounts_with_right, add_account_rights and remove_account_rights commands.
-all | Returns all data items. |
-comment | Returns the comment associated with the group account. |
-name | Returns the name of the group. |
-sid | Returns the SID for the group. |
-members | Returns the members of the group. |
-all | Returns all data items. |
-comment | Returns the comment associated with the group account. |
-name | Returns the name of the group. |
-sid | Returns the SID for the group. |
-members | Returns the members of the group. |
-all | Returns all data items. |
-comment | Returns the comment associated with the user account. |
-password_expired | Returns a value of 1 if the account password has expired, and 0 otherwise. |
-full_name | Returns the full name of the user. |
-parms | Returns an application specific string. |
-sid | Returns the SID of the user. |
-units_per_week | Returns an integer indicating the number of equal time units into which a week is divided (see -logon_hours). |
-primary_group_id | Returns the RID (relative id component of a SID) of the primary global group for the account. |
-global_groups | Returns the global groups of which the account is a member. |
-local_groups | Returns the local groups of which the account is a member. This includes only groups of which the account is directly a member and does not include indirect membership through a global group which is itself a member of a local group. See get_user_local_groups_recursive for a command that will recursively include groups. |
-status | Returns one of the values disabled, enabled or locked. |
-logon_server | Returns the name of the server to which logon requests are sent. |
-country_code | Returns an integer country/region value for the user's preferred language. |
-home_dir | Returns the full path to the user's home directory. |
-password_age | Returns the number of seconds since the password was last changed for the account. |
-home_dir_drive | Returns the drive letter assigned to the user's home directory. |
-num_logons | Returns the number of times the user has logged on. In an environment with backup domain controllers, each domain controller maintains this value independently and must be queried (using the -system option) separately. A value of -1 indicates the number is unknown. |
-acct_expires | Returns the time in GMT when the account is set to expire. This value may also be never or unknown. |
-last_logon | Returns the time in GMT when the user last logged in. This value may also be never or unknown. In an environment with backup domain controllers, each domain controller maintains this value independently and must be queried separately (using the -system option). |
-last_logoff | Returns the time in GMT when the user last logged off. This value may also be never or unknown. In an environment with backup domain controllers, each domain controller maintains this value independently and must be queried separately (using the -system option). |
-user_id | Returns the RID component of the user's SID. |
-usr_comment | Returns the user comment for the account. |
-bad_pw_count | Returns the number of login attempts for that account that failed because of a bad password. In an environment with backup domain controllers, each domain controller maintains this value independently and must be queried separately (using the -system option). |
-code_page | Returns an integer corresponding to the code page for the user's preferred language. |
-logon_hours | Returns a bit string of 1's and 0's corresponding to each hour in the week that the user is allowed to log on. Note the week starts based on GMT time, not local time. |
-workstations | Returns a comma-separated list of up to eight workstations from which the user can log in. |
-name | Returns the name of the account. |
-script_path | Returns the full path to the user's logon script. |
-priv | Returns one of the values admin, user or guest corresponding to the privilege level for the account. |
-profile | Returns the full path to the user's profile. |
-max_storage | Returns the maximum amount of disk space the user is allowed to use. |
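An account review built from the get_user_account_info options listed above, given here as an added example that is not part of the TWAPI documentation or distribution. It assumes get_users returns a list of account names and get_user_account_info returns a flat list of option/value pairs; the procedure name audit_accounts and the 90-day threshold are hypothetical.

```tcl
package require twapi

# Added example, not code from the TWAPI distribution.
# Assumptions: get_users returns a list of account names, and
# get_user_account_info returns a flat "-option value ..." list.
# audit_accounts and the 90-day default are hypothetical.
proc audit_accounts {{system ""} {max_pw_age_days 90}} {
    # Pass -system only when a target system was named.
    set sysopt [list]
    if {$system ne ""} { set sysopt [list -system $system] }
    set findings [list]
    foreach user [twapi::get_users {*}$sysopt] {
        if {[catch {
            twapi::get_user_account_info $user {*}$sysopt -status -priv \
                -password_age -password_expired -bad_pw_count -last_logon
        } info]} {
            lappend findings [list $user "lookup failed: $info"]
            continue
        }
        set status [dict get $info -status]
        if {$status eq "disabled"} continue
        # -password_age is reported in seconds.
        set days [expr {[dict get $info -password_age] / 86400}]
        if {$status eq "locked"} {
            lappend findings [list $user "locked, bad_pw_count=[dict get $info -bad_pw_count]"]
        }
        if {[dict get $info -priv] eq "admin" && $days > $max_pw_age_days} {
            lappend findings [list $user "admin account, password $days days old"]
        }
        if {[dict get $info -password_expired]} {
            lappend findings [list $user "password expired"]
        }
        if {[dict get $info -last_logon] eq "never"} {
            lappend findings [list $user "never logged on"]
        }
    }
    return $findings
}

# -bad_pw_count and -last_logon are kept per domain controller, so in a
# domain call audit_accounts once per controller, naming it as the argument.
foreach finding [audit_accounts] {
    puts [join $finding ": "]
}
```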
-all | Returns all values. |
-sid | Returns the SID for the account. |
-domain | Returns the domain in which the account was found. |
-system | Specifies the name of the system on which the account is to be looked up. If unspecified, the local system is used. |
-type | Returns the account type. This may be one of user, group (domain group), domain, alias (system local group), logonid, wellknowngroup, deletedaccount, invalid, unknown, or computer. The logonid type is returned for SIDs that identify a logon session. |
-all | Returns all values. |
-name | Returns the name for the account. |
-domain | Returns the domain in which the account was found. |
-system | Specifies the name of the system on which the account is to be looked up. If unspecified, the local system is used. |
-type | Returns the account type. This may be one of user, group (domain group), domain, alias (system local group), wellknowngroup, deletedaccount, invalid, unknown, or computer. |
-system SYSTEMNAME | Indicates the system on which to create the account. |
-comment STRING | Sets the comment associated with the account. |
-home_dir PATH | Sets the account's home directory path. |
-script_path PATH | Sets the path to the logon script for the account. |
-priv PRIVLEVEL | Sets the privilege level for the account. PRIVLEVEL should be one of the values admin, user or guest. If unspecified, this defaults to user. |
-password STRING | Sets the password for the account. |
-comment STRING | Sets the comment associated with the account. |
-full_name STRING | Sets the full name of the user. |
-country_code INTEGER | Sets the country code associated with the user account. |
-home_dir PATH | Sets the account's home directory path. |
-home_dir_drive | Sets the account's home directory drive. |
-acct_expires DATETIME | Sets the time at which the account will expire. DATETIME may be specified in any format accepted by the clock scan command, or may be the string never to indicate that the account should never expire. |
-name STRING | Sets the name field containing the name of the account. |
-script_path PATH | Sets the path to the logon script for the account. |
-priv PRIVLEVEL | Sets the privilege level for the account. PRIVLEVEL should be one of the values admin, user or guest. |
-profile PATH | Sets the path to the account's profile. |
Copyright © 2004-2006, Ashok P. Nadkarni