Windows 10: Writing "net user name localgroups" changed my password to localgroups

It was the last line I wrote on the cmd and it didn't ask me to write the password again, took me some thinking when later I couldn't log in.

:)

 

The command net localgroup someGroup someUser /delete fails.

Windows version: Windows 10 Home, migrated from Windows 8.1

The migration to Windows 10 set the Guest account of Windows 8.1 inactive and terminated its support.
Therefore, I made a standard local user account and wanted to convert it to a "Guest" account:

• Create the user account:
  
  >net user Visitor /add
• Set its initial passworD:
  
  >net user Visitor pw
• Set the other options:
  
  >net user Visitor active:yes /passwordchg:no /comment:"Limited account for visitors"

and tried to modify this account to a Guest account:

• Add it to the Guests group:
  
  >net localgroup Guests Visitor /add
• Remove it from the Users group:
  
  >net localgroup Users Visitor /delete

Soon I noticed that the user=Visitor has the same access permissions as the members of the group=Users.

Investigation



I made a folder D:\testACL with:

>icacls D:\testACL

D:\testACL BUILTIN\AdministratorsF)

BUILTIN\UsersOI)(CI)(RX)

BUILTIN\AdministratorsOI)(CI)(IO)(F)

NT AUTHORITY\SYSTEMF)

NT AUTHORITY\SYSTEMOI)(CI)(IO)(F)





The command net localgroup gives results as expected.




>net localgroup Users

Members

--------------------------------------

UserB

NT AUTHORITY\Authenticated Users

NT AUTHORITY\INTERACTIVE



>net localgroup Guests

Members

--------------------------------------

Visitor

Guest



>net user Visitor

User name Visitor

Password required Yes

User may change password No

some lines omitted

Local Group Memberships *Guests

Global Group memberships *Geen





The File Explorer

File Explorer → Properties → Security → View Effective Access of:



Group = Users as expected

Group = Guests no access; as expected

User = Visitor access same as Group = Users;
ERROR, SHOULD BE NO ACCESS!

User = Guest no access; as expected





The command whoami /groups executed as:



The administrator – Microsoft account

Group Name
Type SID .

Mandatory Label\Medium Mandatory Level Label S-1-16-8192

Everyone Well-known group S-1-1-0

NT AUTHORITY\Local account and member of Administrators group

Well-known group S-1-5-114

compX\HomeUsers Alias

S-1-5-21-3959489222-1251720881-413830006-1002

BUILTIN\Administrators Alias
S-1-5-32-544

BUILTIN\Users Alias
S-1-5-32-545

NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4

CONSOLE LOGON Well-known group S-1-2-1

NT AUTHORITY\Authenticated Users Well-known group S-1-5-11

NT AUTHORITY\This Organization Well-known group S-1-5-15

MicrosoftAccount\XXXXXXXXXXXXXX.nl User
S-1-11-96-very long SID

NT AUTHORITY\Local account Well-known group S-1-5-113

LOCAL Well-known group S-1-2-0

NT AUTHORITY\Cloud Account Authentication Well-known group S-1-5-64-36



A not-changed standard user

Group Name
Type SID .

Everyone Well-known group S-1-1-0\

compX\HomeUsers Alias

S-1-5-21-3959489222-1251720881-413830006-1002

BUILTIN\Users Alias
S-1-5-32-545

NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4

CONSOLE LOGON Well-known group S-1-2-1

NT AUTHORITY\Authenticated Users Well-known group S-1-5-11

NT AUTHORITY\This Organization Well-known group S-1-5-15

NT AUTHORITY\Local account Well-known group S-1-5-113

LOCAL Well-known group S-1-2-0

NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10

Mandatory Label\Medium Mandatory Level Label S-1-16-8192



The user=Visitor

Group Name
Type SID .

Everyone Well-known group S-1-1-0

BUILTIN\Guests Alias
S-1-5-32-546

BUILTIN\Users Alias
S-1-5-32-545

NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4

CONSOLE LOGON Well-known group S-1-2-1

NT AUTHORITY\Authenticated Users Well-known group S-1-5-11

NT AUTHORITY\This Organization Well-known group S-1-5-15

NT AUTHORITY\Local account Well-known group S-1-5-113

LOCAL Well-known group S-1-2-0

NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10

Mandatory Label\Medium Mandatory Level Label S-1-16-8192



Notes and questions:

What is the difference between type=Alias and type=" Well-known group"?

I could not found a possibility get this information by wmic

The output of the following items match, show Visitor as a member of the group=Users and indicate a failing
>net localgroup Users Visitor /delete

• user=Gebruiker→ whoami
• File Explorer → Properties → Security → View Effective Access user=Gebruiker
• Access of folders by all programs, I runned.

The output of the following commands match. However, its output doesnot match the output above.

>net localgroup Users

>net localgroup Guests

>net user Visitor



Finally, I searched the registry



The SIDs of the user accounts are:

>wmic useraccount get name,sid

Name SID

Administrator S-1-5-21-3959489222-1251720881-413830006-500

UserB S-1-5-21-3959489222-1251720881-413830006-1004

Visitor S-1-5-21-3959489222-1251720881-413830006-1005

DefaultAccount S-1-5-21-3959489222-1251720881-413830006-503

Guest S-1-5-21-3959489222-1251720881-413830006-501

HomeGroupUser$ S-1-5-21-3959489222-1251720881-413830006-1003

UserK S-1-5-21-3959489222-1251720881-413830006-1001



The key

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy]

contains some user accounts and their memberships. Only the

S-1-5-21-3959489222-1251720881-413830006 -500, -1001, -1004, -1005 ;

Missing -501, -503, -1000, -1002, -1003 ;



About the user=Visitor with SID …-1005

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\S-1-5-21-3959489222-1251720881-413830006-1005]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\S-1-5-21-3959489222-1251720881-413830006-1005\GroupMembership]

"Group0"="S-1-5-21-3959489222-1251720881-413830006-513"

"Group1"="S-1-1-0"

"Group2"="S-1-5-32-546"

"Group3"="S-1-5-32-545"

"Group4"="S-1-5-4"

"Group5"="S-1-2-1"

"Group6"="S-1-5-11"

"Group7"="S-1-5-15"

"Group8"="S-1-5-113"

"Group9"="S-1-2-0"

"Group10"="S-1-5-64-10"

"Group11"="S-1-16-8192"

"Count"=dword:0000000c

Appearently, this key is used by the whoami.exe and others with the same result.

The group Users="S-1-5-32-545"

This coding scheme is difficult to edit manually!

If this user is logged-in, then the same information is also in

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership]



I could not found the registry keys used by:

>net localgroup Users

>net user





The "net localgroup someGroup someUser /add" adds someUser to the said not-found key and to

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\someSID]

However, the "net localgroup someGroup someUser /delete" removes someUser only from the said not-found key and "net localgroup someGroup" reads only from this not-found key.



Final questions

What is wrong with "net localgroup someGroup someUser /delete" ?

How can I remove the membership of localgroup=Users from a user account?

Note that the goal of a guest account is to give access to a very few folders out of a huge amount of folders.

 

The command net localgroup someGroup someUser /delete fails.

Hello Sayan_Gosh,

Your response is not an answer om my question.

The command net localgroup Users Visitor /delete

returned with:

The command completed successfully.However, the user=Visitor can still access the same folders as the members of the group=Users. As I wrote, inquiries about membership give conflicting results: corrupt registry?

Moreover, if removal of someUser from the group=Users is not allowed, then this command should do nothing and return an error message.

I tried to summarize the problem without repeating the evidence that something went wrong. I cannot trust the responses of some commands. My question is not answered!

 

Locked out of my master drive getting access denied on every fix

There are three commands that you can use to find out the correct username:

• net localgroup administrators
• net localgroup users
• net localgroup guests

Don't forget to press Enter after typing them in the Command Prompt. These commands will show the list of the administrator accounts, the standard accounts, and the guest accounts currently on your computer. Your account is very likely a standard user account
right now, so we suggest trying that first. Once you find your user account, follow step 7 from my earlier post to change it to an administrator account. If your user account isn't listed, please post a screenshot of the results of these commands so that we
can study it.

Keep us updated on what happens to your account after following these steps.