Skip to content
MikroTik RouterOS Docs

Basic User Management

Basic User Management

Section titled “Basic User Management”

TL;DR (Quick Start)

Section titled “TL;DR (Quick Start)”

For the impatient: here’s the 30-second version.

# Create admin user and disable default admin
/user add name=myadmin password=SecurePass123 group=full
/user set admin disabled=yes

Overview

Section titled “Overview”

This guide demonstrates how to create and manage users on MikroTik RouterOS with different permission levels.

Prerequisites

Section titled “Prerequisites”
  • A MikroTik router running RouterOS 7.x or later
  • Admin access to the router

Configuration Steps

Section titled “Configuration Steps”

Step 1: Create a Read-Only User

Section titled “Step 1: Create a Read-Only User”

Create a user that can only view configuration:

/user add name=viewuser password=ViewPass123 group=read comment="Read-only monitoring user"

Step 2: Create a Full Access User

Section titled “Step 2: Create a Full Access User”

Create an administrator user with full permissions:

/user add name=netadmin password=AdminPass456 group=full comment="Network administrator"

Step 3: Create a Custom User Group

Section titled “Step 3: Create a Custom User Group”

Create a custom group with limited write permissions:

/user group add name=limited-write policy=read,write,test,winbox,web,!ftp,!reboot,!policy,!sensitive comment="Limited write access"

Step 4: Create User with Custom Group

Section titled “Step 4: Create User with Custom Group”

Add a user to the custom group:

/user add name=techuser password=TechPass789 group=limited-write comment="Technical support user"

Verification

Section titled “Verification”

Check 1: User Accounts

Section titled “Check 1: User Accounts”
/user print

Expected Output:

Flags: X - disabled
 #   NAME       GROUP         ADDRESS
 0   admin      full
 1   viewuser   read
 2   netadmin   full
 3   techuser   limited-write

Check 2: User Groups

Section titled “Check 2: User Groups”
/user group print

Expected Output:

 #   NAME          POLICY
 0   read          local,telnet,ssh,read,test,winbox,web,!ftp,!reboot,!write,...
 1   write         local,telnet,ssh,read,write,test,winbox,web,!ftp,!reboot,...
 2   full          local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,...
 3   limited-write read,write,test,winbox,web,!ftp,!reboot,!policy,!sensitive

Check 3: Active Sessions

Section titled “Check 3: Active Sessions”
/user active print

Expected Output:

 #   USER      ADDRESS          VIA
 0   admin     192.168.88.5     winbox
 1   viewuser  192.168.88.10    ssh

Troubleshooting

Section titled “Troubleshooting”

Problem: User cannot log in

Section titled “Problem: User cannot log in”

Symptoms: Login attempt fails with “wrong username or password”.

Causes & Solutions:

  1. User disabled - Check user status:

    /user print where name=viewuser

    If disabled (X flag), enable: /user enable viewuser

  2. Wrong password - Reset password:

    /user set viewuser password=NewPassword123

  3. IP address restriction - Check allowed-address:

    /user print detail where name=viewuser

Problem: User can’t access certain features

Section titled “Problem: User can’t access certain features”

Symptoms: User logged in but some menus/commands unavailable.

Causes & Solutions:

  1. Insufficient group permissions - Check user’s group:

    /user print where name=viewuser
    /user group print where name=read

  2. Policy restricts feature - Review group policies:

    • read - View configuration only
    • write - Modify configuration
    • policy - Modify user policies
    • sensitive - See passwords

Problem: Cannot create users with certain permissions

Section titled “Problem: Cannot create users with certain permissions”

Symptoms: Error when trying to create user or modify group.

Causes & Solutions:

  1. Current user lacks ‘policy’ permission: 
    /user print where name=[/user print as-value where .id=[/system resource print as-value]->"active-user"]
    Only users with policy permission can modify users and groups.

Problem: Default admin account compromised

Section titled “Problem: Default admin account compromised”

Symptoms: Unauthorized access or configuration changes.

Causes & Solutions:

  1. Immediately disable admin account:

    /user set admin disabled=yes

  2. Create new admin with strong password:

    /user add name=newadmin password=VeryStr0ng!Pass group=full

  3. Audit recent changes:

    /log print where topics~"system"

Problem: Locked out of router

Section titled “Problem: Locked out of router”

Symptoms: Cannot log in with any account.

Causes & Solutions:

  1. Use Netinstall - Factory reset preserves users on some devices
  2. Reset button - Hold reset during boot to clear configuration
  3. Physical console - Some devices allow local console access
Section titled “Related Topics”

Security

Section titled “Security”
Section titled “Related System Topics”

Authentication

Section titled “Authentication”
  • RADIUS - centralized authentication

References

Section titled “References”