Basic User Management
TL;DR (Quick Start)
For the impatient: here's the 30-second version.
    # Create admin user and disable default admin
    /user add name=myadmin password=SecurePass123 group=full
    /user set admin disabled=yes
Overview
This guide demonstrates how to create and manage users on MikroTik RouterOS with different permission levels.
Prerequisites
- A MikroTik router running RouterOS 7.x or later
- Admin access to the router
Configuration Steps
Step 1: Create a Read-Only User
Create a user that can only view configuration:
    /user add name=viewuser password=ViewPass123 group=read comment="Read-only monitoring user"
Step 2: Create a Full Access User
Create an administrator user with full permissions:
    /user add name=netadmin password=AdminPass456 group=full comment="Network administrator"
Step 3: Create a Custom User Group
Create a custom group with limited write permissions:
    /user group add name=limited-write policy=read,write,test,winbox,web,!ftp,!reboot,!policy,!sensitive comment="Limited write access"
Step 4: Create User with Custom Group
Add a user to the custom group:
    /user add name=techuser password=TechPass789 group=limited-write comment="Technical support user"
Verification
Check 1: User Accounts
    /user print
Expected Output:
    Flags: X - disabled
     #  NAME      GROUP          ADDRESS
     0  admin     full
     1  viewuser  read
     2  netadmin  full
     3  techuser  limited-write
Check 2: User Groups
    /user group print
Expected Output:
     #  NAME           POLICY
     0  read           local,telnet,ssh,read,test,winbox,web,!ftp,!reboot,!write,...
     1  write          local,telnet,ssh,read,write,test,winbox,web,!ftp,!reboot,...
     2  full           local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,...
     3  limited-write  read,write,test,winbox,web,!ftp,!reboot,!policy,!sensitive
Check 3: Active Sessions
    /user active print
Expected Output:
     #  USER      ADDRESS        VIA
     0  admin     192.168.88.5   winbox
     1  viewuser  192.168.88.10  ssh
Troubleshooting
Problem: User cannot log in
Symptoms: Login attempt fails with "wrong username or password".
Causes & Solutions:
- User disabled - Check user status:
      /user print where name=viewuser
  If disabled (X flag), enable:
      /user enable viewuser
- Wrong password - Reset password:
      /user set viewuser password=NewPassword123
- IP address restriction - Check allowed-address:
      /user print detail where name=viewuser
Problem: User can't access certain features
Symptoms: User logged in but some menus/commands unavailable.
Causes & Solutions:
- Insufficient group permissions - Check user's group:
      /user print where name=viewuser
      /user group print where name=read
- Policy restricts feature - Review group policies:
  - read - View configuration only
  - write - Modify configuration
  - policy - Modify user policies
  - sensitive - See passwords
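The following is an added example, not part of the original guide: a Python checker that reads the `/user` commands used on this page, resolves which policies each enabled account ends up with (a `!` prefix denies a policy), and flags accounts that hold `policy` or `sensitive` without an `address=` restriction, as well as a default admin that is still enabled. The names `granted`, `parse`, `audit`, `BUILTIN` and `PAGE_CONFIG` are introduced here, and the built-in group policies are taken only as far as the page's truncated output shows them.

```python
import shlex

HIGH_RISK = {"policy", "sensitive"}  # per the page: modify user policies / see passwords
# Built-in groups, only as far as the page's truncated output lists them (assumption:
# nothing past the "..." is filled in, so findings for these groups are a lower bound).
BUILTIN = {
    "read": "local,telnet,ssh,read,test,winbox,web,!ftp,!reboot,!write",
    "full": "local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox",
}

# Constructed input: the configuration-step commands from this page.
PAGE_CONFIG = """
/user add name=viewuser password=ViewPass123 group=read comment="Read-only monitoring user"
/user add name=netadmin password=AdminPass456 group=full comment="Network administrator"
/user group add name=limited-write policy=read,write,test,winbox,web,!ftp,!reboot,!policy,!sensitive comment="Limited write access"
/user add name=techuser password=TechPass789 group=limited-write comment="Technical support user"
"""

def granted(policy):
    """Policies a group grants: every name not prefixed with '!' (denied)."""
    return {p for p in policy.split(",") if p and not p.startswith("!")}

def parse(config):
    """Build {group: policies} and {user: properties} from /user command lines."""
    groups = {name: granted(p) for name, p in BUILTIN.items()}
    users = {"admin": {"group": "full", "disabled": "no"}}  # default account
    for line in config.splitlines():
        tok = shlex.split(line, comments=True)
        props = dict(t.split("=", 1) for t in tok if "=" in t)
        if tok[:3] == ["/user", "group", "add"]:
            groups[props["name"]] = granted(props["policy"])
        elif tok[:2] == ["/user", "add"]:
            users[props["name"]] = {"disabled": "no", **props}
        elif tok[:2] == ["/user", "set"]:
            users[tok[2]].update(props)
    return groups, users

def audit(config):
    """Return findings for enabled accounts, sorted by user name."""
    groups, users = parse(config)
    findings = []
    for name, user in sorted(users.items()):
        if user["disabled"] == "yes":
            continue
        if name == "admin":
            findings.append("admin: default account is still enabled")
        risky = sorted(groups[user["group"]] & HIGH_RISK)
        if risky and "address" not in user:  # address= fills the ADDRESS column
            findings.append(f"{name}: holds {','.join(risky)} with no address= restriction")
    return findings
```

Calling `audit(PAGE_CONFIG)` reports the enabled default admin and the two full-group accounts, while techuser and viewuser produce no findings because their groups grant neither `policy` nor `sensitive`.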
Problem: Cannot create users with certain permissions
Symptoms: Error when trying to create user or modify group.
Causes & Solutions:
- Current user lacks "policy" permission - Check the group of the account you are logged in as (myadmin in this example):
      /user active print
      /user print where name=myadmin
  Only users with the policy permission can modify users and groups.
Problem: Default admin account compromised
Symptoms: Unauthorized access or configuration changes.
Causes & Solutions:
- Immediately disable admin account:
      /user set admin disabled=yes
- Create new admin with strong password:
      /user add name=newadmin password=VeryStr0ng!Pass group=full
- Audit recent changes:
      /log print where topics~"system"
Problem: Locked out of router
Symptoms: Cannot log in with any account.
Causes & Solutions:
- Use Netinstall - Factory reset preserves users on some devices
- Reset button - Hold reset during boot to clear configuration
- Physical console - Some devices allow local console access
Related Topics
Security
- Firewall Basics - restrict management access by IP
- SSH Configuration - secure remote access
Related System Topics
- System Backup - backup before user changes
- Logging - audit user activity
- Scheduler - automate user-related tasks
Authentication
- RADIUS - centralized authentication