A security incident occurred on a Windows 10 workstation where an attacker gained administrative access and created several hidden user accounts. You need to ensure no unauthorized accounts exist and that the built-in Administrator account is disabled. Which two tools can you use from the command line to list all user accounts and check the status of the Administrator account?
Net user displays all local user accounts, and piping to findstr can filter for the account's active status.
Why this answer
The 'net user' command lists all local user accounts on a Windows system, which is necessary to identify hidden or unauthorized accounts. Piping 'net user Administrator' through 'findstr /i active' filters the output to show whether the built-in Administrator account is enabled or disabled, as the status line contains 'Active' or 'Account active' depending on the locale. This combination directly fulfills the requirement to list all accounts and check the Administrator account's status from the command line.
Exam trap
CompTIA often tests the distinction between listing all accounts versus showing only the current user or group membership, leading candidates to confuse 'whoami' or 'net localgroup' with account enumeration commands.
How to eliminate wrong answers
Option B is wrong because 'whoami' only displays the currently logged-in user, not a list of all accounts, and 'net localgroup Administrators' shows group membership, not the status of the Administrator account itself. Option C is wrong because 'dir C:\Users' lists user profile folders, which may not exist for hidden accounts or system accounts, and 'net accounts' displays password and lockout policies, not account status. Option D is wrong because 'gpresult /R' shows applied Group Policy settings, not user accounts, and 'net start' lists running services, which is irrelevant to account enumeration or status checking.