on September 4, 2010
On Windows OS we can find the list of local user groups created on a system from Contorl Panel -> User Accounts. This information can be obtained from command line also using net command. Syntax is shown below.
net localgroup
Example: Running this command shows the following local groups on my system.
C:\>net localgroup Aliases for \\techblogger-pc ---------------------------------------------------------------------------- *Administrators *Backup Operators *Debugger Users *Guests *Network Configuration Operators *Power Users *Remote Desktop Users *Replicator *Users The command completed successfully.
How to list the users in a local group?
Use the below command to know the list of members of a group from command line.
net localgroup groupName
For example to get the list of all remote desktop users on a system we can run the below command.
net localgroup "Remote Desktop users"
How to find the list of all groups a user is member of?
You can run the below command to list the groups a user is member of. This command prints the details of the given user account. You can find the group membership information in the last two line of this command output.
net user userName
Example:
H:\>net user John User name John Full Name Comment User's comment Country code 000 (System Default) Account active Yes Account expires Never Password last set 12/2/2010 11:00 PM Password expires 4/1/2011 11:00 PM Password changeable 12/2/2010 11:00 PM Password required Yes User may change password Yes Workstations allowed All Logon script User profile Home directory Last logon Logon hours allowed All Local Group Memberships *Debugger Users *Users Global Group memberships *None
Related Posts:
Add user to group from windows command line
Remove user from group using windows command prompt
cmd Viewing user groups
Viewing user groups in the Windows Command Prompt (cmd) allows you to see the various groups that exist on your system, as well as which users are part of those groups. This is particularly useful for system administrators who need to manage permissions and access rights effectively. Below, I’ll explain how to view user groups in cmd, along with examples and expected outputs.
1. Viewing All User Groups
To view all user groups on your Windows system, you can use the net localgroup command.
Basic Syntax:
Example:
To list all local groups, simply enter:
Output:
Output Explanation:
- This command displays a list of all local groups on the computer. Groups like
Administrators,Guests, andUsersare commonly found on Windows systems.
2. Viewing Members of a Specific User Group
To view the members of a specific user group, you can use the net localgroup command followed by the group name.
Basic Syntax:
Example:
To view the members of the Administrators group, enter:
Output:
Output Explanation:
- This command lists all users that are members of the
Administratorsgroup. In this example,YourUsernameandAdministratorare shown as members.
3. Viewing Group Membership of a Specific User
To view which groups a specific user belongs to, you can use the net user command followed by the username.
Basic Syntax:
Example:
To view the group memberships of a user named YourUsername, enter:
Output:
Output Explanation:
- This command provides detailed information about the specified user, including their local group memberships (e.g.,
Usersin this case).
4. Summary
Viewing user groups in the Windows Command Prompt can be accomplished using commands like net localgroup to list all groups and net user to find group memberships for specific users. These commands are valuable for managing user access and permissions within a Windows environment, helping administrators ensure that users have appropriate rights based on their roles.
We use the command net localgroup to display and manage groups from the command prompt (CMD or PowerShell) in the Windows operating system.
Administrators can perform the following tasks using the net localgroup command:
- Add new groups to the local computer or domain.
- Remove existing groups from the local computer or domain.
- Add users and groups to the Windows groups.
- Remove users and groups from Windows groups.
Command options
| GroupName | Name of the group to be added or modified. If the group name includes spaces, enclose it in quotation marks. |
| /domain | Use this command switch to execute the net localgroup command on the Active Directory domain controller rather than on the local computer. |
| /add | Use this option to add new groups to the Windows system or add users to existing groups. |
| /delete | Use this option to delete groups or remove members from groups. |
| /comment:»text» | Adds a description to a Windows group. |
Notes
When operating in an Active Directory domain environment, always use the /domain command switch.
There is another Windows command, the net group, which has the same syntax as the net localgroup. The net group command creates global groups; the net localgroup command creates local groups.
In the CMD, you can get help by running the net help localgroup command.
Next, we will learn more about the net localgroup command by looking at several examples.
Display Information on Existing Windows Groups
We can use the net localgroup command to list groups and view detailed information about a particular group.
To get a list of groups on the local computer, type net localgroup and press Enter:
net localgroupTo do the same thing on an Active Directory domain controller, use the /domain command switch:
net localgroup /domainTo get detailed information about a group, type net localgroup followed by the group name. For example, to view the Administrators group, you will run the following command:
net localgroup Administrators
net localgroup /domain AdministratorsThe command lists the users in the Administrators group.
Add/Delete Groups
To add a new local group, use the following syntax, where GroupName is the name of the new group:
net localgroup /add GroupNameFor example, to create a group called sales, you will run the following command:
net localgroup /add salesTo remove a group from Windows, use the /delete option. For example, to remove an existing group called sales, you will run the following command:
net localgroup /delete salesAdd a description while creating the group:
net localgroup /add sales /comment:"This is Sales Group"Add a description to the existing group:
net localgroup sales /comment:"Sales group"Add (or Remove) User to the Groups
To add a user to a group, use the following syntax:
net localgroup /add GroupName UserNameThe following command adds user user1 to the sales group:
net localgroup /add sales user1You can add multiple users to a group at once:
net localgroup /add sales user1 user2To remove a user from a group, use the /delete option:
net localgroup /delete sales user1
net localgroup /delete sales user1 user2Examples
List all the local groups:
net localgroupAdd a new local group called sales:
net localgroup /add salesDelete sales group:
net localgroup /delete salesThis command lists the users in the Remote Desktop Users group:
net localgroup "Remote Desktop Users"The following command adds user user1 to the Remote Desktop Users group:
net localgroup /add "Remote Desktop Users" user1The following command removes user1 from the Remote Desktop Users group:
net localgroup /delete "Remote Desktop Users" user1What Next?
That brings the end to this tutorial. Next, you can learn the net user command, which is used to manage Windows users from the command prompt.
If your computer is running in a corporate environment, one day you may wonder which Active Directory (AD) groups your current user is a member of.
The easiest way to see what AD groups i am a member of is by executing the appropriate commands from a command prompt (CMD or PowerShell) and this short note shows how to do this.
Cool Tip: How to determine whether the current user is a Domain User account or a Local User account! Read more →
To find out what Active Directory groups i am a member of, run one the following commands from the command prompt (CMD or PowerShell):
C:\> whoami /groups
– or –
C:\> gpresult /r
The commands above will list all the AD groups the current user is a member of.
Cool Tip: Find out what domain controller am i connected to! Read more →
Was it useful? Share this post with the world!
Native Solution
Netwrix Auditor for Active Directory
Steps
To see user’s AD group membership using the command line:
- Open the command prompt by navigating to Start → Run (or pressing Win + R) and entering «cmd».
- Type the following command in the command line, specifying the user account you want to find group membership for:
net user username
- At the end of the resulting report, you will find a list of the local groups and global groups that the user belongs to:
To list members of AD group using the command line:
- Open the command prompt by navigating to Start → Run (or pressing Win + R) and entering «cmd».
- Enter the following command, specifying the required group name:
net localgroup groupname
- At the end of the resulting report, you will find a list of the members of the group:
NET commands also work if you need to check local users and group membership in Windows 10.
To see which groups a particular user belongs to:
- Run Netwrix Auditor → Navigate to «Reports» → Click “Predefined” → Expand the «Active Directory» section → Go to «Active Directory — State-in-Time» → Select «User Accounts — Group Membership»→ Click “View.»
- Specify “Enabled” in the “Status” field and type “user” in the “Member Type” field -> Click “View Report.”
To check AD group members:
- Run Netwrix Auditor → Navigate to “Reports” → Click “Predefined” → Expand the “Active Directory” section → Go to “Active Directory – State-in-Time” → Select “Group Members” → Click “View”.
- Set up the following filters:
- Status: Enabled
- Member Type: User
- Group path: The group path. You can specify the partial path to a particular group, using % as the wildcard character, or leave the wildcard to see a report for all groups.
- Click “View Report”.
Grasp the Full Picture Instead of Tinkering with the Command Line
Best practices advise using Active Directory groups to grant access privileges to users — for example, access to specific computers, tools, and servers. However, over time, AD group configuration can get very complicated, making it challenging to understand who has access to what and ensure each user only has the permissions they need. IT admins often need to check AD group members in Windows 10 or detail all the groups that a particular user belongs to and then either provide that information to departmental leaders for access privilege attestation or analyze it themselves to fix broken inheritance and other security issues.
You can view AD group membership with the Active Directory Users and Computers (ADUC) console snap-in by finding the user or group of interest, drilling down into the object’s properties, and clicking the “Members” or “Member Of” tab. Another option is to get group membership with the command line — you can use the dsget user and dsquery group tools from the Active Directory Domain Services (AD DS) package, or native NET commands from the command line. However, the results of the NET USER and NET LOCALGROUP commands are hard to parse. While dsget and dsquery can be used to query ad group membership and provide more structured output, those commands work only on server versions of Windows and require you to input the distinguished name in LDAP Data Interchange Format. The last option is to use the Get-ADGroupMemberPowerShell cmdlet, which requires some scripting skills. As a result, reviewing Active Directory group membership with native tools can be difficult and time-consuming.
Netwrix Auditor for Active Directory can save a great deal of precious time. Instead of checking AD group membership with a command line, system operators can get a group membership summary in a few clicks. In addition, Netwrix Auditor also reports on modifications, logon activity, and the configuration of Active Directory and Group Policy, including inactive user and computer accounts, Active Directory object permissions, and more. It will alert you to possible threats and offers an advanced search to speed investigations. You can use various predefined reports, all with filtering, exporting, and subscription options, and easily create your custom reports. This comprehensive functionality streamlines many everyday IT tasks, from change monitoring and access control to privilege review and anomalous behavior detection.