Tools - Configuration
Updated: November 23, 2024

net localgroup

Manage local groups and view group memberships.

Command: net localgroup

Category: Configuration

Type: CMD

Purpose

Displays, creates, and modifies local group accounts on the computer. Use it to view existing local groups, see group memberships, add or remove users from groups, and create or delete local groups. Essential for managing local computer security and permissions.

Quick Summary

Manage local groups and their members from the command line. See all local groups, check who's in the Administrators group, add or remove users from groups, and create custom groups. Perfect for quick security audits, user management, and scripting administrative tasks.

How to Use

View all local groups:

net localgroup

View members of specific group:

net localgroup Administrators
net localgroup Users

Add user to group (requires admin):

net localgroup Administrators JohnDoe /add
net localgroup "Remote Desktop Users" JohnDoe /add

Remove user from group (requires admin):

net localgroup Administrators JohnDoe /delete

Create new local group (requires admin):

net localgroup "Custom Group" /add
net localgroup "Custom Group" /add /comment:"Description of group"

Delete local group (requires admin):

net localgroup "Custom Group" /delete

Tips and Best Practices

  • Use quotes around group names with spaces: "Remote Desktop Users"
  • Check Administrators group regularly for unauthorized additions.
  • Document group memberships before making changes.
  • Use domain\username for domain accounts: net localgroup Administrators DOMAIN\User /add
  • Verify changes: run net localgroup GroupName after modifications.
  • Create custom groups for organizing permissions.
  • Standard users can view groups; admin rights required to modify.

Common Use Cases

  • Security audits: Check who has administrator access.
  • User management: Add or remove users from local groups.
  • Permission troubleshooting: Verify group memberships affecting access.
  • Automated setup: Script user group assignments during deployment.
  • Remote desktop access: Manage Remote Desktop Users group.
  • Custom permissions: Create groups for specific access needs.

Prerequisites

  • Windows Command Prompt or PowerShell
  • No administrator rights required to view groups and members
  • Administrator rights required to modify groups or memberships
  • Available on all Windows versions

Common Local Groups

Built-in groups:

  • Administrators: Full system control
  • Users: Standard user permissions
  • Guests: Limited guest access (often disabled)
  • Power Users: Legacy group with some admin-like permissions
  • Remote Desktop Users: Can log in via Remote Desktop
  • Backup Operators: Can back up and restore files
  • Network Configuration Operators: Can modify network settings
  • Remote Management Users: Can access WMI resources remotely
  • Event Log Readers: Can read event logs
  • Performance Monitor Users: Can access performance counter data
  • Distributed COM Users: Can launch DCOM objects

Understanding the Output

Example output for viewing all groups:

Aliases for \\COMPUTERNAME

-------------------------------------------------------------------------------
*Administrators
*Backup Operators
*Distributed COM Users
*Event Log Readers
*Guests
*IIS_IUSRS
*Network Configuration Operators
*Performance Monitor Users
*Power Users
*Remote Desktop Users
*Remote Management Users
*Replicator
*Users

Example output for group members:

Alias name     Administrators
Comment        Administrators have complete and unrestricted access

Members

-------------------------------------------------------------------------------
Administrator
DOMAIN\JohnDoe
DOMAIN\Domain Admins

Adding Users to Groups

Add local user:

net localgroup Administrators JohnDoe /add

Add domain user:

net localgroup Administrators DOMAIN\JohnDoe /add

Add domain group:

net localgroup Administrators "DOMAIN\Domain Users" /add

Add multiple users (separate commands):

net localgroup "Remote Desktop Users" User1 /add
net localgroup "Remote Desktop Users" User2 /add

Removing Users from Groups

Remove local user:

net localgroup Administrators JohnDoe /delete

Remove domain user:

net localgroup Administrators DOMAIN\JohnDoe /delete

Remove domain group:

net localgroup Administrators "DOMAIN\Domain Users" /delete

Creating and Deleting Groups

Create new group:

net localgroup "Developers" /add

Create with comment:

net localgroup "Developers" /add /comment:"Development team members"

Delete group:

net localgroup "Developers" /delete

Warning: Deleting a group removes all permissions assigned to that group.

Security Best Practices

Regular audits:

net localgroup Administrators
net localgroup "Remote Desktop Users"

Principle of least privilege:

  • Only add users to the Administrators group when necessary
  • Use standard accounts for daily work
  • Create custom groups for specific permission needs
  • Regularly review and remove unnecessary memberships

Important groups to monitor:

  • Administrators (full system control)
  • Remote Desktop Users (remote access)
  • Backup Operators (bypass some file permissions)
  • Remote Management Users (WMI/PowerShell remoting)
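
One way to automate the regular audit described above, as an added example that is not part of the original page: it parses the `net localgroup <group>` member listing (the layout shown under Understanding the Output) and reports members that are not on an approved list. The sample text, the approved list and the function names are constructed for illustration, and the trailer line it skips is the English-locale text printed by net.exe.

```powershell
# Constructed sample in the layout `net localgroup Administrators` prints.
# On a live host, replace it with:  $lines = net localgroup Administrators
$sample = @'
Alias name     Administrators
Comment        Administrators have complete and unrestricted access

Members

-------------------------------------------------------------------------------
Administrator
DOMAIN\JohnDoe
DOMAIN\Domain Admins
The command completed successfully.
'@ -split '\r?\n'

function Get-NetLocalGroupMember {
    # Returns one string per member; everything before the dashed separator is header.
    param([string[]]$Lines)
    $inMembers = $false
    foreach ($line in $Lines) {
        if ($line -match '^-{10,}\s*$') { $inMembers = $true; continue }
        if (-not $inMembers) { continue }
        $name = $line.Trim()
        # Skip blank lines and the status trailer (English locale assumed).
        if ($name -eq '' -or $name -eq 'The command completed successfully.') { continue }
        $name
    }
}

function Compare-GroupBaseline {
    # Whole-name, case-insensitive comparison, so "Admin" never matches "Administrator".
    param([string[]]$Actual, [string[]]$Approved)
    [pscustomobject]@{
        Unexpected = @($Actual   | Where-Object { $_ -and $Approved -notcontains $_ })
        Missing    = @($Approved | Where-Object { $_ -and $Actual   -notcontains $_ })
    }
}

# Hypothetical approved membership for this host.
$approved = 'Administrator', 'DOMAIN\Domain Admins'

$members = Get-NetLocalGroupMember -Lines $sample
$result  = Compare-GroupBaseline -Actual $members -Approved $approved

if ($result.Unexpected.Count -gt 0) {
    Write-Warning ("Unapproved members: " + ($result.Unexpected -join ', '))
}
$result
```

The comparison covers direct members only; an account that gains access through a listed group such as DOMAIN\Domain Admins has to be reviewed in that group.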

Troubleshooting

  • "Access is denied" - Requires administrator rights to modify groups; run Command Prompt as Administrator.
  • "The group name could not be found" - Check spelling, use quotes for names with spaces.
  • "The user belongs to this group already" - User is already a member; command has no effect.
  • "The specified user does not exist" - User account doesn't exist; create account first with net user.
  • "The local group name is invalid" - Group name contains invalid characters or reserved words.

Viewing Domain Groups (on domain-joined computers)

Domain groups can't be modified locally, but you can:

  • Add domain users/groups to local groups
  • View domain group memberships
  • Query domain controller for domain group info

Add domain group to local group:

net localgroup Administrators "DOMAIN\IT Admins" /add

Scripting Examples

Batch - add user to multiple groups:

@echo off
rem Use a custom variable name; USERNAME is a built-in environment variable.
set TARGET_USER=JohnDoe
net localgroup "Remote Desktop Users" %TARGET_USER% /add
net localgroup "Performance Monitor Users" %TARGET_USER% /add
net localgroup "Event Log Readers" %TARGET_USER% /add
echo User %TARGET_USER% added to groups.

Check if user is in Administrators group:

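rem Match whole lines only, so "Admin" does not match "Administrator" or the header line.
rem This checks direct membership; access through a nested group is not detected.
net localgroup Administrators | findstr /I /X /L /C:"%USERNAME%" /C:"%USERDOMAIN%\%USERNAME%" >nul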
if %errorlevel%==0 (
    echo You are an Administrator
) else (
    echo You are not an Administrator
)

PowerShell alternative (more powerful):

# List all local groups
Get-LocalGroup

# List group members
Get-LocalGroupMember -Group "Administrators"

# Add user to group
Add-LocalGroupMember -Group "Administrators" -Member "JohnDoe"

# Remove user from group
Remove-LocalGroupMember -Group "Administrators" -Member "JohnDoe"

# Create new group
New-LocalGroup -Name "Developers" -Description "Development team"

Remote Computer Support

View groups on remote computer:

net localgroup /domain:COMPUTERNAME

Note: Requires appropriate permissions on remote computer.

Common Scenarios

Scenario 1: Grant Remote Desktop access

net localgroup "Remote Desktop Users" JohnDoe /add

Scenario 2: Audit Administrator access

net localgroup Administrators > admins-list.txt
notepad admins-list.txt

Scenario 3: Create developers group and add members

net localgroup "Developers" /add /comment:"Development team members"
net localgroup "Developers" Dev1 /add
net localgroup "Developers" Dev2 /add
net localgroup "Developers" Dev3 /add

Scenario 4: Remove user from all administrative groups

net localgroup Administrators JohnDoe /delete
net localgroup "Backup Operators" JohnDoe /delete
net localgroup "Remote Management Users" JohnDoe /delete

Output to File for Documentation

Save all groups:

net localgroup > local-groups.txt

Save specific group membership:

net localgroup Administrators > "admins-%date:/=-%.txt"

Create comprehensive audit report:

@echo off
echo Local Group Audit Report > group-audit.txt
echo Generated: %date% %time% >> group-audit.txt
echo. >> group-audit.txt

echo Administrators: >> group-audit.txt
net localgroup Administrators >> group-audit.txt
echo. >> group-audit.txt

echo Remote Desktop Users: >> group-audit.txt
net localgroup "Remote Desktop Users" >> group-audit.txt
echo. >> group-audit.txt

echo Report saved to group-audit.txt

Related Commands

  • net user - Manage local user accounts
  • net accounts - View and modify account policies
  • net group - Manage domain groups (on domain controllers)
  • Get-LocalGroup (PowerShell) - PowerShell local group management
  • Get-LocalGroupMember (PowerShell) - View group members
  • lusrmgr.msc - Local Users and Groups GUI (Pro editions)
  • compmgmt.msc - Computer Management console (includes Users and Groups)