Is there a command line way to list all the users in a particular Active Directory group?
I can see who is in the group by going to Manage Computer —> Local User / Groups —> Groups and double clicking the group.
I just need a command line way to retrieve the data, so I can do some other automated tasks.
asked Aug 3, 2009 at 17:19
try
dsget group "CN=GroupName,DC=domain,DC=name,DC=com" -members
answered Aug 3, 2009 at 17:22
pQdpQd
30k6 gold badges66 silver badges109 bronze badges
5
Here’s another way from the command prompt, not sure how automatable though since you would have to parse the output:
If group is «global security group»:
net group <your_groupname> /domain
If you are looking for «domain local security group»:
net localgroup <your_groupname> /domain
answered Jan 4, 2010 at 20:11
7
Here’s a version of the ds command I found more typically useful, especially if you have a complex OU structure and don’t necessarily know the full distinguished name of the group.
dsquery group -samid "Group_SAM_Account_Name" | dsget group -members -expand
or if you know the CN of the group, usually the same as the SAM ID, quoted in case there are spaces in the name:
dsquery group -name "Group Account Name" | dsget group -members -expand
As stated in the comments, by default the ds* commands (dsquery, dsget, dsadd, dsrm) are only available on a Domain Controller. However, you can install the Admin Tools pack from the Support Tools on the Windows Server installation media or download it from the Microsoft Download site.
You can also perform these queries using PowerShell. PowerShell is already available as an installable feature for Server 2008, 2008 R2, and Windows 7, but you’ll need to download the WinRM Framework to install it on XP or Vista.
To get access to any AD-specific cmdlets in PowerShell you will ALSO need to perform at least one of the following installs:
- For Win 7 and 2008 R2 clients, you can install the Remote Server Admin Tools. The RSAT also requires that you have installed the Active Directory Web Services feature on your Server 2008 R2 Domain Controllers, or the Active Directory Management Gateway Service for any Server 2003/2008 DCs.
- For any XP or higher client, download and install the Quest ActiveRoles Management Shell for Active Directory. The Quest tools do not require any additional changes to your DCs.
answered Aug 3, 2009 at 19:09
Ryan FisherRyan Fisher
2,22816 silver badges13 bronze badges
4
For a PowerShell solution that doesn’t require the Quest AD add-in, try the following
Import-Module ActiveDirectory
Get-ADGroupMember "Domain Admins" -recursive | Select-Object name
This will enumerate the nested groups as well. If you don’t wish to do so, remove the -recursive switch.
answered Mar 24, 2011 at 16:41
pk.pk.
6,4612 gold badges42 silver badges63 bronze badges
1
A very easy way which works on servers and clients:
NET GROUP "YOURGROUPNAME" /DOMAIN | find /I /C "%USERNAME%"
Returns 1 if user is in group YOURGROUPNAME, else will return 0
You can then use the %ERRORLEVEL% value (0 if user in group, 1 if not) like
IF %ERRORLEVEL%==0 NET USE %LOGONSERVER%\YOURGROUPSHARE
user9517
116k20 gold badges215 silver badges297 bronze badges
answered Oct 8, 2012 at 9:37
deajandeajan
1811 silver badge2 bronze badges
1
The answers here using dsget and dsquery will only work on server versions of Windows as those command’s aren’t shipped on other versions of Windows (e.g. Windows 7). On machines without those commands you can get the information you want using the AdFind command.
Here’s an example query for getting group membership:
AdFind.exe -default -f name="Domain Admins" member -list
answered Mar 31, 2011 at 10:34
markshepmarkshep
2182 silver badges3 bronze badges
1
For display members of the UserGroup1 try:
dsquery group -name UserGroup1 | dsget group -members | dsget user -display
jscott
24.5k8 gold badges79 silver badges100 bronze badges
answered Oct 10, 2012 at 0:54
vadimvadim
511 bronze badge
6
How to list local groups and users?
Use the following powershell script to list the local groups and members of those groups.
$server="YourServerName"
$computer = [ADSI]"WinNT://$server,computer"
$computer.psbase.children | where {
$_.psbase.schemaClassName -eq 'group' } | foreach {
write-host $_.name
write-host "------"
$group =[ADSI]$_.psbase.Path
$group.psbase.Invoke("Members") | foreach {
$_.GetType().InvokeMember("Name", 'GetProperty',
$null, $_, $null)}
write-host
}
Copy the text above in to notepad and save as filename.ps1. Then run the file. I should display the Groups and Users in each group, or you can just run this from powershell.
peterh
4,95313 gold badges30 silver badges44 bronze badges
answered Jan 14, 2015 at 19:12
2
You must log in to answer this question.
To list users, use the net user command:
net user
Your output will look something like this:
User accounts for \\LOCALHOST
-------------------------------------------------------------------------------
joeuser administrator guest
The command completed successfully.
If you need a list of users in a specific group, the use net localgroup:
net localgroup Users
Your output will look something like this:
Alias name Users
Comment Users are prevented from making accidental or intentional system-wide changes and can run most applications
Members
-------------------------------------------------------------------------------
NT AUTHORITY\Authenticated Users
NT AUTHORITY\INTERACTIVE
The command completed successfully.
This is for local system users, not domain accounts. If you want to know the membership of the Administrators group, you would just supply that as a parameter: net localgroup Administrators.
on September 4, 2010
On Windows OS we can find the list of local user groups created on a system from Contorl Panel -> User Accounts. This information can be obtained from command line also using net command. Syntax is shown below.
net localgroup
Example: Running this command shows the following local groups on my system.
C:\>net localgroup Aliases for \\techblogger-pc ---------------------------------------------------------------------------- *Administrators *Backup Operators *Debugger Users *Guests *Network Configuration Operators *Power Users *Remote Desktop Users *Replicator *Users The command completed successfully.
How to list the users in a local group?
Use the below command to know the list of members of a group from command line.
net localgroup groupName
For example to get the list of all remote desktop users on a system we can run the below command.
net localgroup "Remote Desktop users"
How to find the list of all groups a user is member of?
You can run the below command to list the groups a user is member of. This command prints the details of the given user account. You can find the group membership information in the last two line of this command output.
net user userName
Example:
H:\>net user John User name John Full Name Comment User's comment Country code 000 (System Default) Account active Yes Account expires Never Password last set 12/2/2010 11:00 PM Password expires 4/1/2011 11:00 PM Password changeable 12/2/2010 11:00 PM Password required Yes User may change password Yes Workstations allowed All Logon script User profile Home directory Last logon Logon hours allowed All Local Group Memberships *Debugger Users *Users Global Group memberships *None
Related Posts:
Add user to group from windows command line
Remove user from group using windows command prompt
Windows users and groups are a way to manage access to resources on a computer. Users can be added to groups, and the permissions for the group can be set to allow or deny access to specific resources, such as files, folders, and system settings.
There are several built-in groups in Windows, such as the Administrators group, which has full control over the computer, and the Users group, which has limited access. You can also create custom groups and add users to them.
However, as a sys administrator, you will often be working in the terminal session, and managing users and groups from the terminal can be hugely beneficial.
List Windows Users in PowerShell using Get-LocalUser Cmdlet.
The Get-LocalUser cmdlet is a PowerShell cmdlet retrieves the local user accounts on a computer. It returns a list of Microsoft.Management.Infrastructure.CimInstance objects that represent the local user accounts.
By default, the cmdlet returns all local user accounts on the computer. Example:
Get-LocalUser
This should return details of the available user accounts as:
Name Enabled Description
---- ------- -----------
admin True
Administrator False Built-in account for administering the computer/domain
DefaultAccount False A user account managed by the system.
Guest False Built-in account for guest access to the computer/domain
WDAGUtilityAccount False A user account managed and used by the system for Windows....
You can also use the -Name parameter to specify a specific user account by name. For example, to get the local user account with the name «admin», you can use the following command:
Get-LocalUser -Name "admin"
Output:
Name Enabled Description
---- ------- -----------
admin True
The Get-LocalUser cmdlet has several other parameters that allow you to control the properties that are returned for each user account, such as FullName, Description, and PasswordLastSet. You can use these parameters to customize the output of the cmdlet.
For example, to list the names only of all local user accounts, you can use the following command:
Get-LocalUser | Select-Object Name
Output:
Name
----
admin
Administrator
DefaultAccount
Guest
WDAGUtilityAccount
List Users in PowerShell Using net Command
You can also use the net command to list users and groups. To list all users, you can use the following command:
net user
Output:
User accounts for \\SERVER
-------------------------------------------------------------------------------
admin Administrator DefaultAccount
Guest WDAGUtilityAccount
The command completed successfully.
List Users in PowerShell Using Get-WmiObject Cmdlet
You can also use the Get-WmiObject cmdlet to list users and groups. To list all users, you can use the following command:
Get-WmiObject -Class Win32_UserAccount
Output:
AccountType : 512
Caption : SERVER\admin
Domain : SERVER
SID : S-1-5-21-697903660-3891131852-320673488-1001
FullName :
Name : admin
AccountType : 512
Caption : SERVER\Administrator
Domain : SERVER
SID : S-1-5-21-697903660-3891131852-320673488-500
FullName :
Name : Administrator
AccountType : 512
Caption : SERVER\DefaultAccount
Domain : SERVER
SID : S-1-5-21-697903660-3891131852-320673488-503
FullName :
Name : DefaultAccount
AccountType : 512
Caption : SERVER\Guest
Domain : SERVER
SID : S-1-5-21-697903660-3891131852-320673488-501
FullName :
Name : Guest
AccountType : 512
Caption : SERVER\WDAGUtilityAccount
Domain : SERVER
SID : S-1-5-21-697903660-3891131852-320673488-504
FullName :
Name : WDAGUtilityAccount
List Groups in PowerShell using Get-LocalGroup Cmdlet
The Get-LocalGroup cmdlet is a PowerShell cmdlet retrieves the local groups on a computer. It returns a list of Microsoft.Management.Infrastructure.CimInstance objects that represent the local groups.
Example:
Get-LocalGroup
Output:
Name Description
---- -----------
docker-users Users of Docker Desktop
Access Control Assistance Operators Members of this group can remotely query authorization..
Administrators Administrators have complete and unrestricted access...
Backup Operators Backup Operators can override security restrictions for..
Cryptographic Operators Members are authorized to perform cryptographic...
Device Owners Members of this group can change system-wide settings.
Distributed COM Users Members are allowed to launch, activate and use...
Event Log Readers Members of this group can read event logs from local...
Guests Guests have the same access as members of the Users group
Hyper-V Administrators Members of this group have complete and unrestricted...
IIS_IUSRS Built-in group used by Internet Information Services.
Network Configuration Operators Members in this group can have some administrative...
Performance Log Users Members of this group may schedule logging of performance
Performance Monitor Users Members of this group can access performance counter data
Power Users Power Users are included for backwards compatibility and.
Remote Desktop Users Members in this group are granted the right to logon...
Remote Management Users Members of this group can access WMI resources over...
Replicator Supports file replication in a domain
System Managed Accounts Group Members of this group are managed by the system.
Users Users are prevented from making accidental or...
You can also use the -Name parameter to specify a specific group by name. For example, to get the local group with the name «Administrators», you can use the following command:
Get-LocalGroup -Name "Power Users"
Output:
Name Description
---- -----------
Power Users Power Users are included for backwards compatibility and possess limited administrative powers
The Get-LocalGroup cmdlet has several other parameters that allow you to control the properties returned for each group, such as Description, GroupType, and SID. You can use these parameters to customize the output of the cmdlet.
For example, to list the names of all local groups, you can use the following command:
Get-LocalGroup | Select-Object Name
Output:
Name
----
docker-users
Access Control Assistance Operators
Administrators
Backup Operators
Cryptographic Operators
Device Owners
Distributed COM Users
Event Log Readers
Guests
Hyper-V Administrators
IIS_IUSRS
Network Configuration Operators
Performance Log Users
Performance Monitor Users
Power Users
Remote Desktop Users
Remote Management Users
Replicator
System Managed Accounts Group
Users
List Groups in PowerShell Using Get-WmiObject Cmdlet
We can also list local groups using the Get-WmiObject cmdlet as shown:
Get-WmiObject -Class Win32_Group
Output:
Caption Domain Name SID
------- ------ ---- ---
SERVER\Access Control Assistance Operators SERVER Access Control Assistance Operators S-1-5-32-579
SERVER\Administrators SERVER Administrators S-1-5-32-544
SERVER\Backup Operators SERVER Backup Operators S-1-5-32-551
SERVER\Cryptographic Operators SERVER Cryptographic Operators S-1-5-32-569
SERVER\Device Owners SERVER Device Owners S-1-5-32-583
SERVER\Distributed COM Users SERVER Distributed COM Users S-1-5-32-562
SERVER\Event Log Readers SERVER Event Log Readers S-1-5-32-573
SERVER\Guests SERVER Guests S-1-5-32-546
SERVER\Hyper-V Administrators SERVER Hyper-V Administrators S-1-5-32-578
SERVER\IIS_IUSRS SERVER IIS_IUSRS S-1-5-32-568
SERVER\Network Configuration Operators SERVER Network Configuration Operators S-1-5-32-556
SERVER\Performance Log Users SERVER Performance Log Users S-1-5-32-559
SERVER\Performance Monitor Users SERVER Performance Monitor Users S-1-5-32-558
SERVER\Power Users SERVER Power Users S-1-5-32-547
SERVER\Remote Desktop Users SERVER Remote Desktop Users S-1-5-32-555
SERVER\Remote Management Users SERVER Remote Management Users S-1-5-32-580
SERVER\Replicator SERVER Replicator S-1-5-32-552
SERVER\System Managed Accounts Group SERVER System Managed Accounts Group S-1-5-32-581
SERVER\Users SERVER Users S-1-5-32-545
SERVER\docker-users SERVER docker-users S-1-5-21-697903660-3891131852-320673488-1002
List Local Groups in PowerShell Using net Command
We can also list local groups using the net command as shown:
net localgroup
Output:
Aliases for \\SERVER
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Administrators
*Backup Operators
*Cryptographic Operators
*Device Owners
*Distributed COM Users
*docker-users
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Remote Desktop Users
*Remote Management Users
*Replicator
*System Managed Accounts Group
*Users
The command completed successfully.
Conclusion
In this tutorial, you discovered various methods to get a list of all local users and groups on a Windows system using PowerShell.
We hope you enjoyed this tutorial; leave us a comment below and share!!
If you enjoy our content, please consider buying us a coffee to support our work:
Published by
A highly-skilled software engineer with a passion for teaching and sharing knowledge. From development to hardware, get articles with
high technical accuracy, clarity, and an engaging writing style.
To view users in a local group:
- Type net localgroup groupname, where groupname is the name of the group you want to list. For example, if the group name is Administrators, you would type net localgroup Administrators. Then press Enter.
- Observe the list of users in the local group.
How do I know my CMD username?
In the box, type cmd and press Enter. The command prompt window will appear. Type whoami and press Enter. Your current username will be displayed.
How do I list users in Groups?
There are multiple ways to find out the groups a user belongs to. The primary user’s group is stored in the /etc/passwd file and the supplementary groups, if any, are listed in the /etc/group file. One way to find the user’s groups is to list the contents of those files using cat , less or grep .
How to get list of all user groups?
Use the below command to know the list of members of a group from command line. For example to get the list of all remote desktop users on a system we can run the below command. How to find the list of all groups a user is member of? You can run the below command to list the groups a user is member of.
How to see all users in Windows command line?
How to see users using the Windows command line (PowerShell & CMD list users) This method works both in the Command Prompt and PowerShell. Open the command-line app that you prefer, type net user, and press Enter. Net user lists the users that have accounts configured on a Windows PC, including hidden ones or disabled user accounts.
Where can I find list of local users?
Normally, we can find the list of local users or groups created on a windows system from User Accounts applet in Control Panel, User Accounts in Control Panel Or, more in detail in Computer Management MMC, which is my favorite place when checking things like this. Users and Groups in Computer Management MMC
Where can I find list of CMD commands?
List of All 200+ CMD Commands For Your Windows. To Open CMD, you need to search for CMD in the Search box or you can simply press Windows Key + R that will eventually open the Run window, where you need to type CMD and hit enter. 1. Accessibility Controls – zaccess.cpl. 2. Accessibility Wizard – accwiz. 3. Add Hardware Wizard – hdwwiz.cpl.