View a user's groups in Windows cmd

on September 4, 2010

On Windows, the list of local user groups created on a system is available from Control Panel -> User Accounts. The same information can be obtained from the command line using the net command. The syntax is shown below.

net localgroup

Example: Running this command shows the following local groups on my system.

C:\>net localgroup
Aliases for \\techblogger-pc
----------------------------------------------------------------------------
*Administrators
*Backup Operators
*Debugger Users
*Guests
*Network Configuration Operators
*Power Users
*Remote Desktop Users
*Replicator
*Users
The command completed successfully.

How to list the users in a local group?

Use the command below to list the members of a group from the command line.

net localgroup groupName

For example, to get the list of all Remote Desktop users on a system, run the command below.

net localgroup "Remote Desktop users"

How to find the list of all groups a user is a member of?
You can run the command below to list the groups a user is a member of. This command prints the details of the given user account. The group membership information is in the last two lines of the command output.

net user userName

Example:

H:\>net user John
User name                   John
Full Name
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never
Password last set            12/2/2010 11:00 PM 
Password expires             4/1/2011 11:00 PM 
Password changeable          12/2/2010 11:00 PM 
Password required            Yes 
User may change password     Yes 
Workstations allowed         All 
Logon script 
User profile 
Home directory 
Last logon 
Logon hours allowed          All 
Local Group Memberships      *Debugger Users       *Users 
Global Group memberships     *None


We use the command net localgroup to display and manage groups from the command prompt (CMD or PowerShell) in the Windows operating system.

Administrators can perform the following tasks using the net localgroup command:

  • Add new groups to the local computer or domain.
  • Remove existing groups from the local computer or domain.
  • Add users and groups to the Windows groups.
  • Remove users and groups from Windows groups.

Command options

GroupName Name of the group to be added or modified. If the group name includes spaces, enclose it in quotation marks.
/domain Use this command switch to execute the net localgroup command on the Active Directory domain controller rather than on the local computer.
/add Use this option to add new groups to the Windows system or add users to existing groups.
/delete Use this option to delete groups or remove members from groups.
/comment:"text" Adds a description to a Windows group.

Notes

When operating in an Active Directory domain environment, always use the /domain command switch.

There is another Windows command, the net group, which has the same syntax as the net localgroup. The net group command creates global groups; the net localgroup command creates local groups.

In the CMD, you can get help by running the net help localgroup command.

Next, we will learn more about the net localgroup command by looking at several examples.

Display Information on Existing Windows Groups


We can use the net localgroup command to list groups and view detailed information about a particular group.

To get a list of groups on the local computer, type net localgroup and press Enter:

net localgroup

To do the same thing on an Active Directory domain controller, use the /domain command switch:

net localgroup /domain

To get detailed information about a group, type net localgroup followed by the group name. For example, to view the Administrators group, you will run the following command:

net localgroup Administrators
net localgroup /domain Administrators

The command lists the users in the Administrators group.

net localgroup Administrators


Add/Delete Groups

To add a new local group, use the following syntax, where GroupName is the name of the new group:

net localgroup /add GroupName

For example, to create a group called sales, you will run the following command:

net localgroup /add sales

To remove a group from Windows, use the /delete option. For example, to remove an existing group called sales, you will run the following command:

net localgroup /delete sales

Add a description while creating the group:

net localgroup /add sales /comment:"This is Sales Group"

Add a description to the existing group:

net localgroup sales /comment:"Sales group"

Add (or Remove) User to the Groups

To add a user to a group, use the following syntax:

net localgroup /add GroupName UserName

The following command adds user user1 to the sales group:

net localgroup /add sales user1

You can add multiple users to a group at once:

net localgroup /add sales user1 user2

To remove a user from a group, use the /delete option:

net localgroup /delete sales user1
net localgroup /delete sales user1 user2

Examples

List all the local groups:

net localgroup

Add a new local group called sales:

net localgroup /add sales

Delete sales group:

net localgroup /delete sales

This command lists the users in the Remote Desktop Users group:

net localgroup "Remote Desktop Users"

The following command adds user user1 to the Remote Desktop Users group:

net localgroup /add "Remote Desktop Users" user1

The following command removes user1 from the Remote Desktop Users group:

net localgroup /delete "Remote Desktop Users" user1
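
The group listings above depend on the English group names. As an added example (not from the original article), the following PowerShell reviews the members of three privileged built-in groups by well-known SID, so it also works on localized Windows. The function name and the approved-member list are hypothetical, constructed values.

```powershell
# Added example: review privileged local groups by well-known SID.
# Built-in group SIDs are the same on every Windows installation,
# whatever the display language.
$privilegedGroups = [ordered]@{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-551' = 'Backup Operators'
    'S-1-5-32-555' = 'Remote Desktop Users'
}

# Constructed placeholder allowlist: replace with the accounts you expect.
$approved = @('PC01\Administrator', 'CONTOSO\Domain Admins')

function Get-PrivilegedLocalMember {
    param(
        [System.Collections.IDictionary]$Groups,
        [string[]]$Approved
    )
    foreach ($sid in $Groups.Keys) {
        try {
            $group   = Get-LocalGroup -SID $sid -ErrorAction Stop
            $members = Get-LocalGroupMember -SID $sid -ErrorAction Stop
        } catch {
            # A group that cannot be enumerated (for example, one holding
            # an unresolvable member) is reported instead of silently skipped.
            Write-Warning "Could not read $($Groups[$sid]) ($sid): $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            [pscustomobject]@{
                Group    = $group.Name
                Member   = $m.Name
                Class    = $m.ObjectClass       # User or Group
                Source   = $m.PrincipalSource   # Local, ActiveDirectory, ...
                Approved = $Approved -contains $m.Name
            }
        }
    }
}

Get-PrivilegedLocalMember -Groups $privilegedGroups -Approved $approved |
    Sort-Object Approved, Group |
    Format-Table -AutoSize
```

Rows with Approved = False sort first; members of class Group are worth expanding separately, because everyone inside them inherits the local privilege.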

What Next?

That brings the end to this tutorial. Next, you can learn the net user command, which is used to manage Windows users from the command prompt.

Native Solution

Netwrix Auditor for Active Directory

Steps

To See Which Groups a Particular User Belongs to:

  1. Open the command prompt by navigating to Start → Run (or pressing Win + R) and entering “cmd”.
  2. Type the following command in the command line, specifying the user account you want to find group membership for:

net user username

  3. At the end of the resulting report, you will find a list of the local groups and global groups that the user belongs to:


To List All the Users in a Particular Group:

  1. Open the command prompt by navigating to Start → Run (or pressing Win + R) and entering “cmd”.
  2. Enter the following command, specifying the required group name:

net group groupname

  3. At the end of the resulting report, you will find a list of the members of the group:


NET commands also work for Windows 10 local users and groups.

To See Which Groups a Particular User Belongs to:

  1. Run Netwrix Auditor → Navigate to “Reports” → Click “Predefined” → Expand the “Active Directory” section → Go to “Active Directory — State-in-Time” → Select “User Accounts — Group Membership” → Click “View”.
  2. Specify “Enabled” in the “Status” field and type “user” in the “Member Type” field → Click “View Report”.


To List All the Users in a Particular Group:

  1. Run Netwrix Auditor → Navigate to “Reports” → Click “Predefined” → Expand the “Active Directory” section → Go to “Active Directory – State-in-Time” → Select “Group Members” → Click “View”.
  2. Set up the following filters:
     • Status: Enabled
     • Member Type: User
     • Group path: The group path. You can specify the partial path to a particular group, using % as a wildcard character, or leave wildcard to see report for all groups.
  3. Click “View Report”.


Grasp the Full Picture Instead of Tinkering with the Command Line

Best practices advise using Active Directory groups to grant access privileges to users — for example, access to specific computers, tools and servers. But over time, AD group configuration can get very complicated, making it challenging to understand who has access to what and ensure each user has only the permissions they need. IT admins often need to list the membership of each security group or detail all the groups that a particular user belongs to, and then either provide that information to departmental leaders for access privilege attestation, or analyze it themselves to fix broken inheritance and other issues.

You can check group membership with the Active Directory Users and Computers (ADUC) console snap-in by finding the user or group of interest, drilling down into the object’s properties and clicking the “Members” or “Member Of” tab. Another option is to get group membership from the command line: you can use the dsget user and dsquery group tools from the Active Directory Domain Services (AD DS) package, or native NET commands. However, the results of the NET GROUP, NET USER and NET LOCALGROUP commands are hard to parse, and while dsget and dsquery provide more structured output, those commands work only on server versions of Windows and require you to input the distinguished name in LDAP Data Interchange Format. The last option is to use the Get-ADGroupMember PowerShell cmdlet, but that requires some scripting skills. As a result, reviewing Active Directory group membership with native tools can be both difficult and time consuming.

Netwrix Auditor for Active Directory can save a great deal of precious time. Instead of checking AD group membership with command line, system operators can get a summary of group membership in a few clicks. In addition, Netwrix Auditor also reports on modifications, logon activity, and the configuration of Active Directory and Group Policy, including inactive user and computer accounts, Active Directory object permissions, and more. It will alert you to possible threats and offers an advanced search to speed investigations. You can take advantage of a wide variety of predefined reports, all with filtering, exporting and subscription options, and easily create your own custom reports. This comprehensive functionality streamlines many common IT tasks, from change monitoring and access control to privilege review and anomalous behavior detection.

This article covers how to list the groups a user is a member of. This can of course be done from the GUI, but that output does not always serve the purpose.

Also, the GUI will not show you the FULL membership list (so-called indirect membership), where some groups may be nested inside others.

If a group the user belongs to is nested inside another group, the user receives the permissions granted to that outer group even though they are not a direct member of it. You will not see that group on the user's "Member of" tab.

In this article we will look at the following tools:

  • whoami /groups: group membership of the current user
  • dsget user: shows direct and indirect membership
  • Get-ADUser (PowerShell)

1) Whoami /groups

To find out which groups the currently logged-on user belongs to, use the command:

whoami /groups

The output is not very easy to read, though. All groups are shown, with both direct and indirect membership.

2) The dsget utility

List the groups a user is a member of:

(in this example we list the groups of the user Peter Parker, located in the OU "IT department\Support team")

dsget user "CN=Peter Parker,OU=Support team,OU=IT department,DC=Contoso,DC=com" -memberof

The following command shows the expanded group list, including groups the user belongs to indirectly (the -expand switch, used together with -memberof):

dsget user "CN=Peter Parker,OU=Support team,OU=IT department,DC=Contoso,DC=com" -memberof -expand

The dsget utility is available only on domain controllers.

3) Get-ADUser

Running the Get-ADUser cmdlet requires the Active Directory PowerShell module to be installed.

To list a given user's groups in a convenient format, run the following PowerShell pipeline:

Get-ADUser username -Properties memberof | Select-Object -ExpandProperty memberof

Note: this command shows direct membership only (in effect, the contents of the user's "Member of" tab).
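
Because the memberof property covers direct membership only, the following added example (not part of the original article) reports direct and nested membership together by asking the domain controller to resolve the nesting chain with the LDAP_MATCHING_RULE_IN_CHAIN matching rule. The function name Get-ADUserGroupReport is hypothetical, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example: direct vs. nested (indirect) AD group membership for one user.
Import-Module ActiveDirectory

function Get-ADUserGroupReport {
    param([Parameter(Mandatory)][string]$Identity)

    $user   = Get-ADUser -Identity $Identity -Properties MemberOf
    $direct = @($user.MemberOf)   # DNs of groups the user is a direct member of

    # Escape characters that are special inside an LDAP filter value
    # (RFC 4515); the backslash must be handled first.
    $dn = $user.DistinguishedName `
        -replace '\\', '\5c' -replace '\*', '\2a' `
        -replace '\(', '\28' -replace '\)', '\29'

    # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN:
    # matches every group whose 'member' chain eventually reaches the user.
    $filter = "(member:1.2.840.113556.1.4.1941:=$dn)"

    Get-ADGroup -LDAPFilter $filter | ForEach-Object {
        [pscustomobject]@{
            Group      = $_.Name
            Scope      = $_.GroupScope
            Category   = $_.GroupCategory
            Membership = if ($direct -contains $_.DistinguishedName) { 'Direct' } else { 'Nested' }
        }
    }
    # Note: the user's primary group (normally Domain Users) is not stored
    # in 'member'/'memberOf', so it does not appear in this report.
}

# 'username' is the placeholder account name used in the article.
Get-ADUserGroupReport -Identity username |
    Sort-Object Membership, Group |
    Format-Table -AutoSize
```

Rows marked Nested are the ones the "Member of" tab does not show; they are the entries to check first when a user holds access that no direct group explains.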

Based on answer by P.Brian.Mackey— I tried using gpresult /user <UserName> /r command, but it only seemed to work for my user account; for other users' accounts I got this result: The user "userNameHere" does not have RSOP data.

So I read through this blog— https://blog.thesysadmins.co.uk/group-policy-gpresult-examples.html— and came upon a solution. You have to know the user's computer name:

gpresult /s <UserComputer> /r /user:<UserName>

After running the command, you have to ENTER a few times for the program to complete because it will pause in the middle of the output. Also, the results gave a bunch of data including a section for "COMPUTER SETTINGS> Applied Group Policy Objects" and then "COMPUTER SETTINGS> Security groups" and finally "USER SETTINGS> security groups" (this is what we are looking for with the AD groups listed with non-truncated descriptions!).

Interesting to note that GPRESULT had some extra members not seen in NET USER command. Also, the sort order does not match and is not alphabetical. Anybody who can add more insights in the comments, that would be great.

RESULTS: gpresult (with ComputerName, UserName)

For security reasons, I have included only a subset of the membership results. (36 TOTAL, 12 SAMPLE)

The user is a part of the following security groups
---------------------------------------------------
..
 Internet Email 
 GEVStandardPSMViewers  
 GcoFieldServicesEditors    
 AnimalWelfare_Readers  
 Business Objects   
 Zscaler_Standard_Access    
..
 GCM    
..
 GcmSharesEditors   
 GHVStandardPSMViewers  
 IntranetReportsViewers 
 JetDWUsers     -- (NOTE: this one was deleted today, the other "Jet" one was added)
..
 Time and Attendance Users  
..

RESULTS: net user /DOMAIN (with UserName)

For security reasons, I have included only a subset of the membership results. (23 TOTAL, 12 SAMPLE)

Local Group Memberships  
Global Group memberships    ...
                             *Internet Email       *GEVStandardPSMViewers
                             *GcoFieldServicesEdito*AnimalWelfare_Readers
                             *Business Objects     *Zscaler_Standard_Acce
                             ...
                             *Time and Attendance U*GCM
                             ...
                             *GcmSharesEditors     *GHVStandardPSMViewers
                             *IntranetReportsViewer*JetPowerUsers
The command completed successfully.
