
How to Create a Local Group in a Batch Script

Local groups are a fundamental tool for managing permissions on a Windows computer. Instead of assigning permissions to individual users one by one, you can create a local group, grant that group the necessary permissions, and then simply add or remove users from the group. This is essential for managing access to shared folders, printers, or application data.

This guide will teach you how to use the standard, built-in NET LOCALGROUP command to create and manage local groups from a batch script. You will learn the correct syntax for adding a new group, how to add a descriptive comment, and the critical importance of running the script with administrator privileges.

CRITICAL NOTE: Creating local groups is a system-level change that modifies the local security database (the SAM). You must run this script with full administrator privileges. Being a member of the Administrators group is not enough on its own: under User Account Control, the command prompt or scheduled task that runs the script must itself be elevated, otherwise NET fails with "System error 5 has occurred. Access is denied."

The Core Command: NET LOCALGROUP

The NET.EXE utility is a powerful, built-in tool for managing a wide range of network and local account settings. The LOCALGROUP context is specifically for managing the local groups on a machine.

Syntax for Creation: NET LOCALGROUP "GroupName" /ADD

  • "GroupName": (Required) The name of the new local group you want to create. If the name contains spaces, it must be enclosed in quotes.
  • /ADD: The switch that performs the creation.

Basic Example: Creating a New Group

This script creates a new local group named "AppUsers".

@ECHO OFF
REM This script MUST be run as an Administrator.

SET "GroupName=AppUsers"

ECHO --- Creating a new local group ---
ECHO Creating group: '%GroupName%'
ECHO.

NET LOCALGROUP "%GroupName%" /ADD

IF %ERRORLEVEL% EQU 0 (
ECHO [SUCCESS] The group was created successfully.
) ELSE (
ECHO [FAILURE] An error occurred. Check if the group already exists or if you are running as Admin.
)

Adding a Descriptive Comment (/COMMENT)

A group name by itself might not be very descriptive. It is a very good practice to add a comment that explains the purpose of the group. This helps other administrators (and your future self) understand why the group exists.

Syntax: NET LOCALGROUP "GroupName" /ADD /COMMENT:"Your descriptive text"

An example script that creates a group with a comment:

@ECHO OFF
REM Run as Administrator.
SET "GroupName=ReportViewers"
SET "GroupComment=Members of this group can view the weekly sales reports."

ECHO Creating group with a comment...
NET LOCALGROUP "%GroupName%" /ADD /COMMENT:"%GroupComment%"
Note: This comment is visible in the graphical "Local Users and Groups" manager (lusrmgr.msc) and in the "Comment" line printed by NET LOCALGROUP "GroupName", making your system's security configuration self-documenting.

Key NET LOCALGROUP Parameters Explained

  • GroupName: The name of the group. Quote it if it contains spaces.
  • /ADD: With only a group name, creates that group. With a group name followed by one or more account names, adds those accounts as members of the group.
  • /DELETE: With only a group name, deletes the entire group. With account names after the group name, removes those accounts from the group.
  • /COMMENT:"text": Sets a descriptive comment, either for a new group (together with /ADD) or for an existing group (on its own).
  • NET LOCALGROUP with no arguments lists all local groups on the machine; NET LOCALGROUP "GroupName" shows one group's comment and its members, one per line.

Common Pitfalls and How to Solve Them

  • "System error 5 has occurred. Access is denied.": This is the number one cause of failure. It means the process running the script does not hold the necessary privileges. You get it even as a member of Administrators when the prompt is not elevated, because UAC strips the administrative rights from a non-elevated token. Solution: You must run the script from an elevated command prompt ("Run as administrator"), or from a scheduled task or service that runs with highest privileges.

  • "System error 1379 has occurred. The specified local group already exists.": This error occurs if you try to create a group that already has that name. (The neighbouring code 1378, "The specified account name is already a member of the group.", is what you get when adding a user who is already a member.)

    • Solution: A robust script should check if the group exists before trying to create it. Query the group by name rather than searching the group list: piping NET LOCALGROUP into FIND /I "%GroupName%" is a substring match, so a group called "Users" would also match "Remote Desktop Users" and the new group would never be created. NET LOCALGROUP "GroupName" exits with 0 when the group exists and with a non-zero code (System error 1376, "The specified local group does not exist.") when it does not.
      NET LOCALGROUP "%GroupName%" >NUL 2>&1
      IF %ERRORLEVEL% EQU 0 (
      ECHO [INFO] Group '%GroupName%' already exists.
      ) ELSE (
      ECHO [ACTION] Group not found. Creating it...
      NET LOCALGROUP "%GroupName%" /ADD
      )
  • Group Name with Spaces: If your group name contains spaces, it must be enclosed in double quotes. Solution: It is a universal best practice to always quote your group names ("%GroupName%") to prevent errors.
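Putting the two checks together, as an added example that is not part of the original page: a creation script that refuses to run when it is not elevated and skips creation when the group already exists, so neither error 5 nor error 1379 is ever reached. The group name and comment are placeholders chosen for this example. The elevation test relies on the integrity-level SIDs that WHOAMI /GROUPS reports for the current token: S-1-16-12288 for an elevated (High) token and S-1-16-16384 for SYSTEM, which a scheduled task typically runs as.

```batch
@ECHO OFF
SETLOCAL
REM Added example (not from the original page): create a local group only if
REM it is missing, and fail early with a clear message instead of letting
REM NET report "System error 5". Group name and comment are placeholders.

SET "GroupName=AppUsers"
SET "GroupComment=Users permitted to run the App front end."

REM --- Elevation check ---
REM An elevated token carries the High Mandatory Level SID (S-1-16-12288);
REM a script run as SYSTEM carries S-1-16-16384. A member of Administrators
REM in a non-elevated prompt has neither and would fail with error 5.
WHOAMI /GROUPS | FINDSTR /C:"S-1-16-12288" /C:"S-1-16-16384" >NUL
IF ERRORLEVEL 1 (
ECHO [FAILURE] Not elevated. Right-click the script and choose "Run as administrator".
EXIT /B 5
)

REM --- Existence check by direct query, not by substring search ---
REM NET LOCALGROUP "name" exits 0 if the group exists and reports
REM "System error 1376 ... The specified local group does not exist." otherwise.
NET LOCALGROUP "%GroupName%" >NUL 2>&1
IF NOT ERRORLEVEL 1 (
ECHO [INFO] Group '%GroupName%' already exists; nothing to do.
EXIT /B 0
)

REM --- Create the group ---
NET LOCALGROUP "%GroupName%" /ADD /COMMENT:"%GroupComment%"
IF ERRORLEVEL 1 (
ECHO [FAILURE] NET LOCALGROUP returned exit code %ERRORLEVEL%.
EXIT /B 1
)
ECHO [SUCCESS] Created group '%GroupName%'.
ENDLOCAL
```

The script exits with a distinct code at each failure point, so a caller (a deployment tool or another batch file) can tell "not elevated" from "creation failed" without parsing the output.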

Practical Example: Creating a Group for Application Access

This is a very common use case. The script creates a new data folder for an application, creates a new local group, and then uses ICACLS to grant that group permission to modify the folder's contents. Two things are worth checking afterwards with ICACLS "folder": /grant adds an access control entry alongside whatever the folder already inherits from its parent, so if the parent (C:\ProgramData by default) already lets ordinary users create files there, the new group is not the only principal with write access; and (OI)(CI) on the new entry is what makes files and subfolders created later inherit it.

@ECHO OFF
SETLOCAL
REM This script must be run as an Administrator (elevated).

SET "AppGroup=ProjectX_Editors"
SET "AppFolder=C:\ProgramData\ProjectX"
SET "AppUser=bwayne"

ECHO --- Setting up Application Permissions ---
ECHO.

REM --- Step 1: Create the data folder (skipped if it already exists) ---
IF NOT EXIST "%AppFolder%\" MKDIR "%AppFolder%"
IF NOT EXIST "%AppFolder%\" (
ECHO [FAILURE] Could not create '%AppFolder%'.
EXIT /B 1
)

REM --- Step 2: Create the local group (if it doesn't exist) ---
REM Query the group by name: a substring search over the NET LOCALGROUP list
REM would also match unrelated groups, e.g. "Users" inside "Remote Desktop Users".
NET LOCALGROUP "%AppGroup%" >NUL 2>&1
IF ERRORLEVEL 1 (
ECHO Creating local group '%AppGroup%'...
NET LOCALGROUP "%AppGroup%" /ADD /COMMENT:"Users who can edit ProjectX data."
)
NET LOCALGROUP "%AppGroup%" >NUL 2>&1
IF ERRORLEVEL 1 (
ECHO [FAILURE] Group '%AppGroup%' does not exist and could not be created. Are you running elevated?
EXIT /B 1
)

REM --- Step 3: Grant the group 'Modify' permissions on the folder ---
REM (OI)(CI) makes the entry inherit to files and subfolders created later;
REM /T also re-applies it to anything already inside the folder.
ECHO Granting permissions to the group...
ICACLS "%AppFolder%" /grant "%AppGroup%":(OI)(CI)M /T
IF ERRORLEVEL 1 (
ECHO [FAILURE] ICACLS could not apply the permission.
EXIT /B 1
)

REM --- Step 4: Add a user to the group, unless already a member (error 1378) ---
REM Members are listed one per line, so FINDSTR /X matches the whole line.
NET LOCALGROUP "%AppGroup%" | FINDSTR /I /X /C:"%AppUser%" >NUL
IF ERRORLEVEL 1 (
ECHO Adding user '%AppUser%' to the group...
NET LOCALGROUP "%AppGroup%" "%AppUser%" /ADD
IF ERRORLEVEL 1 (
ECHO [FAILURE] Could not add '%AppUser%'. Does the account exist?
EXIT /B 1
)
) ELSE (
ECHO [INFO] '%AppUser%' is already a member of '%AppGroup%'.
)

ECHO.
ECHO [SUCCESS] Setup is complete.
ENDLOCAL
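The reverse operation, as an added example that is not part of the original page: a teardown script that undoes the setup above using the /DELETE forms from the parameter list, plus ICACLS /remove for the folder entry. It assumes the same placeholder names (ProjectX_Editors, C:\ProgramData\ProjectX, bwayne) and a local account that NET LOCALGROUP lists under exactly that name. The order matters: the group's access control entry is removed while the group still exists, because a group deleted first leaves an unresolvable SID behind in every ACL that referenced it.

```batch
@ECHO OFF
SETLOCAL
REM Added example (not from the original page): undo the setup script above.
REM Names are the placeholders used there; run elevated.

SET "AppGroup=ProjectX_Editors"
SET "AppFolder=C:\ProgramData\ProjectX"
SET "AppUser=bwayne"

REM --- Step 1: Remove the member, if present ---
REM NET LOCALGROUP "group" lists members one per line, so FINDSTR /X
REM (whole-line match) avoids matching e.g. 'bwayne' inside 'bwayne2'.
NET LOCALGROUP "%AppGroup%" 2>NUL | FINDSTR /I /X /C:"%AppUser%" >NUL
IF NOT ERRORLEVEL 1 (
ECHO Removing '%AppUser%' from '%AppGroup%'...
NET LOCALGROUP "%AppGroup%" "%AppUser%" /DELETE
)

REM --- Step 2: Remove the group's ACE while the group still exists ---
REM Deleting the group first would leave an unresolvable SID in the ACL
REM (shown by ICACLS as S-1-5-21-...) that is harder to identify and clean up.
REM /remove:g drops every granted entry for the principal; /T walks subfolders.
IF EXIST "%AppFolder%\" (
ECHO Removing '%AppGroup%' permissions from '%AppFolder%'...
ICACLS "%AppFolder%" /remove:g "%AppGroup%" /T
)

REM --- Step 3: Delete the group ---
NET LOCALGROUP "%AppGroup%" >NUL 2>&1
IF NOT ERRORLEVEL 1 (
ECHO Deleting group '%AppGroup%'...
NET LOCALGROUP "%AppGroup%" /DELETE
) ELSE (
ECHO [INFO] Group '%AppGroup%' does not exist; nothing to delete.
)

REM The data folder is left in place on purpose: removing a group should not
REM destroy data. Print the remaining ACL so an operator can confirm the cleanup.
IF EXIST "%AppFolder%\" ICACLS "%AppFolder%"
ENDLOCAL
```

Every step is conditional on the current state, so the script can be re-run after a partial failure without producing error 1376 ("The specified local group does not exist.") or 1377 ("The specified account name is not a member of the group.").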

Conclusion

The NET LOCALGROUP command is the standard, built-in tool for creating and managing local groups from a batch script.

For a successful and reliable script:

  1. Always run your script as an Administrator.
  2. Use the syntax NET LOCALGROUP "GroupName" /ADD to create a group.
  3. Always use the /COMMENT:"..." switch to add a description, which is a crucial best practice for maintainability.
  4. For robust scripts, check if the group already exists before attempting to create it.

By mastering this command, you can automate a key part of setting up and securing your Windows systems.