
How to Get the Member Count of a Local Group in Batch Script

Auditing group size is a key metric for system health and security. If your "Administrators" group suddenly grows from 2 members to 10, it's a major red flag for a potential security breach. If your "Remote Desktop Users" group is at zero, it explains why deployment scripts are failing. While the net localgroup command lists members, it doesn't provide a "Count" out of the box. By using some clever parsing with for /f loops, you can calculate exactly how many people are in any local group.

This guide explains how to get a membership count via Batch.

Why Count Group Members?

  • Security Thresholds: Automatically alerting IT if the number of administrative accounts exceeds a specific corporate baseline (e.g., more than 3 admins).
  • Compliance Reporting: Quickly checking if a new classroom of 30 students has exactly 30 entries in the "Students" local group.
  • Troubleshooting: Identifying empty groups that should have service accounts or backup operators configured.

Local vs. Domain

This method targets Local groups on the workstation. If you need to count members in a "Domain Group" (e.g., Domain Admins), you must use the net group command instead.

Method 1: Counting Members (The Reliable Way)

The net localgroup output includes several lines of headers and footers. To get an accurate count, we skip the header lines and exclude the footer.

@echo off
setlocal EnableDelayedExpansion

set "TARGET_GRP=Administrators"

echo [PROCESS] Calculating membership for: %TARGET_GRP%

:: Verify the group exists
net localgroup "%TARGET_GRP%" >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Group "%TARGET_GRP%" not found.
    pause
    exit /b 1
)

:: Count members by skipping the 6-line header and excluding the footer
set "COUNT=0"
for /f "skip=6 tokens=*" %%a in ('net localgroup "%TARGET_GRP%" 2^>nul') do (
    echo %%a | findstr /c:"The command completed successfully" >nul
    if !errorlevel! neq 0 set /a "COUNT+=1"
)

echo.
echo [RESULT] There are !COUNT! member(s^) in the "%TARGET_GRP%" group.
pause

Method 2: Detailed Reporting with Count Logic

A professional script can identify empty groups and provide different feedback based on the count.

@echo off
setlocal EnableDelayedExpansion

set "GRP=Remote Desktop Users"

echo [PROCESS] Auditing access level: "%GRP%"

:: Verify the group exists
net localgroup "%GRP%" >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Group "%GRP%" not found on this machine.
    pause
    exit /b 1
)

:: Count members
set "COUNT=0"
for /f "skip=6 tokens=*" %%a in ('net localgroup "%GRP%" 2^>nul') do (
    echo %%a | findstr /c:"The command completed successfully" >nul
    if !errorlevel! neq 0 set /a "COUNT+=1"
)

echo.
if !COUNT! equ 0 (
    echo [WARNING] The "%GRP%" group is EMPTY. No one can log in remotely!
    echo [ACTION] Add users with: net localgroup "%GRP%" USERNAME /add
) else if !COUNT! gtr 5 (
    echo [ALERT] Large membership detected (!COUNT! users^). Review recommended.
) else (
    echo [OK] Group has !COUNT! active member(s^).
)

pause

Creating a Global Group Audit Report

This script loops through the most critical security groups and generates a summary of their size.

@echo off
setlocal EnableDelayedExpansion

echo ============================================================
echo Security Group Capacity Auditor
echo %COMPUTERNAME% - %DATE%
echo ============================================================
echo.

:: List of groups to audit (one per line for clarity with spaces)
set "G1=Administrators"
set "G2=Remote Desktop Users"
set "G3=Power Users"
set "G4=Backup Operators"

for %%g in ("!G1!" "!G2!" "!G3!" "!G4!") do (
    set "GRP_NAME=%%~g"

    rem Check if group exists on this machine
    rem (rem is used instead of :: because :: labels can break inside parenthesized blocks)
    net localgroup "!GRP_NAME!" >nul 2>&1
    if !errorlevel! equ 0 (
        rem Count members
        set "CNT=0"
        for /f "skip=6 tokens=*" %%m in ('net localgroup "!GRP_NAME!" 2^>nul') do (
            echo %%m | findstr /c:"The command completed successfully" >nul
            if !errorlevel! neq 0 set /a "CNT+=1"
        )
        echo [AUDIT] !GRP_NAME!: !CNT! member(s^)
    ) else (
        echo [SKIP] !GRP_NAME!: Group does not exist
    )
)

echo.
echo ============================================================
pause

Common Pitfalls and How to Avoid Them

Administrative Rights

While standard users can often query local group lists, you must run your Batch script (and the CMD window) as an Administrator to ensure you see all members and get an accurate count.

Sub-Groups (Nesting)

Note that if a Domain Group is a member of your local group, it counts as one member in this script, even if that domain group contains 1,000 people.

SEO and UX Tip

Advise your users that this script counts "Direct Entries." If they need a "Nested Count" (counting everyone inside the sub-groups too), they must use PowerShell: (Get-LocalGroupMember -Group 'Administrators').Count.

Best Practices for Membership Auditing

  1. Baseline Comparison: If your script detects a count higher than your "Golden Image" standard, have it automatically export the member names to a log file for review.
  2. Quotes in Group Names: Group names with spaces (like "Remote Desktop Users") MUST be wrapped in "Quotes" or the net localgroup command will fail with an "invalid group" error.
  3. Handle Missing Groups: Use 2>nul and an errorlevel check to prevent "System error 1378" from appearing if a group doesn't exist on that specific machine.
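
The baseline comparison from practice 1, as an added example that is not part of the original page: it counts direct entries the same way as the scripts above, and when the count exceeds the baseline it appends the member names to a log. The baseline of 3, the log file name group_audit.log and the exit codes (0 within baseline, 1 over baseline, 2 group missing) are assumptions for illustration; the footer is dropped with a substring test instead of the echo/findstr pipe.

```batch
@echo off
setlocal EnableDelayedExpansion

rem Assumed values for this example; adjust to your own golden image.
set "GRP=Administrators"
set "BASELINE=3"
set "LOG=%~dp0group_audit.log"

rem Confirm the group exists before parsing its output.
net localgroup "%GRP%" >nul 2>&1
if errorlevel 1 (
    echo [ERROR] Group "%GRP%" not found.
    exit /b 2
)

rem Skip the 6-line header and drop the English footer line.
rem A line is the footer if removing the footer text changes it.
rem Names are stored in MEMBER_1, MEMBER_2, ... for later logging.
rem Note: a "!" in a member name is lost under delayed expansion.
set "COUNT=0"
for /f "skip=6 delims=" %%a in ('net localgroup "%GRP%" 2^>nul') do (
    set "LINE=%%a"
    if "!LINE:The command completed successfully=!"=="!LINE!" (
        set /a "COUNT+=1"
        set "MEMBER_!COUNT!=%%a"
    )
)

if %COUNT% leq %BASELINE% (
    echo [OK] "%GRP%": %COUNT% direct entries, baseline %BASELINE%.
    exit /b 0
)

rem Over baseline: append a timestamped record listing every entry.
(
    echo ==== %DATE% %TIME% %COMPUTERNAME% ====
    echo Group "%GRP%": %COUNT% direct entries, baseline %BASELINE%
    for /l %%i in (1,1,%COUNT%) do echo   !MEMBER_%%i!
) >>"%LOG%"

echo [ALERT] "%GRP%": %COUNT% entries exceeds baseline %BASELINE%.
echo [ALERT] Member names appended to "%LOG%".
exit /b 1
```

Because the script omits pause and returns distinct exit codes, it can run unattended and let the calling job decide how to escalate.
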

Hidden Members

On some systems, specialized "Built-in" accounts might be hidden from the standard net localgroup view. These accounts are usually managed by the system and don't count toward your security risk.

Conclusion

Getting the number of users in a local group via Batch script is a critical competency for any security-conscious IT professional. By programmatically calculating membership counts, you can transform a raw list of names into actionable intelligence, allowing for automated security alerts and compliance monitoring. This professional approach to system identification ensures that your workstation's most powerful privileges remain within authorized limits, providing a clear and reliable mechanism for maintaining a lean and secure access policy across your entire Windows fleet.