How to List a User's Group Memberships in Batch Script
In a Windows environment, user permissions are almost always managed through group memberships. Knowing which groups a user belongs to is a fundamental task for troubleshooting access issues, performing security audits, or simply verifying a user's role. Windows provides several built-in command-line tools that allow you to list these memberships directly from a batch script.
This guide will teach you the two primary methods for this task. We will cover the standard net user command for looking up the direct group memberships of any user (local or domain), and the powerful whoami /groups command for seeing the complete, nested group list for the currently logged-in user.
Method 1: net user for Direct Memberships
The net user command is the classic tool for querying user account information. It can show the direct groups a user is a member of.
Syntax for a Local User: net user <username>
Syntax for a Domain User: net user <username> /DOMAIN
The output is a human-readable summary of the user's properties. The group information is at the bottom under the labels "Local Group Memberships" and "Global Group memberships" (note the inconsistent capitalization of the two labels as Windows prints them; it matters as soon as a script matches on that text).
Method 2: whoami /groups for the Current User's Full Token
The whoami command reports on the user running it. The /groups switch is the more powerful view because it lists every group SID in the process's access token, and that token is built at logon from the user's expanded membership, so it includes nested groups as well as direct ones.
Syntax: whoami /groups (add /fo csv /nh for quoted, comma-separated rows with no header, which are much easier to parse than the default table)
This command is the most accurate way to see the "effective" group memberships for the user running the script, and only for that user: it reads the current token, not the directory.
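As an added example (not code from the original page), the following batch script parses the CSV form of whoami /groups and reports whether the BUILTIN\Administrators entry in the token is actually enabled. It relies only on documented whoami options; S-1-5-32-544 is the well-known SID of the built-in Administrators group.

```batch
@ECHO OFF
SETLOCAL ENABLEDELAYEDEXPANSION
REM Added example, not from the original page. "whoami /groups /fo csv /nh"
REM prints one quoted, comma-separated row per group in the current token:
REM "Group Name","Type","SID","Attributes"
SET "AdminSid=S-1-5-32-544"
SET "AdminState=absent"
FOR /F "tokens=1,3* delims=," %%A IN ('whoami /groups /fo csv /nh') DO (
    REM %%~A strips the surrounding quotes. The "*" token (%%C) takes the rest
    REM of the row, so the commas inside the Attributes field do not split it.
    SET "GroupName=%%~A"
    SET "Sid=%%~B"
    SET "Attrs=%%~C"
    ECHO !Sid!    !GroupName!
    IF "!Sid!"=="%AdminSid%" (
        REM In a non-elevated prompt under UAC the Administrators group is still
        REM in the token but flagged "Group used for deny only": it can match
        REM deny ACEs but grants nothing. Only "Enabled group" means real access.
        IF NOT "!Attrs:Enabled group=!"=="!Attrs!" (
            SET "AdminState=enabled"
        ) ELSE (
            SET "AdminState=deny-only"
        )
    )
)
ECHO.
ECHO BUILTIN\Administrators in this token: %AdminState%
ENDLOCAL
```

Run it twice, once from a normal prompt and once from an elevated one, to see the same group reported as deny-only and then as enabled; the group list itself (the nested memberships included) is identical in both cases, only the attributes differ.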
Basic Example: Displaying a User's Groups
Let's check the group memberships for a domain user named jdoe.
@ECHO OFF
SETLOCAL
REM Do not name the variable USERNAME: that is a built-in variable holding the
REM account running the script, and overwriting it confuses later commands.
SET "TargetUser=jdoe"
ECHO --- Displaying group memberships for user: %TargetUser% ---
ECHO.
NET USER "%TargetUser%" /DOMAIN
ENDLOCAL
The output is a long list of properties. The important part is at the end.
...
Local Group Memberships      *Users
Global Group memberships     *Domain Users         *Marketing Team
                             *VPN Access
The command completed successfully.
How to Capture and Parse the Group List in a Script
The output of net user is messy and designed for humans. To use this list in a script, you need to parse it. This requires a moderately complex FOR /F loop.
@ECHO OFF
SETLOCAL ENABLEDELAYEDEXPANSION
SET "TargetUser=jdoe"
ECHO --- Capturing groups for %TargetUser% ---
ECHO.
SET "in_group_section="
REM "delims=" keeps leading whitespace, so the 29-character label column stays
REM aligned on the continuation lines that carry the overflow group names.
FOR /F "delims=" %%L IN ('NET USER "%TargetUser%" /DOMAIN') DO (
    SET "line=%%L"
    REM The group list starts at the first "... Group Memberships" row (note the
    REM different capitalization of the two labels) ...
    IF "!line:~0,23!"=="Local Group Memberships" SET "in_group_section=1"
    IF "!line:~0,24!"=="Global Group memberships" SET "in_group_section=1"
    REM ... and ends at the status line.
    IF "!line:~0,21!"=="The command completed" SET "in_group_section="
    IF DEFINED in_group_section (
        REM Past the label column the line reads "*Name *Name ...". Group names
        REM contain spaces, so split on the asterisk, not on whitespace. A plain
        REM FOR %%G IN (...) would split on spaces and treat * as a file wildcard.
        FOR /F "tokens=1-4 delims=*" %%G IN ("!line:~29!") DO (
            FOR %%N IN ("%%G" "%%H" "%%I" "%%J") DO (
                IF NOT "%%~N"=="" CALL :Report "%%~N"
            )
        )
    )
)
ENDLOCAL
GOTO :EOF

REM Print one group name after stripping the column padding net user adds.
:Report
SET "Group=%~1"
:RTrim
IF "!Group:~-1!"==" " (SET "Group=!Group:~0,-1!" & GOTO RTrim)
ECHO Found group membership: !Group!
EXIT /B
This script requires delayed expansion and is still fragile: it depends on net user's fixed layout (a 29-character label column, an asterisk before each name, English label text), so it breaks if the format changes or the system is localized. Parsing net user is difficult.
CRITICAL: The Difference Between Direct and Nested Groups
This is the most important concept to understand.
- Direct Membership: net user only shows you the groups you were placed into directly.
- Nested Membership (or "Effective"): If you are a member of the "Marketing Team" group, and that group is a member of the "All Employees" group, net user will NOT show that you are in "All Employees."
The whoami /groups command DOES show nested memberships, because the access token is built from the expanded membership at logon. It is the definitive way to see all the permissions a user has inherited through group nesting, but it only works for the user running it. Two caveats follow from its reading the token rather than the directory: a group the user was added to after signing in does not appear until the next logon, and in a non-elevated prompt under UAC the Administrators group is listed with the attribute "Group used for deny only", meaning it is present in the token but grants nothing.
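The following batch script is an added example, not code from the original page: it prints the domain groups present in the current user's token that net user does not list as direct memberships, which is exactly the set gained through nesting. It assumes a domain-joined machine on which %USERDOMAIN% is the NetBIOS name of the logged-on account's domain, and it reuses the label-matching approach from the parsing section earlier on this page.

```batch
@ECHO OFF
SETLOCAL ENABLEDELAYEDEXPANSION
REM Added example, not from the original page. Assumption: domain-joined host,
REM %USERDOMAIN% is the NetBIOS name of the domain of the logged-on user.

REM 1. Direct memberships, as NET USER prints them, collected into a
REM    |-delimited list so membership can be tested with string replacement.
SET "Direct=|"
SET "InGroups="
FOR /F "delims=" %%L IN ('NET USER "%USERNAME%" /DOMAIN') DO (
    SET "Line=%%L"
    IF "!Line:~0,23!"=="Local Group Memberships" SET "InGroups=1"
    IF "!Line:~0,24!"=="Global Group memberships" SET "InGroups=1"
    IF "!Line:~0,21!"=="The command completed" SET "InGroups="
    IF DEFINED InGroups FOR /F "tokens=1-4 delims=*" %%G IN ("!Line:~29!") DO (
        FOR %%N IN ("%%G" "%%H" "%%I" "%%J") DO (
            IF NOT "%%~N"=="" CALL :AddDirect "%%~N"
        )
    )
)
ECHO Direct memberships: !Direct!
ECHO.

REM 2. Walk the token. whoami prints DOMAIN\Group; keep only groups from the
REM    user's own domain so that BUILTIN\, NT AUTHORITY\ and other well-known
REM    entries are not mistaken for nested domain groups.
ECHO Domain groups held through nesting (in the token, not listed by NET USER):
FOR /F "tokens=1,3 delims=," %%A IN ('whoami /groups /fo csv /nh') DO (
    SET "Full=%%~A"
    REM "*\" in a substitution removes everything up to the first backslash.
    SET "Short=!Full:*\=!"
    IF /I "!Full!"=="%USERDOMAIN%\!Short!" (
        FOR /F "delims=" %%S IN ("!Short!") DO (
            REM If removing |name| changes nothing, the name was not direct.
            IF "!Direct:|%%S|=!"=="!Direct!" ECHO     %%S   %%~B
        )
    )
)
REM Caveat: only what NET USER prints counts as direct here. NET USER omits
REM universal groups, so a direct universal-group membership is reported as
REM nested; and groups added after logon are not in the token until re-logon.
ENDLOCAL
GOTO :EOF

REM Trim the column padding and append the name to the direct list.
:AddDirect
SET "G=%~1"
:Trim
IF "!G:~-1!"==" " (SET "G=!G:~0,-1!" & GOTO Trim)
SET "Direct=!Direct!!G!|"
EXIT /B
```

Each nested group is printed with its SID (the third CSV column), which is what an ACL actually references; comparing on the bare name is only for readability, which is also why the comparison is restricted to the user's own domain.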
Common Pitfalls and How to Solve Them
- Permissions: You do not need to be an administrator to read a user's group memberships; in a default domain configuration a standard domain user account has sufficient permissions.
- Parsing net user: As shown, the output is difficult to parse. The script in the earlier section is a functional attempt, but it depends on the exact layout: the 29-character label column, the asterisk before each name and the English label text, which is translated on localized Windows builds. For serious AD querying, a PowerShell script (Get-ADPrincipalGroupMembership) is far more reliable.
- User Not Found: If net user cannot find the user, it prints an error ("The user name could not be found.") and sets a non-zero exit code. A robust script should check ERRORLEVEL before parsing anything.
Practical Example: A User Group Membership Report Script
This script takes a username as an argument and creates a simple text file report of their direct group memberships.
@ECHO OFF
SETLOCAL ENABLEDELAYEDEXPANSION
SET "TargetUser=%~1"
REM The angle brackets must be escaped, or ECHO treats them as redirection.
IF "%TargetUser%"=="" (ECHO Usage: %~n0 ^<username^> & GOTO :EOF)
REM Fail early if the account does not exist: NET USER prints
REM "The user name could not be found." and sets a non-zero exit code.
NET USER "%TargetUser%" /DOMAIN >NUL 2>&1
IF ERRORLEVEL 1 (
    ECHO [ERROR] User "%TargetUser%" was not found in the domain.
    EXIT /B 1
)
SET "ReportFile=%USERPROFILE%\Desktop\%TargetUser%_Groups.txt"
> "%ReportFile%" ECHO --- User Group Membership Report for %TargetUser% ---
>> "%ReportFile%" ECHO Generated on %DATE% at %TIME%
>> "%ReportFile%" ECHO.
SET "in_groups="
REM "delims=" keeps the leading whitespace that aligns continuation lines.
FOR /F "delims=" %%L IN ('NET USER "%TargetUser%" /DOMAIN') DO (
    SET "line=%%L"
    IF "!line:~0,23!"=="Local Group Memberships" SET "in_groups=1"
    IF "!line:~0,24!"=="Global Group memberships" SET "in_groups=1"
    IF "!line:~0,21!"=="The command completed" SET "in_groups="
    IF DEFINED in_groups (
        REM Split the value column on the asterisk that precedes each name.
        FOR /F "tokens=1-4 delims=*" %%G IN ("!line:~29!") DO (
            FOR %%N IN ("%%G" "%%H" "%%I" "%%J") DO (
                IF NOT "%%~N"=="" CALL :WriteGroup "%%~N"
            )
        )
    )
)
ECHO [SUCCESS] Report created at "%ReportFile%"
START "" "%ReportFile%"
ENDLOCAL
GOTO :EOF

REM Append one group name to the report after trimming net user's padding.
:WriteGroup
SET "Group=%~1"
:RTrim
IF "!Group:~-1!"==" " (SET "Group=!Group:~0,-1!" & GOTO RTrim)
>> "%ReportFile%" ECHO !Group!
EXIT /B
Conclusion
Windows provides several built-in tools for listing user group memberships, each with a specific purpose.
- Use net user <username> /domain to get a list of the direct group memberships for any user in the domain. Be aware that its output is difficult to parse reliably.
- Use whoami /groups to get a complete list of all direct and nested group memberships for the currently logged-in user. Its output is cleaner (especially with /fo csv) and more comprehensive for checking a user's own permissions.
For simple, interactive checks, net user is excellent. For determining a user's true "effective" permissions, whoami /groups is the authoritative tool.