
How to List All Local Administrators in Batch Script

The "Administrators" group holds the keys to the kingdom on any Windows workstation. Members of this group have full control over the operating system, including the ability to install software, modify system files, and access other users' data. For security auditing and compliance, it is critical to regularly verify exactly who is in this group. A rogue account or an unauthorized domain user added to the local admins can be a major security vulnerability.

This guide explains how to use the net localgroup command to generate a clear roster of all privileged users.

Why Audit Local Administrators?

  • Security Hygiene: Identifying and removing unauthorized users who have been granted admin rights (privilege creep).
  • Compliance Reporting: Generating a list of all administrative accounts for annual security audits (e.g., ISO 27001).
  • Troubleshooting: Verifying that a specific service account has the necessary permissions to run a legacy application.

Local vs. Domain Admins

The net localgroup command lists the members of the local Administrators group on the specific machine where the script is run. This list often includes the "Domain Admins" group if the machine is joined to a domain.

Method 1: Using Net Localgroup (Quick View)

The simplest way to view the administrators is to dump the group membership to the console.

@echo off
echo [PROCESS] Auditing Local Administrators on %COMPUTERNAME%...
echo.

net localgroup Administrators

echo.
pause

Method 2: Extracting a Clean List to a File

For automated reporting, you need to filter out the header and footer text provided by the net command.

@echo off
setlocal EnableDelayedExpansion

set "REPORT_DIR=%~dp0AdminAudits"
if not exist "!REPORT_DIR!" mkdir "!REPORT_DIR!"
:: The date slicing below assumes the DATE variable ends in MM/DD/YYYY (US regional format)
set "REPORT_FILE=!REPORT_DIR!\LocalAdmins_%COMPUTERNAME%_%date:~-4%%date:~-10,2%%date:~-7,2%.txt"

echo [PROCESS] Generating admin report for %COMPUTERNAME%...

:: Generate report header
(
    echo === LOCAL ADMINISTRATORS AUDIT ===
    echo Computer: %COMPUTERNAME%
    echo Date: %DATE% %TIME%
    echo.
    echo === MEMBERS ===
) > "!REPORT_FILE!"

:: Extract members by skipping the 6 header lines and filtering out the footer
:: (the footer is matched by its English text, so this assumes an English-language system)
set "COUNT=0"
for /f "skip=6 tokens=*" %%a in ('net localgroup Administrators 2^>nul') do (
    echo %%a | findstr /c:"The command completed successfully" >nul
    if !errorlevel! neq 0 (
        echo %%a >> "!REPORT_FILE!"
        set /a "COUNT+=1"
    )
)

:: Summary
(
    echo.
    echo === SUMMARY ===
    echo Total members: !COUNT!
) >> "!REPORT_FILE!"

echo [SUCCESS] Found !COUNT! administrator(s^).
echo [SAVED] Report: !REPORT_FILE!
echo.
type "!REPORT_FILE!"
pause

Creating a Security Alert Tool

This script checks the admin group membership and alerts on specific concerns such as unauthorized accounts or excessive membership.

@echo off
setlocal EnableDelayedExpansion

echo ============================================================
echo Privilege Escalation Detector
echo %COMPUTERNAME% - %DATE%
echo ============================================================

:: 1. List all administrators
echo.
echo [CHECK 1] Current Administrators:
echo -----------------------------------------
set "COUNT=0"
for /f "skip=6 tokens=*" %%a in ('net localgroup Administrators 2^>nul') do (
    echo %%a | findstr /c:"The command completed successfully" >nul
    if !errorlevel! neq 0 (
        echo %%a
        set /a "COUNT+=1"
    )
)
echo -----------------------------------------
echo Total: !COUNT! member(s^)
echo.

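:: 2. Check for specific suspicious accounts
:: Note: findstr performs a substring match over the whole command output, so any
:: line that merely contains one of these names also triggers the alert.
echo [CHECK 2] Suspicious Account Detection:
set "SUSPECTS=Guest DefaultAccount"
set "ALERT=0"

for %%s in (!SUSPECTS!) do (
    net localgroup Administrators 2>nul | findstr /i /c:"%%s" >nul
    if !errorlevel! equ 0 (
        rem A trailing exclamation mark would be swallowed by delayed expansion
        echo [ALERT] "%%s" is a Local Administrator.
        set "ALERT=1"
    )
)

if !ALERT! equ 0 (
    echo [OK] No suspicious accounts detected.
)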

:: 3. Check membership count threshold
echo.
echo [CHECK 3] Membership Threshold:
if !COUNT! gtr 5 (
    echo [WARNING] !COUNT! administrators exceeds the recommended maximum of 5.
    echo [ACTION] Review and remove unnecessary admin accounts.
) else (
    echo [OK] Admin count (!COUNT!^) is within acceptable limits.
)

echo.
echo ============================================================
pause

Common Pitfalls and How to Avoid Them

Nested Groups

In a domain environment, you will often see "DOMAIN\Domain Admins" listed as a member. This is a group, not a user.

SEO and UX Tip

Note that net localgroup does not recursively list the members of nested domain groups. To see who is inside "Domain Admins," query the domain controller with net group "Domain Admins" /domain.

Access Denied

You generally do not need to be an administrator to read the members of the Administrators group, but on some hardened systems, this visibility might be restricted.

Best Practices for Admin Management

  1. Least Privilege: Only the specific users who need to manage the system should be in this group. Standard users should never be local admins.
  2. Rename the Admin Account: Use wmic useraccount where name='Administrator' rename 'SysAdmin' to make it harder for attackers to guess the admin username.
  3. Regular Audits: Schedule this script to run monthly and email the output to the security team to detect unauthorized changes.

The 'Administrator' Account

The built-in account named "Administrator" is disabled by default on modern Windows versions for security. However, it is always a member of the Administrators group.
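
The "Regular Audits" practice above depends on noticing membership changes between runs. As an added example (not part of the original article), this script records an approved baseline on its first run and afterwards reports members added or removed; the AdminAudits\Baseline_COMPUTERNAME.txt file name and the exit codes are assumptions of the example.

```batch
@echo off
setlocal
:: Added example: compare the current Administrators members with an approved baseline.
:: The AdminAudits\Baseline_COMPUTERNAME.txt location is an assumption of this example.
set "AUDIT_DIR=%~dp0AdminAudits"
set "BASELINE=%AUDIT_DIR%\Baseline_%COMPUTERNAME%.txt"
set "CURRENT=%TEMP%\LocalAdmins_%COMPUTERNAME%_%RANDOM%.tmp"
if not exist "%AUDIT_DIR%" mkdir "%AUDIT_DIR%"

:: Capture the member list, one name per line (same parsing as Method 2).
(
    for /f "skip=6 delims=" %%a in ('net localgroup Administrators 2^>nul') do (
        echo %%a| findstr /b /c:"The command completed successfully" >nul || echo(%%a
    )
) > "%CURRENT%"

:: An empty list means the query failed (access denied, or a localized group name).
for %%f in ("%CURRENT%") do if %%~zf equ 0 (
    echo [ERROR] Could not read the Administrators group.
    del "%CURRENT%"
    exit /b 2
)

:: First run: record the baseline for review and stop.
if not exist "%BASELINE%" (
    move /y "%CURRENT%" "%BASELINE%" >nul
    echo [INFO] Baseline created: "%BASELINE%"
    exit /b 0
)

set "ADDED=0"
set "REMOVED=0"
for /f "usebackq delims=" %%m in ("%CURRENT%") do call :lookup "%%m" "%BASELINE%" || (
    echo [ALERT] Not in baseline: %%m
    set /a ADDED+=1
)
for /f "usebackq delims=" %%m in ("%BASELINE%") do call :lookup "%%m" "%CURRENT%" || (
    echo [INFO] In baseline but no longer a member: %%m
    set /a REMOVED+=1
)
del "%CURRENT%"
echo Added: %ADDED%  Removed: %REMOVED%
:: A non-zero exit code lets a scheduler or wrapper raise the alert.
if %ADDED% gtr 0 exit /b 1
exit /b 0

:: lookup NAME FILE: errorlevel 0 when NAME is a whole line of FILE (case-insensitive)
:lookup
for /f "usebackq delims=" %%b in ("%~2") do if /i "%%b"=="%~1" exit /b 0
exit /b 1
```

After a legitimate change has been reviewed, replace the baseline file with the new list so later runs compare against the approved state.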

Conclusion

Listing all local administrators via Batch script is a fundamental step in maintaining a secure Windows environment. By leveraging the net localgroup command to programmatically audit privileged access, you can prevent unauthorized changes, ensure compliance with security policies, and maintain strict control over your infrastructure. This professional approach to system monitoring transforms raw permission data into actionable intelligence, keeping your workstations and servers safe from privilege escalation attacks.