How to List All Local Groups in a Batch Script
Local groups are a key component of security on a standalone Windows computer or a server. They are collections of user accounts that can be used to assign permissions to shared resources. Before you can add a user to a group or assign permissions, you often need to see what groups already exist on the machine.
This guide will teach you how to get a list of all local groups on a computer using the standard, built-in NET LOCALGROUP command. You will learn the simple command to display the list and how to capture that list in a FOR loop to use it in your scripts.
What are Local Groups?
Every Windows machine has its own local Security Account Manager (SAM) database, which stores its own set of users and groups. These are different from Active Directory domain groups. Local groups are used to control access to resources on that specific machine.
Common built-in local groups include:
- Administrators
- Users
- Guests
- Power Users
- Remote Desktop Users
You can also create your own custom local groups.
The Core Command: NET LOCALGROUP
The NET.EXE utility is the classic command-line tool for managing local users and groups. When you run the LOCALGROUP context with no arguments, it performs its default action: listing all local groups on the system.
Syntax: NET LOCALGROUP
Basic Example: Displaying All Local Groups
Running this command in a command prompt will produce a simple, multi-column list of all the group names.
C:\> NET LOCALGROUP
The output is formatted for readability, with an asterisk (*) in front of each group name.
Aliases for \\MY-PC
-------------------------------------------------------------------------------
*Administrators
*Backup Operators
*Guests
*Hyper-V Administrators
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Remote Desktop Users
*Remote Management Users
*Users
The command completed successfully.
Parsing the Output to Get a Clean List
The default output includes headers and asterisks, which are not ideal for scripting. To get a clean list of just the group names, you need to parse this output with a FOR /F loop.
This script iterates through the output of NET LOCALGROUP and prints a clean, one-per-line list of the group names.
@ECHO OFF
ECHO --- Listing all local groups on this machine ---
ECHO.
REM 'skip=4' ignores the header lines.
REM 'delims=*' uses the asterisk as a delimiter, which effectively removes it.
REM The second FOR loop is a trick to trim any trailing spaces.
FOR /F "skip=4 delims=*" %%G IN ('NET LOCALGROUP') DO (
    FOR /F "tokens=*" %%N IN ("%%G") DO (
        IF NOT "%%N"=="" IF NOT "%%N"=="The command completed successfully." (
            ECHO Group: "%%N"
        )
    )
)
Common Pitfalls and How to Solve Them
- Parsing the Footer: The NET LOCALGROUP command includes a footer line: "The command completed successfully." A simple FOR /F loop will try to process this as a group name.
  - Solution: As shown in the script above, you must add an IF statement inside your loop to explicitly ignore this final line.
- Group Names with Spaces: The NET LOCALGROUP command can produce group names with spaces (e.g., "Remote Desktop Users").
  - Solution: The parsing script above handles this correctly. The delims=* removes the leading asterisk, and the second FOR /F "tokens=*" %%N IN ("%%G") correctly captures the entire group name, including spaces, while trimming any trailing whitespace.
- Administrator Rights: Listing local groups is a read-only operation and can typically be performed by a standard user. However, for maximum reliability and to ensure you see all groups, it's a good practice to run the script as an Administrator.
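The footer text is localized on non-English Windows installations, so matching the English sentence is fragile. The script below is an added example, not part of the original guide: it keeps only lines that begin with an asterisk and then compares each group against an expected baseline, flagging any local group a build standard does not account for. The baseline list is constructed for illustration and must be replaced with your own.

```batch
@ECHO OFF
SETLOCAL
REM Added example: report local groups that are not in an expected baseline.
REM The baseline is a constructed sample; substitute the groups your build
REM standard expects. Each name is quoted so names with spaces stay intact.
SET Baseline="Administrators" "Backup Operators" "Guests" "Power Users" "Remote Desktop Users" "Users"
SET /A Unexpected=0

REM FINDSTR /B /L /C:"*" passes only lines that start with a literal asterisk,
REM so the header, the dashed rule and the footer never reach the loop,
REM whatever language they are printed in.
REM 'delims=*' then drops the leading asterisk from each group name.
FOR /F "delims=*" %%G IN ('NET LOCALGROUP ^| FINDSTR /B /L /C:"*"') DO (
    SET "Known="
    REM Case-insensitive comparison against every baseline entry.
    FOR %%B IN (%Baseline%) DO IF /I "%%~B"=="%%G" SET "Known=1"
    REM IF DEFINED is evaluated at run time, so no delayed expansion is needed.
    IF NOT DEFINED Known (
        ECHO [UNEXPECTED] "%%G"
        SET /A Unexpected+=1
    )
)

IF %Unexpected% GTR 0 (
    ECHO Local groups missing from the baseline: %Unexpected%
    ENDLOCAL
    EXIT /B 1
)
ECHO All local groups match the baseline.
ENDLOCAL
EXIT /B 0
```

The non-zero exit code lets a scheduled task or configuration-management job treat an unexpected group as a failed check.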
Practical Example: A "Find Group" Script
This script checks if a specific local group exists on the system. It is a common pre-flight check before a script attempts to create a group or add a user to it.
@ECHO OFF
SETLOCAL
SET "GroupToFind=Administrators"
ECHO --- Searching for local group: "%GroupToFind%" ---
ECHO.
SET "Found=0"
REM Pipe the output of NET LOCALGROUP to FINDSTR for a simple check.
REM The /I makes it case-insensitive.
REM The /X makes it match the entire line exactly.
NET LOCALGROUP | FINDSTR /I /X /C:"*%GroupToFind%" > NUL
IF %ERRORLEVEL% EQU 0 (
    ECHO [SUCCESS] The group "%GroupToFind%" exists on this machine.
) ELSE (
    ECHO [FAILURE] The group "%GroupToFind%" was not found.
)
ENDLOCAL
How it works: This is a much simpler way to check for a specific group. NET LOCALGROUP outputs *Administrators. The FINDSTR command looks for a line that exactly (/X) matches *Administrators. This is faster and simpler than a full FOR loop if you only need to check for existence.
Conclusion
The NET LOCALGROUP command is the standard, built-in tool for listing all local groups on a Windows machine.
- The basic command is simply NET LOCALGROUP.
- For scripting, you must use a FOR /F loop to parse the output, being careful to skip the header and ignore the footer.
- For a simple existence check, piping the output to FINDSTR is a more direct and efficient method.
By using these techniques, you can write scripts that are aware of the local security groups on a system, allowing you to automate user and permission management tasks.