How to List All Users in a Specific Local Group in Batch Script
Local groups, like "Administrators," "Remote Desktop Users," or "Power Users," are the fundamental way Windows manages permissions on a standalone machine. For IT auditors and security engineers, being able to "List" every member of a specific group is a critical task. It allows you to quickly identify who has "God Mode" (Administrative) access to a machine or who can log in remotely. Using the net localgroup command, you can generate an instant roster of any group's membership via a Batch script.
This guide explains how to extract and filter these results.
Why List Local Group Membership?
- Security Auditing: Identifying if a standard user has been accidentally (or maliciously) added to the "Administrators" group.
- Inventory Reporting: Generating a manifest of all users who have the right to access a specific workstation via Remote Desktop.
- Troubleshooting Access: Verifying that a service account has been correctly added to the "Users" or "Guests" group for a specific application.
The net localgroup command queries the groups on the specific computer you are sitting at. To list members of a domain-wide "Security Group," you must use the net group command instead.
Method 1: Using Net Localgroup (Quick Lookup)
The basic command displays a header, a list of members, and a footer.
@echo off
setlocal
set /p "GRP_NAME=Enter local group name (e.g., Administrators): "
if "%GRP_NAME%"=="" (
echo [ERROR] No group name entered.
pause
exit /b 1
)
echo [PROCESS] Retrieving members for group: "%GRP_NAME%"
echo.
net localgroup "%GRP_NAME%" 2>nul
if %errorlevel% neq 0 (
echo [ERROR] Group "%GRP_NAME%" was not found.
echo [TIP] Use 'net localgroup' (no arguments^) to list all available groups.
)
pause
Method 2: Extracting Just the Usernames
To use the list in an automated script (e.g., "Remove everyone but the authorized admin"), you need to skip the headers and footer lines.
@echo off
setlocal EnableDelayedExpansion
set "TARGET_GRP=Administrators"
echo [PROCESS] Members of "%TARGET_GRP%":
echo.
:: Skip the first 6 lines of header and filter out the footer
set "COUNT=0"
for /f "skip=6 tokens=*" %%a in ('net localgroup "%TARGET_GRP%" 2^>nul') do (
:: Stop when we hit the footer line
echo %%a | findstr /c:"The command completed successfully" >nul
if !errorlevel! neq 0 (
echo %%a
set /a "COUNT+=1"
)
)
echo.
echo [INFO] Total members: !COUNT!
pause
Creating a Group Membership Auditor
This professional script checks any specified group and creates a clean, timestamped report.
@echo off
setlocal EnableDelayedExpansion
echo ============================================================
echo Local Privilege Membership Auditor
echo ============================================================
set /p "GRP=Group to audit (default: Administrators): "
if "!GRP!"=="" set "GRP=Administrators"
:: Verify the group exists
net localgroup "!GRP!" >nul 2>&1
if !errorlevel! neq 0 (
echo [ERROR] Group "!GRP!" does not exist on this machine.
echo [TIP] Available groups:
net localgroup 2>nul
pause
exit /b 1
)
set "REPORT_DIR=%~dp0GroupAudits"
if not exist "!REPORT_DIR!" mkdir "!REPORT_DIR!"
set "REPORT=!REPORT_DIR!\%GRP%_Audit_%COMPUTERNAME%_%date:~-4%%date:~-10,2%%date:~-7,2%.txt"
echo [PROCESS] Auditing the local "!GRP!" group...
:: Generate report header
(
echo === LOCAL GROUP MEMBERSHIP AUDIT ===
echo Computer: %COMPUTERNAME%
echo Group: !GRP!
echo Generated: %DATE% %TIME%
echo.
echo === MEMBERS ===
) > "!REPORT!"
:: Extract members (skip header, exclude footer)
set "COUNT=0"
for /f "skip=6 tokens=*" %%a in ('net localgroup "!GRP!" 2^>nul') do (
echo %%a | findstr /c:"The command completed successfully" >nul
if !errorlevel! neq 0 (
echo %%a >> "!REPORT!"
set /a "COUNT+=1"
)
)
:: Summary
(
echo.
echo === SUMMARY ===
echo Total members: !COUNT!
) >> "!REPORT!"
echo.
if !COUNT! equ 0 (
echo [INFO] Group "!GRP!" has no members.
) else (
echo [INFO] Found !COUNT! member(s^) in "!GRP!":
echo.
:: Display to console as well
for /f "skip=6 tokens=*" %%a in ('net localgroup "!GRP!" 2^>nul') do (
echo %%a | findstr /c:"The command completed successfully" >nul
if !errorlevel! neq 0 echo %%a
)
)
echo.
echo [SUCCESS] Report saved to: !REPORT!
echo ============================================================
pause
Common Pitfalls and How to Avoid Them
Administrative Rights
While standard users can often list members of groups, you must run your Batch script (and CMD) as an Administrator to ensure you see all members, including protected system accounts or domain-linked groups.
Foreign Security Principals
If the machine is part of a domain, some members of local groups will be "Domain Groups" (e.g., CONTOSO\Domain Admins).
Advise your users that these entries are normal. The net localgroup tool is smart enough to show both local accounts (e.g., Admin_Local) and domain accounts (e.g., DOMAIN\User) in the same list.
Best Practices for Group Management
- Monitor the Administrators Group: Unauthorized addition to this group is the #1 sign of a compromise. Run your list script daily and compare it to a "Known Good" whitelist.
- Combine with 'Net User': Once you have a name from the group list, pass it to
net user <name>to see their full name and job title. - Audit the SID: Sometimes a group member will appear as an "Unknown SID" (e.g.,
S-1-5-...). This means the account was deleted but not removed from the group. Use a script to identify and prune these "Ghost" entries.
If your script returns System error 1378 has occurred. The specified group does not exist., check the spelling. Group names like "Remote Desktop Users" must be enclosed in "Quotes" because they contain spaces.
Conclusion
Listing users in a specific local group via Batch script is a fundamental prerequisite for maintaining a secure and well-audited Windows environment. By leveraging the net localgroup utility to programmatically extract membership rosters, you can ensure that your system's most powerful privileges are only held by authorized personnel. This professional approach to system monitoring transforms raw group data into clear, actionable reports, allowing you to maintain strict control over administrative access and Remote Desktop rights across your entire workstation and server fleet.