How to Remove a User from a Local Group in a Batch Script

Revoking a user's permissions is a fundamental security and administrative task. When a user no longer requires access to a specific resource, you should remove them from the local group that grants those permissions. This is the proper way to enforce the principle of least privilege and is essential for offboarding users or changing their roles.

This guide will teach you how to use the standard, built-in NET LOCALGROUP command to remove a user from a local group on a Windows machine. You will learn the correct syntax for both local and domain users and the critical importance of running the script with administrator privileges.

CRITICAL NOTE: Removing a user from a group revokes any permissions they had through that group. This is a high-privilege operation that modifies the local security database. You must run this script with full administrator privileges.

The Core Command: NET LOCALGROUP

The NET.EXE utility is the primary tool for managing local users and groups from the command line. The LOCALGROUP context is used to create, modify, and manage group memberships.

Syntax for Removal: NET LOCALGROUP "GroupName" "UserName" /DELETE

  • "GroupName": (Required) The name of the local group you want to modify (e.g., Administrators).
  • "UserName": (Required) The name of the user account you want to remove.
  • /DELETE: The switch that performs the removal operation.

Basic Example: Removing a User from a Group

Let's remove a local user named jdoe from the local "Power Users" group.

@ECHO OFF
REM This script MUST be run as an Administrator.

SET "GroupName=Power Users"
SET "UserName=jdoe"

ECHO --- Removing a local user from a local group ---
ECHO Removing user '%UserName%' from the '%GroupName%' group...
ECHO.

NET LOCALGROUP "%GroupName%" "%UserName%" /DELETE

IF %ERRORLEVEL% EQU 0 (
ECHO [SUCCESS] The user was removed successfully.
) ELSE (
ECHO [FAILURE] An error occurred. Check if the user/group exists and if you are running as Admin.
)

Removing a Domain User from a Local Group

This is a very common scenario. You might need to remove a domain account's administrative rights from a local server. To do this, you specify the user in the DOMAIN\User format.

This script removes the domain user CORP\sjenkins from the local "Administrators" group on the machine where the script is run.

@ECHO OFF
REM Run as Administrator.
SET "DomainUser=CORP\sjenkins"
SET "LocalGroup=Administrators"

ECHO Removing domain user '%DomainUser%' from the local '%LocalGroup%' group...
NET LOCALGROUP "%LocalGroup%" "%DomainUser%" /DELETE

Key NET LOCALGROUP Parameters Explained

  • GroupName: The name of the group. If the group name has spaces, it must be in quotes.
  • UserName: The name of the user. For a domain user, use the DOMAIN\User format.
  • /DELETE: Removes a user from the group.
  • /ADD: Adds a user to the group.
  • If you run NET LOCALGROUP GroupName with no other switches, it will list the current members of the group.

Common Pitfalls and How to Solve Them

  • "System error 5 has occurred. Access is denied.": This is the number one cause of failure. It means your script does not have the necessary permissions. Solution: You must run the script from an elevated command prompt ("Run as administrator").

  • "The user is not a member of the group.": This error occurs if you try to remove a user who isn't in the group.

    • Solution: In a cleanup script, this is not a critical failure; it means the desired state (the user not being in the group) is already true. You can safely suppress this error message by redirecting standard error to NUL if you don't want to see it.
      REM This command will work silently if the user is not in the group.
      NET LOCALGROUP "GroupName" "UserName" /DELETE 2>NUL
  • "The specified user account does not exist.": This means there is a typo in the username. Solution: Double-check the spelling. You can get a list of all local users by running NET USER.
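A check-first variant of the cleanup pattern, added here as an example rather than taken from the guide: it confirms elevation with NET SESSION, confirms the group exists, lists the group's members and issues /DELETE only when the user is actually listed, and appends an audit line to a log so revocations can be reviewed later. The script name RevokeMember.bat and the log file location are assumptions.

```batch
@ECHO OFF
SETLOCAL
REM Added example, not from the guide. Idempotent removal: verify elevation,
REM confirm the group exists, call /DELETE only if the user is a member, log it.
REM Assumed usage: RevokeMember.bat "Group Name" "DOMAIN\UserName"
SET "GroupName=%~1"
SET "UserName=%~2"
REM Assumed audit log location: next to the script.
SET "LogFile=%~dp0revoke-membership.log"

IF "%GroupName%"=="" GOTO :Usage
IF "%UserName%"=="" GOTO :Usage

REM NET SESSION succeeds only in an elevated prompt, so it makes a cheap
REM elevation check before any change is attempted (avoids "System error 5").
NET SESSION >NUL 2>&1
IF ERRORLEVEL 1 (
    ECHO [ERROR] Not running as Administrator. Re-run from an elevated prompt.
    EXIT /B 5
)

REM NET LOCALGROUP GroupName with no switch lists the members, one per line.
NET LOCALGROUP "%GroupName%" >NUL 2>&1
IF ERRORLEVEL 1 (
    ECHO [ERROR] Local group '%GroupName%' does not exist.
    EXIT /B 1
)

REM FINDSTR /L /X needs a whole-line literal match, so "jdoe" does not match
REM "jdoe2"; /L also stops the backslash in DOMAIN\User acting as a regex escape.
NET LOCALGROUP "%GroupName%" | FINDSTR /I /L /X /C:"%UserName%" >NUL
IF ERRORLEVEL 1 (
    ECHO [INFO] '%UserName%' is not a member of '%GroupName%'. Nothing to do.
    ECHO %DATE% %TIME% by=%USERNAME% NOOP group="%GroupName%" user="%UserName%">>"%LogFile%"
    EXIT /B 0
)

NET LOCALGROUP "%GroupName%" "%UserName%" /DELETE >NUL
IF ERRORLEVEL 1 (
    ECHO [FAILURE] Removal failed; check the user name and the error above.
    ECHO %DATE% %TIME% by=%USERNAME% FAIL group="%GroupName%" user="%UserName%">>"%LogFile%"
    EXIT /B 1
)
ECHO [SUCCESS] '%UserName%' removed from '%GroupName%'.
ECHO %DATE% %TIME% by=%USERNAME% REMOVED group="%GroupName%" user="%UserName%">>"%LogFile%"
EXIT /B 0

:Usage
ECHO Usage: %~n0 "Group Name" "DOMAIN\UserName"
EXIT /B 2
```

Because the membership check runs before /DELETE, the "user is not a member" case exits 0 without suppressing stderr, so genuine failures (bad group, access denied) still surface.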

Practical Example: A "Revoke RDP Access" Script

This script is a common tool for server administrators. It takes a username as an argument and removes that user from the local "Remote Desktop Users" group, revoking their ability to log in via RDP.

RevokeRDP.bat
@ECHO OFF
SETLOCAL
REM This script must be run as an Administrator.

SET "TargetUser=%~1"
IF "%TargetUser%"=="" (
ECHO [ERROR] Please provide a username as an argument.
ECHO Usage: %~n0 "DOMAIN\UserName"
GOTO :End
)

SET "RDP_Group=Remote Desktop Users"

ECHO --- Revoking RDP Access ---
ECHO Removing '%TargetUser%' from the '%RDP_Group%' group...
ECHO.

NET LOCALGROUP "%RDP_Group%" "%TargetUser%" /DELETE

IF %ERRORLEVEL% EQU 0 (
ECHO [SUCCESS] User's Remote Desktop access has been revoked.
) ELSE (
ECHO [FAILURE] The command failed.
ECHO Please check the username and ensure you are running as an Administrator.
)

:End
PAUSE
ENDLOCAL

Conclusion

The NET LOCALGROUP command is the standard, built-in tool for managing local group memberships from a batch script.

For a successful and secure script:

  1. Always run your script as an Administrator.
  2. Use the syntax NET LOCALGROUP "GroupName" "UserName" /DELETE.
  3. For domain users, use the DOMAIN\User format.
  4. For robust cleanup scripts, be prepared to handle the "user is not a member" error, either by checking first or by suppressing the error message with 2>NUL.