Windows determine user group

List of user groups command line

On Windows, the list of local user groups created on a system is available from Control Panel -> User Accounts. The same information can be obtained from the command line using the net command. Syntax is shown below.

Example: Running this command shows the following local groups on my system.

How to list the users in a local group?

Use the below command to know the list of members of a group from command line.

For example, to get the list of all remote desktop users on a system, we can run the below command.

How to find the list of all groups a user is a member of?
You can run the below command to list the groups a user is a member of. This command prints the details of the given user account. You can find the group membership information in the last two lines of this command’s output.

Useful references, however “net use username” should be changed to “net user username”

Thank you Kennedy. Corrected the command.

Please get me a command which will display all local users as: LOGIN, FULL NAME, DESCRIPTION, GROUP etc..

I’d just like to express my frustration with this API. As you can see in these examples, the net API localgroups functionality will happily list all members of a group. However the net user code completely ignores system accounts, as does most of the rest of what Windows makes available. Internally they are organized as a subclass of Win32_Account but not Win32_UserAccount. So it’s possible to retrieve a bunch of useless information from the Windows API. This happens with LookupAccountSid as well. If you give it an SID like S-1-5-20, it will give you an answer. But the answer it gives you can’t be used as input for anything else, which is obnoxious.

You can query if users exist by doing

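SET /P query_user=What user do i look for?
::Take out /domain if you want to look on the local computer
Net User "%query_user%" /domain
::Net User sets a non-zero errorlevel when the account cannot be found
if NOT %errorlevel% == 0 goto s_error_1
goto s_success_1
:s_error_1
echo User "%query_user%" was not found.
goto :eof
:s_success_1
echo User "%query_user%" exists.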

“net user /domain username” lists only the groups to which the username is a direct member. It can’t show nested groups. I was doing a quick check to see if a username was a member of a group:

net user /domain username | find "Group Name"

That fails since the user is not directly a member of “Group Name”. In reality, they are a member, as they’re a member of a nested group.

Any idea of a command line that will expand groups to look for a particular member? I’ve used the “dsquery” and “dsget” commands, but they are only present if the AD tools are installed.

Very useful, thanks. It didn’t work for me the first time.

The command is not case sensitive.

For example “NET USER /DOMAIN MYDOMAIN/MyUser” didn’t work.

But “NET USER /DOMAIN MyUser” works fine!
So not necessary to put explicitly the domain.

By the way, it means also you can’t query another domain than the main one you are logged on to?

Is there any option where we can get the multiple user’s output in excel for local computer and remote computer
net user userName

How To Fix Group Policy: Error Windows could not determine if the user and computer accounts are in the same forest

If you have an issue where the User Policy doesn’t get updated and gives you an error about the user and computer accounts being in the same forest, then you’re in luck. The solution is actually rather simple, although an odd one that you usually wouldn’t run into. The full error message probably looks like this:

PS C:\WINDOWS\system32> gpupdate
Updating policy…

Computer Policy update has completed successfully.
User Policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not determine if the user and computer accounts are in the same forest. Ensure the user domain name matches the name of a trusted domain that resides in the same forest as the computer account.


To fix this error, you just need to start a Windows Service and you’ll probably want to set it to automatic to prevent the issue from coming back in the future.

  • Click on Start
  • Type in Services and select the one with the gear icon
  • Scroll down and look for Netlogon, if the status is not Running, then that’s why you’re getting this issue
  • Double-Click on Netlogon and change the Startup Type to Automatic and click the Start button
  • Once the service is running, click the OK button
  • Now try running gpupdate again
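
The same check and fix from an elevated PowerShell prompt, as an added example that is not part of the original article. The function name Repair-NetlogonService is made up for illustration; the domain-membership check and the event log lookup are additions, included because Netlogon is only needed on domain-joined machines and because it is worth knowing what changed the service before resetting it.

```powershell
# Added example, not from the original article. Run from an elevated prompt.
# Repair-NetlogonService is an illustrative name, not a built-in cmdlet.
function Repair-NetlogonService {
    [CmdletBinding()]
    param()

    # Netlogon maintains the secure channel to a domain controller, so this
    # fix is only meaningful on a domain-joined machine.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        Write-Warning "$($cs.Name) is not joined to a domain; leaving Netlogon untouched."
        return
    }

    $before = Get-CimInstance -ClassName Win32_Service -Filter "Name='Netlogon'"

    # Before changing anything, collect evidence of what altered the service.
    # Service Control Manager logs event 7040 when a service's start type changes.
    $changes = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7040
    } -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Netlogon' } |
        Select-Object -First 5 -Property TimeCreated, UserId, Message

    # Equivalent of "change the Startup Type to Automatic and click Start".
    if ($before.StartMode -ne 'Auto') {
        Set-Service -Name Netlogon -StartupType Automatic
    }
    if ($before.State -ne 'Running') {
        Start-Service -Name Netlogon
    }

    $after = Get-CimInstance -ClassName Win32_Service -Filter "Name='Netlogon'"
    [pscustomobject]@{
        Computer         = $cs.Name
        Domain           = $cs.Domain
        StartModeBefore  = $before.StartMode
        StateBefore      = $before.State
        StartModeAfter   = $after.StartMode
        StateAfter       = $after.State
        StartTypeChanges = @($changes)
    }
}

$result = Repair-NetlogonService
if ($result) {
    $result | Format-List
    # Refresh user policy only, which is the part that failed in the output above.
    gpupdate /target:user
}
```

If StartTypeChanges shows that the start type was changed recently, find out what made the change before relying on the fix, since a policy or tool that disabled the service once will do so again.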

What is a Windows user group, and what does it do?

Security is essential in any digital environment, so to make it easier for users to manage permissions and other user accounts, Windows offers a useful feature called user groups. Although it may seem a bit intimidating at first, this feature is not that hard to understand and use, and it might just save you a lot of time and energy when managing multiple accounts. Let’s get into some more detail and see what user groups are and how you can use them to your advantage on any computer with Windows:

What is a user group in Windows?

To understand what a user group from Windows is, you must first know what a user account is. The (very) short definition is this: a user account is a collection of settings used by Windows to understand your preferences. It’s also used to control the files and folders you access, the tasks you are allowed to perform, the devices and resources you are allowed to use, and so on. User accounts are also the only way of authenticating and receiving the authorization to use your Windows device. This brief definition should be a good start for understanding what user groups are in Windows. However, if you want more information about user accounts, what they are, and what they are useful for, first read about what a user account or a username is in Windows.

List of user accounts in Windows 10


To expand on this knowledge, in Windows operating systems, a user group is a collection of multiple user accounts that share the same access rights to the computer and/or network resources and have common security rights. This is why you will often hear IT professionals refer to user groups as security groups. User groups can be categorized into three different types:

  • Local groups – are the user groups that exist on your Windows computer or device. They are defined locally and can be managed from the Local Users And Groups (lusrmgr.msc) tool. These are the user groups that home users work with and the ones that we’re going to talk about in this article.
  • Security groups – have security descriptors associated with them. Security groups are used in Windows domains with Active Directory.
  • Distribution groups – are useful for distributing emails for users that belong to domains with Active Directory.

List of user accounts shown by lusrmgr.msc

The Security groups and the Distribution groups are user groups that are used in business environments and company networks. For instance, you can encounter security user groups at your workplace, especially if you’re working in a big company that has multiple departments with lots of computers, both mobile and workstations. System administrators utilize groups to limit user access to features of the operating system that they shouldn’t modify, or to set different levels of access for the applications that are available on the company’s network.

Although the correct term for the user groups that we’ll be covering in this article is local user groups, we’ll use the simpler form of user groups to make the information shared below easier to understand.

Why does Windows have user groups?

Let’s say that, for example, you want to give your relatives the option to use your computer when they drop by for the holidays. You may want to create an account for your 7-year-old cousin, so he can play some games, one for your aunt, and one for your uncle. However, you don’t want to give them administrative rights, so that they don’t change essential settings in your operating system or gain access to your sensitive personal information.

To handle the situation in an elegant fashion, you can group all their accounts in a user group and grant them the same security privileges without having to set each account’s rights individually.

User groups are an essential security feature that is aimed primarily at simplifying the management of large numbers of users. Read how to create a new user on Windows 10 and how to add a user to a group for further information.

Windows 10 Local Users and Groups

The strength of user groups resides in the fact that they offer a centralized way of managing multiple user permissions without the need to configure each account separately. When a user group receives access to a particular resource, all the user accounts that are part of that group receive access to the resource in question. Note that although you can and must use a user account to log in to a Windows computer or device, you cannot use a user group to log in.

What types of user groups are found in Windows?

There are many types of user groups that exist, by default, on all Windows computers. Here are the most important and useful default user groups in Windows:

  • Administrators: the users from this group have full control of the Windows computer and everything on it, including other user accounts.
  • Backup Operators: user accounts from this group can back up and restore files on the Windows computer, regardless of those files’ permissions.
  • Guests: users from this group have temporary profiles set when they log on, which are automatically deleted when they log out.
  • Power Users: can do almost everything administrators can, including creating other user accounts or even deleting them. However, they cannot change the settings for the Administrators group. This is also the answer to a question we were asked by some people: which type of user group provides backward compatibility with Windows XP?
  • Users: are the standard user accounts. They are the users who can do all the typical things people do on their computers, like browsing the internet, using the apps installed, accessing the files on the computer, or printing. However, standard users cannot do things like creating other user accounts, they cannot install applications on the computer, and they cannot install a printer on the computer.

Third-party software and services can also create user groups used for various services. The most common example is virtualization software. For example, some VMware products such as VMware Converter create user groups like __vmware__ and ___vmware_conv_sa___, as well as ___VMware_Conv_SA___ accounts, which are used to run virtual machines and standalone server jobs.

__vmware__ user group in Windows 10

There are other types of user groups found by default in Windows operating systems. If you want to know more about all of them, read How to manage local users and groups in Windows 10 using lusrmgr.msc.

Who can manage user groups?

By default, the only users who are allowed to make changes to user groups are the ones who belong to the Administrators or the Power Users groups. In the image below, you can see that the only members of the Administrators group are the users Administrator and Digital Citizen.

Administrators group in Windows 10

If you try to make changes to a user group while logged in with a user account that’s not part of the Administrators or Power Users group, you will get the following error: “Access is denied.”

Standard users aren’t allowed to make user group changes

How to see the Windows user groups that exist on your computer

You can manage existing users and user groups only from an administrator account. In other words, if you want to view and modify user groups, you must log in with a user account that is part of the Administrators user group.

Once logged in with the right account, open the Computer Management tool, and use the Local Users and Groups snap-in to see the list of Groups. However, take notice of the fact that this snap-in is available only in some Windows editions: Windows 7 Professional, Ultimate and Enterprise, Windows 8.1 Pro and Enterprise, and Windows 10 Pro and Enterprise.

List of user groups in Windows 10

You can also get a list of all the local groups on your computer by running the net localgroup command in PowerShell or Command Prompt.

The net localgroup command shows all the defined local user groups
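
To go one step further than listing group names, the following added example (not code from the original article) reports who is actually a member of the more powerful default groups described earlier, together with the login, full name and description of each local account. The function name Get-SensitiveLocalGroupMember is made up for illustration; it assumes Windows PowerShell 5.1 or later, where the Get-LocalGroup, Get-LocalGroupMember and Get-LocalUser cmdlets are available, and an administrator prompt.

```powershell
# Added example, not from the original article.
# Get-SensitiveLocalGroupMember is an illustrative name, not a built-in cmdlet.
function Get-SensitiveLocalGroupMember {
    [CmdletBinding()]
    param()

    # Well-known SIDs are used instead of names because group names are
    # localized (for example "Administratoren" on a German system).
    $groupSids = @(
        'S-1-5-32-544'   # Administrators
        'S-1-5-32-547'   # Power Users
        'S-1-5-32-551'   # Backup Operators
        'S-1-5-32-555'   # Remote Desktop Users
    )

    foreach ($sid in $groupSids) {
        # Some groups (Power Users, for instance) may not exist on every system.
        $group = Get-LocalGroup -SID $sid -ErrorAction SilentlyContinue
        if (-not $group) { continue }

        try {
            $members = @(Get-LocalGroupMember -SID $sid -ErrorAction Stop)
        }
        catch {
            # Get-LocalGroupMember can throw when a group contains a member it
            # cannot resolve (an orphaned SID). Report it rather than skip it.
            Write-Warning "Could not enumerate '$($group.Name)': $($_.Exception.Message)"
            continue
        }

        foreach ($member in $members) {
            # Only local user accounts resolve here; domain principals and
            # nested groups return nothing and keep empty detail columns.
            $user = Get-LocalUser -SID $member.SID -ErrorAction SilentlyContinue

            [pscustomobject]@{
                Group       = $group.Name
                Member      = $member.Name
                ObjectClass = $member.ObjectClass
                Source      = $member.PrincipalSource
                SID         = $member.SID.Value
                FullName    = if ($user) { $user.FullName } else { $null }
                Description = if ($user) { $user.Description } else { $null }
                Enabled     = if ($user) { $user.Enabled } else { $null }
                LastLogon   = if ($user) { $user.LastLogon } else { $null }
            }
        }
    }
}

Get-SensitiveLocalGroupMember |
    Sort-Object Group, Member |
    Format-Table Group, Member, Source, Enabled, LastLogon -AutoSize
```

Members whose ObjectClass is a group are nested groups: everyone inside them holds the same rights, so they need to be expanded separately when reviewing who has administrative access.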

How to see which Windows user groups your user account belongs to

The easiest way to learn which user groups your user account belongs to is through the use of the whoami /groups command. Open Command Prompt or PowerShell, type whoami /groups, and press Enter.

The whoami /groups command shows the list of groups a user belongs to

This tool shows the list of the groups your user account is registered to. To determine what user groups a user account is part of, you must run whoami /groups while logged in with that specific user account.
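
Because whoami /groups reads the access token of the current logon session, it also includes memberships obtained through nested groups, and it reflects the state at logon rather than later changes. The added example below (not code from the original article) parses that output and reports which sensitive groups are in the token, whether the Administrators membership is actually enabled, and the integrity level. The function name Get-TokenGroupReport is made up for illustration.

```powershell
# Added example, not from the original article.
# Get-TokenGroupReport is an illustrative name, not a built-in cmdlet.
function Get-TokenGroupReport {
    [CmdletBinding()]
    param()

    # Well-known SIDs, matched by value because group names are localized.
    $sensitive = @{
        'S-1-5-32-544' = 'Administrators'
        'S-1-5-32-547' = 'Power Users'
        'S-1-5-32-551' = 'Backup Operators'
        'S-1-5-32-555' = 'Remote Desktop Users'
    }
    # Mandatory label SIDs that whoami lists alongside the real groups.
    $integrity = @{
        'S-1-16-4096'  = 'Low'
        'S-1-16-8192'  = 'Medium'
        'S-1-16-12288' = 'High'
        'S-1-16-16384' = 'System'
    }

    # /fo csv gives parseable output; /nh drops the (localized) header row so
    # the column names can be supplied here.
    $rows = @(whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header 'Name', 'Type', 'SID', 'Attributes')

    # With UAC, an administrator's normal token still lists Administrators,
    # but only as a deny-only entry. IsInRole returns $true only when the
    # membership is enabled, that is, when the session is elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminOn   = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    $label = $rows | Where-Object { $integrity.ContainsKey($_.SID) } |
        Select-Object -First 1

    $found = @($rows | Where-Object { $sensitive.ContainsKey($_.SID) } |
        ForEach-Object {
            [pscustomobject]@{
                WellKnownName = $sensitive[$_.SID]
                LocalName     = $_.Name
                SID           = $_.SID
                Attributes    = $_.Attributes
            }
        })

    [pscustomobject]@{
        User                 = $identity.Name
        GroupsInToken        = $rows.Count
        IntegrityLevel       = if ($label) { $integrity[$label.SID] } else { 'Unknown' }
        AdministratorEnabled = $adminOn
        SensitiveGroups      = $found
    }
}

$report = Get-TokenGroupReport
$report | Format-List User, GroupsInToken, IntegrityLevel, AdministratorEnabled
$report.SensitiveGroups | Format-Table -AutoSize
```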


Do you have any other questions about Windows user groups?

User groups are a powerful feature that can be very useful when you have computers used by two or more people. It saves you a lot of time and effort when managing multiple user accounts and provides a centralized way of doing it. Have you worked with user groups in Windows? How useful did you find them? We would like to hear more in the comments section below.

User Management in Windows NT

Windows NT is an operating system that manages sessions: this means that when the system starts, it is necessary to log in with a username and password. When Windows NT is installed, the administrator account is created by default, as well as an account labeled guest. It is possible (and recommended) to modify user permissions (which actions they have a right to perform) as well as to add users with the user manager.

Managing Users

The user manager is the standard utility provided with Windows NT that, as its name suggests, manages users. It is available in the Start menu (Programs/Administration tools).

To create a new account, click on New User in the users menu. This brings up a dialog box for entering information on the new user:

  • User: Login name for the user.
  • Full name: Optional information on the user.
  • Description: Optional field.
  • Password: these fields are optional, but it is still recommended to fill them in and, for security reasons, to check the box labeled «user must change password».

User Naming Conventions

User naming conventions are how an administrator decides to identify users. The following should be kept in mind:

  • Usernames must be unique (within a domain, or on a local computer).
  • User names may contain any uppercase or lowercase character except for the following: / \ [ ] : . | = , + * ?
  • Avoid creating similar usernames.

User Accounts and Security

There are two kinds of accounts in NT: built-in accounts and accounts that you create. After installation, Windows NT is set up with built-in accounts (the default accounts administrator and guest). This provides only minimal security.

The different accounts are:

  • Accounts you create: user accounts for logging into a network and accessing network resources. These accounts contain information on the user, in particular their name and password.
  • Guest: This lets occasional users login and access the local computer. By default, it is deactivated.
  • Administrator: Used for managing global configuration of computers and domains. This account can carry out any task.

To benefit from the Administrator account’s permissions, you have to:

  • Deactivate the guest account.
  • Change the name of the administrator account in order to reduce the risk of intrusion through that account.

Location of User Accounts

Domain user accounts are created in the User Manager. When an account is created, it is automatically recorded in the SAM of the Primary Domain Controller (PDC), which then synchronizes it with the rest of the domain. This may take several minutes. As soon as an account is created in the SAM of the PDC, the user can log onto a domain from any domain workstation.

Local user accounts are created on a member server or a Windows NT Workstation computer, with the User Manager. The account is only created in the SAM of the local computer. For this reason, the user can login only to that particular computer.

Planning New User Accounts

The account creation process can be simplified by planning and organizing information on people who need a user account.

The home folder is the private folder in which a user can store their files. It is used as the default folder for commands like Save. It may be stored on the local user computer or on a network server.

The following points should be taken into account for creating them:

  • Storing home folders on a server: this way, it is much easier to ensure the backing up and restoration of data belonging to different users. Otherwise, data should be backed up regularly on the various network computers where the home folders are stored.
  • Disk space on domain controllers: Windows NT does not have utilities for managing disk space (Windows 2000 does). Because of this, if you’re not careful to keep home folders from becoming filled with large files, they may quickly use up the server’s storage space.
  • A computer without a hard drive: the user’s home folder must be on the network server.
  • Home folders located on local computers: this way network performance will increase, as there will be less traffic over the network and the server isn’t constantly handling requests.

Defining Workstation and Account Options

The workstations from which a user logs in to the network can also be configured. You can either allow them to login from any workstation, or specify one or more workstations. Using a unique station for a user is one option for a high-security network. Indeed, a user who logs in to a workstation that is not their own will login locally and will therefore have access to all of the machine’s local resources. What’s more, specifying one or more workstations from which the user can log in allows the Network Administrator to monitor the user.

Also, it is possible to set an expiration date for a user account. This option may be useful for giving an account to a temporary employee. The account’s expiration date would be set to whenever their contract runs out.

Dial-up Permissions

If the RAS (Remote Access Service) is installed, dial-up permissions can be configured. This service lets a user with the appropriate permissions remotely access network resources by dialing over a telephone line (or X.25). It helps users who need to access the network from home or elsewhere. There are several configurable call permissions:

  • No Call Back: The user pays for communications fees. The server will not call the user back.
  • Set By Caller: This option lets a user be called back by the server at a number they specify. In this case, the business handles the communication fees.
  • Preset to: Allows callback control by the administrator. They decide which number a given user must call the server from. This option can be used not only to reduce costs, but also to increase security, because the user must be located at a specific phone number.

Removing and Changing User Account Names

When an account is no longer needed, it may be deleted or renamed so that another user can use it. Note that deleting an account also deletes the SID (Security Identifier).

Managing the User Work Environment

When a user logs in for the first time from a Windows NT client, a default user profile is created for that user. This profile sets elements such as their work environment and network and printer connections. This profile can be personalized in order to restrict certain desktop elements or tools shown on the station.

These profiles contain user-definable settings for a work environment on a computer running Windows NT. These settings are automatically saved in the Profiles folder (C:\Winnt\Profiles).

For users who are logging in from clients not running Windows NT, a logon script may be used to configure the user’s network and printer connections or to set the work environment or hardware settings. It is actually a command file (.bat or .cmd) or an executable file that automatically runs when the user logs in to the network.


It is also possible to use roaming user profiles, meaning a profile which gives a user the same work environment no matter which workstation they use to connect to the network. These profiles are recorded on the server.

There are two options for roaming profiles:

  • Mandatory roaming profile: Can be applied to one or several users and cannot be modified by these users. Only the administrator decides what features are given to the users (tools, configuration etc.) Even if the user changes the configuration, these modifications will not be saved after the user disconnects.
  • Personal roaming profile: Can only be applied to a single user and can also be modified by that user. Each time the user disconnects, changes to settings are saved.

Once the user account is created and the user logged in for the first time, a user profile is automatically created in the Profiles folder.

The user or administrator can edit any settings that are needed to make sure that changes remain after logging out.

The administrator must then create a folder, such as \\servernt\Profiles\user_name.
In the Control Panel, double-click on the System icon, then click on the User Profiles tab. Click on the desired profile, and press the Copy to button.

In the corresponding field, enter the UNC path that leads to the folder. Under Permitted to use, click on Change. Choose user.
Note: In the folder where the various profiles are stored, rename the ntuser.dat user file to ntuser.man to make that profile mandatory.

In Domain User Manager double-click on the account for the user in question and click Profiles. In the User Profile Path area, type the UNC path which leads to the network profile folder.

Defining a User Environment

The User Environment Profile dialog box can be used to enter user profile paths, a logon script, and the home directory.

Several options can be configured, in particular for indicating which paths lead to which elements:

  • User Profile Path: Indicates the path to the user profile folder. For personal user profiles, type \\computer_name\share\%username%. For a mandatory profile, replace %username% with profile_name.
  • Login Script Name: It is possible to use a path leading to the user’s local computer, or a UNC path leading to a shared folder on a network server.
  • Home Directory: To specify a network path, select Connect and the drive letter. Then enter the UNC path. Before specifying a network location, a folder must be created on the server and must be shared over the network. Note: Use the variable %username% whenever a home folder or personal user profile is created. It will automatically be replaced by the user account name.

Group management

Windows NT also allows users to be managed by group, meaning it can define sets of users with the same type of permissions by sorting them into categories.

A group is a collection of user accounts. A user added to a group is granted all permissions and rights of that group. User groups make administration simpler, as they allow permissions to be granted to several users at once.

There are two different types of groups:

  • Local groups: Give users permission to access a network resource. They also serve to give users rights to perform system tasks (like changing the time, backing up and recovering files, etc.).
  • Global groups: Are used to organize domain user accounts. They are also used in multiple-domain networks, when users from one domain need to be able to access resources from another domain.

When Windows NT is started for the first time, six groups are created by default:

  • Administrators.
  • Backup Operators.
  • Replicators.
  • Power Users.
  • Users.
  • Guests.

These default groups can be deleted, and personalized user groups may be added, with special permissions depending on which operations they are to perform on the system. To add a group, click on New Local Group in the user menu.

Next, add users to groups by clicking on a user and then on Add. This brings up the following dialog box:

This allows you to simply select which groups a user should be part of.

Implementing Built-in Groups

Built-in groups are groups that have predetermined user rights. User rights determine which system tasks a user or member of a built-in group can run.

These are the three types of built-in groups in Windows NT:

  • Built-in local groups: Give users rights that allow them to run system tasks like backing up and restoring data, changing the time, and administrating system resources.
  • Built-in global groups: Provide administrators a simple way to control all of the domain’s users.
  • System groups: automatically organize users by system use. Administrators do not add users to them. Users can be members of them by default, or become members through their network activity.

These are the built-in local groups:

  • Users: Can run tasks for which they have access rights, and can access resources for which they have obtained permission.
  • Administrators: Can run all administrative tasks on the local computer.
  • Guests: Can run any task for which they have access rights, and can access resources for which they have obtained permission. Its members cannot permanently modify their local environment.
  • Backup Operators: Can use the Windows NT backup program to back up and restore computers running Windows NT.
  • Replicators: Used by the Directory Replicator service. This group is not used for administration.

The following groups are only defined on domain controllers:

  • Account Operators: Can create, delete, and modify users, local groups, and global groups. They cannot modify Administrators and Server Operators.
  • Server Operators: Can share disk resources, back-up and restore data on servers.
  • Print Operators: Can configure and manage network printers.

When Windows NT Server is installed as a Domain Controller, three global groups are created in the SAM. By default, these groups have no inherent rights. They acquire rights when they are added to local groups or when user rights or permissions are granted to them.

  • Domain Users is automatically added to the local Users group. By default, an Administrator account is a member of this group.
  • Domain Administrator is automatically added to the local Users group. These members can run administrative tasks on the local computer. By default, an Administrator account is a member of this group.
  • Domain Guests is automatically added to the local Users group. By default, a Guest account is a member of this group.

Finally, built-in system groups reside on all computers running Windows NT. Users become members of them by default as the network operates. Member status may not be modified.

  • Everyone: includes all local and remote users with access to the computer. It also contains all accounts other than those created by the Domain Administrator.
  • Creator/Owner: includes the user who created or has taken ownership of a resource. This group can be used to manage file and folder access only on NTFS volumes.
  • Network: includes any user who is connected to a shared resource on your computer from another computer on the network.
  • Interactive: automatically includes any user connected to the computer locally. Interactive members can access resources on the computer to which they are connected.