net localgroup — Local Group Manager

Create, delete, and modify local security groups on a Windows machine — add or remove members, list group memberships, and manage built-in groups from the command prompt.

What it is#

net localgroup is a built-in Windows command for managing local security groups in the SAM database of the current machine. Use it to list all local groups, inspect group membership, add or remove local users and domain accounts from groups, and create or delete custom groups. Common built-in groups include Administrators, Users, Remote Desktop Users, and Backup Operators. For domain groups, use net group /DOMAIN or the Active Directory PowerShell module (Get-ADGroup, Add-ADGroupMember). Listing needs no special rights; every write operation requires an elevated (Administrator) command prompt.

Availability#

net localgroup ships as part of C:\Windows\System32\net.exe on all Windows versions.

net localgroup /?

Output:

The syntax of this command is:

NET LOCALGROUP
[groupname [/COMMENT:"text"]] [/DOMAIN]
groupname {/ADD [/COMMENT:"text"] | /DELETE} [/DOMAIN]
groupname name [...] {/ADD | /DELETE} [/DOMAIN]

Syntax#

net localgroup [groupname] [/COMMENT:"text"] [/DOMAIN]
net localgroup groupname /ADD [/COMMENT:"text"]
net localgroup groupname /DELETE
net localgroup groupname member [...] /ADD
net localgroup groupname member [...] /DELETE

Output: (group list or operation result)

Essential options#

| Switch | Meaning |
| --- | --- |
| (no args) | List all local groups |
| groupname | Show members of the group |
| groupname /ADD | Create a new local group |
| groupname /DELETE | Delete the group |
| groupname member /ADD | Add a user or domain account to the group |
| groupname member /DELETE | Remove a member from the group |
| /COMMENT:"text" | Set a description on the group |
| /DOMAIN | Operate against the primary domain controller of the current domain instead of the local SAM |

Listing local groups#

Running net localgroup with no arguments shows every local group. Running it with a group name lists the group’s members and description.

net localgroup

Output:

Aliases for \\MYHOST

-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Administrators
*Backup Operators
*Cryptographic Operators
*Device Owners
*Distributed COM Users
*Event Log Readers
*Guests
*Hyper-V Administrators
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Remote Desktop Users
*Remote Management Users
*Replicator
*System Managed Accounts Group
*Users
The command completed successfully.

Viewing group membership#

net localgroup Administrators

Output:

Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
alicedev
The command completed successfully.

Creating a group#

/ADD creates a new local security group. The group name is case-insensitive and limited to 256 characters. Add an optional /COMMENT to describe its purpose.

net localgroup DevTeam /ADD /COMMENT:"Development team members"

Output:

The command completed successfully.

Adding members to a group#

List one or more usernames (or DOMAIN\user for domain accounts) followed by /ADD to add them all in one command. Both local accounts and domain accounts can be added to local groups.

net localgroup DevTeam alicedev /ADD

Output:

The command completed successfully.

rem Add a domain account to a local group
net localgroup "Remote Desktop Users" CORP\bobdev /ADD

Output:

The command completed successfully.

rem Add multiple users at once
net localgroup DevTeam alicedev bobdev caroldev /ADD

Output:

The command completed successfully.

Removing members from a group#

/DELETE after a list of members removes them from the group without deleting the user accounts.

net localgroup DevTeam bobdev /DELETE

Output:

The command completed successfully.

Deleting a group#

/DELETE after the group name removes the entire group. Built-in groups (Administrators, Users, etc.) cannot be deleted.

net localgroup DevTeam /DELETE

Output:

The command completed successfully.

Managing built-in administrative groups#

The most common use of net localgroup in deployment scripts is adding accounts to the Administrators or Remote Desktop Users groups.

rem Promote a local user to administrator
net localgroup Administrators alicedev /ADD

Output:

The command completed successfully.

rem Grant RDP access to a domain account
net localgroup "Remote Desktop Users" CORP\alicedev /ADD

Output:

The command completed successfully.

Common pitfalls#

  1. Group names with spaces need double quotes: net localgroup "Remote Desktop Users" ..., not net localgroup Remote Desktop Users ....
  2. /DELETE on a group does not remove its members' accounts: only the group entry is removed; the user accounts are unaffected.
  3. Built-in groups cannot be deleted: net localgroup Administrators /DELETE fails with a system error and a non-zero exit code, because the BUILTIN aliases are protected by SAM.
  4. Domain accounts use DOMAIN\user format: net localgroup Administrators CORP\alicedev /ADD; plain alicedev without the domain prefix refers to the local SAM account of that name.
  5. Adding a user who is already a member returns an error: net.exe prints "System error 1378 has occurred. The specified account name is already a member of the group." Catch exit code 1378 in scripts to distinguish "already a member" from real failures.

Real-world recipes#

Add a service account to Administrators during deployment#

@echo off
net localgroup Administrators svcdeployer /ADD >NUL 2>&1
if %ERRORLEVEL% EQU 0 (
    echo svcdeployer added to Administrators.
) else if %ERRORLEVEL% EQU 1378 (
    echo svcdeployer is already a member.
) else (
    echo ERROR: %ERRORLEVEL%
)

Output:

svcdeployer added to Administrators.

Audit all local group memberships#

@echo off
setlocal EnableDelayedExpansion
rem Inside a .bat file the for variable is %%G (not %G). findstr keeps only the
rem lines that start with an asterisk, which is how net.exe marks group names.
for /f "tokens=*" %%G in ('net localgroup ^| findstr /R "^\*"') do (
    set "GROUP=%%G"
    rem Drop the leading asterisk (substring from offset 1)
    set "GROUP=!GROUP:~1!"
    echo === !GROUP! ===
    net localgroup "!GROUP!" 2>NUL
)
endlocal

Output:

=== Administrators ===
Alias name     Administrators
Members
Administrator
alicedev
...

Grant RDP access to a list of domain users#

@echo off
rem One username per line in the input file; %%U (not %U) inside a .bat file.
rem The echo runs only when net.exe succeeded (exit code 0).
for /f "usebackq delims=" %%U in ("C:\Scripts\rdp_users.txt") do (
    net localgroup "Remote Desktop Users" CORP\%%U /ADD && echo Added RDP access for CORP\%%U
)

Output:

The command completed successfully.
Added RDP access for CORP\alicedev
The command completed successfully.
Added RDP access for CORP\bobdev

Built-in local groups reference#

Every Windows install ships with a set of built-in local groups. They are identified by well-known aliases (specific RIDs in the BUILTIN domain SID S-1-5-32) and cannot be deleted. Knowing what each one grants is essential to securing a machine — and to passing a CIS or STIG audit.

| Group | SID | Default rights |
| --- | --- | --- |
| Administrators | S-1-5-32-544 | Full control of the machine; holds SeTakeOwnership, SeBackup, SeRestore and SeDebug, so a DACL can only slow an administrator down, never stop one |
| Users | S-1-5-32-545 | Standard user: run programs and change own settings; cannot install drivers or most software |
| Guests | S-1-5-32-546 | Most restricted; the Guest account gets a temporary profile that is discarded at logoff |
| Power Users | S-1-5-32-547 | Legacy; kept for backward compatibility, no rights beyond Users since Windows Vista |
| Backup Operators | S-1-5-32-551 | Read any file (bypassing the DACL) for backup, and write any file on restore |
| Replicator | S-1-5-32-552 | File Replication service account; no interactive use |
| Remote Desktop Users | S-1-5-32-555 | Permitted to log on via RDP |
| Network Configuration Operators | S-1-5-32-556 | Manage TCP/IP settings, renew DHCP leases, flush the DNS cache |
| Performance Monitor Users | S-1-5-32-558 | Read performance counters locally and remotely |
| Performance Log Users | S-1-5-32-559 | Manage data collector sets and enable trace providers |
| Distributed COM Users | S-1-5-32-562 | Launch, activate and use DCOM objects |
| IIS_IUSRS | S-1-5-32-568 | IIS worker process identities |
| Cryptographic Operators | S-1-5-32-569 | Cryptographic operations, e.g. configuring IPsec policy, when FIPS mode is on |
| Event Log Readers | S-1-5-32-573 | Read event logs, including Security, locally and over the network |
| Hyper-V Administrators | S-1-5-32-578 | Full Hyper-V management |
| Remote Management Users | S-1-5-32-580 | Access WMI resources over WinRM and, on Server 2012/Windows 8 and later, the default PowerShell remoting endpoint |

Reach for the least-privileged group that covers a need. Administrators grants everything; Backup Operators is enough if the goal is “back up files this user can’t normally read”; Remote Management Users is sufficient for WinRM access without local admin rights.
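
The least-privilege advice only holds if someone regularly checks who is actually in the privileged aliases. The following PowerShell is an added example, not code from the original page: it compares the membership of a few sensitive local groups against an allowlist expressed as SID patterns, so the check does not depend on the display language or on account names. The two S-1-5-21-... domain SIDs in the baseline are constructed placeholders for hypothetical groups CORP\Workstation Admins and CORP\WinRM Operators; substitute your own.

```powershell
# Added example (not from the original page): report members of sensitive local groups
# that are not on an allowlist. Keys are group SIDs, values are regexes matched against
# member SIDs. The S-1-5-21-... SIDs are constructed placeholders.
$Baseline = @{
    # Administrators: the RID-500 account plus CORP\Workstation Admins (hypothetical SID)
    'S-1-5-32-544' = @('-500$', '^S-1-5-21-1234567890-987654321-111111111-1105$')
    # Backup Operators and Hyper-V Administrators: nobody at all
    'S-1-5-32-551' = @()
    'S-1-5-32-578' = @()
    # Remote Management Users: CORP\WinRM Operators (hypothetical SID)
    'S-1-5-32-580' = @('^S-1-5-21-1234567890-987654321-111111111-1110$')
}

function Get-SensitiveGroupDrift {
    param([Parameter(Mandatory)][hashtable]$Baseline)
    foreach ($groupSid in $Baseline.Keys) {
        $group = Get-LocalGroup -SID $groupSid -ErrorAction SilentlyContinue
        if (-not $group) { continue }   # group absent on this SKU (e.g. no Hyper-V role)
        try {
            $members = @(Get-LocalGroupMember -Group $group -ErrorAction Stop)
        } catch {
            # On some builds the cmdlet fails for a whole group that holds an unresolvable
            # SID; report that instead of silently treating the group as clean.
            [pscustomobject]@{ Group = $group.Name; Member = '(enumeration failed)'; Sid = ''; Status = 'ERROR' }
            continue
        }
        foreach ($m in $members) {
            $ok = $false
            foreach ($pattern in $Baseline[$groupSid]) {
                if ($m.SID.Value -match $pattern) { $ok = $true; break }
            }
            $status = if ($ok) { 'expected' } else { 'UNEXPECTED' }
            [pscustomobject]@{ Group = $group.Name; Member = $m.Name; Sid = $m.SID.Value; Status = $status }
        }
    }
}

# Show only drift and enumeration failures
Get-SensitiveGroupDrift -Baseline $Baseline | Where-Object Status -ne 'expected' | Format-Table -AutoSize
```

Run it elevated on each host, or inside Invoke-Command as in the fleet recipes further down. A row marked UNEXPECTED is either drift to revert or a baseline entry to add; an ERROR row means the group could not be enumerated and needs a manual look.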

Backup Operators — the bypass group#

Members of Backup Operators can read any file (regardless of DACL) and write any file when restoring — they hold SeBackupPrivilege and SeRestorePrivilege. This is a high-risk membership: practically equivalent to admin for any file-based attacker.

net localgroup "Backup Operators" backupsvc /ADD

Output:

The command completed successfully.

Event Log Readers — SIEM/forwarder accounts#

For Windows Event Forwarding (WEF) collectors and SIEM agents, add the service account to Event Log Readers instead of Administrators:

net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /ADD

Output:

The command completed successfully.

Remote Management Users — WinRM without admin#

To allow non-admin PowerShell remoting, add the account to Remote Management Users. On Windows Server 2012 / Windows 8 and later the default Microsoft.PowerShell session configuration already grants this group access alongside Administrators, so membership alone is usually enough. If the endpoint's ACL has been customised, or for a custom endpoint, grant the group in the session configuration with Set-PSSessionConfiguration -ShowSecurityDescriptorUI (interactive) or -SecurityDescriptorSddl (scripted). Members get an ordinary, non-elevated session and can only do what their own rights allow.

net localgroup "Remote Management Users" alicedev /ADD

Output:

The command completed successfully.
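
Membership in Remote Management Users only helps if the endpoint's ACL grants the group. The PowerShell below is an added example, not part of the original page: it inspects the SDDL of the default Microsoft.PowerShell session configuration for an allow ACE for S-1-5-32-580 and, if the ACE is missing, appends one without touching the other ACEs. It assumes an elevated Windows PowerShell 5.1 session on the target host; Microsoft.PowerShell is the real name of the default endpoint.

```powershell
# Added example (not from the original page): verify, and if necessary grant, access for
# BUILTIN\Remote Management Users on a PowerShell remoting endpoint. Requires elevation.
function Test-EndpointGrantsRemoteManagementUsers {
    param([string]$Name = 'Microsoft.PowerShell')
    $rmUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-580'
    $sddl = (Get-PSSessionConfiguration -Name $Name -ErrorAction Stop).SecurityDescriptorSddl
    if (-not $sddl) { return $false }   # no explicit ACL stored for this endpoint
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed' -and $ace.SecurityIdentifier -eq $rmUsers) { return $true }
    }
    return $false
}

if (-not (Test-EndpointGrantsRemoteManagementUsers)) {
    # Append an allow ACE for the group and write the modified SDDL back, keeping existing ACEs.
    $cfg = Get-PSSessionConfiguration -Name 'Microsoft.PowerShell'
    $sd  = [System.Security.AccessControl.RawSecurityDescriptor]::new($cfg.SecurityDescriptorSddl)
    $ace = [System.Security.AccessControl.CommonAce]::new(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        0x10000000,                                                   # GENERIC_ALL, as in the default ACEs
        [System.Security.Principal.SecurityIdentifier]'S-1-5-32-580',
        $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    Set-PSSessionConfiguration -Name 'Microsoft.PowerShell' `
        -SecurityDescriptorSddl $sd.GetSddlForm('All') -Force
}

Test-EndpointGrantsRemoteManagementUsers
```

Set-PSSessionConfiguration restarts the WinRM service unless -NoServiceRestart is given, which drops existing remote sessions, so run this from a local console or a scheduled task rather than over WinRM. Afterwards, verify as a non-admin member of the group with Invoke-Command -ComputerName <host> -ScriptBlock { whoami }.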

PowerShell equivalents — the LocalAccounts module#

The Microsoft.PowerShell.LocalAccounts module (built into Windows PowerShell 5.1 on Windows 10/Server 2016 and later) provides cmdlets that supersede net localgroup for scripted workflows. They emit objects rather than text, accept pipeline input, and use the same property names regardless of the Windows display language, whereas net.exe output is localized and has to be parsed.

Get-LocalGroup — list and inspect groups#

Get-LocalGroup

Output:

Name                                Description
----                                -----------
Administrators                      Administrators have complete and unrestricted access to the computer/domain
Backup Operators                    Backup Operators can override security restrictions for the sole purpose of backing up or restoring files
Cryptographic Operators             Members are authorized to perform cryptographic operations.
Device Owners                       Members of this group can change system-wide settings.
Event Log Readers                   Members of this group can read event logs from local machine
Guests                              Guests have the same access as members of the Users group by default, except for the Guest account...
Hyper-V Administrators              Members of this group have complete and unrestricted access to all features of Hyper-V.
IIS_IUSRS                           Built-in group used by Internet Information Services.
Network Configuration Operators     Members in this group can have some administrative privileges to manage configuration of networking features
Performance Log Users               Members of this group may schedule logging of performance counters, enable trace providers...
Performance Monitor Users           Members of this group can access performance counter data locally and remotely
Power Users                         Power Users are included for backwards compatibility and possess limited administrative powers
Remote Desktop Users                Members in this group are granted the right to logon remotely
Remote Management Users             Members of this group can access WMI resources over management protocols (such as WS-Management via the WinRM service)
Replicator                          Supports file replication in a domain
System Managed Accounts Group       Members of this group are managed by the system.
Users                               Users are prevented from making accidental or intentional system-wide changes...

Get-LocalGroup -Name Administrators | Format-List *

Output:

Description     : Administrators have complete and unrestricted access to the computer/domain
Name            : Administrators
SID             : S-1-5-32-544
PrincipalSource : Local
ObjectClass     : Group

Get-LocalGroupMember — list members#

Get-LocalGroupMember -Group Administrators

Output:

ObjectClass Name                              PrincipalSource
----------- ----                              ---------------
User        MYHOST\Administrator              Local
User        MYHOST\alicedev                   Local
Group       CORP\Domain Admins                ActiveDirectory

The PrincipalSource column distinguishes local SAM accounts from AD principals — useful in audits.

New-LocalGroup — create a group#

New-LocalGroup -Name DevTeam -Description "Development team members"

Output:

Name     Description
----     -----------
DevTeam  Development team members

Add-LocalGroupMember — add members#

# Add a local user
Add-LocalGroupMember -Group DevTeam -Member alicedev

# Add a domain user
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "CORP\bobdev"

# Add multiple at once
Add-LocalGroupMember -Group DevTeam -Member 'alicedev','bobdev','caroldev'

# Add an entire AD group as a member of a local group (common pattern)
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "CORP\Domain Developers"

Output: (silent on success)

Remove-LocalGroupMember#

Remove-LocalGroupMember -Group DevTeam -Member bobdev

Output: (silent on success)

Set-LocalGroup and Remove-LocalGroup#

Set-LocalGroup -Name DevTeam -Description "Updated description"
Remove-LocalGroup -Name DevTeam

Output: (silent on success)

Comparison with Active Directory cmdlets#

For domain groups, use the ActiveDirectory PowerShell module (RSAT-AD-PowerShell). The cmdlets are richer — they handle nested groups, attributes, scopes (global/universal/domain local), and bulk operations on thousands of objects.

| Task | Local (LocalAccounts / net localgroup) | Active Directory |
| --- | --- | --- |
| List | Get-LocalGroup | Get-ADGroup -Filter * |
| Inspect | Get-LocalGroup name | Get-ADGroup name -Properties * |
| Create | New-LocalGroup | New-ADGroup -Name X -GroupScope Global |
| Modify | Set-LocalGroup | Set-ADGroup |
| Delete | Remove-LocalGroup | Remove-ADGroup |
| List members | Get-LocalGroupMember | Get-ADGroupMember |
| Add member | Add-LocalGroupMember | Add-ADGroupMember |
| Remove member | Remove-LocalGroupMember | Remove-ADGroupMember |
| Nested membership | not allowed (local group in local group) | Get-ADGroupMember -Recursive |
| Find user's groups | (no direct cmdlet) | Get-ADPrincipalGroupMembership |
| Group scope/type | (N/A) | GroupScope: DomainLocal / Global / Universal |

Get-ADGroup — inspect a domain group#

Get-ADGroup -Identity "Domain Admins" -Properties Members, MemberOf, ManagedBy, Description

Output:

Description       : Designated administrators of the domain
DistinguishedName : CN=Domain Admins,CN=Users,DC=contoso,DC=local
GroupCategory     : Security
GroupScope        : Global
ManagedBy         :
Members           : {CN=Administrator,CN=Users,DC=contoso,DC=local,
                    CN=Alice Dev,OU=Users,OU=NewYork,DC=contoso,DC=local}
MemberOf          : {CN=Administrators,CN=Builtin,DC=contoso,DC=local,
                    CN=Denied RODC Password Replication Group,CN=Users,DC=contoso,DC=local}
Name              : Domain Admins
SamAccountName    : Domain Admins
SID               : S-1-5-21-1234567890-987654321-111111111-512

Get-ADGroupMember — list members (with recursion)#

# Direct members only
Get-ADGroupMember -Identity "Developers" | Select Name, ObjectClass

Output:

Name              ObjectClass
----              -----------
Alice Dev         user
Bob Dev           user
Carol Dev         user
Senior Developers group

# Recursive: flatten nested groups (Dan Dev comes in via Senior Developers)
Get-ADGroupMember -Identity "Developers" -Recursive | Select Name, ObjectClass

Output:

Name              ObjectClass
----              -----------
Alice Dev         user
Bob Dev           user
Carol Dev         user
Dan Dev           user

Find every group a user belongs to#

# Direct local groups for a local user (pass the group object by name to avoid
# ambiguous positional binding; skip groups the cmdlet cannot enumerate)
Get-LocalGroup | Where-Object {
    (Get-LocalGroupMember -Group $_ -ErrorAction SilentlyContinue).Name -contains "$env:COMPUTERNAME\alicedev"
}

# Domain — every group, including nested
Get-ADPrincipalGroupMembership -Identity alicedev | Select Name

Output:

Name
----
Developers
Senior Developers
Domain Users
NewYork Users

Add an AD group to a local group (the canonical pattern)#

The cleanest pattern for enterprise environments: never put individual users in local groups; create or use an AD group and nest it inside the local group. Membership changes are then made centrally in AD.

Add-LocalGroupMember -Group "Administrators" -Member "CORP\Workstation Admins"
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "CORP\RDP Users"

Output: (silent on success)

A Get-LocalGroupMember Administrators now shows the domain group as a single entry; expanding it on the DC side reveals individual users.

Nested groups, group scope, and AGDLP#

Active Directory groups have scopes that determine where they can be granted permissions and which member types are allowed. The classic strategy is AGDLP: Accounts → Global → Domain Local → Permission. Local groups on member servers fit at the Domain Local / machine local end of that chain.

| Scope | Members allowed | Where it can be granted permissions |
| --- | --- | --- |
| Domain Local | Accounts and groups from anywhere in the forest (and trusted domains) | Only within its own domain |
| Global | Accounts and Global groups from the same domain only | Any domain in the forest (and trusting domains) |
| Universal | Accounts, Global and Universal groups from anywhere in the forest | Any domain in the forest |
| Local (machine) | Local accounts plus any domain account or group | Only on that machine |

Practical pattern:

  1. Put the user (Alice Dev) in a Global group (Developers).
  2. Put the Global group inside a Domain Local or Local group (Workstation Admins).
  3. Grant the Domain Local / Local group permissions on resources (Administrators ACL on workstations).

This avoids needing to change ACLs every time membership changes — you just add/remove from the Global group.

net group vs net localgroup#

There are two net subcommands for group management; they target different domains and scopes. Easy to confuse.

| Command | Scope | Used for |
| --- | --- | --- |
| net localgroup | Local SAM | Local groups on the current machine |
| net group | Domain (runs only on a DC) | Global groups, queried on the domain controller itself |
| net group /DOMAIN | Domain (from any domain-joined client) | Global groups, via the primary domain controller |

net group is only available locally on a domain controller. On member servers and workstations, net group /DOMAIN is what you’d use — though Get-ADGroup is universally preferred.

rem On a domain controller — list domain global groups
net group

Output: (only works on a DC)

Group Accounts for \\DC01

-------------------------------------------------------------------------------
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Schema Admins
The command completed successfully.

Audit logging — Events 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734#

Group-management actions generate detailed Security events. Forwarding these to a SIEM is essential — adding an account to Administrators outside of a change window is a strong signal of compromise or misuse.

| Event ID | Meaning |
| --- | --- |
| 4727 | A security-enabled global group was created |
| 4728 | A member was added to a security-enabled global group |
| 4729 | A member was removed from a security-enabled global group |
| 4730 | A security-enabled global group was deleted |
| 4731 | A security-enabled local group was created |
| 4732 | A member was added to a security-enabled local group |
| 4733 | A member was removed from a security-enabled local group |
| 4734 | A security-enabled local group was deleted |
| 4735 | A security-enabled local group was changed |

The 473x "local group" events cover both machine-local groups (logged on the member itself) and domain local groups (logged on the domain controller); the global-group events 4727 to 4730 only ever appear on domain controllers.

# Last 30 days of additions to local groups. Properties[] is the EventData in
# template order: 0 MemberName, 1 MemberSid, 2 TargetUserName (group), 3 TargetDomainName,
# 4 TargetSid, 5 SubjectUserSid, 6 SubjectUserName (who did it), 7 SubjectDomainName
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4732; StartTime=(Get-Date).AddDays(-30)} |
    Select-Object TimeCreated,
        @{Name='Group';Expression={$_.Properties[2].Value}},
        @{Name='MemberSid';Expression={$_.Properties[1].Value}},
        @{Name='AddedBy';Expression={$_.Properties[6].Value}}

Output:

TimeCreated         Group           MemberSid                                    AddedBy
-----------         -----           ---------                                    -------
5/25/2026 9:10 AM   Administrators  S-1-5-21-1004336348-1177238915-682003330-1001 Administrator
5/24/2026 2:45 PM   Remote Desktop Users S-1-5-21-1004336348-1177238915-682003330-1002 alicedev
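
Indexing Properties[] by position works, but the field order is an implementation detail of the event template. The following PowerShell is an added example, not from the original page: it reads the same 4732/4733 fields by EventData name from the record XML, resolves the member SID to an account where that is possible, and keeps the raw SID where it is not, so an already-deleted account still shows up in the audit trail. The record at the end is a constructed sample, not captured from a real system, and the SIDs in it are the page's placeholders.

```powershell
# Added example (not from the original page): parse a 4732/4733 record by EventData field
# name instead of Properties[] index. Takes the XML string so it also runs on the
# constructed sample below without a Security log.
function ConvertFrom-GroupChangeEventXml {
    param([Parameter(Mandatory)][string]$Xml)
    $e = [xml]$Xml
    $data = @{}
    foreach ($d in $e.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # For Security-auditing events EventID has no Qualifiers attribute, so it is plain text
    $eventId = [int]"$($e.Event.System.EventID)"
    $memberSid = $data['MemberSid']
    $member = try {
        ([System.Security.Principal.SecurityIdentifier]$memberSid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $memberSid }   # orphaned or foreign SID: keep the raw value so it stays visible

    [pscustomobject]@{
        Time      = [datetime]$e.Event.System.TimeCreated.SystemTime
        Action    = @{ 4732 = 'added'; 4733 = 'removed' }[$eventId]
        Group     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        Member    = $member
        MemberSid = $memberSid
        Actor     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
    }
}

# Live: last 30 days of local-group additions and removals on this host (elevated session)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732, 4733; StartTime = (Get-Date).AddDays(-30) } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-GroupChangeEventXml -Xml $_.ToXml() } | Format-Table -AutoSize

# Constructed sample record (not captured from a real system) for an offline run
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4732</EventID>
    <TimeCreated SystemTime="2026-05-25T09:10:00.0000000Z"/>
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="MemberName">-</Data>
    <Data Name="MemberSid">S-1-5-21-1004336348-1177238915-682003330-1001</Data>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="TargetDomainName">Builtin</Data>
    <Data Name="TargetSid">S-1-5-32-544</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1004336348-1177238915-682003330-500</Data>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="SubjectDomainName">MYHOST</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>
'@
ConvertFrom-GroupChangeEventXml -Xml $sample
```

On a machine where the sample's placeholder SID does not exist, Member comes back as the raw SID, which is exactly the behaviour wanted for an orphaned account; on a real record the SID translates to MYHOST\user or CORP\user.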

Enable the relevant audit subcategories:

auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable

Output:

The command was successfully executed.
The command was successfully executed.

SID-based and orphaned references#

When a user is deleted (locally or in AD), any ACEs and group membership entries that referenced its SID become orphaned: they display as raw SIDs (S-1-5-21-...) instead of resolving to a name. net localgroup shows them in member lists as the bare SID. Get-LocalGroupMember either returns them with the SID string as the Name or, on some Windows 10 and Server 2016/2019 builds, fails for the whole group ("Failed to compare two elements in the array"), so an error from the cmdlet means "inspect this group by other means", not "clean". Review and clean up routinely:

# Find orphaned members in every local group. -ErrorAction SilentlyContinue skips groups
# the cmdlet cannot enumerate, so an empty result is not proof that there are none.
Get-LocalGroup | ForEach-Object {
    $grp = $_
    Get-LocalGroupMember -Group $grp -ErrorAction SilentlyContinue | Where-Object {
        $_.Name -match '^S-1-' -or -not $_.Name
    } | ForEach-Object {
        [pscustomobject]@{ Group = $grp.Name; OrphanedSid = $_.SID.Value }
    }
}

Output:

Group           OrphanedSid
-----           -----------
Administrators  S-1-5-21-1234567890-987654321-111111111-1099
Users           S-1-5-21-1234567890-987654321-111111111-1100

Remove orphaned references:

Remove-LocalGroupMember -Group Administrators -Member "S-1-5-21-1234567890-987654321-111111111-1099"

Output: (silent on success)
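
The Get-LocalGroupMember loop above goes quiet on any group the cmdlet cannot enumerate. The following is an added example, not from the original page: it uses the WinNT ADSI provider instead, which returns each member's raw SID whether or not the account behind it still exists, and flags every SID that no longer translates to an account name. The only assumption is the machine name; -WhatIf on the removal line is deliberate.

```powershell
# Added example (not from the original page): find orphaned local group members via the
# WinNT ADSI provider, independent of Get-LocalGroupMember.
function Get-OrphanedLocalGroupMember {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $computer = [ADSI]"WinNT://$ComputerName,computer"
    foreach ($group in $computer.psbase.Children) {
        if ($group.SchemaClassName -ne 'group') { continue }
        foreach ($member in $group.psbase.Invoke('Members')) {
            # Members come back as COM objects; read their properties by reflection
            $t = $member.GetType()
            $sidBytes = $t.InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
            $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
            $account = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
            if ($account) { continue }   # translates to a name: not orphaned
            [pscustomobject]@{
                Group       = $group.psbase.Name
                OrphanedSid = $sid.Value
                ADsPath     = $t.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
            }
        }
    }
}

# A domain SID also fails to translate when no domain controller is reachable (a laptop
# off the corporate network), and that member is not orphaned. Review before applying.
$orphans = Get-OrphanedLocalGroupMember
$orphans | Format-Table -AutoSize
foreach ($o in $orphans) {
    Remove-LocalGroupMember -Group $o.Group -Member $o.OrphanedSid -WhatIf   # drop -WhatIf to apply
}
```

Run it elevated. Because the WinNT provider never throws on an unresolvable SID, this works on builds where Get-LocalGroupMember fails for a group that contains one.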

Restricted Groups GPO#

For multi-machine consistency, do not manage local group memberships one machine at a time with net localgroup. Use Group Policy instead: either Restricted Groups (Computer Configuration → Policies → Windows Settings → Security Settings → Restricted Groups) or Group Policy Preferences (Computer Configuration → Preferences → Control Panel Settings → Local Users and Groups). Restricted Groups in "Members of this group" mode enforces exact membership: anyone added by hand is removed again at the next policy refresh. The "This group is a member of" mode is additive and only guarantees that the listed group is present.

Inspect what Restricted Groups GPOs are pushing with gpresult:

gpresult /h C:\Audit\rsop.html /f

Output:

INFO: Creating report in C:\Audit\rsop.html ...

Open the report and search for “Restricted Groups” to see which groups are managed and who is permitted.

Common pitfalls (extended)#

In addition to the basics above, watch for these:

  1. Domain Admins is already in local Administrators: when a machine joins a domain, Domain Admins is added to its local Administrators group automatically. Adding it again does not create a duplicate; it fails with error 1378 ("already a member"). To remove it, edit the local group on each machine or push the membership via a Restricted Groups GPO.
  2. net localgroup exit code 1378 = "already a member": distinct from a real failure. Always check exit codes in scripts.
  3. Nesting depth matters for token size: Kerberos tickets and logon tokens carry a SID for every group membership, including transitive ones. Users in many hundreds of nested groups can exceed MaxTokenSize (12,000 bytes by default before Windows 8/Server 2012, 48,000 since) and fail authentication or Group Policy processing with confusing errors.
  4. Local groups cannot be nested into other local groups: only domain groups can be members of a local group. Add-LocalGroupMember -Group DevTeam -Member "MYHOST\OtherLocalGroup" fails.
  5. Group names are case-insensitive but display case is preserved: net localgroup ADMINISTRATORS works, but Get-LocalGroup shows Administrators. PowerShell -eq is case-insensitive by default; use -ceq for a case-sensitive match.
  6. Power Users is deprecated: Windows still ships the group for backward compatibility, but since Windows Vista it grants no rights beyond Users. Old applications that relied on Power Users rights will not work; fix the application (a proper UAC manifest, per-user data paths) or grant explicit ACLs on the resources it needs.
  7. Authenticated Users is not a group you can manage: it is a well-known SID that every non-anonymous logon token carries automatically, and it has no member list. It can, however, be added as a member of a local group, which is the danger: net localgroup Administrators "Authenticated Users" /ADD makes everyone an admin. Never do this.
  8. Everyone is broader than Authenticated Users: it also covers the Guest account and, if the "Let Everyone permissions apply to anonymous users" policy is enabled, anonymous sessions. Microsoft security baselines forbid granting Everyone any sensitive permission.
  9. Removing yourself from Administrators locks you out: there is no "are you sure?" prompt. Test on a non-prod box first.
  10. The built-in Administrators group cannot be renamed: rename the built-in Administrator account (RID 500) freely, but the group keeps its alias.

Real-world recipes (extended)#

Onboard: nest AD group inside local group on every workstation#

The cleanest workstation-fleet pattern. Push via Restricted Groups GPO; if doing it imperatively for a one-off, here’s the pattern:

$hosts = Get-Content C:\Audit\workstation_list.txt
Invoke-Command -ComputerName $hosts -Credential (Get-Credential CORP\domainadmin) -ScriptBlock {
    $wanted = @{ 'Administrators' = 'CORP\Workstation Admins'; 'Remote Desktop Users' = 'CORP\RDP Users' }
    foreach ($g in $wanted.Keys) {
        # Ignore "already a member" (MemberExistsException); rethrow anything else so it surfaces
        try { Add-LocalGroupMember -Group $g -Member $wanted[$g] -ErrorAction Stop }
        catch { if ($_.Exception.GetType().Name -ne 'MemberExistsException') { throw } }
    }
}

Output: (silent on success; failures surface as PowerShell errors)

Audit: who is in Administrators across the fleet?#

$hosts = Get-Content C:\Audit\hosts.txt
$results = foreach ($h in $hosts) {
    try {
        $members = Invoke-Command -ComputerName $h -ScriptBlock {
            Get-LocalGroupMember -Group Administrators
        } -ErrorAction Stop
        foreach ($m in $members) {
            [pscustomobject]@{ Host = $h; Member = $m.Name; Source = $m.PrincipalSource }
        }
    } catch {
        [pscustomobject]@{ Host = $h; Member = "ERROR: $_"; Source = "" }
    }
}
$results | Export-Csv C:\Audit\admin_membership.csv -NoTypeInformation

Output:

(creates CSV with one row per (Host, Member) pair — review for anomalies)

Restore the default Administrators membership#

After cleanup, restore the canonical minimum:

$grp = 'Administrators'

# Strip every member except the built-in Administrator, matched by its RID 500 rather
# than by name (a name match such as 'Administrator$' would also hit 'NotAdministrator').
Get-LocalGroupMember -Group $grp | Where-Object { $_.SID.Value -notmatch '-500$' } |
    ForEach-Object { Remove-LocalGroupMember -Group $grp -Member $_ }

# Add Domain Admins back if domain-joined. $env:USERDOMAIN is the domain only when this
# runs under a domain account; under a local account it is the machine name.
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    Add-LocalGroupMember -Group $grp -Member "$env:USERDOMAIN\Domain Admins"
}

Output: (silent on success)

Detect changes to sensitive groups in real time#

Wire up an Event 4732 subscription to alert when anyone is added to a high-privilege group:

$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[EventID=4732 or EventID=4728]]
      and *[EventData[Data[@Name='TargetUserName']='Administrators' or
                      Data[@Name='TargetUserName']='Backup Operators' or
                      Data[@Name='TargetUserName']='Domain Admins']]
    </Select>
  </Query>
</QueryList>
"@

# Subscribe to the Security log with the XPath filter above. EventLogWatcher is a push
# subscription (Win32_NTLogEvent via Register-WmiEvent would only poll, and its query
# would need the __InstanceCreationEvent form). Reading Security requires an elevated
# session or Event Log Readers membership.
$logQuery = [System.Diagnostics.Eventing.Reader.EventLogQuery]::new(
    'Security', [System.Diagnostics.Eventing.Reader.PathType]::LogName, $query)
$watcher = [System.Diagnostics.Eventing.Reader.EventLogWatcher]::new($logQuery)

Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten `
    -SourceIdentifier "AdminGroupChange" `
    -Action {
        $record = $Event.SourceEventArgs.EventRecord
        Send-MailMessage -To 'secops@example.com' -From 'alerts@example.com' `
            -Subject "Admin group change on $env:COMPUTERNAME" `
            -Body $record.FormatDescription() -SmtpServer 'smtp.example.com'
    }
$watcher.Enabled = $true   # start delivering events

Output: (silent — runs as a background job; fires when matching event occurs)

Bulk add WinRM access for a list of users#

Get-Content C:\Scripts\winrm_users.txt | ForEach-Object {
    $u = "CORP\$_"   # inside catch, $_ is the error record, so keep the name here
    try {
        Add-LocalGroupMember -Group "Remote Management Users" -Member $u -ErrorAction Stop
        Write-Host "Granted WinRM access: $u"
    } catch { Write-Warning "$u not added: $($_.Exception.Message)" }
}

Output:

Granted WinRM access: CORP\alicedev
Granted WinRM access: CORP\bobdev
Granted WinRM access: CORP\caroldev

Migrate a user from contractor to employee — re-group#

$user = 'alicedev'
$dom  = $env:USERDOMAIN

# Remove from contractor groups
'Contractors','Limited Access','Read-Only Users' | ForEach-Object {
    Remove-LocalGroupMember -Group $_ -Member "$dom\$user" -ErrorAction SilentlyContinue
}

# Add to employee groups
'Employees','Remote Desktop Users','Remote Management Users' | ForEach-Object {
    Add-LocalGroupMember -Group $_ -Member "$dom\$user" -ErrorAction SilentlyContinue
}

Write-Host "$user migrated to employee groups"

Output:

alicedev migrated to employee groups

One-liner: list every local group with member count#

Get-LocalGroup | Select-Object Name,
    @{Name='Members';Expression={ @(Get-LocalGroupMember -Group $_ -ErrorAction SilentlyContinue).Count }} |
    Sort-Object Members -Descending | Format-Table -AutoSize

Output:

Name                                Members
----                                -------
Administrators                            3
Users                                     5
Remote Desktop Users                      2
Hyper-V Administrators                    1
Event Log Readers                         1
...

Quick check: am I in a specific group right now?#

# Check the current process token, not just SAM membership. Under UAC a non-elevated
# admin's token carries Administrators as deny-only, so this returns False until elevated.
([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

Output:

True

rem cmd-equivalent for current shell elevation
whoami /groups | findstr /C:"Administrators" /C:"S-1-5-32-544"

Output:

BUILTIN\Administrators                                       Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner

In a non-elevated shell the same line ends with "Group used for deny only" instead: the account is an administrator, but the current token is UAC-filtered.
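
The two checks above give a yes/no answer; a script often needs to distinguish "not an administrator" from "administrator, but this shell is not elevated". The following PowerShell is an added example, not from the original page: it parses whoami /groups /fo csv (a real whoami option) and classifies the token by whether the Administrators SID is absent, present as deny-only, or present and enabled. The two-line CSV at the end is a constructed sample of a UAC-filtered token so the parser can be exercised without a real one.

```powershell
# Added example (not from the original page): classify the current token as not-admin,
# admin-not-elevated or admin-elevated. Parsing is separated from collection so the
# function can be run on constructed CSV text as well as on live whoami output.
function Get-AdminTokenState {
    param([Parameter(Mandatory)][string[]]$GroupsCsv)   # lines from: whoami /groups /fo csv
    $adminSid = 'S-1-5-32-544'
    $row = $GroupsCsv | ConvertFrom-Csv | Where-Object { $_.SID -eq $adminSid }
    if (-not $row) { return 'not-admin' }                                   # SID absent from the token
    if ($row.Attributes -match 'deny only') { return 'admin-not-elevated' }  # UAC-filtered token
    return 'admin-elevated'
}

# Live check of the current shell
$state = Get-AdminTokenState -GroupsCsv (whoami /groups /fo csv)
"Current token: $state"

# Constructed sample (not real output): header plus two rows of a UAC-filtered admin token
$sample = @'
"Group Name","Type","SID","Attributes"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"
"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
'@ -split "`r?`n"
Get-AdminTokenState -GroupsCsv $sample
```

The constructed sample classifies as admin-not-elevated. In a script that must run elevated, test for that state and relaunch with Start-Process -Verb RunAs rather than failing later on an access-denied error.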
