Managing Windows Local Groups with Net LocalGroup
-
Before PowerShell, net localgroup was the standard mechanism for managing local users on Windows and still remains a simple, effective tool for doing so from the command line. If you ever need to work on extremely old machines without PowerShell, it is also the only way to do so. It is part of the net family of command line Windows utilities.
It is very important to remember that net user is for managing the local users on the machine where you are running the command. It is not for managing things like Active Directory users.
Using net user is simple, fast, and straightforward. We will learn best from straightforward examples.
List Local Groups
net localgroup
Get Details of Specific Local Group
net localgroup administrators
Add Local User to a Local Group
net localgroup administrators sally /add
Add an Active Directory Domain User to a Local Group
net localgroup administrators mydomain\sally /add
Create a New Local Group
net localgroup mynewgroup /add
Delete a Local Group
net localgroup mynewgroup /delete
The net localgroup command makes local group management exceptionally quick and easy, no matter how you are accessing a system, and is a great example of where command line management is often much simpler and faster than a GUI.
Part of a series on Windows Systems Administration by Scott Alan Miller
-
@scottalanmiller said in Managing Windows Local Groups with Net LocalGroup:
If you ever need to work on extremely old machines without PowerShell, it is also the only way to do so.
I truly hope it's almost nobody still having to deal with user management and AD from Windows XP and earlier desktops.
But if you love using net commands, they work well in PowerShell scripts.
-
@Obsolesce said in Managing Windows Local Groups with Net LocalGroup:
@scottalanmiller said in Managing Windows Local Groups with Net LocalGroup:
If you ever need to work on extremely old machines without PowerShell, it is also the only way to do so.
I truly hope it's almost nobody still having to deal with user management and AD from Windows XP and earlier desktops.
It's a lot later before PowerShell tools for this existed, that's actually decently recent. It was only a "few" releases of PowerShell ago where these tools did not exist.
I just tested a fully up to date Windows 7 system and the PS tools do not exist there yet. You can add them, but they are not part of the standard PS tool sets on Windows Vista and 7, and possibly later, that's just what I have on hand to test. If you are in the support space and supporting ad hoc companies, or work in the MSP space, or work with one of customers, it's actually the norm to have PowerShell lack the expected tooling for many tasks still today. Even on well maintained, fully updated systems.
-
@scottalanmiller said in Managing Windows Local Groups with Net LocalGroup:
@Obsolesce said in Managing Windows Local Groups with Net LocalGroup:
@scottalanmiller said in Managing Windows Local Groups with Net LocalGroup:
If you ever need to work on extremely old machines without PowerShell, it is also the only way to do so.
I truly hope it's almost nobody still having to deal with user management and AD from Windows XP and earlier desktops.
It's a lot later before PowerShell tools for this existed, that's actually decently recent. It was only a "few" releases of PowerShell ago where these tools did not exist.
I just tested a fully up to date Windows 7 system and the PS tools do not exist there yet. You can add them, but they are not part of the standard PS tool sets on Windows Vista and 7, and possibly later, that's just what I have on hand to test. If you are in the support space and supporting ad hoc companies, or work in the MSP space, or work with one of customers, it's actually the norm to have PowerShell lack the expected tooling for many tasks still today. Even on well maintained, fully updated systems.
net user doesn't work in that version of PowerShell? Could have sworn I used it in PowerShell way back...
-
@Obsolesce said in Managing Windows Local Groups with Net LocalGroup:
net user doesn't work in that version of PowerShell? Could have sworn I used it in PowerShell way back...
net user works in everything, PS, CMD, anything, because it's not part of any of them. It's a separate command line that goes way, way back. It's the alternatives to net user that don't exist until much later.
-
I ran into a language issue the other day when writing a PowerShell script that uses
net localgroup
and thought it could be useful to others:
Depending on the language your Windows device is set to, the local Administrators group will be different, so the typical
net localgroup administrators domain\user /add
command will fail.
Implementing the following will grab the actual name of the group by its SID first, then use that result.
Note that this is written to work in PowerShell, not CMD.exe.
# Gets the name of the local Administrators group in appropriate language
$localAdminGroupName = (Get-WmiObject win32_group -filter "LocalAccount = $TRUE And SID = 'S-1-5-32-544'" | Select-Object -Expand name)
Write-Output "Local Administrators group detected as: [$localAdminGroupName]"
# Sets the users as a local admin using appropriate local Administrators group name
net localgroup $localAdminGroupName domain\user /add
# Gets local Administrators group members
net localgroup $localAdminGroupName
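The same SID lookup also makes a membership audit of the local Administrators group language-independent. The script below is an added example, not code from any poster in this thread. The allowlist entries and function names are hypothetical, and it assumes the completion message is the last non-blank line of net localgroup output in every language.

```powershell
# Added example: audit local Administrators membership on any OS language.
# Hypothetical allowlist; replace with the accounts expected on your systems.
$Allowed = @('Administrator', 'MYDOMAIN\Domain Admins')

function Get-BuiltinAdminGroupName {
    # Translate the well-known SID to its localized account name,
    # e.g. BUILTIN\Administrators or VORDEFINIERT\Administratoren.
    $sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
    return ($account -split '\\')[-1]
}

function ConvertFrom-NetLocalGroup {
    param([string[]]$Lines)
    # Members sit between the dashed separator and the final status line.
    # Assumption: the status line is the last non-blank line in every language.
    $body = @($Lines | ForEach-Object { "$_".Trim() } | Where-Object { $_ -ne '' })
    $sep = -1
    for ($i = 0; $i -lt $body.Count; $i++) {
        if ($body[$i] -match '^-{10,}$') { $sep = $i; break }
    }
    # No separator, or nothing between separator and status line: no members.
    if ($sep -lt 0 -or ($sep + 1) -gt ($body.Count - 2)) { return @() }
    return @($body[($sep + 1)..($body.Count - 2)])
}

# Parser self-check on constructed sample output (not captured from a real host).
$sample = @('Alias name     administrators', 'Members', '', ('-' * 79),
            'Administrator', 'sally', 'The command completed successfully.', '')
$parsed = @(ConvertFrom-NetLocalGroup -Lines $sample)
if ($parsed.Count -ne 2 -or $parsed[1] -ne 'sally') { throw 'Parser self-check failed' }

# Live audit: resolve the group by SID, list members, flag anything not allowed.
$group  = Get-BuiltinAdminGroupName
$output = & net.exe localgroup $group
if ($LASTEXITCODE -ne 0) { throw "net localgroup failed with exit code $LASTEXITCODE" }

$members    = @(ConvertFrom-NetLocalGroup -Lines $output)
$unexpected = @($members | Where-Object { $Allowed -notcontains $_ })

Write-Output "Group [$group] has $($members.Count) member(s)"
foreach ($m in $unexpected) { Write-Output "UNEXPECTED: $m" }
```

New-Object is used instead of ::new() so the script also runs on the older PowerShell versions discussed above.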