
Output local group membership on Windows Server

Command line skills for Windows Servers are essential to deliver information without wasting time. Here's how an old tool and a new tool can help.

What do you do when you need to know the list of local administrators on every Windows Server in a hurry? It can be a tricky task if approached in a poor manner. Generating an output of Active Directory-based group membership is easy with many command-line tools such as CSVDE and LDIFDE. Local accounts, however, are a different beast. Further, determining the membership of a local security group is important, as Group Policy configurations may not be applied as expected for a number of reasons.

To help with this challenge, we'll lean on an old tool: the net command. The net command is sacred stuff to me, and I have trouble parting with the quick one-liners that have made me look good over the years. To list the users and groups that are local administrators on a Windows Server, run the following command:

Net localgroup "Administrators"

The output will enumerate each username or group that composes the local administrators group; this will include members that are pushed down from Active Directory Group Policy.

Another way to do this is with Windows PowerShell. As with many other DOS-based commands that are converted to PowerShell, it takes more keystrokes. The equivalent PowerShell script looks like the following example:

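# Bind to the local Administrators group through the ADSI WinNT provider
$LocalGroup = [ADSI]"WinNT://Localhost/Administrators"
# Call the group's Members method; @() forces an array even for a single member
$UserNames = @($LocalGroup.psbase.Invoke("Members"))
# Members come back as COM objects, so read each Name property by reflection
$UserNames | foreach {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}

Note: These scripts were adapted from examples at the PowerShell Code Repository.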

The next time you need this information for local groups, you'll have a quick script whose output you can easily export to a text file for archival and audit purposes.
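The script above returns only each member's Name, which does not show whether an account is defined on the server itself or in the domain. The following added example (not from the original article or the PowerShell Code Repository) reads AdsPath instead, labels each member, and writes a CSV for audit; the function names, the SRV01/CONTOSO sample values, and the output file name are assumptions.

```powershell
# Added example, not the article's own code. Function names are hypothetical.

# Split a WinNT AdsPath into its parts and label where the member is defined.
# Pass the server's host name (not "." or "localhost") so local accounts can be matched.
function ConvertFrom-WinNTAdsPath {
    param(
        [Parameter(Mandatory)][string]$AdsPath,
        [Parameter(Mandatory)][string]$ComputerName
    )
    $short     = ($ComputerName -split '\.')[0]            # tolerate an FQDN
    $parts     = @(($AdsPath -replace '^WinNT://', '') -split '/')
    $name      = $parts[-1]
    $container = if ($parts.Count -gt 1) { $parts[0..($parts.Count - 2)] }

    if     ($name -match '^S-1-\d')          { $scope = 'UnresolvedSid' }  # SID no longer resolves to a name
    elseif ($container -contains $short)     { $scope = 'Local' }          # DOMAIN/COMPUTER/user
    elseif ($container -contains 'NT AUTHORITY' -or $container -contains 'BUILTIN') { $scope = 'WellKnown' }
    else                                     { $scope = 'Domain' }         # DOMAIN/user-or-group

    [pscustomobject]@{ Computer = $short; Member = $name; Scope = $scope; AdsPath = $AdsPath }
}

# Read a local group on one or more servers and classify every member.
function Get-LocalGroupMemberScope {
    param([string[]]$ComputerName = $env:COMPUTERNAME, [string]$Group = 'Administrators')
    foreach ($computer in $ComputerName) {
        try {
            $localGroup = [ADSI]"WinNT://$computer/$Group,group"
            foreach ($member in @($localGroup.psbase.Invoke('Members'))) {
                $adsPath = $member.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $member, $null)
                ConvertFrom-WinNTAdsPath -AdsPath $adsPath -ComputerName $computer
            }
        } catch {
            # An unreachable server or missing group should not stop the rest of the audit.
            Write-Warning "Could not read '$Group' on ${computer}: $($_.Exception.Message)"
        }
    }
}

# Constructed sample paths (server SRV01, domain CONTOSO) to show the labels offline.
'WinNT://CONTOSO/SRV01/Administrator', 'WinNT://CONTOSO/Domain Admins',
'WinNT://NT AUTHORITY/INTERACTIVE', 'WinNT://S-1-5-21-1111111111-2222222222-3333333333-1105' |
    ForEach-Object { ConvertFrom-WinNTAdsPath -AdsPath $_ -ComputerName 'SRV01' } |
    Format-Table Member, Scope, AdsPath -AutoSize

# Live audit of the local machine, saved for archival.
Get-LocalGroupMemberScope | Export-Csv -Path .\local-admins.csv -NoTypeInformation
```

Rows labelled UnresolvedSid are worth a second look during an audit, since they are memberships left behind by accounts that can no longer be resolved to a name.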


About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

3 comments
deskhero

Great tip, Rick! The net command also works on XP, so probably all w32+ systems.

mcsebrad

If you use sysexporter you don't have to do any cmdline and it will easily create a text or html file from any Window - whether it be from AD users and computers or Windows Search results. It's free.

dan.sandel

This output does not distinguish between local and domain accounts so it would be impossible to determine if Rusty Shackleford was local or domain. Adding 'Adspath' instead of 'Name' would help out but even that output gets a little hairy but at least allows the ability to distinguish between the two types of accounts.
