net localgroup

Create, delete, and modify local security groups on a Windows machine — add or remove members, list group memberships, and manage built-in groups from the command prompt.

net localgroup — Local Group Manager

What it is

net localgroup is a built-in Windows command for managing local security groups on the SAM database of the current machine. Use it to list all local groups, inspect group membership, add or remove users and domain accounts from groups, and create or delete custom groups. Common built-in groups include Administrators, Users, Remote Desktop Users, and Backup Operators. For domain groups, use net group /DOMAIN or Active Directory PowerShell (Get-ADGroup, Add-ADGroupMember). Requires Administrator privileges for write operations.

Availability

net localgroup ships as part of C:\Windows\System32\net.exe on all Windows versions.

```cmd
net localgroup /?
```

Output:

```text
The syntax of this command is:

NET LOCALGROUP
[groupname [/COMMENT:"text"]] [/DOMAIN]
groupname {/ADD [/COMMENT:"text"] | /DELETE} [/DOMAIN]
groupname name [...] {/ADD | /DELETE} [/DOMAIN]
```

Syntax

```cmd
net localgroup [groupname] [/COMMENT:"text"] [/DOMAIN]
net localgroup groupname /ADD [/COMMENT:"text"]
net localgroup groupname /DELETE
net localgroup groupname member [...] /ADD
net localgroup groupname member [...] /DELETE
```

Output: (group list or operation result)

Essential options

| Switch | Meaning |
| --- | --- |
| (no args) | List all local groups |
| groupname | Show members of the group |
| groupname /ADD | Create a new local group |
| groupname /DELETE | Delete the group |
| groupname member /ADD | Add a user or domain account to the group |
| groupname member /DELETE | Remove a member from the group |
| /COMMENT:"text" | Set a description on the group |
| /DOMAIN | Operate against the domain controller |

Listing local groups

Running net localgroup with no arguments shows every local group. Running it with a group name lists the group's members and description.

```cmd
net localgroup
```

Output:

```text
Aliases for \\MYHOST

-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Administrators
*Backup Operators
*Cryptographic Operators
*Device Owners
*Distributed COM Users
*Event Log Readers
*Guests
*Hyper-V Administrators
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Remote Desktop Users
*Remote Management Users
*Replicator
*System Managed Accounts Group
*Users
The command completed successfully.
```

Viewing group membership

```cmd
net localgroup Administrators
```

Output:

```text
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
alicedev
The command completed successfully.
```
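On hosts that predate the LocalAccounts module (see below), this text is all you get, and scripts have to parse it. The following is an added example, not part of the original cheat sheet: a parser for the English-locale net localgroup member listing, plus a thin wrapper that runs the real command and checks its exit code. The function names ConvertFrom-NetLocalGroupOutput and Get-NetLocalGroupMember are invented for this example, and the sample text is constructed from the output shown above with one raw-SID entry added.

```powershell
# Added example: turn "net localgroup <group>" text into objects.
# Assumes the English output layout shown above; other locales translate the
# "Alias name" / "Comment" / "The command completed" lines, so the regexes
# would need adjusting there.
function ConvertFrom-NetLocalGroupOutput {
    param([Parameter(Mandatory)] [string[]] $Lines)

    $alias = $null; $comment = $null; $inMembers = $false
    foreach ($line in $Lines) {
        if ($line -match '^Alias name\s+(.+)$') { $alias   = $Matches[1].Trim(); continue }
        if ($line -match '^Comment\s*(.*)$')    { $comment = $Matches[1].Trim(); continue }
        # The dashed rule separates the header from the one-per-line member list
        if ($line -match '^-{10,}')             { $inMembers = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inMembers -and $line.Trim()) {
            $member = $line.Trim()
            [pscustomobject]@{
                Group    = $alias
                Member   = $member
                # A member shown as a raw SID no longer resolves to an account
                Orphaned = $member -match '^\*?S-1-'
                Comment  = $comment
            }
        }
    }
}

# Wrapper around the real command (Windows only); net.exe reports failures
# such as "group does not exist" through its exit code, not stdout.
function Get-NetLocalGroupMember {
    param([Parameter(Mandatory)] [string] $Name)
    $out = & net.exe localgroup $Name 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "net localgroup '$Name' failed with exit code $LASTEXITCODE"
    }
    ConvertFrom-NetLocalGroupOutput -Lines ($out | ForEach-Object { "$_" })
}

# Constructed sample: the output block above plus an orphaned SID entry
$sample = @'
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
alicedev
S-1-5-21-1234567890-987654321-111111111-1099
The command completed successfully.
'@ -split "`r?`n"

ConvertFrom-NetLocalGroupOutput -Lines $sample | Format-Table -AutoSize
```

On a live machine, Get-NetLocalGroupMember -Name Administrators returns the same object shape, so the Orphaned column can be filtered with Where-Object Orphaned in the same way as the Get-LocalGroupMember based clean-up later on this page.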

Creating a group

/ADD creates a new local security group. The group name is case-insensitive and limited to 256 characters. Add an optional /COMMENT to describe its purpose.

```cmd
net localgroup DevTeam /ADD /COMMENT:"Development team members"
```

Output:

```text
The command completed successfully.
```

Adding members to a group

List one or more usernames (or DOMAIN\user for domain accounts) followed by /ADD to add them all in one command. Both local accounts and domain accounts can be added to local groups.

```cmd
net localgroup DevTeam alicedev /ADD
```

Output:

```text
The command completed successfully.
```

```cmd
rem Add a domain account to a local group
net localgroup "Remote Desktop Users" CORP\bobdev /ADD
```

Output:

```text
The command completed successfully.
```

```cmd
rem Add multiple users at once
net localgroup DevTeam alicedev bobdev caroldev /ADD
```

Output:

```text
The command completed successfully.
```

Removing members from a group

/DELETE after a list of members removes them from the group without deleting the user accounts.

```cmd
net localgroup DevTeam bobdev /DELETE
```

Output:

```text
The command completed successfully.
```

Deleting a group

/DELETE after the group name removes the entire group. Built-in groups (Administrators, Users, etc.) cannot be deleted.

```cmd
net localgroup DevTeam /DELETE
```

Output:

```text
The command completed successfully.
```

Managing built-in administrative groups

The most common use of net localgroup in deployment scripts is adding accounts to the Administrators or Remote Desktop Users groups.

```cmd
rem Promote a local user to administrator
net localgroup Administrators alicedev /ADD
```

Output:

```text
The command completed successfully.
```

```cmd
rem Grant RDP access to a domain account
net localgroup "Remote Desktop Users" CORP\alicedev /ADD
```

Output:

```text
The command completed successfully.
```

Common pitfalls

  1. Group names with spaces need double quotes: net localgroup "Remote Desktop Users" ..., not net localgroup Remote Desktop Users.
  2. /DELETE on a group does not remove its members' accounts — only the group entry is removed; user accounts are unaffected.
  3. Built-in groups cannot be deleted — attempting net localgroup Administrators /DELETE returns error 2236 ("This group cannot be deleted").
  4. Domain accounts use the DOMAIN\user format: net localgroup Administrators CORP\alicedev /ADD; a bare alicedev without the domain prefix refers to the local SAM account.
  5. Adding a user who is already a member returns an error — catch exit code 1378 in scripts to distinguish "already a member" from real failures.

Real-world recipes

Add a service account to Administrators during deployment

```cmd
@echo off
net localgroup Administrators svcdeployer /ADD >NUL 2>&1
if %ERRORLEVEL% EQU 0 (
    echo svcdeployer added to Administrators.
) else if %ERRORLEVEL% EQU 1378 (
    echo svcdeployer is already a member.
) else (
    echo ERROR: %ERRORLEVEL%
)
```

Output:

```text
svcdeployer added to Administrators.
```

Audit all local group memberships

```cmd
@echo off
setlocal EnableDelayedExpansion
rem Group lines in "net localgroup" output start with "*". In a .bat file the
rem loop variable is written %%G (use %G only when typing the loop at a prompt).
for /f "tokens=*" %%G in ('net localgroup ^| findstr /R "^\*"') do (
    set "GROUP=%%G"
    rem Strip the leading "*" to get the bare group name
    set "GROUP=!GROUP:~1!"
    echo === !GROUP! ===
    net localgroup "!GROUP!" 2>NUL
)
endlocal
```

Output:

```text
=== Administrators ===
Alias name     Administrators
Members
Administrator
alicedev
...
```

Grant RDP access to a list of domain users

```cmd
@echo off
rem One username per line in rdp_users.txt; %%U is the batch-file form of the loop variable
for /f %%U in (C:\Scripts\rdp_users.txt) do (
    net localgroup "Remote Desktop Users" CORP\%%U /ADD
    rem "if errorlevel 1" is evaluated at run time, so it is safe inside the loop body
    if errorlevel 1 (echo FAILED for CORP\%%U) else (echo Added RDP access for CORP\%%U)
)
```

Output:

```text
The command completed successfully.
Added RDP access for CORP\alicedev
The command completed successfully.
Added RDP access for CORP\bobdev
```

Built-in local groups reference

Every Windows install ships with a set of built-in local groups. They are identified by well-known aliases (specific RIDs in the BUILTIN domain SID S-1-5-32) and cannot be deleted. Knowing what each one grants is essential to securing a machine — and to passing a CIS or STIG audit.

| Group | SID | Default rights |
| --- | --- | --- |
| Administrators | S-1-5-32-544 | Full system control; cannot be limited by ACL |
| Users | S-1-5-32-545 | Standard user: run programs, can't install drivers |
| Guests | S-1-5-32-546 | Most restricted; profile is wiped at logoff |
| Power Users | S-1-5-32-547 | Legacy; deprecated, kept for backward compatibility |
| Backup Operators | S-1-5-32-551 | Read all files (bypass DACL) for backup |
| Replicator | S-1-5-32-552 | File replication service |
| Remote Desktop Users | S-1-5-32-555 | Permitted to log on via RDP |
| Network Configuration Operators | S-1-5-32-556 | Manage TCP/IP settings, DHCP, DNS |
| Performance Monitor Users | S-1-5-32-558 | Read perfmon counters |
| Performance Log Users | S-1-5-32-559 | Manage data collector sets |
| Distributed COM Users | S-1-5-32-562 | Initiate/activate DCOM objects |
| IIS_IUSRS | S-1-5-32-568 | IIS worker process identities |
| Cryptographic Operators | S-1-5-32-569 | Cryptographic operations under FIPS |
| Event Log Readers | S-1-5-32-573 | Read the Security event log |
| Hyper-V Administrators | S-1-5-32-578 | Full Hyper-V management |
| Remote Management Users | S-1-5-32-580 | Use WinRM/PowerShell remoting |

Reach for the least-privileged group that covers a need. Administrators grants everything; Backup Operators is enough if the goal is "back up files this user can't normally read"; Remote Management Users is sufficient for WinRM access without local admin rights.

Backup Operators — the bypass group

Members of Backup Operators can read any file (regardless of DACL) and write any file when restoring — they hold SeBackupPrivilege and SeRestorePrivilege. This is a high-risk membership: practically equivalent to admin for any file-based attacker.

```cmd
net localgroup "Backup Operators" backupsvc /ADD
```

Output:

```text
The command completed successfully.
```

Event Log Readers — SIEM/forwarder accounts

For Windows Event Forwarding (WEF) collectors and SIEM agents, add the service account to Event Log Readers instead of Administrators:

```cmd
net localgroup "Event Log Readers" "NETWORK SERVICE" /ADD
```

Output:

```text
The command completed successfully.
```

Remote Management Users — WinRM without admin

To allow non-admin PowerShell remoting, add to Remote Management Users and configure the WinRM session ACL via Set-PSSessionConfiguration -ShowSecurityDescriptorUI.

```cmd
net localgroup "Remote Management Users" alicedev /ADD
```

Output:

```text
The command completed successfully.
```

PowerShell equivalents — the LocalAccounts module

The Microsoft.PowerShell.LocalAccounts module (built into Windows 10/Server 2016+) provides cmdlets that supersede net localgroup for scripted workflows. They emit objects (not text), accept pipelines, and use stable property names across Windows locales.

Get-LocalGroup — list and inspect groups

```powershell
Get-LocalGroup
```

Output:

```text
Name                                Description
----                                -----------
Administrators                      Administrators have complete and unrestricted access to the computer/domain
Backup Operators                    Backup Operators can override security restrictions for the sole purpose of backing up or restoring files
Cryptographic Operators             Members are authorized to perform cryptographic operations.
Device Owners                       Members of this group can change system-wide settings.
Event Log Readers                   Members of this group can read event logs from local machine
Guests                              Guests have the same access as members of the Users group by default, except for the Guest account...
Hyper-V Administrators              Members of this group have complete and unrestricted access to all features of Hyper-V.
IIS_IUSRS                           Built-in group used by Internet Information Services.
Network Configuration Operators     Members in this group can have some administrative privileges to manage configuration of networking features
Performance Log Users               Members of this group may schedule logging of performance counters, enable trace providers...
Performance Monitor Users           Members of this group can access performance counter data locally and remotely
Power Users                         Power Users are included for backwards compatibility and possess limited administrative powers
Remote Desktop Users                Members in this group are granted the right to logon remotely
Remote Management Users             Members of this group can access WMI resources over management protocols (such as WS-Management via the WinRM service)
Replicator                          Supports file replication in a domain
System Managed Accounts Group       Members of this group are managed by the system.
Users                               Users are prevented from making accidental or intentional system-wide changes...
```

```powershell
Get-LocalGroup -Name Administrators | Format-List *
```

Output:

```text
Description     : Administrators have complete and unrestricted access to the computer/domain
Name            : Administrators
SID             : S-1-5-32-544
PrincipalSource : Local
ObjectClass     : Group
```

Get-LocalGroupMember — list members

```powershell
Get-LocalGroupMember -Group Administrators
```

Output:

```text
ObjectClass Name                              PrincipalSource
----------- ----                              ---------------
User        MYHOST\Administrator              Local
User        MYHOST\alicedev                   Local
Group       CORP\Domain Admins                ActiveDirectory
```

The PrincipalSource column distinguishes local SAM accounts from AD principals — useful in audits.

New-LocalGroup — create a group

```powershell
New-LocalGroup -Name DevTeam -Description "Development team members"
```

Output:

```text
Name     Description
----     -----------
DevTeam  Development team members
```

Add-LocalGroupMember — add members

```powershell
# Add a local user
Add-LocalGroupMember -Group DevTeam -Member alicedev

# Add a domain user
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "CORP\bobdev"

# Add multiple at once
Add-LocalGroupMember -Group DevTeam -Member 'alicedev','bobdev','caroldev'

# Add an entire AD group as a member of a local group (common pattern)
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "CORP\Domain Developers"
```

Output: (silent on success)

Remove-LocalGroupMember

```powershell
Remove-LocalGroupMember -Group DevTeam -Member bobdev
```

Output: (silent on success)

Set-LocalGroup and Remove-LocalGroup

```powershell
Set-LocalGroup -Name DevTeam -Description "Updated description"
Remove-LocalGroup -Name DevTeam
```

Output: (silent on success)

Comparison with Active Directory cmdlets

For domain groups, use the ActiveDirectory PowerShell module (RSAT-AD-PowerShell). The cmdlets are richer — they handle nested groups, attributes, scopes (global/universal/domain local), and bulk operations on thousands of objects.

| Task | Local (LocalAccounts / net localgroup) | Active Directory |
| --- | --- | --- |
| List | Get-LocalGroup | Get-ADGroup -Filter * |
| Inspect | Get-LocalGroup name | Get-ADGroup name -Properties * |
| Create | New-LocalGroup | New-ADGroup -Name X -GroupScope Global |
| Modify | Set-LocalGroup | Set-ADGroup |
| Delete | Remove-LocalGroup | Remove-ADGroup |
| List members | Get-LocalGroupMember | Get-ADGroupMember |
| Add member | Add-LocalGroupMember | Add-ADGroupMember |
| Remove member | Remove-LocalGroupMember | Remove-ADGroupMember |
| Nested membership | not allowed | Get-ADGroupMember -Recursive |
| Find user's groups | (no direct cmdlet) | Get-ADPrincipalGroupMembership |
| Group scope/type | (N/A) | GroupScope: DomainLocal / Global / Universal |

Get-ADGroup — inspect a domain group

```powershell
Get-ADGroup -Identity "Domain Admins" -Properties Members, MemberOf, ManagedBy, Description
```

Output:

```text
Description       : Designated administrators of the domain
DistinguishedName : CN=Domain Admins,CN=Users,DC=contoso,DC=local
GroupCategory     : Security
GroupScope        : Global
ManagedBy         :
Members           : {CN=Administrator,CN=Users,DC=contoso,DC=local,
                    CN=Alice Dev,OU=Users,OU=NewYork,DC=contoso,DC=local}
MemberOf          : {CN=Administrators,CN=Builtin,DC=contoso,DC=local,
                    CN=Denied RODC Password Replication Group,CN=Users,DC=contoso,DC=local}
Name              : Domain Admins
SamAccountName    : Domain Admins
SID               : S-1-5-21-1234567890-987654321-111111111-512
```

Get-ADGroupMember — list members (with recursion)

```powershell
# Direct members only
Get-ADGroupMember -Identity "Developers"

# Recursive — flatten nested groups
Get-ADGroupMember -Identity "Developers" -Recursive | Select Name, ObjectClass
```

Output:

```text
# Direct members only
Name              ObjectClass
----              -----------
Alice Dev         user
Bob Dev           user
Carol Dev         user
Senior Developers group

# Recursive (flattened)
Name              ObjectClass
----              -----------
Alice Dev         user
Bob Dev           user
Carol Dev         user
Dan Dev           user      (from Senior Developers)
```

Find every group a user belongs to

```powershell
# Direct local groups for a local user
Get-LocalGroup | Where-Object {
    (Get-LocalGroupMember $_ -ErrorAction SilentlyContinue).Name -contains "$env:COMPUTERNAME\alicedev"
}

# Domain — every group, including nested
Get-ADPrincipalGroupMembership -Identity alicedev | Select Name
```

Output:

```text
Name
----
Developers
Senior Developers
Domain Users
NewYork Users
```

Add an AD group to a local group (the canonical pattern)

The cleanest pattern for enterprise environments: never put individual users in local groups; create or use an AD group and nest it inside the local group. Membership changes are then made centrally in AD.

```powershell
Add-LocalGroupMember -Group "Administrators" -Member "CORP\Workstation Admins"
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "CORP\RDP Users"
```

Output: (silent on success)

A Get-LocalGroupMember Administrators now shows the domain group as a single entry; expanding it on the DC side reveals individual users.

Nested groups, group scope, and AGDLP

Active Directory groups have scopes that determine where they can be granted permissions and which member types are allowed. The classic strategy is AGDLP: Accounts → Global → Domain Local → Permission. Local groups on member servers fit at the Domain Local / machine local end of that chain.

| Scope | Members allowed | Where it can be granted permissions |
| --- | --- | --- |
| Domain Local | Anything from the forest | Only within the local domain |
| Global | Users + Global groups from same domain | Any domain in the forest |
| Universal | Anything from forest | Any domain in the forest |
| Local (machine) | Anything | Only on the local machine |

Practical pattern:

  1. Put the user (Alice Dev) in a Global group (Developers).
  2. Put the Global group inside a Domain Local or Local group (Workstation Admins).
  3. Grant the Domain Local / Local group permissions on resources (Administrators ACL on workstations).

This avoids needing to change ACLs every time membership changes — you just add/remove from the Global group.

net group vs net localgroup

There are two net subcommands for group management; they target different domains and scopes. Easy to confuse.

| Command | Scope | Used for |
| --- | --- | --- |
| net localgroup | Local SAM | Local groups on the current machine |
| net group | Domain (DC only) | Global groups on a domain controller |
| net group /DOMAIN | Domain (from any client) | Global groups via primary DC |

net group is only available locally on a domain controller. On member servers and workstations, net group /DOMAIN is what you'd use — though Get-ADGroup is universally preferred.

```cmd
rem On a domain controller — list domain global groups
net group
```

Output: (only works on a DC)

```text
Group Accounts for \\DC01

-------------------------------------------------------------------------------
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Schema Admins
The command completed successfully.
```

Audit logging — Events 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734

Group-management actions generate detailed Security events. Forwarding these to a SIEM is essential — adding an account to Administrators outside of a change window is a strong signal of compromise or misuse.

| Event ID | Meaning |
| --- | --- |
| 4727 | A security-enabled global group was created |
| 4728 | A member was added to a security-enabled global group |
| 4729 | A member was removed from a security-enabled global group |
| 4730 | A security-enabled global group was deleted |
| 4731 | A security-enabled local group was created |
| 4732 | A member was added to a security-enabled local group |
| 4733 | A member was removed from a security-enabled local group |
| 4734 | A security-enabled local group was deleted |
| 4735 | A security-enabled local group was changed |

```powershell
# Last 30 days of additions to local groups
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4732; StartTime=(Get-Date).AddDays(-30)} |
    Select-Object TimeCreated,
        @{Name='Group';Expression={$_.Properties[2].Value}},
        @{Name='MemberSid';Expression={$_.Properties[1].Value}},
        @{Name='AddedBy';Expression={$_.Properties[6].Value}}
```

Output:

```text
TimeCreated         Group           MemberSid                                    AddedBy
-----------         -----           ---------                                    -------
5/25/2026 9:10 AM   Administrators  S-1-5-21-1004336348-1177238915-682003330-1001 Administrator
5/24/2026 2:45 PM   Remote Desktop Users S-1-5-21-1004336348-1177238915-682003330-1002 alicedev
```

Enable the relevant audit subcategories:

```cmd
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable
```

Output:

```text
The command was successfully executed.
The command was successfully executed.
```
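The Get-WinEvent projection above gives you the raw rows; deciding which of them matter is the part a SIEM rule would do. The following is an added example, not part of the original cheat sheet, that triages such rows against two assumptions labelled in the code: an approved deployment operator (svcdeployer, taken from the recipe earlier on this page) and a nightly change window of 22:00 to 02:00. The function name Get-SensitiveGroupAdditionAlert and the sample records are constructed for this example; on a real host, feed it the objects the Get-WinEvent pipeline returns.

```powershell
# Added example: flag additions to sensitive groups that happen outside the
# change window or are performed by an unapproved operator. Input objects have
# the TimeCreated / Group / MemberSid / AddedBy shape produced by the
# Get-WinEvent projection above.
function Get-SensitiveGroupAdditionAlert {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string[]] $SensitiveGroups   = @('Administrators', 'Backup Operators', 'Remote Management Users'),
        [string[]] $ApprovedOperators = @('svcdeployer'),   # assumption: the deployment account
        [int]      $WindowStart = 22,                        # assumption: change window 22:00-02:00
        [int]      $WindowEnd   = 2
    )
    foreach ($e in $Events) {
        # Additions to non-sensitive groups are not interesting for this rule
        if ($SensitiveGroups -notcontains $e.Group) { continue }

        $h = $e.TimeCreated.Hour
        # A window that crosses midnight (22..2) needs the OR form
        $inWindow = if ($WindowStart -le $WindowEnd) { $h -ge $WindowStart -and $h -lt $WindowEnd } else { $h -ge $WindowStart -or $h -lt $WindowEnd }

        $reasons = @()
        if (-not $inWindow) { $reasons += 'outside change window' }
        if ($ApprovedOperators -notcontains $e.AddedBy) { $reasons += "operator '$($e.AddedBy)' not approved" }

        # Resolve the SID to a name where this machine can; fall back to the raw
        # SID (for example a foreign domain or an already deleted account)
        try {
            $member = ([System.Security.Principal.SecurityIdentifier]$e.MemberSid).Translate(
                          [System.Security.Principal.NTAccount]).Value
        } catch {
            $member = $e.MemberSid
        }

        $verdict = if ($reasons.Count -gt 0) { 'ALERT' } else { 'OK' }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Group       = $e.Group
            Member      = $member
            AddedBy     = $e.AddedBy
            Verdict     = $verdict
            Reason      = $reasons -join '; '
        }
    }
}

# Constructed sample records in the shape of the Get-WinEvent projection above
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2026-05-25 09:10'; Group = 'Administrators';       MemberSid = 'S-1-5-21-1004336348-1177238915-682003330-1001'; AddedBy = 'Administrator' }
    [pscustomobject]@{ TimeCreated = [datetime]'2026-05-24 14:45'; Group = 'Remote Desktop Users'; MemberSid = 'S-1-5-21-1004336348-1177238915-682003330-1002'; AddedBy = 'alicedev' }
    [pscustomobject]@{ TimeCreated = [datetime]'2026-05-24 23:30'; Group = 'Backup Operators';     MemberSid = 'S-1-5-21-1004336348-1177238915-682003330-1003'; AddedBy = 'svcdeployer' }
)

Get-SensitiveGroupAdditionAlert -Events $sample | Format-Table -AutoSize
```

With the sample data, the daytime addition to Administrators by Administrator is reported as ALERT with both reasons, the Remote Desktop Users row is skipped because that group is not in the sensitive list, and the in-window addition by svcdeployer is OK. Pass -SensitiveGroups and -ApprovedOperators explicitly to match your own baseline rather than relying on the assumed defaults.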

SID-based and orphaned references

When a user is deleted (locally or in AD), any group ACEs and group membership entries that referenced their SID become orphaned — they display as raw SIDs (*S-1-5-21-...) instead of resolving to a name. net localgroup shows them in member lists; Get-LocalGroupMember returns them with empty Name. Clean up routinely:

```powershell
# Find orphaned members in every local group
Get-LocalGroup | ForEach-Object {
    $grp = $_
    Get-LocalGroupMember $grp -ErrorAction SilentlyContinue | Where-Object {
        $_.Name -match '^S-1-' -or -not $_.Name
    } | ForEach-Object {
        [pscustomobject]@{ Group = $grp.Name; OrphanedSid = $_.SID }
    }
}
```

Output:

```text
Group           OrphanedSid
-----           -----------
Administrators  S-1-5-21-1234567890-987654321-111111111-1099
Users           S-1-5-21-1234567890-987654321-111111111-1100
```

Remove orphaned references:

```powershell
Remove-LocalGroupMember -Group Administrators -Member "S-1-5-21-1234567890-987654321-111111111-1099"
```

Output: (silent on success)

Restricted Groups GPO

For multi-machine consistency, never manage local group memberships individually with net localgroup. Instead, use the Group Policy Restricted Groups feature (Computer Configuration → Policies → Windows Settings → Security Settings → Restricted Groups) or the newer User Rights Assignment settings. The policy enforces exact membership — if anyone deviates manually, the next refresh undoes the change.

Inspect what Restricted Groups GPOs are pushing with gpresult:

```cmd
gpresult /h C:\Audit\rsop.html /f
```

Output:

```text
INFO: Creating report in C:\Audit\rsop.html ...
```

Open the report and search for "Restricted Groups" to see which groups are managed and who is permitted.

Common pitfalls (extended)

In addition to the basics above, watch for these:

  1. Adding Domain Admins to local Administrators is automatic — by default, Domain Admins is a member of every domain-joined machine's local Administrators group. Don't add it manually (creates a duplicate entry); to remove it, edit the local group on each machine or push via Restricted Groups GPO.
  2. net localgroup exit code 1378 = "already a member" — distinct from a real failure. Always check exit codes in scripts.
  3. Nesting depth matters for token size — Kerberos tickets carry SIDs for every group membership including transitive. Users in 100+ nested groups may exceed the MaxTokenSize and fail authentication with confusing errors.
  4. Local groups cannot be nested into other local groups — only domain groups can nest. Add-LocalGroupMember -Group DevTeam -Member "MYHOST\OtherLocalGroup" fails.
  5. Group names are case-insensitive but display case is preserved: net localgroup ADMINISTRATORS works, but Get-LocalGroup shows Administrators. PowerShell -eq is case-insensitive by default; use -ceq for a case-sensitive match.
  6. Power Users is deprecated — Windows still ships it for backward compatibility but it grants no special rights on Windows 10/11. Old applications relying on Power Users rights will not work; recompile with proper UAC manifest or grant explicit ACLs.
  7. Authenticated Users is not a group you can add to — it's a built-in security identifier that automatically includes everyone with a valid logon token. net localgroup Administrators "Authenticated Users" /ADD makes everyone an admin — never do this.
  8. Everyone is broader than Authenticated Users — includes anonymous sessions. Microsoft security baselines forbid granting Everyone any sensitive permission.
  9. Removing yourself from Administrators locks you out — there is no "are you sure?" prompt. Test on a non-prod box first.
  10. The built-in Administrators group cannot be renamed — rename the built-in Administrator account (RID 500) freely, but the group keeps its alias.

Real-world recipes (extended)

Onboard: nest AD group inside local group on every workstation

The cleanest workstation-fleet pattern. Push via Restricted Groups GPO; if doing it imperatively for a one-off, here's the pattern:

```powershell
$hosts = Get-Content C:\Audit\workstation_list.txt
Invoke-Command -ComputerName $hosts -Credential (Get-Credential CORP\domainadmin) -ScriptBlock {
    Add-LocalGroupMember -Group "Administrators" -Member "CORP\Workstation Admins" -ErrorAction SilentlyContinue
    Add-LocalGroupMember -Group "Remote Desktop Users" -Member "CORP\RDP Users" -ErrorAction SilentlyContinue
}
```

Output: (silent on success; failures surface as PowerShell errors)

Audit: who is in Administrators across the fleet?

```powershell
$hosts = Get-Content C:\Audit\hosts.txt
$results = foreach ($h in $hosts) {
    try {
        $members = Invoke-Command -ComputerName $h -ScriptBlock {
            Get-LocalGroupMember -Group Administrators
        } -ErrorAction Stop
        foreach ($m in $members) {
            [pscustomobject]@{ Host = $h; Member = $m.Name; Source = $m.PrincipalSource }
        }
    } catch {
        [pscustomobject]@{ Host = $h; Member = "ERROR: $_"; Source = "" }
    }
}
$results | Export-Csv C:\Audit\admin_membership.csv -NoTypeInformation
```

Output:

```text
(creates CSV with one row per (Host, Member) pair — review for anomalies)
```
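"Review for anomalies" is the step that usually gets skipped, so here is an added example, not part of the original cheat sheet, that does it: it compares the (Host, Member, Source) rows the recipe above exports against a baseline of members that are allowed anywhere and members that must be present on every host, and reports three kinds of drift. The function name Get-AdminMembershipDrift, the baseline lists (built from the CORP\Workstation Admins pattern used elsewhere on this page) and the sample rows are all constructed for this example.

```powershell
# Added example: drift report over the fleet audit rows.
# Approved = members that may appear in Administrators on any host;
# Required = members that must appear on every host (the nested AD group
# the onboarding recipe pushes). Both lists are assumptions for the example.
function Get-AdminMembershipDrift {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [string[]] $Approved = @('Administrator', 'CORP\Domain Admins', 'CORP\Workstation Admins'),
        [string[]] $Required = @('CORP\Workstation Admins')
    )
    foreach ($byHost in ($Rows | Group-Object -Property Host)) {
        $members = @($byHost.Group | ForEach-Object { $_.Member })

        # The audit recipe records unreachable hosts as a pseudo-member "ERROR: ..."
        $errors = @($members -like 'ERROR:*')
        if ($errors.Count -gt 0) {
            [pscustomobject]@{ Host = $byHost.Name; Finding = 'UNREACHABLE'; Member = $errors[0] }
            continue
        }

        foreach ($m in $members) {
            # "WS01\Administrator" and "WS02\Administrator" both match the
            # baseline entry "Administrator"; domain entries are matched in full
            $short = ($m -split '\\')[-1]
            if ($Approved -notcontains $m -and $Approved -notcontains $short) {
                [pscustomobject]@{ Host = $byHost.Name; Finding = 'UNEXPECTED'; Member = $m }
            }
        }

        foreach ($r in $Required) {
            if ($members -notcontains $r) {
                [pscustomobject]@{ Host = $byHost.Name; Finding = 'MISSING'; Member = $r }
            }
        }
    }
}

# Constructed sample rows in the shape the audit recipe exports
$sample = @(
    [pscustomobject]@{ Host = 'WS01'; Member = 'WS01\Administrator';       Source = 'Local' }
    [pscustomobject]@{ Host = 'WS01'; Member = 'CORP\Domain Admins';        Source = 'ActiveDirectory' }
    [pscustomobject]@{ Host = 'WS01'; Member = 'CORP\Workstation Admins';   Source = 'ActiveDirectory' }
    [pscustomobject]@{ Host = 'WS02'; Member = 'WS02\Administrator';       Source = 'Local' }
    [pscustomobject]@{ Host = 'WS02'; Member = 'WS02\alicedev';            Source = 'Local' }
    [pscustomobject]@{ Host = 'WS02'; Member = 'CORP\Domain Admins';        Source = 'ActiveDirectory' }
    [pscustomobject]@{ Host = 'WS03'; Member = 'ERROR: WinRM cannot complete the operation'; Source = '' }
)

Get-AdminMembershipDrift -Rows $sample | Format-Table -AutoSize
```

With the sample rows, WS01 produces no findings, WS02 is reported twice (UNEXPECTED WS02\alicedev, a local account in Administrators, and MISSING CORP\Workstation Admins) and WS03 is UNREACHABLE. Against the real export, call it as Get-AdminMembershipDrift -Rows (Import-Csv C:\Audit\admin_membership.csv).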

Restore the default Administrators membership

After cleanup, restore the canonical minimum:

```powershell
$grp = 'Administrators'

# Strip all current members except built-in Administrator
Get-LocalGroupMember -Group $grp | Where-Object Name -notmatch 'Administrator$' |
    ForEach-Object { Remove-LocalGroupMember -Group $grp -Member $_ }

# Add domain admins back if domain-joined
if ((Get-WmiObject Win32_ComputerSystem).PartOfDomain) {
    Add-LocalGroupMember -Group $grp -Member "$env:USERDOMAIN\Domain Admins"
}
```

Output: (silent on success)

Detect changes to sensitive groups in real time

Wire up an Event 4732 subscription to alert when anyone is added to a high-privilege group:

```powershell
# Groups whose membership changes should page someone
$sensitive = 'Administrators', 'Backup Operators', 'Domain Admins'

# 4732 = member added to a local group, 4728 = member added to a global group.
# Win32_NTLogEvent exposes the event data fields as InsertionStrings; for both
# event IDs index 2 is the target group name (TargetUserName).
Register-WmiEvent -Query "SELECT * FROM Win32_NTLogEvent WHERE LogFile='Security' AND (EventCode=4732 OR EventCode=4728)" `
    -SourceIdentifier "AdminGroupChange" `
    -MessageData $sensitive `
    -Action {
        # $Event is the automatic variable available inside an -Action block;
        # -MessageData is how the group list reaches this separate scope
        $ntEvent = $Event.SourceEventArgs.NewEvent
        $group   = $ntEvent.InsertionStrings[2]
        if ($group -in $Event.MessageData) {
            Send-MailMessage -To 'secops@example.com' -From 'alerts@example.com' `
                -Subject "Change to $group on $env:COMPUTERNAME" `
                -Body $ntEvent.Message -SmtpServer 'smtp.example.com'
        }
    }
```

Output: (silent — runs as a background job; fires when matching event occurs)

Bulk add WinRM access for a list of users

```powershell
Get-Content C:\Scripts\winrm_users.txt | ForEach-Object {
    Add-LocalGroupMember -Group "Remote Management Users" -Member "CORP\$_" -ErrorAction SilentlyContinue
    Write-Host "Granted WinRM access: CORP\$_"
}
```

Output:

```text
Granted WinRM access: CORP\alicedev
Granted WinRM access: CORP\bobdev
Granted WinRM access: CORP\caroldev
```

Migrate a user from contractor to employee — re-group

```powershell
$user = 'alicedev'
$dom  = $env:USERDOMAIN

# Remove from contractor groups
'Contractors','Limited Access','Read-Only Users' | ForEach-Object {
    Remove-LocalGroupMember -Group $_ -Member "$dom\$user" -ErrorAction SilentlyContinue
}

# Add to employee groups
'Employees','Remote Desktop Users','Remote Management Users' | ForEach-Object {
    Add-LocalGroupMember -Group $_ -Member "$dom\$user" -ErrorAction SilentlyContinue
}

Write-Host "$user migrated to employee groups"
```

Output:

```text
alicedev migrated to employee groups
```

One-liner: list every local group with member count

```powershell
Get-LocalGroup | Select-Object Name,
    @{Name='Members';Expression={(Get-LocalGroupMember $_).Count}} |
    Sort-Object Members -Descending | Format-Table -AutoSize
```

Output:

```text
Name                                Members
----                                -------
Administrators                            3
Users                                     5
Remote Desktop Users                      2
Hyper-V Administrators                    1
Event Log Readers                         1
...
```

Quick check: am I in a specific group right now?

```powershell
# Check the current process token (not just SAM membership — reflects loopback/UAC filtering)
([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole('Administrators')
```

Output:

```text
True
```

```cmd
rem cmd-equivalent for current shell elevation
whoami /groups | findstr /C:"Administrators" /C:"S-1-5-32-544"
```

Output:

```text
BUILTIN\Administrators                                       Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
```

Sources

References consulted while writing this article.

  • Microsoft Learn — net localgroup command reference — Authoritative flag list and parameter semantics used to build the Essential options table.
  • SS64 — net localgroup — Cross-version comparison and historical syntax notes.
