NET LOCALGROUP Command – Manage Local Groups in Windows CMD

The NET LOCALGROUP command is a Windows Command Prompt utility that displays, creates, and manages local security groups and their members. Use NET LOCALGROUP to list groups, NET LOCALGROUP groupname to view members, and NET LOCALGROUP groupname username /add to add users to groups—essential for granting Administrator rights, managing permissions, and organizing user access. Administrator privileges are required for modifications.

Whether you're a system administrator adding users to the Administrators group for elevated access, an IT professional creating custom groups for department-based permissions, or a developer scripting access provisioning, NET LOCALGROUP provides command-line control over local group membership. The command works with built-in groups (Administrators, Users, Power Users) and custom local groups.

This comprehensive guide covers NET LOCALGROUP syntax, adding and removing members, creating groups, practical examples for common scenarios, security considerations, troubleshooting tips, and frequently asked questions. By the end, you'll confidently manage local groups from the command line.

What Is the NET LOCALGROUP Command?

The NET LOCALGROUP command manages local security groups on a Windows computer. Local groups define collections of user accounts that share the same permissions. Adding a user to a group grants them the permissions assigned to that group. NET LOCALGROUP can list groups, display group members, add or remove members, and create or delete groups.

NET LOCALGROUP runs in Command Prompt (CMD) and requires Administrator privileges for adding members, removing members, creating groups, or deleting groups. It is available in all Windows versions from Windows NT through Windows 11 and Windows Server. The command is scriptable for bulk group management.

NET LOCALGROUP vs Other Group Tools

NET LOCALGROUP: Command-line; local groups; scriptable; built-in
Computer Management: GUI; Local Users and Groups; user-friendly
Local Users and Groups (lusrmgr.msc): GUI; same as Computer Management
PowerShell Get-LocalGroup/Add-LocalGroupMember: Modern; object-oriented; preferred for scripts

Syntax

NET LOCALGROUP [groupname [/comment:"text"]] [/domain]
NET LOCALGROUP groupname {/add [/comment:"text"] | /delete} [/domain]
NET LOCALGROUP groupname name [ ... ] {/add | /delete} [/domain]

Parameters

Parameter	Description
`groupname`	Name of the local group
`name`	Username(s) to add or remove; separate multiple with spaces
`/add`	Adds a member to the group or creates a new group
`/delete`	Removes a member or deletes the group
`/comment:"text"`	Description for the group (when creating)
`/domain`	Performs operation on the domain (when applicable)

Common Built-in Groups

Group	Purpose
Administrators	Full system access
Users	Standard user access
Power Users	Elevated access (legacy)
Guests	Limited guest access
Backup Operators	Backup and restore rights
Remote Desktop Users	RDP access

How to Use NET LOCALGROUP Command

List All Local Groups

Display all local groups:

NET LOCALGROUP

Output shows group names. No Administrator rights needed for listing.

View Group Members

Display members of a specific group:

NET LOCALGROUP Administrators

Shows all users in the Administrators group. Use for any group name.

Add User to Group

Add a single user to a group:

NET LOCALGROUP Administrators john /add

The user gains the permissions of that group. Requires Administrator.

Add Multiple Users

Add several users at once:

NET LOCALGROUP Backup Operators alice bob carol /add

Separate usernames with spaces.

Add Domain User to Local Group

Add a user from another domain:

NET LOCALGROUP Administrators DOMAIN\adminuser /add

Use DOMAIN\username format for domain accounts.

Remove User from Group

Remove a user from a group:

NET LOCALGROUP Administrators john /delete

The user loses that group's permissions.

Create a New Local Group

Create a custom group:

NET LOCALGROUP "Project Team" /add /comment:"Development project access"

Use quotes for group names with spaces.

Add Member to New Group

Create group and add members:

NET LOCALGROUP "Project Team" /add
NET LOCALGROUP "Project Team" alice bob /add

Delete a Group

Remove a local group (must be empty or members removed first):

NET LOCALGROUP "Project Team" /delete

Common Use Cases

Grant Administrator rights – Add user to Administrators group: NET LOCALGROUP Administrators username /add.
Provision new employee access – Create user with NET USER, then add to appropriate groups with NET LOCALGROUP.
Grant RDP access – Add user to Remote Desktop Users: NET LOCALGROUP "Remote Desktop Users" username /add.
Create department groups – Create custom groups for Sales, IT, HR and add members for permission management.
Revoke elevated access – Remove user from Administrators when no longer needed: NET LOCALGROUP Administrators username /delete.
Backup operator access – Add service account to Backup Operators for backup software.
Bulk group assignment – Use NET LOCALGROUP in scripts to add multiple users to groups.
Audit group membership – Use NET LOCALGROUP groupname to verify who has access.
Temporary project access – Add users to project-specific group, remove when project ends.
Domain user local admin – Add domain user to local Administrators for workstation admin.

Tips and Best Practices

Run as Administrator – Adding/removing members and creating/deleting groups requires elevated privileges.
Create user first – Use NET USER to create the account before adding to groups with NET LOCALGROUP.
Use principle of least privilege – Add users only to groups they need; avoid over-granting Administrators.
Document custom groups – Use /comment when creating groups: /comment:"Sales team read-only access".
Quote names with spaces – Use quotes: NET LOCALGROUP "Remote Desktop Users" john /add.
Verify before remove – List members with NET LOCALGROUP groupname before removing to avoid mistakes.
Domain format for domain users – Use DOMAIN\username when adding domain accounts to local groups.
Audit regularly – Periodically review Administrators and other sensitive group membership.
Test in non-production – Verify group changes in test environment before production.
Combine with WHOAMI – Use WHOAMI /groups to verify user's group membership after changes.

Troubleshooting Common Issues

"Access is denied"

Problem: NET LOCALGROUP fails with access denied.

Cause: Insufficient privileges; Administrator rights required for /add, /delete, and group creation.

Solution: Run Command Prompt as Administrator. Right-click cmd.exe → Run as administrator.

Prevention: Use an account with Administrator privileges for group management.

"The group name could not be found"

Problem: Group name not found when adding or listing.

Cause: Typo in group name, or group doesn't exist. Built-in groups have specific names (e.g., "Administrators" not "Admin").

Solution: Use NET LOCALGROUP to list valid group names. For built-in groups, use exact names: Administrators, Users, "Remote Desktop Users" (with quotes for spaces).

Prevention: Copy group names from NET LOCALGROUP output.

"The user name could not be found"

Problem: User not found when adding to group.

Cause: User doesn't exist locally, or wrong format for domain user.

Solution: Create user first with NET USER. For domain users, use DOMAIN\username format. Verify with NET USER for local users.

Prevention: Ensure user exists before adding to group; use correct format for domain accounts.

"System error 1379" – Local group already exists

Problem: Cannot create group; it already exists.

Cause: Group name is already in use.

Solution: Use existing group or choose a different name. List groups with NET LOCALGROUP to see existing names.

Prevention: Check for existing groups before creating.

Related Commands

NET USER – Create Users

NET USER creates and manages user accounts. Create users before adding them to groups.

Example:

NET USER john P@ssw0rd /add
NET LOCALGROUP Users john /add

When to use: Full user provisioning workflow.

WHOAMI – Verify Membership

WHOAMI /groups displays the current user's group memberships. Use to verify group changes.

Example:

WHOAMI /groups

When to use: Confirming user is in expected groups.

ICACLS – NTFS Permissions

ICACLS manages file and folder NTFS permissions. Use for granular file-level access beyond group membership.

Example:

ICACLS C:\Data /grant john:(R)

When to use: File and folder permission management.

TAKEOWN – Take Ownership

TAKEOWN takes ownership of files or folders. Often used with ICACLS for permission recovery.

Example:

TAKEOWN /F C:\Folder

When to use: Recovering access to files when permissions are broken.

Frequently Asked Questions

What does the NET LOCALGROUP command do?

NET LOCALGROUP displays, creates, and manages local security groups and their members. It can add users to groups (e.g., Administrators), remove users, create custom groups, and delete groups. Administrator rights are required for modifications.

How do I add a user to the Administrators group?

Use NET LOCALGROUP Administrators username /add. Run Command Prompt as Administrator. The user will have full administrative access after the next logon.

How do I list members of a group?

Use NET LOCALGROUP groupname. For example, NET LOCALGROUP Administrators lists all administrators. Works for any local group.

How do I remove a user from a group?

Use NET LOCALGROUP groupname username /delete. For example, NET LOCALGROUP Administrators john /delete removes john from Administrators.

How do I add a domain user to a local group?

Use NET LOCALGROUP groupname DOMAIN\username /add. Replace DOMAIN with the domain name and username with the account name.

How do I create a new local group?

Use NET LOCALGROUP "Group Name" /add. Add a comment with /comment:"Description". Then add members with NET LOCALGROUP "Group Name" user1 user2 /add.

Can I add multiple users at once?

Yes. Separate usernames with spaces: NET LOCALGROUP "Project Team" alice bob carol /add.

What is the difference between NET LOCALGROUP and NET GROUP?

NET LOCALGROUP manages local groups on the computer. NET GROUP manages global groups in a domain (on domain controllers). Use NET LOCALGROUP for workgroup or single-machine group management.

Why does NET LOCALGROUP say access is denied?

Adding or removing members and creating or deleting groups requires Administrator privileges. Run Command Prompt as Administrator.

How do I add someone for Remote Desktop access?

Use NET LOCALGROUP "Remote Desktop Users" username /add. The user can then connect via RDP (if RDP is enabled).

Can I delete the Administrators group?

No. Built-in groups like Administrators, Users, and Guests cannot be deleted. You can only add or remove members.

How do I verify a user's group membership?

Run WHOAMI /groups while logged in as that user, or use NET LOCALGROUP groupname to list members of a specific group.

Quick Reference Card

Command	Purpose	Example
`NET LOCALGROUP`	List all groups	View groups
`NET LOCALGROUP Administrators`	List group members	View admins
`NET LOCALGROUP Administrators user /add`	Add to group	Grant admin
`NET LOCALGROUP Administrators user /delete`	Remove from group	Revoke admin
`NET LOCALGROUP "Group" /add`	Create group	New group
`NET LOCALGROUP "Group" user1 user2 /add`	Add members	Bulk add
`NET LOCALGROUP "Group" /delete`	Delete group	Remove group

Try NET LOCALGROUP Command Now

Explore group management in our Windows Command Simulator. For user creation, see NET USER and WHOAMI. Browse the full Commands Reference for more Windows CMD utilities.

Summary

The NET LOCALGROUP command manages local security groups and their members from the command line. Use it to add users to Administrators, Remote Desktop Users, or custom groups; remove members; and create or delete groups. Always run as Administrator for modifications, create users with NET USER first, and use DOMAIN\username for domain accounts. Combine NET LOCALGROUP with NET USER for complete user and permission provisioning.