Determining and setting group membership from a command prompt

On a Microsoft Windows system, you can determine the username for an account from a command prompt window using the whoami command as shown below. 

C:\Users\enzo\Documents>whoami
slartibartfast\enzo

C:\Users\enzo\Documents>

In the example above, the account name is enzo and the system name is slartibartfast.

If you want to determine what groups the account belongs to, which would enable you to determine if the account is in the administrators group, you could add the /groups argument to the command as shown below. I added the /fo list option as well to format the output as a list; if that option isn't specified the output will be in table format.

C:\Users\enzo\Documents>whoami /groups /fo list

GROUP INFORMATION
-----------------

Group Name: Mandatory Label\Medium Mandatory Level
Type:       Label
SID:        S-1-16-8192
Attributes:

Group Name: Everyone
Type:       Well-known group
SID:        S-1-1-0
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\Local account and member of Administrators group
Type:       Well-known group
SID:        S-1-5-114
Attributes: Group used for deny only

Group Name: BUILTIN\Administrators
Type:       Alias
SID:        S-1-5-32-544
Attributes: Group used for deny only

Group Name: BUILTIN\Users
Type:       Alias
SID:        S-1-5-32-545
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\INTERACTIVE
Type:       Well-known group
SID:        S-1-5-4
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: CONSOLE LOGON
Type:       Well-known group
SID:        S-1-2-1
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\Authenticated Users
Type:       Well-known group
SID:        S-1-5-11
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\This Organization
Type:       Well-known group
SID:        S-1-5-15
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: MicrosoftAccount\enzo9876@outlook.com
Type:       User
SID:        S-1-11-96-3623454863-58364-18864-2661722203-1597581903-2106336538-3531095570-1495027200-2295259989-3556675553
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\Local account
Type:       Well-known group
SID:        S-1-5-113
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: LOCAL
Type:       Well-known group
SID:        S-1-2-0
Attributes: Mandatory group, Enabled by default, Enabled group

Group Name: NT AUTHORITY\Cloud Account Authentication
Type:       Well-known group
SID:        S-1-5-64-36
Attributes: Mandatory group, Enabled by default, Enabled group

C:\Users\enzo\Documents>

Since I see "Group Name: BUILTIN\Administrators", I know that the account under which I ran the command is in the administrators group for the system on which I ran the command.

If I wanted to see all of the user accounts on the system, I could use a Windows Management Instrumentation Command-line (WMIC) command. 

C:\Users\enzo\Documents>wmic useraccount get name,fullname
FullName  Name
          Administrator
          DefaultAccount
          enzo 
          Guest
Joe       Joe


C:\Users\enzo\Documents>

If I wanted to determine which of those accounts were in the local administrators group, I could use the net localgroup administrators command as shown below.

Learning Network Technology and Security
Learning Network Technology and Security 1x1 px 

C:\Users\enzo\Documents>net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
enzo 
The command completed successfully.


C:\Users\enzo\Documents>

In the output above, I can see that there are two accounts in the local administrators group: Administrator and enzo. If I want to add an existing account to another group, I can use a command in the form shown below where group_name is the relevant group name and UserLoginName is the user's login name.

net localgroup group_name UserLoginName /add

E.g., to add the Joe account to the administrator's group I could use the command shown below, which must be run from a command prompt with administrator privileges.

How to be an Independent security researcher Ethical Hacker
How to be an independent
security researcher / ethical hacker 1x1 px 

C:\WINDOWS\system32>net localgroup Administrators Joe /add
The command completed successfully.


C:\WINDOWS\system32>net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
enzo
Joe
The command completed successfully.


C:\WINDOWS\system32>

If I ran the net localgroup Administrators Joe /add command from a command prompt with just regular user account privileges, I would see an "Access is denied" message as shown below.

C:\Users\enzo\Documents>net localgroup Administrators Joe /add
System error 5 has occurred.

Access is denied.


C:\Users\enzo\Documents>

Related articles:

  1. Obtaining a command prompt in Windows 10
  2. Obtaining a Command Prompt on a Windows 8 System
  3. Determining the accounts in the administrators group form a command prompt