How to get members of a Windows (security) group?

Short Version

What is the Windows function to list all members of a Windows (security) group?

Long Version

The gotcha is that we can't just skip directly to Active Directory, because it's entirely possible that the group is not a group in Active Directory, because not all groups will be in Active Directory, because some groups can be local to the machine, and some machines may not even be joined to a domain.

For example:

  • STACKOVERFLOW\ITOps: a group in the STACKOVERFLOW domain
  • ITOps@stackoverflow.com: a group in the stackoverflow.com domain
  • HOTH\docker-users: a group on the local machine

Reminder that STACKOVERFLOW and stackoverflow.com happen to be two names for the same domain.

This will then remind you that STACKOVERFLOW\ITOps and ITOps@stackoverflow.com are two names for the same group.

  • The first is the Windows name.
  • The second is the matching name in Active Directory.

You can convince yourself of this by calling LookupAccountSid, which returns:

  • Name: "ITOps"
  • Domain: "STACKOVERFLOW"

And you can see it when running whoami /groups:

| Group Name                                           | Type             | SID                                            |
|------------------------------------------------------|------------------|------------------------------------------------| 
| HOTH\PoleDancers                                     | Alias            | S-1-5-21-508675309-3072756349-3142140079-1006  |
| HOTH\docker-users                                    | Alias            | S-1-5-21-508675309-3072756349-3142140079-1014  |
| STACKOVERFLOW\Stackoverflow Users                    | Group            | S-1-5-21-1701128619-854245398-2146844275-1132  |
| STACKOVERFLOW\Project Managers                       | Group            | S-1-5-21-1701128619-854245398-2146844275-3626  |
| STACKOVERFLOW\MSFT Developers                        | Group            | S-1-5-21-1701128619-854245398-2146844275-3608  |
| STACKOVERFLOW\Stackoverflow Admins                   | Group            | S-1-5-21-1701128619-854245398-2146844275-1136  |
| STACKOVERFLOW\Audit                                  | Group            | S-1-5-21-1701128619-854245398-2146844275-3627  |
| STACKOVERFLOW\Domain Admins                          | Group            | S-1-5-21-1701128619-854245398-2146844275-512   |
| STACKOVERFLOW\Enterprise Admins                      | Group            | S-1-5-21-1701128619-854245398-2146844275-519   |
| STACKOVERFLOW\DnsAdmins                              | Alias            | S-1-5-21-1701128619-854245398-2146844275-1107  |
| STACKOVERFLOW\Denied RODC Password Replication Group | Alias            | S-1-5-21-1701128619-854245398-2146844275-572   |
| STACKOVERFLOW\DHCP Administrators                    | Alias            | S-1-5-21-1701128619-854245398-2146844275-1004  |
| BUILTIN\Performance Log Users                        | Alias            | S-1-5-32-559                                   |
| BUILTIN\Performance Monitor Users                    | Alias            | S-1-5-32-558                                   |
| BUILTIN\Users                                        | Alias            | S-1-5-32-545                                   |
| BUILTIN\Administrators                               | Alias            | S-1-5-32-544                                   |
| NT AUTHORITY\REMOTE INTERACTIVE LOGON                | Well-known group | S-1-5-14                                       |
| NT AUTHORITY\INTERACTIVE                             | Well-known group | S-1-5-4                                        |
| NT AUTHORITY\Authenticated Users                     | Well-known group | S-1-5-11                                       |
| NT AUTHORITY\This Organization                       | Well-known group | S-1-5-15                                       |
| Everyone                                             | Well-known group | S-1-1-0                                        |
| LOCAL                                                | Well-known group | S-1-2-0                                        |
| Authentication authority asserted identity           | Well-known group | S-1-18-1                                       |
| Mandatory Label\Medium Mandatory Level               | Label            | S-1-16-8192                                    |

So: given a group, I need the members.

  • the group could be local
  • the group could be on the domain
  • I don't know if the group is local or part of a domain
  • I don't care if the group is local or part of a domain

I need Windows to tell me the members.

And remember:

  • a local group
  • can contain local users
  • can contain local groups
  • can contain domain users
  • can contain domain groups

So, by definition, trying to query Active Directory is simply wrong.

Short version

Given a group security identifier (SID), how do I get the members of that group?

I know it's possible, because Windows does it right there in netplwiz:

[Screenshot: the netplwiz Users list]

Showing a mix of local and domain users at the same time.
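One way to do what the question asks, as an added PowerShell example that is not part of the original post or of any Stack Overflow answer: resolve the SID to DOMAIN\Name (the same lookup the question does with LookupAccountSid), decide from the domain part whether the group is local or in the domain, and let Windows enumerate the members either way. It assumes PowerShell 5.1 or later on Windows, and a domain-joined machine for the domain branch; the function name is mine.

```powershell
# Added example, not from the original post.
# Given a group SID, list its members whether the group is local or in the domain.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Get-GroupMembersBySid {
    param([Parameter(Mandatory)][string]$Sid)

    $sidObj = [System.Security.Principal.SecurityIdentifier]::new($Sid)
    # Resolves to "STACKOVERFLOW\ITOps", "HOTH\docker-users", "BUILTIN\Users", ...
    $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    $domain, $name = $account -split '\\', 2

    # A group is local when its "domain" is this machine or the BUILTIN authority.
    $isLocal = ($domain -ieq $env:COMPUTERNAME) -or ($domain -ieq 'BUILTIN')

    if ($isLocal) {
        # Local (alias) group: members can be local or domain principals;
        # PrincipalSource reports which, so the mix is visible per member.
        Get-LocalGroupMember -SID $sidObj | ForEach-Object {
            [pscustomobject]@{
                Group = $account; Member = $_.Name; Class = $_.ObjectClass
                Source = $_.PrincipalSource; SID = $_.SID.Value
            }
        }
    } else {
        # Domain group: ask the domain that owns the SID for its direct members.
        $ctx = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
            [System.DirectoryServices.AccountManagement.ContextType]::Domain, $domain)
        $group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity(
            $ctx, [System.DirectoryServices.AccountManagement.IdentityType]::Sid, $Sid)
        if (-not $group) { throw "Group $Sid not found in domain $domain" }
        $group.GetMembers($false) | ForEach-Object {
            [pscustomobject]@{
                Group = $account; Member = $_.SamAccountName; Class = $_.StructuralObjectClass
                Source = 'ActiveDirectory'; SID = $_.Sid.Value
            }
        }
    }
}

# Usage with SIDs from the whoami /groups table above (HOTH\docker-users, BUILTIN\Administrators)
Get-GroupMembersBySid 'S-1-5-21-508675309-3072756349-3142140079-1014' | Format-Table
Get-GroupMembersBySid 'S-1-5-32-544' | Format-Table
```

Well-known groups such as NT AUTHORITY\Authenticated Users have no stored membership, so they are outside what this enumerates; a domain group nested inside a local group shows up as one member of class Group, not as its expanded users.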

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow