Command line tool to manage builtin,local, and domain local groups. 


See warranty.


Current Version

Version 1.03.0 - April 26, 2010

Modification(s) from previous version

Security Requirements

Permissions vary on switches. To view members, usually no special permission is required. Modification permissions will vary whether modifying AD groups or groups on members. Within AD, since this tool uses legacy NET API calls, Account Operator or Administrator access is needed. For groups on member machines, normally you need account operator or administrator though you can delegate rights to some groups using subinacl.


C++. Compiled with CodeGear C++ Builder 2009

Source Code Availability



Create/Enumerate/Delete/set the comments of local groups locally or remotely in a domain or on a specific machine. Even add/remove members of the groups. This tool works in a slightly different way in that it pulls the SIDS of the security principals and adds those to the specific group. The reason I did this is so that you could add a group from the first domain into the machine of a second domain and then move that machine into the first and have that group membership be valid.

To put it more specifically, say you have a machine in Domain A and you want to put it into Domain B and gosh darn it you have the ability to do that through delegation or something. Well when the machine moves from Domain A to Domain B, Domain A Domain Admins are gone from the administrators group and Domain B domain admins are added. But wait, you aren't a Domain B Domain Admin!!! Unless you have a local ID on that box which is an administrator ID you are locked out from making any more changes. Not anymore, now you can pre-add the group you need say "OUAdmins of the Bob OU" from Domain B to the administrators group of the machine. The SID you added will be unknown until such a time that the machine is added to the new domain at which point it will work.

Note that the tool is not aware of OU's yet so you can't create a group in a specific OU or see what OU a group exists in. 

As if V01.02.00, the ability to specify the actual string SID of the members you want to manipulate (not the SID of the group you are manipulating) to add/remove is available with the -sid option. As is the ability to clear all members from a group with the -cleargroup option.


You do not have to supply the email address. I would like you to fill that in though so that I have an idea on how popular a tool really is. If I see 1000 downloads with 900 different email addresses I know it is more widespread than one that has 1000 downloads and 200 different email addresses because the same person needed to keep downloading it for some reason.

Email Address: Optional
Sponsored Link:

Version History

As seen in


    Download and type LG /?

See current usage screens