NetUserGetLocalGroups function (lmaccess.h)

The NetUserGetLocalGroups function retrieves a list of local groups to which a specified user belongs.


  [in]  LPCWSTR servername,
  [in]  LPCWSTR username,
  [in]  DWORD   level,
  [in]  DWORD   flags,
  [out] LPBYTE  *bufptr,
  [in]  DWORD   prefmaxlen,
  [out] LPDWORD entriesread,
  [out] LPDWORD totalentries


[in] servername

A pointer to a constant string that specifies the DNS or NetBIOS name of the remote server on which the function is to execute. If this parameter is NULL, the local computer is used.

[in] username

A pointer to a constant string that specifies the name of the user for which to return local group membership information. If the string is of the form DomainName\UserName the user name is expected to be found on that domain. If the string is of the form UserName, the user name is expected to be found on the server specified by the servername parameter. For more information, see the Remarks section.

[in] level

The information level of the data. This parameter can be the following value.

Value Meaning
Return the names of the local groups to which the user belongs. The bufptr parameter points to an array of LOCALGROUP_USERS_INFO_0 structures.

[in] flags

A bitmask of flags that affect the operation. Currently, only the value defined is LG_INCLUDE_INDIRECT. If this bit is set, the function also returns the names of the local groups in which the user is indirectly a member (that is, the user has membership in a global group that is itself a member of one or more local groups).

[out] bufptr

A pointer to the buffer that receives the data. The format of this data depends on the value of the level parameter. This buffer is allocated by the system and must be freed using the NetApiBufferFree function. Note that you must free the buffer even if the function fails with ERROR_MORE_DATA.

[in] prefmaxlen

The preferred maximum length, in bytes, of the returned data. If MAX_PREFERRED_LENGTH is specified in this parameter, the function allocates the amount of memory required for the data. If another value is specified in this parameter, it can restrict the number of bytes that the function returns. If the buffer size is insufficient to hold all entries, the function returns ERROR_MORE_DATA. For more information, see Network Management Function Buffers and Network Management Function Buffer Lengths.

[out] entriesread

A pointer to a value that receives the count of elements actually enumerated.

[out] totalentries

A pointer to a value that receives the total number of entries that could have been enumerated.

Return value

If the function succeeds, the return value is NERR_Success.

If the function fails, the return value can be one of the following error codes.

Return code Description
The user does not have access rights to the requested information. This error is also returned if the servername parameter has a trailing blank.
The system call level is not correct. This error is returned if the level parameter was not specified as 0.
A parameter is incorrect. This error is returned if the flags parameter contains a value other than LG_INCLUDE_INDIRECT.
More entries are available. Specify a large enough buffer to receive all entries.
Insufficient memory was available to complete the operation.
The domain controller could not be found.
The user could not be found. This error is returned if the username could not be found.
The RPC server is unavailable. This error is returned if the servername parameter could not be found.


If you are programming for Active Directory, you may be able to call certain Active Directory Service Interface (ADSI) methods to achieve the same functionality you can achieve by calling the network management user functions. For more information, see IADsUser and IADsComputer.

If you call this function on a domain controller that is running Active Directory, access is allowed or denied based on the access control list (ACL) for the securable object. The default ACL permits all authenticated users and members of the "Pre-Windows 2000 compatible access" group to view the information. If you call this function on a member server or workstation, all authenticated users can view the information. For information about anonymous access and restricting anonymous access on these platforms, see Security Requirements for the Network Management Functions. For more information on ACLs, ACEs, and access tokens, see Access Control Model.

The security descriptor of the Domain object is used to perform the access check for this function. The caller must have Read Property permission on the Domain object.

To retrieve a list of global groups to which a specified user belongs, you can call the NetUserGetGroups function.

User account names are limited to 20 characters and group names are limited to 256 characters. In addition, account names cannot be terminated by a period and they cannot include commas or any of the following printable characters: ", /, , [, ], :, |, <, >, +, =, ;, ?, *. Names also cannot include characters in the range 1-31, which are nonprintable.


The following code sample demonstrates how to retrieve a list of the local groups to which a user belongs with a call to the NetUserGetLocalGroups function. The sample calls NetUserGetLocalGroups, specifying information level 0 (LOCALGROUP_USERS_INFO_0). The sample loops through the entries and prints the name of each local group in which the user has membership. If all available entries are not enumerated, it also prints the number of entries actually enumerated and the total number of entries available. Finally, the code sample frees the memory allocated for the information buffer.

#ifndef UNICODE
#define UNICODE
#pragma comment(lib, "netapi32.lib")

#include <stdio.h>
#include <assert.h>
#include <windows.h> 
#include <lm.h>

int wmain(int argc, wchar_t *argv[])
   DWORD dwLevel = 0;
   DWORD dwEntriesRead = 0;
   DWORD dwTotalEntries = 0;
   NET_API_STATUS nStatus;

   if (argc != 3)
      fwprintf(stderr, L"Usage: %s \\\\ServerName UserName\n", argv[0]);
   // Call the NetUserGetLocalGroups function 
   //  specifying information level 0.
   //  The LG_INCLUDE_INDIRECT flag specifies that the 
   //   function should also return the names of the local 
   //   groups in which the user is indirectly a member.
   nStatus = NetUserGetLocalGroups(argv[1],
                                   (LPBYTE *) &pBuf,
   // If the call succeeds,
   if (nStatus == NERR_Success)
      DWORD i;
      DWORD dwTotalCount = 0;

      if ((pTmpBuf = pBuf) != NULL)
         fprintf(stderr, "\nLocal group(s):\n");
         // Loop through the entries and 
         //  print the names of the local groups 
         //  to which the user belongs. 
         for (i = 0; i < dwEntriesRead; i++)
            assert(pTmpBuf != NULL);

            if (pTmpBuf == NULL)
               fprintf(stderr, "An access violation has occurred\n");

            wprintf(L"\t-- %s\n", pTmpBuf->lgrui0_name);

         // If all available entries were
         //  not enumerated, print the number actually 
         //  enumerated and the total number available.
      if (dwEntriesRead < dwTotalEntries)
         fprintf(stderr, "\nTotal entries: %d", dwTotalEntries);
      // Otherwise, just print the total.
      printf("\nEntries enumerated: %d\n", dwTotalCount);
      fprintf(stderr, "A system error has occurred: %d\n", nStatus);
   // Free the allocated memory.
   if (pBuf != NULL)

   return 0;


Requirement Value
Minimum supported client Windows 2000 Professional [desktop apps only]
Minimum supported server Windows 2000 Server [desktop apps only]
Target Platform Windows
Header lmaccess.h (include Lm.h)
Library Netapi32.lib
DLL Netapi32.dll

See also



Network Management Functions

Network Management Overview

User Functions