List all members of a group from the command line in OS X

Solution 1

You can use:

dscacheutil -q group -a name admin

or:

dscacheutil -q group -a name staff

etc.

Solution 2

There's no standard command that lists all members of a group in OS X, so here's a shell function which does that:

members () { dscl . -list /Users | while read -r user; do printf '%s ' "$user"; dsmemberutil checkmembership -U "$user" -G "$*"; done | grep "is a member" | cut -d " " -f 1; }

Copy the above command-line to the Terminal, and then type members mygroup (where mygroup is the name of an existing group).


Some explanation for those who are interested:

There are five different ways (that I know of) that a user can be a member of a group in OS X. The command dscl . -read /Groups/mygroup GroupMembership isn't guaranteed to output all, or even any, of mygroup's members, because membership also comes from users' primary group ID, membership by user's UUID, inheritance of membership from one group to another, and memberships that are calculated by the system, such as the group everyone.

So rather than trying to keep track of all those, it seems like a better idea to simply check the membership of every user on the system (using dsmemberutil), and that's what the shell function and the script below do.


This members script is equivalent to the shell function, but has nicer handling of invalid input:

#!/bin/bash

# members -- list all members of a group
#
# SYNOPSIS
#   members groupname
#
# http://superuser.com/questions/279891/list-all-members-of-a-group-mac-os-x
#  by Arne
# Expected to work on Mac OS 10.5 and newer, tested on 10.6 and 10.7.
# It could be rewritten to work on 10.4 by using "dseditgroup -o checkmember"
# instead of "dsmemberutil checkmembership".
# By using dseditgroup, the script could also be extended to handle
# other Directory Service nodes than the default local node.
#

the_group="$1"
# Input check and usage
  if [[ $# != 1 || $1 == -* || $1 =~ [[:space:]] ]]; then
    echo "Usage: ${0##*/} groupname" >&2
    echo "Lists all members of the group." >&2
    exit 64
  elif (dsmemberutil checkmembership -U root -G "$the_group" 2>&1 \
    | grep "group .* cannot be found") >&2; then
    exit 1
  fi

# Check every user
exec dscl . -list /Users \
  | while read -r each_username
  do
    # print the name as data, never as a printf format string
    printf '%s ' "$each_username"
    dsmemberutil checkmembership -U "$each_username" -G "$the_group"
  done \
    | grep "is a member" | cut -d " " -f 1

# eof

Supplementary info:

The five ways of being a group member are:

  1. The user's PrimaryGroupID
  2. Listed in the group's GroupMembership
  3. UUID listed in the group's GroupMembers
  4. Inherited membership of group X by being a member of group Y which is listed in group X's NestedGroups
  5. Membership calculated by the system

These can be explored with commands like dscl . -read /Groups/somegroup

Example of 4: Membership of the Print Operator group _lpoperator is inherited by members of the Print Administrator group _lpadmin, and membership of that group is inherited by the members of the admin group.

Example of 5:

$ dscl . -read /Groups/netaccounts Comment
Comment:
 Group membership calculated by system
 Accounts from a remote directory server
$ 

SEE ALSO
    id(1), dscl(1), dsmemberutil(1), dseditgroup(8), DirectoryServiceAttributes(7), uuid(3)
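
The first three membership paths in the list above (PrimaryGroupID, GroupMembership, GroupMembers), checked separately so an audit can show why an account is in a group; this is an added example, not part of the original answer. RecordName and GeneratedUID are the user-record attributes it assumes, the sample records are constructed, and nested and system-calculated membership are left to dsmemberutil.

```shell
#!/bin/sh
# Added example: show which direct path(s) make a user a member of a group.
# Input is text in the format printed by `dscl . -read`; records are constructed.

# attr RECORD KEY -> the attribute's values, one per line
# (also reads values that dscl continues on indented lines)
attr() {
  printf '%s\n' "$1" | awk -v k="$2:" '
    $1 == k    { on = 1; for (i = 2; i <= NF; i++) print $i; next }
    on && /^ / { for (i = 1; i <= NF; i++) print $i; next }
               { on = 0 }'
}

# membership_paths USER_RECORD GROUP_RECORD -> subset of "primary name uuid"
membership_paths() {
  name=$(attr "$1" RecordName | head -n 1)
  uuid=$(attr "$1" GeneratedUID | head -n 1)
  gid=$(attr "$2" PrimaryGroupID)
  out=""
  if [ -n "$gid" ] && [ "$(attr "$1" PrimaryGroupID)" = "$gid" ]; then
    out="$out primary"
  fi
  if attr "$2" GroupMembership | grep -qxF -- "$name"; then out="$out name"; fi
  if attr "$2" GroupMembers | grep -qxF -- "$uuid"; then out="$out uuid"; fi
  echo "${out# }"
}

# Constructed sample records (not real accounts)
ALICE='RecordName: alice
GeneratedUID: 11111111-2222-3333-4444-555555555555
PrimaryGroupID: 20'

# alice was removed from admin by name, but her UUID is still listed
ADMIN='RecordName: admin
PrimaryGroupID: 80
GroupMembership: root
GroupMembers: AAAAAAAA-0000-0000-0000-000000000001 11111111-2222-3333-4444-555555555555'

STAFF='RecordName: staff
PrimaryGroupID: 20
GroupMembership: root'

echo "alice in admin via: $(membership_paths "$ALICE" "$ADMIN")"   # uuid
echo "alice in staff via: $(membership_paths "$ALICE" "$STAFF")"   # primary
```

On a Mac the same function takes live records, e.g. membership_paths "$(dscl . -read /Users/alice)" "$(dscl . -read /Groups/admin)". An account that shows only "uuid" for admin is one that was removed by name but not by UUID.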

Solution 3

Note: This was my initial answer, written before I realized this answer still gives an incomplete result. (For example, it finds no members of the everyone group!) So I wrote a better answer, which includes a script that lists all members of a group in OS X.


mygroup's GroupMembership property can be printed with dscl like this:

dscl . -read /Groups/mygroup GroupMembership

But this isn't guaranteed to output all (or even any) of the group's members. What's missing are the users who are members of the group only by having it as their primary group ID.

A common example of this in OS X are regular login accounts, which have staff (group 20) as their primary group, but are not listed in the GroupMembership property of the staff group.

Those users can be found by searching for the numeric primary group ID (gid) like this example for the staff group (gid 20):

dscl . -list /Users PrimaryGroupID | grep " 20$"

and the numeric gid (PrimaryGroupID) of mygroup is found by:

dscl . -read /Groups/mygroup PrimaryGroupID

Solution 4

To get all the groups that a user is in, you could use the following:

id -nG <username>

Example Output:

staff com.apple.sharepoint.group.1 everyone localaccounts _appserverusr admin _appserveradm _lpadmin _appstore _lpoperator _developer com.apple.access_ftp com.apple.access_screensharing com.apple.access_ssh

Utilising the command above, it is possible to get all users that belong to a group:

OSX:

group=staff
for i in $(dscl . list /users); do
  # compare whole group names, so "admin" does not also match "_lpadmin"
  id -nG "$i" | tr ' ' '\n' | grep -qxF -- "$group" && echo "$i"
done

Unix:

group=sudo
# This only outputs lines that match a username (from the start of line to a colon must not be a hash indicating a comment)
for i in $(grep -oE "^[^#:]+" /etc/passwd); do
  # compare whole group names, not substrings
  id -nG "$i" | tr ' ' '\n' | grep -qxF -- "$group" && echo "$i"
done

Solution 5

dscl . -read /Groups/[groupname] | grep GroupMembership

BE AWARE: The command above does not always display a complete list of ALL group members. E.g. for the group "staff" you only get "root" as a group member which is incomplete. To check it use one of the following commands as a default user (NOT "root"): id -Gn OR groups

As a result you will see all groups your default logged-in user is a member of. One of them should be "staff". Thus, besides "root" there are more members of the group "staff", which are not listed by the command dscl . -read /Groups/[groupname] | grep GroupMembership. The same goes for the command dscacheutil -q group -a name staff, which also suggests that only "root" is a member of the group "staff", which is obviously incomplete.

The only reliable method to get really ALL members of a group in the terminal on OSX is already provided here by Arne Stenström. This is using his shell function or his shell script. Both work great!

Author by

Meltemi

Updated on September 18, 2022

Comments

  • Meltemi
    Meltemi over 1 year

    I've tried Googling but not getting anywhere. How can I list all the members of a group called mygroup from the command line in OS X?

    dscl . list /groups
    

    Will get me all the groups. But how can I see each group’s members?

  • Stefan Schmidt
    Stefan Schmidt about 12 years
    This is the kind of peculiarities that I have in mind when I tell people that while OS X is mostly beautiful on the surface it's got some nasty stuff hidden underneath the covers.
  • Slipp D. Thompson
    Slipp D. Thompson over 11 years
    +1: This works solidly. Merci.
  • TryTryAgain
    TryTryAgain over 9 years
    This is my favorite method. Easy peasy, and accurate. Thanks!
  • Giacomo1968
    Giacomo1968 over 8 years
    This is a great answer since 90% of the usage cases can be solved with this and not with the more elaborate scripts that have been posted as answers.
  • Neil Monroe
    Neil Monroe over 8 years
    Just add this as an alias in your shell startup file and you can make it a one-word command plus the group name.
  • Golden Thumb
    Golden Thumb over 8 years
    When I tried "dscacheutil -q group" I got 2 paragraphs for group "admin". The two have same name, gid, but different users list. Any idea? Thx!
  • wisbucky
    wisbucky almost 8 years
    Not necessarily complete. dscacheutil -q group -a name admin only gave me 1 result, whereas the Accepted Answer's shell script gave me 2 results.
  • wisbucky
    wisbucky almost 8 years
    This is a nice tip to get list of groups that a user belongs to. But it is the opposite of what the OP was asking, which is list of users that belong to a group.
  • Jens Timmerman
    Jens Timmerman over 7 years
    this is not accurate. it doesn't always list all members, see arne's answer below
  • Jens Timmerman
    Jens Timmerman over 7 years
    This is the info I needed to figure out how to remove myself from the admin group. Turns out removing by username is not enough, you also need to remove the UUID, see github.com/drduh/macOS-Security-and-Privacy-Guide/issues/…
  • Isaac
    Isaac almost 7 years
    @wisbucky this is precisely what I was after. I got here looking for "list all groups of a user". I will suggest an edit to clarify this
  • historystamp
    historystamp almost 5 years
    dscacheutil -q group -a name admin; Only list one of five admin ids. Where as Jay Browns method below list 5. macos 10.10.5 exact code: group=admin; for i in $(dscl . list /users); do [[ $(id -nG $i | grep $group) ]] && echo $i; done;rc=0
  • Ivan Ferrer
    Ivan Ferrer about 4 years
    digit on terminal: groups
  • AlexandreG
    AlexandreG over 3 years
    indeed with localaccounts group, using dscacheutils you cannot see using any users while yours displays all of them (more than 50!). Thanks!
  • Motti Shneor
    Motti Shneor about 2 years
    This method fails for several groups in MacOS 10.15, 11.x and 12.x - e.g. the group 'everyone' that yields empty list. However testing membership for any specific user - the answer is "yes". I wonder why...
  • Motti Shneor
    Motti Shneor about 2 years
    Thank you for illuminating answer. However - are there complementary APIs that allow to do this programmatically (without starting sub-processes or shells) ?? I'm trying all kinds of thing with OpenDirectory framework and API - and can't get it right for some membership types - e.g. 'everyone' whose "Group membership calculated by system". Any hint will be greatly appreciated.
  • Motti Shneor
    Motti Shneor about 2 years
    This is all clear and nice, were it to actually work... but do try your technique with the group 'everyone' and lo and behold --- nothing.