List members of groups in Mac OS X

Mac OS X, unlike Windows, does not provide an easy to use GUI so that you can easily see what groups that user accounts are members of. Fortunately, there is a dscl utilty which can read the group memberships.
The following command will show group memberships, provided the user account does not have the group set as its “primary” group (explained later):

dscl . -read /Groups/mygroup GroupMembership

Administrator account should be members of the following groups:

  • admin
  • _lpadmin
  • _appserveradm
  • _appserverusr

Regular accounts are only members of the “staff” group which has a primary group ID of 20. Unfortunately, the dscl utility does not show the members of the staff group that have the primary group ID set as that group.
So for example, the following command will not output the regular user accounts on the system which have their primary group ID set as 20 (staff):
dscl . -read /Groups/staff GroupMembership
One way to get the group members of staff is to run this command:

dscl . -list /Users PrimaryGroupID | grep ' 20$'

Another way to handle this is to paste the following shell function into Terminal, and them run “members groupname”:

members () { dscl . -list /Users | while read user; do printf "$user "; dsmemberutil checkmembership -U "$user" -G "$*"; done | grep "is a member" | cut -d " " -f 1; }; 


1 Comment

1 Trackback / Pingback

  1. » Apple:Understanding the 'staff' user group

Leave a Reply

Your email address will not be published.