List all members of a group (Mac OS X)
There's no standard command that lists all members of a group in OS X, so here's a shell function which does that:
members () { dscl . -list /Users | while read user; do printf "$user "; dsmemberutil checkmembership -U "$user" -G "$*"; done | grep "is a member" | cut -d " " -f 1; };
Copy the above command-line to the Terminal, and then type members mygroup (where mygroup is the name of an existing group).
Some explanation for those who are interested:
There are five different ways (that I know of) that a user can be member of a group in OS X. The command dscl . -read /Groups/mygroup GroupMembership isn't guaranteed to output all, or even any, of mygroup's members, because membership also comes from users' primary group ID, membership by user's UUID, inheritance of membership from one group to another, and memberships that are calculated by the system, such as the group everyone.
So rather than trying to keep track of all those, it seems like a better idea to simply check the membership of every user on the system (using dsmemberutil), and that's what the shell function and the script below do.
This members script is equivalent to the shell function, but has nicer handling of invalid input:
#!/bin/bash
# members -- list all members of a group
#
# SYNOPSIS
# members groupname
#
# http://superuser.com/questions/279891/list-all-members-of-a-group-mac-os-x
# by Arne
# Expected to work on Mac OS 10.5 and newer, tested on 10.6 and 10.7.
# It could be rewritten to work on 10.4 by using "dseditgroup -o checkmember"
# instead of "dsmemberutil checkmembership".
# By using dseditgroup, the script could also be extended to handle
# other Directory Service nodes than the default local node.
#
the_group="$1"
# Input check and usage
if [[ $# != 1 || $1 == -* || $1 =~ [[:space:]] ]]; then
echo "Usage: ${0##*/} groupname" >&2
echo "Lists all members of the group." >&2
exit 64
elif (dsmemberutil checkmembership -U root -G "$the_group" 2>&1 \
| grep "group .* cannot be found") >&2; then
exit 1
fi
# Check every user
exec dscl . -list /Users \
| while read each_username
do
printf "$each_username "
dsmemberutil checkmembership -U "$each_username" -G "$the_group"
done \
| grep "is a member" | cut -d " " -f 1
# eof
Supplementary info:
The five ways of being a group member are:
- The user's PrimaryGroupID
- Listed in the group's GroupMembership
- UUID listed in the group's GroupMembers
- Inherited membership of group X by being a member of group Y which is listed in group X's NestedGroups
- Membership calculated by the system
These can be explored with commands like dscl . -read /Groups/somegroup
Example of 4: Membership of the Print Operator group __lpoperator_ is inherited by members of the Print Administrator group __lpadmin_, and membership of that group is inherited by the members of the admin group.
Example of 5:
$ dscl . -read /Groups/netaccounts Comment
Comment:
Group membership calculated by system
Accounts from a remote directory server
$
SEE ALSO
id(1), dscl(1), dsmemberutil(1), dseditgroup(8), DirectoryServiceAttributes(7), uuid(3)
You can use:
dscacheutil -q group -a name admin
or:
dscacheutil -q group -a name staff
etc.
Note: This was my initial answer, written before I realized this answer still gives an incomplete result. (For example, it finds no members of the everyone group!) So I wrote a better answer, which includes a script that lists all members of a group in OS X.
mygroup's GroupMembership property can be printed with dscl like this:
dscl . -read /Groups/mygroup GroupMembership
But this isn't guaranteed to output all (or even any) of the group's members. What's missing are the users who are member of the group only by having it as their primary group ID.
A common example of this in OS X are regular login accounts, which have staff (group 20) as their primary group, but are not listed in the GroupMembership property of the staff group.
Those users can be found by searching for the numeric primary group ID (gid) like this example for the staff group (gid 20):
dscl . -list /Users PrimaryGroupID | grep " 20$"
and the numeric gid (PrimaryGroupID) of mygroup is found by:
dscl . -read /Groups/mygroup PrimaryGroupID