Search

Newsletter

Get our latest updates. Sign up with your email.

Popular Posts

Using Network Functions in Visual C#.NET (Part II - Group Functions)

1 views
Using Network Functions in Visual CNET Part II - Group Functions

Getting Started with P/Invoke for Local Group Management

Working with local groups on a Windows machine from a C# application is straightforward once you understand the plumbing that sits behind the Windows API. The API calls that deal with groups live in the Netapi32.dll library, and you access them from .NET by using Platform Invocation Services (P/Invoke). In this section we’ll walk through the prerequisites, the basic declarations you’ll need, and how the various functions interrelate.

The first step is to bring in the System.Runtime.InteropServices namespace. This namespace contains the DllImport attribute and the StructLayout attribute that allow you to describe the unmanaged functions and data structures your code will call.

Next, you’ll need to declare the NetLocalGroupAdd, NetLocalGroupDel, NetLocalGroupGetInfo, NetLocalGroupSetInfo, NetLocalGroupEnum, and NetLocalGroupGetMembers functions. Each declaration specifies the exact signature that matches the unmanaged version, including parameter types and the calling convention. For example, the NetLocalGroupAdd function looks like this in C#:

Prompt
[DllImport("Netapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]</p> <p>static extern uint NetLocalGroupAdd(</p> <p> string serverName,</p> <p> uint level,</p> <p> ref LOCALGROUP_INFO_1 buf,</p> <p> out uint parm_err</p> <p>);</p>

The serverName parameter can be null or an empty string to target the local computer; otherwise, you supply the UNC name of a remote machine. The level parameter tells the API which structure you’re passing – for group creation you’ll typically use level 1 or 0. The buf parameter is a reference to a LOCALGROUP_INFO_1 structure that contains the group name and a short comment. The parm_err out parameter reports the index of any parameter that caused the call to fail.

Because these structures are defined in C, you need to recreate them in C#. The LOCALGROUP_INFO_0 structure is the simplest – it only holds the group name – while LOCALGROUP_INFO_1 adds a description field. Declaring the structures is similar to the function declarations, but you use the StructLayout attribute to specify sequential layout and the MarshalAs attribute for string marshaling.

Prompt
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]</p> <p>struct LOCALGROUP_INFO_0</p> <p>{</p> <p> [MarshalAs(UnmanagedType.LPWStr)]</p> <p> public string lgrpi0_name;</p> <p>}</p> <p>struct LOCALGROUP_INFO_1</p> <p>{</p> <p> public string lgrpi1_name;</p> <p> public string lgrpi1_comment;</p> <p>}</p>

With these pieces in place you can start writing helper methods that wrap the raw API calls. A common pattern is to create a GroupManager class that exposes high‑level methods like CreateGroup, DeleteGroup, GetGroupInfo, SetGroupInfo, EnumerateGroups, and GetGroupMembers. The wrapper hides the details of marshaling, error checking, and memory management.

Keep in mind that the API returns uint error codes that map to the standard Win32 error numbers. To translate them into something more useful, call Marshal.GetLastWin32Error() after a failure and convert the result into a Win32Exception. This practice provides clear diagnostics and avoids silent failures.

Another important detail is that many of these calls allocate memory that you must free yourself. Functions such as NetLocalGroupEnum return a pointer to a buffer that the caller must free with NetApiBufferFree. In C# you typically use a SafeHandle wrapper or call the free function directly after marshaling the data into managed structures.

When targeting remote machines, the API accepts a server name in UNC form (e.g. \\RemotePC) in the first parameter. The rest of the call remains identical. Remote operations require the calling user to have appropriate privileges on the target machine, so your application may need to run under an account that holds the SE_RESTORE_NAME privilege or be a member of the local administrators group on the remote computer.

By establishing this foundation – correct imports, structures, error handling, and memory cleanup – you’re ready to tackle each group‑manipulation function in turn. The following sections dive into the specific operations you’ll perform most often: creating groups, deleting them, querying and updating details, listing all groups, and inspecting membership.

Adding a Local Group from C#.NET

Creating a new local group is one of the simplest group operations. The NetLocalGroupAdd API expects a structure that carries the group name and, optionally, a comment. Because the comment is rarely needed, most code examples use LOCALGROUP_INFO_0, which contains only the group name. The wrapper method below demonstrates the typical pattern: build the structure, call the API, and interpret the result.

Prompt
public static bool CreateGroup(string server, string groupName, string comment = null)</p> <p>{</p> <p> LOCALGROUP_INFO_1 info = new LOCALGROUP_INFO_1</p> <p> {</p> <p> lgrpi1_name = groupName,</p> <p> lgrpi1_comment = comment ?? string.Empty</p> <p> };</p> <p> uint parmErr;</p> <p> uint result = NetLocalGroupAdd(server, 1, ref info, out parmErr);</p> <p> if (result != 0)</p> <p> {</p> <p> throw new Win32Exception((int)result);</p> <p> }</p> <p> return true;</p> <p>}</p>

The server argument can be null or string.Empty for the local computer, or a UNC name for a remote machine. The level parameter is set to 1 to match the LOCALGROUP_INFO_1 structure. If you prefer the simpler structure you could use level 0 and LOCALGROUP_INFO_0

After the call, the API returns 0 on success. Any non‑zero value indicates failure, and parm_err points to the specific parameter that caused the error. Common problems include attempting to create a group that already exists (error code 183), insufficient permissions (error code 1314), or supplying a server name that cannot be resolved.

In practice, you might wrap the call in a try‑catch block and present a friendly message to the user. For example:

Prompt
try</p> <p>{</p> <p> CreateGroup(null, "MarketingTeam", "Users that handle marketing");</p> <p> MessageBox.Show("Group created successfully.");</p> <p>}</p> <p>catch (Win32Exception ex)</p> <p>{</p> <p> MessageBox.Show($"Failed to create group: {ex.Message}");</p> <p>}</p>

Because the group name must be unique on the local computer, you can optionally call NetLocalGroupGetInfo with level 0 to verify that the name is not already in use before attempting creation. This pre‑check can reduce the likelihood of encountering error 183.

When creating a group on a remote computer, you must ensure that the executing user has administrative rights on that machine. If the user is not an administrator, the API will return error 1314 (“A required privilege is not held by the client”). In that case, either run the application under a domain account with the necessary rights or prompt the user to provide credentials via the Windows Credential Manager.

After the group is created, you can immediately add users to it by calling NetLocalGroupAddMembers, which takes an array of user names and a level that specifies the type of the names (e.g. local or domain). This makes it easy to automate the entire setup of a new team: create the group, add members, and assign necessary permissions on shared resources.

Remember to keep the code that interacts with the API clean and well‑documented. Adding XML comments to your wrapper methods helps future developers understand the intent and the expected parameters. As your project grows, consider separating the P/Invoke layer into its own assembly or using an existing library that already exposes these functions, such as the System.DirectoryServices.AccountManagement namespace for domain environments.

Removing a Local Group from C#.NET

Deleting a group is the inverse of creating one and is handled by the NetLocalGroupDel API. The function requires the name of the group to delete and a pointer to a buffer that will receive the group name if the call fails. The wrapper method below follows the same error‑handling pattern as the creation helper.

Prompt
public static bool DeleteGroup(string server, string groupName)</p> <p>{</p> <p> uint result = NetLocalGroupDel(server, groupName);</p> <p> if (result != 0)</p> <p> {</p> <p> }</p> <p> return true;</p> <p>}</p>

Because the API returns 0 on success, the method simply throws an exception on failure. Typical failure scenarios include attempting to delete a group that still has members (error 2224), the group does not exist (error 2225), or the caller lacks the required privileges (error 1314).

In real‑world scenarios you might first check whether the group has any members by calling NetLocalGroupGetMembers. If the group is not empty, you could prompt the user to confirm removal or automatically remove all members before deletion. The check looks like this:

Prompt
public static bool IsGroupEmpty(string server, string groupName)</p> <p>{</p> <p> // Call NetLocalGroupGetMembers with level 0 to get the count</p> <p> // ... (implementation omitted for brevity)</p> <p>}</p>

Removing groups on a remote machine follows the same process; just pass the remote computer’s UNC name in the server parameter. The caller’s credentials must include administrative rights on that machine. If you are running in a domain context, using a Service Account that is a member of the Domain Admins group can simplify the permission model.

After a group is deleted, any references to it in local security policies, shared folder permissions, or application settings become stale. A best practice is to run a cleanup routine that scans for orphaned references and removes them. This can be achieved by querying the Security Descriptor of each shared resource and checking whether the deleted group’s SID appears in the Access Control List.

When writing user interfaces that expose group deletion, always provide a warning dialog. A single accidental click can remove a critical group that many users rely on. Example text: “Deleting the group ‘MarketingTeam’ will remove it from the local computer and any remote machines where it exists. Are you sure you want to proceed?” This reduces the chance of inadvertent loss of data or permissions.

Finally, consider logging all group deletion actions. Storing a timestamp, the user who performed the action, and the target computer in an audit log helps with compliance and troubleshooting. If the deletion fails, log the error code and message so administrators can investigate.

Retrieving and Updating Group Information

The NetLocalGroupGetInfo function fetches detailed information about a group. It supports three levels of information: level 0 returns the group name only; level 1 adds a comment; level 2 provides a full SID and other data. For most applications, level 1 suffices. The wrapper below demonstrates how to retrieve the name and comment of a group.

Prompt
public static LOCALGROUP_INFO_1 GetGroupInfo(string server, string groupName)</p> <p>{</p> <p> IntPtr bufferPtr = IntPtr.Zero;</p> <p> uint result = NetLocalGroupGetInfo(server, groupName, 1, out bufferPtr);</p> <p> if (result != 0)</p> <p> {</p> <p> }</p> <p> LOCALGROUP_INFO_1 info = (LOCALGROUP_INFO_1)Marshal.PtrToStructure(bufferPtr, typeof(LOCALGROUP_INFO_1));</p> <p> NetApiBufferFree(bufferPtr);</p> <p> return info;</p> <p>}</p>

After you retrieve the information you can update it using NetLocalGroupSetInfo. The API accepts the same structure you passed to GetInfo, but the level parameter must match the structure. The wrapper looks like this:

Prompt
public static void UpdateGroupComment(string server, string groupName, string newComment)</p> <p>{</p> <p> LOCALGROUP_INFO_1 info = GetGroupInfo(server, groupName);</p> <p> info.lgrpi1_comment = newComment;</p> <p> uint result = NetLocalGroupSetInfo(server, groupName, 1, ref info, IntPtr.Zero);</p> <p> if (result != 0)</p> <p> {</p> <p> }</p> <p>}</p>

When updating the comment you must provide a non‑null structure and specify a valid pointer in the last parameter – passing IntPtr.Zero is acceptable because the API does not use that argument for level 1 updates. The parm_err out parameter can also report the index of a problematic field, which is helpful when you pass an unexpected value.

In many environments, the group comment is used to store metadata such as the department, purpose, or contact information. By keeping comments up‑to‑date, you make the local group database self‑documenting, which simplifies administration for new team members.

For more advanced scenarios you may want to retrieve the full SID of a group, which you can then use in ACL updates. The level 2 of NetLocalGroupGetInfo returns a LOCALGROUP_INFO_2 structure that includes the SID as a byte array. After marshaling, you can construct a SecurityIdentifier object and use it with FileSecurity or DirectorySecurity classes to assign permissions programmatically.

When designing UI components that edit group details, consider presenting the current values in read‑only fields and enabling editing only after a “Edit” button is pressed. This reduces accidental modifications and gives the user a chance to review the changes before committing. After the user clicks “Save,” call UpdateGroupComment and handle any exceptions to inform them of the result.

Finally, maintain a version history of group changes in a lightweight audit table or log file. Store the old comment, new comment, timestamp, and user identity. This history can be invaluable when diagnosing permission issues or tracing back configuration changes.

Listing All Local Groups on a Machine

Enumerating all groups present on a machine is essential for reporting, backup, or migration tasks. The NetLocalGroupEnum API provides a buffer containing a variable number of LOCALGROUP_INFO_1 structures. The wrapper below retrieves all groups and returns them as a list of LOCALGROUP_INFO_1 objects.

Prompt
public static List<LOCALGROUP_INFO_1> ListGroups(string server)</p> <p>{</p> <p> uint entriesRead;</p> <p> uint totalEntries;</p> <p> uint resumeHandle = 0;</p> <p> const uint level = 1;</p> <p> uint result = NetLocalGroupEnum(</p> <p> server,</p> <p> level,</p> <p> out bufferPtr,</p> <p> 0xFFFFFFFF,</p> <p> out entriesRead,</p> <p> out totalEntries,</p> <p> ref resumeHandle</p> <p> );</p> <p> if (result != 0 && result != 234) // 234 means more data</p> <p> {</p> <p> }</p> <p> var groups = new List<LOCALGROUP_INFO_1>(entriesRead);</p> <p> int structSize = Marshal.SizeOf(typeof(LOCALGROUP_INFO_1));</p> <p> for (int i = 0; i < entriesRead; i++)</p> <p> {</p> <p> IntPtr structPtr = new IntPtr(bufferPtr.ToInt64() + i * structSize);</p> <p> LOCALGROUP_INFO_1 info = (LOCALGROUP_INFO_1)Marshal.PtrToStructure(structPtr, typeof(LOCALGROUP_INFO_1));</p> <p> groups.Add(info);</p> <p> }</p> <p> return groups;</p> <p>}</p>

The NetLocalGroupEnum function supports pagination via the resumeHandle parameter. In many cases the single call will return all entries because the 0xFFFFFFFF buffer size tells the API to allocate enough memory. If the API returns error 234 (“More data”), you need to call it again with the new resumeHandle to retrieve the remaining groups.

After obtaining the list, you can present it in a DataGridView, ListView, or any other UI element. For example, you could bind the list to a BindingList<LOCALGROUP_INFO_1> so that any changes to the underlying collection automatically update the view. This approach is handy when building a dashboard that displays group statistics or a tree view that shows the hierarchy of local accounts.

When you need to export the group list, you can serialize the collection to JSON or XML. A typical JSON output might look like this:

Prompt
[</p> <p> { "name": "Administrators", "comment": "" },</p> <p> { "name": "Users", "comment": "" },</p> <p> { "name": "MarketingTeam", "comment": "Marketing staff" }</p> <p>]</p>

Exporting to CSV is also useful for spreadsheets or reporting tools. By including both the name and comment columns, you preserve the metadata that administrators rely on.

Tags

Suggest a Correction

Found an error or have a suggestion? Let us know and we'll review it.

Share this article

Comments (0)

Please sign in to leave a comment.

No comments yet. Be the first to comment!

Related Articles

Latest News