shellmap

groups

List the groups a user belongs to across all 5 shells

Equivalents in every shell

Bash (unix)
groups

With no args, prints the CURRENT user's groups (effective + supplementary). `groups alice` prints alice's groups. The first group listed is the primary group (login group, from `/etc/passwd` field 4); the rest are supplementary (from `/etc/group` lines that mention the user). `id -Gn` is the equivalent and slightly more script-friendly; its names are space-separated, and getting them newline-separated is hard (GNU `-Gn -z` delimits with NUL, not newlines), so use `-G` for numeric GIDs.

Zsh (unix)
groups

Identical Unix binary on Linux and macOS. macOS has an additional concept — the user can be in a "membership group" via Directory Services (Open Directory / Active Directory) — `dscl . -read /Users/alice GroupMembership` shows that side. For full effective group membership on macOS, `id -Gn alice` is the canonical answer.

Fish (unix)
groups

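Same external. Fish exposes the current user's primary GID as `(id -g)` and supplementary GIDs as `(id -G | string split " ")`. Common script: `if contains docker (groups | string split " "); ...; end` — tests whether the current user is in the `docker` group (no sudo needed to run docker). The `string split` is required because fish splits command substitution output on newlines only, and `groups` prints all names on one line.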

PowerShell (windows)
whoami /groups

Prints all groups the current Windows token includes — both AD groups and well-known SIDs (BUILTIN\Administrators, NT AUTHORITY\Authenticated Users, etc). Columns: Group Name, Type, SID, Attributes. Filter for just the names: `whoami /groups /fo csv | ConvertFrom-Csv | Select-Object -ExpandProperty "Group Name"`. For pure-.NET access: `[Security.Principal.WindowsIdentity]::GetCurrent().Groups`.

cmd.exe (windows)
whoami /groups

Same Windows builtin as pwsh — `whoami /groups` works identically. For a terser list: `whoami /groups /fo list | findstr /B "Group Name"`. To check membership in one specific group from a batch file: `net user %USERNAME% /domain` (domain) or `net localgroup Administrators` (local) — clunkier than the pwsh `[Security.Principal.WindowsPrincipal]::IsInRole()` test.

Worked examples

List groups for the current user

Bash
groups
Zsh
groups
Fish
groups
PowerShell
whoami /groups /fo csv | ConvertFrom-Csv
cmd.exe
whoami /groups

Test whether the user is in the `docker` group

Bash
groups | tr ' ' '\n' | grep -qx docker && echo yes
Fish
contains docker (groups | string split " "); and echo yes
PowerShell
(whoami /groups) -match "\\docker"
cmd.exe
whoami /groups | findstr /C:"docker"

List groups for another user

Bash
groups alice
Zsh
id -Gn alice
Fish
id -Gn alice
PowerShell
Get-LocalGroup | Where-Object { (Get-LocalGroupMember -Group $_).Name -like "*\alice" }
cmd.exe
net user alice

Gotchas

  • On Unix, `groups alice` shows the user's STATIC group membership (from `/etc/group`). But a running PROCESS may have a DIFFERENT effective group set — kernel-side credential changes via `setgroups(2)`, container namespaces, or PAM modules can add/remove groups at session start. To see what THIS shell's process actually has, `id -G` (current process credential) is authoritative; `groups alice` is "what alice WOULD have at next login".
  • Newly added group membership doesn't apply to existing sessions. After `usermod -aG docker alice`, `alice`'s currently-open shells still don't have `docker` in their group set — the kernel snapshotted the credentials at login. Fix: log out and back in, or `newgrp docker` (starts a new sub-shell with the added group), or for ssh-managed sessions `ssh -t alice@host` for a fresh login.
  • On Windows, `whoami /groups` includes special "deny-only" group SIDs when running with split tokens (UAC-elevated cmd vs non-elevated). The `BUILTIN\Administrators` group shows up as "Deny Only" in your non-elevated shell — meaning you ARE in that group, but the token-side deny-flag stops policy from honouring it until you elevate. Don't treat "in group" as "has access" on Windows without checking the deny flag.
  • macOS group system has TWO databases: `/etc/group` (Unix-traditional) and Directory Services. `groups alice` reads `/etc/group`; `dscl . -read /Users/alice GroupMembership` reads DS. Apps installed via package managers (Homebrew formulas that create their own group, e.g. `docker`, `dba`) might end up in only one — `id -Gn alice` reads both via the membership API, so prefer that on macOS.
  • In Linux containers, `groups` often shows just one group (the primary) because the container image's `/etc/group` doesn't list your user in any supplementary groups. Mounting the host's `/etc/group` doesn't fix it — the file is read at login, and most container entrypoints don't do PAM login. The clean fix: build the container with the right user / group setup, or use `--user $(id -u):$(id -g) --group-add $(getent group docker | cut -d: -f3)` on docker run (`id -g docker` would return the primary GID of a user named `docker`, not the GID of the `docker` group).
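
The first two gotchas can be checked from inside a session by comparing the process's own group set with what the group database would give the same user at the next login. This is an added example, not part of the original page; `diff_gids` and `session_group_drift` are hypothetical helper names, and the sample GIDs are constructed.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# diff_gids "<process GIDs>" "<database GIDs>"  (space-separated, as `id -G` prints)
#   stale:<gid>  database has it, this process does not (added after login)
#   extra:<gid>  this process has it, database does not (removed after login,
#                or granted via newgrp / setgroups(2) / --group-add)
diff_gids() {
    dg_proc=" $1 "
    dg_db=" $2 "
    for dg_g in $2; do
        case "$dg_proc" in *" $dg_g "*) ;; *) echo "stale:$dg_g" ;; esac
    done
    for dg_g in $1; do
        case "$dg_db" in *" $dg_g "*) ;; *) echo "extra:$dg_g" ;; esac
    done
}

# Live check: `id -G` reads this process's credentials; `id -G <user>` asks the
# group database what that user would get at the next login.
session_group_drift() {
    sgd_user=$(id -un 2>/dev/null) || {
        echo "uid $(id -u) has no passwd entry (common in containers)" >&2
        return 2
    }
    diff_gids "$(id -G)" "$(id -G "$sgd_user")"
}

# Constructed sample: session opened before `usermod -aG docker alice`,
# with docker's GID assumed to be 998.
echo "sample: $(diff_gids "1000 27" "1000 27 998")"

echo "this session:"
session_group_drift || true
```

An `extra:` line in a long-lived session is worth reviewing: it means the process still holds a group that has since been removed from the user's account.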

WSL & PowerShell Core notes

pwsh: No native cross-platform pwsh cmdlet for "my groups" — Windows pwsh has `Get-LocalUser` / `Get-LocalGroupMember`, Linux / macOS pwsh has nothing equivalent (groups are a Unix-specific kernel concept on those OSes). For portable code, shell out: `& id -Gn` on Unix pwsh; `whoami /groups` on Windows pwsh. A unified wrapper: `if ($IsWindows) { whoami /groups } else { id -Gn }` works since pwsh 6+.
WSL: WSL has its own `/etc/group` separate from Windows' group concept. `groups` inside WSL shows the WSL user's Linux groups (typically `<user> adm dialout cdrom sudo dip plugdev` on Ubuntu). It does NOT reflect Windows AD group membership. For Windows-side groups from inside WSL, `whoami.exe /groups` works directly. If your tooling cares about cross-side group equivalence (e.g., grant docker socket access to the WSL user but use Windows AD for identity), you need to map them manually — they're separate systems.
