0X000008AC

Fix 0X000008AC: NERR_GroupNotFound on Windows

Windows Errors Intermediate 👁 0 views 📅 Jun 8, 2026

This error means Windows can't find a local or domain group you're trying to use. The fix is usually in group creation or permission sync.

Cause #1: The group was deleted or never created

What's actually happening here is that your system — or a script, or Group Policy — is trying to reference a local or domain group that doesn't exist on that machine. The most common scenario: you're joining a machine to a domain, and the domain group Domain Admins hasn't been added to the local Administrators group yet. Or an application install script expects a group like AppUsers that got removed during a cleanup.

The error 0X000008AC maps to NERR_GroupNotFound in the NetAPI error table. When you call NetLocalGroupAddMembers or NetGroupAddUser under the hood, Windows checks if the target group exists first. If it doesn't, you get this exact code.

How to fix it

  1. Open an elevated Command Prompt (Run as Administrator).
  2. Check if the group exists:
    net localgroup "GroupName"
    Replace GroupName with whatever you're trying to use. If you get The specified local group does not exist, that's your problem.
  3. Create the missing group:
    net localgroup "GroupName" /add
  4. If it's a domain group, run this from a domain-joined machine with Domain Admin privileges:
    net group "GroupName" /add /domain
  5. Then retry whatever operation threw the error.

The reason step 3 works: you're literally creating the group that the system expects to find. No group, no membership — error every time.

Cause #2: Domain trust or LDAP lookup failure

This one's trickier. You're on a domain-joined machine, the group does exist in Active Directory, but Windows can't resolve it. This happens when:

  • The machine lost its domain trust relationship (classic This trust relationship between this workstation and the primary domain failed scenario).
  • The Domain Controller is unreachable — VPN down, DNS misconfigured, or firewall blocking LDAP (port 389).
  • You're offline and the group is in a different domain that requires a network lookup.

I've seen this exact error in Windows Server 2019 during a cross-forest migration where a script tried to add a group from the old domain to a local group, but the trust was broken.

How to fix it

  1. Test domain connectivity:
    nltest /dsgetdc:yourdomain.com
    If this fails, your machine can't contact a Domain Controller.
  2. Verify DNS resolves the domain:
    nslookup yourdomain.com
    Look for a valid DC IP address. If you get Non-existent domain, your DNS is pointing to the wrong server.
  3. If trust is broken, rejoin the domain:
    Reset-ComputerMachinePassword -Server "DC01" -Credential (Get-Credential)
    Then reboot.
  4. If you're offline (laptop on a plane, for example), the group won't resolve. You'll need to add the group locally or wait until you reconnect.

This fix works because the error isn't about the group existing — it's about the system's inability to see it. Fix the connectivity, and the group suddenly becomes visible.

Cause #3: Wrong group type or scope mismatch

Here's a subtle one that trips up sysadmins regularly. You're trying to add a domain global group to a local group, but the domain group is actually a universal group, or vice versa. Or you're passing a group name that includes a domain prefix that doesn't match.

The Windows API underlying this error (NetLocalGroupAddMembers) expects the group name in a specific format. If you pass MYDOMAIN\Domain Admins but the group is stored as Domain Admins (without the domain), the lookup can fail if the security provider can't resolve the full DN.

How to fix it

  1. Check the exact group name in Active Directory Users and Computers (dsa.msc). Look at the Pre-Windows 2000 name — that's what Windows uses internally.
  2. Match the scope: local groups can only contain domain global groups and user accounts, not universal groups (unless they're from the same forest). Use Active Directory Users and Computers to confirm the group type.
  3. Try adding the group using its Security Identifier (SID) instead of the name:
    net localgroup Administrators /add S-1-5-21-123456789-1234567890-1234567890-1234
    If that works, your group name format was the problem.
  4. If you're using a script or Group Policy, make sure you're not accidentally adding extra spaces or quotes around the group name.

The reason using a SID works: SIDs are immutable and machine-readable. Names can have encoding issues, domain prefixes, or translation failures. SIDs bypass all that.

Quick-reference summary

Cause Most likely when Fix
Group doesn't exist After cleanup, fresh install, or broken script Create the group with net localgroup /add
Domain trust/connectivity lost Offline, VPN down, trust broken, DNS wrong Fix DNS, rejoin domain, or reconnect
Wrong group scope or name format Cross-domain or script-driven setup Verify group type, use SID, or fix name

Was this solution helpful?

0X000008AC NERR_GroupNotFound Windows group not found local group missing domain group missing network error 0X000008AC group management error Windows Server group error fix group not found group name could not be found