Fix 0X000008BC: User Already in Group Error

Windows Errors | Beginner | Jun 8, 2026

This error means Windows already sees the user in that group. The fix is removing them first, then re-adding, or using the right tool.

The 30-Second Fix: Remove Then Re-Add

You ran net localgroup Administrators UserName /add and got 0X000008BC, also known as NERR_UserInGroup (error code 2220). What's happening here is the user account is already a member of the target group—Windows just can't tell you that in a helpful way. The simplest fix is to remove the user from the group first, then add them back.

  1. Open a Command Prompt as Administrator (right-click Start > Command Prompt (Admin) or Windows Terminal (Admin)).
  2. Remove the user: net localgroup Administrators UserName /delete
  3. Re-add the user: net localgroup Administrators UserName /add
  4. Check membership: net localgroup Administrators

This forces Windows to rebuild the membership entry from scratch. The reason step 2 works is that net localgroup stores membership in the SAM registry hive. When it tries to add a user that already has a pointer, it throws the duplicate error. Deleting clears that pointer, and the add creates a fresh one.

If the user wasn't actually in the group before your attempt, the delete command will say "The user could not be found." That's fine—just run the add command after.

The 5-Minute Fix: Check Nested Groups and Domain Membership

If the 30-second fix didn't work (or you get the error even after deleting), the problem is likely hidden membership. The user might belong to the group through a nested group, or through a domain group that's been added to a local group.

Check for Nested Group Membership

On a domain-joined machine, local groups can contain domain groups. If Domain Users is a member of Administrators, and your user is in Domain Users, Windows sees your user as an indirect member. The net localgroup command can't add a user that's already indirectly a member—it's a design limitation.

net localgroup Administrators

Look for entries like DOMAIN\Domain Users or DOMAIN\SomeGroup. If you see a domain group that contains the user, you have two options:

  • Option A: Remove the domain group from the local group: net localgroup Administrators DOMAIN\SomeGroup /delete
  • Option B: Don't add the user directly. Instead, modify the domain group membership using Active Directory Users and Computers (ADUC) on a domain controller.
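
To see which path applies before choosing Option A or B, the following added example (not part of the original article) reports whether a domain user reaches a local group directly or through a nested domain group. It assumes a domain-joined machine with the RSAT ActiveDirectory module installed; the function name Get-LocalGroupPath is hypothetical, and Administrators and UserName are the article's placeholders.

```powershell
# Added example, not from the original article. Assumes a domain-joined host
# with the RSAT ActiveDirectory module; Get-LocalGroupPath is a made-up name.
Import-Module ActiveDirectory

function Get-LocalGroupPath {
    param(
        [Parameter(Mandatory)] [string] $LocalGroup,
        [Parameter(Mandatory)] [string] $SamAccountName
    )
    # Compare by SID so renamed accounts and display-name differences do not matter.
    $userSid = (Get-ADUser -Identity $SamAccountName).SID.Value

    foreach ($m in Get-LocalGroupMember -Group $LocalGroup) {
        $sid = $m.SID.Value
        if ($sid -eq $userSid) {
            [pscustomobject]@{ Path = 'Direct'; Via = $m.Name }
            continue
        }
        # Only domain principals can carry nested domain membership.
        if ($m.PrincipalSource -ne 'ActiveDirectory') { continue }

        # Returns nothing when the SID belongs to a user or computer, not a group.
        $adGroup = Get-ADGroup -Filter "SID -eq '$sid'"
        if (-not $adGroup) { continue }

        # -Recursive flattens nested domain groups down to their members.
        $hit = Get-ADGroupMember -Identity $adGroup -Recursive |
            Where-Object { $_.SID.Value -eq $userSid }
        if ($hit) { [pscustomobject]@{ Path = 'Nested'; Via = $m.Name } }
    }
}

Get-LocalGroupPath -LocalGroup 'Administrators' -SamAccountName 'UserName'
```

Each output row names the entry in the local group that grants the membership, which is the entry Option A would remove or the domain group Option B would edit.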

Use the Correct Tool for Domain Users

If you're trying to add a domain user to a domain group (not a local group), you should be using Active Directory Users and Computers (dsa.msc) or PowerShell with the Active Directory module, not net localgroup. That command is strictly for local SAM groups. Trying to add a domain user to a domain group with net localgroup will give you 0X000008BC because the user is already in that group in AD, but the command is confused about which group you mean.

# PowerShell with AD module — add domain user to domain group
Add-ADGroupMember -Identity "Domain Admins" -Members "UserName"

The 15+ Minute Fix: Force the SAM Registry Key

This is for the rare case where the SAM database has a corrupted membership entry. You've tried remove/re-add, checked nesting, and the user still can't be added. What's actually happening here is the SAM hive has a dangling reference—the user's SID is recorded as being in the group, but the membership link is broken. The net localgroup tools can't fix this because they operate on the logical layer.

Disclaimer: Messing with the SAM registry hive can break user authentication. Back up the SAM hive first. Only do this if you're comfortable with registry editing and you've exhausted all other options.

  1. Open regedit.exe as Administrator.
  2. Navigate to: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Groups\Names\[GroupName]
  3. Under that key, you'll see subkeys for each member. Look for the user's SID (not username). If it's there, delete the key.
  4. Close regedit and reboot.
  5. Run net localgroup GroupName UserName /add again.

The reason step 3 works is that the SAM database stores memberships as a binary blob under the group's key. Deleting the user's SID subkey clears the broken reference, and the add command recreates it cleanly. This is a nuclear option—I've only needed it twice in 15 years of Windows admin work.

When to Give Up and Use PowerShell

If none of the above works, the issue could be a permissions problem on the SAM hive itself, or a corrupt user profile. In that case, use the Local Users and Groups MMC snap-in (lusrmgr.msc) or PowerShell:

# Add local user to local group via PowerShell
Add-LocalGroupMember -Group "Administrators" -Member "UserName"

If even PowerShell fails with "Member already exists," then the user profile is likely corrupted. Create a new local user account and migrate data. That's a separate topic, but the error 0X000008BC is your clue that the SAM database is holding onto a ghost membership.
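
For scripted use, the "already a member" outcome can be handled as a state instead of an error. This added example (not part of the original article) wraps Add-LocalGroupMember so an existing membership is reported without a remove and re-add, and it lists any SIDs that actually appeared in the group. The function name Add-LocalGroupMemberIfMissing is hypothetical; Administrators and UserName are the article's placeholders.

```powershell
# Added example, not from the original article: idempotent add to a local group.
# Run from an elevated 64-bit PowerShell session.
function Add-LocalGroupMemberIfMissing {
    param(
        [Parameter(Mandatory)] [string] $Group,
        [Parameter(Mandatory)] [string] $Member
    )
    # Snapshot direct members first so any change to a privileged group is visible.
    $before = @(Get-LocalGroupMember -Group $Group | ForEach-Object { $_.SID.Value })

    try {
        Add-LocalGroupMember -Group $Group -Member $Member -ErrorAction Stop
        $result = 'Added'
    }
    catch {
        # The cmdlet reports an existing member with a 'MemberExists' error id.
        if ($_.FullyQualifiedErrorId -like 'MemberExists*') { $result = 'AlreadyMember' }
        else { throw }   # anything else (access denied, unknown principal) is a real failure
    }

    $after = @(Get-LocalGroupMember -Group $Group | ForEach-Object { $_.SID.Value })

    [pscustomobject]@{
        Group   = $Group
        Member  = $Member
        Result  = $result
        NewSids = @($after | Where-Object { $_ -notin $before })
    }
}

Add-LocalGroupMemberIfMissing -Group 'Administrators' -Member 'UserName'
```

NewSids is empty when Result is AlreadyMember, so a non-empty list is a record of exactly what the call changed.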

Bottom line: 90% of the time, the 30-second fix works. For domain environments, check nested groups. For corruption, you know the nuclear option.
