Thomas N (United States) asked:
I need to remove user group from local admin on workstations

One of our techs accidentally added domain users to the local admin group on there image. Now we have 1000's of machines with domain users in the local admin group. Can someone tell me how to automate a way to remove them? Is there a GPO or VB Script I can use? Thanks
ASKER CERTIFIED SOLUTION
johnb6767
Thomas N (ASKER):
Thanks Johnb6767. So I would just put that in a notepad, rename the file to .vbs and add it to the machine startup script in group policies?
SOLUTION
It is Batch, not DOS. I'm sorry, I don't do VB Scripting......
Copy the following to notepad, and save it as RemoveAdmin.bat (or whatever.bat).
Test it on a machine. Can even do it as the logged in user, since they have the rights to do it now. If the group is not found it exits.

@echo off
REM find sets errorlevel 1 when "Domain Users" is not listed in the group, so nothing is removed
net localgroup administrators | find /i "Domain Users"
if not %errorlevel%==0 goto end
net localgroup Administrators "Domain Users" /delete
REM remove the following shutdown command if you don't want it to reboot.... If done in a Machine
REM Startup script, it is way before login, so it is not needed....
shutdown -f -r -t 20

:end
exit

OK, I will give it a shot and let you know how it goes. Thanks
Yes, that will work too.  However, the first WILL work as a .VBS if you want to add it as a GP login script.  This way it is more central and transparent to the users.  

Either way, John has hooked you up.

I have something similar in my login GP and it works fine.

HTH
Yes, you can use Restricted Groups functionality in GPO to remove the unwanted users/groups from the group. You can also do the other way to guarantee that a domain group is member of a local group.

Create a GPO and browse down to 'Computer Configuration\Windows Settings\Security Settings\Restricted Groups'
Right-click and choose 'Add Group'
Enter Administrators and click Ok
In the 'Members of this group' section, click Add
Add 'Administrator' and 'DomainName\Domain Admins'

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
MightySW: I want to use it as a GP startup script since we have so many machines to hit. Do I just need to copy that one line "net localgroup Administrators "Domain Users" /delete" to a notepad, save it as a .vbs, then add it in GPO?
henjoh09: I want to remove a user group, not add a user group. Is there some way to do it with the method you're discussing? It seems easier your way.
Yes, that is exactly what you do.

Also, save it under the netlogon share so you can keep track of where it is and that others have total access to it.  

Verify that it works on your workstation by adding a bogus group and then running the script on your local machine.

The disadvantage to doing it this way is that you have no idea what machines you have hit.  If you come in and turn all machines off over a weekend or something, then you are pretty much guaranteed to get that local group out of there when any user logs in.  It will take some time but you will eventually get them all.

HTH
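An added example (not from the original thread or any poster) that addresses two points above: the batch script's `find /i "Domain Users"` matches any line containing that text, and, as noted, a startup script gives no record of which machines it has hit. The script parses the `net localgroup Administrators` output the batch pipes into `find`, matches the group by its whole name, and appends one line per host to a log file (a UNC path on a share is assumed; the CORP domain and sample output are constructed).

```python
import socket
import subprocess
from datetime import datetime, timezone

# Constructed sample of `net localgroup Administrators` output (CORP is a placeholder domain).
SAMPLE_OUTPUT = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\Domain Users
CORP\\jsmith
The command completed successfully.
"""

def parse_members(output):
    """Return the member names listed after the dashed rule."""
    members, in_members = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("----"):
            in_members = True
        elif in_members and line and not line.startswith("The command"):
            members.append(line)
    return members

def has_member(members, wanted):
    """Whole-name, case-insensitive match ('Domain Users' also matches 'CORP\\Domain Users');
    unlike `find /i`, a longer name such as 'CORP\\Domain Users-Helpdesk' does not match."""
    w = wanted.lower()
    return any(m.lower() == w or ("\\" not in w and m.lower().rsplit("\\", 1)[-1] == w)
               for m in members)

def audit_and_remove(wanted, log_path, dry_run=True):
    """Check local Administrators, remove `wanted` unless dry_run, and append
    one line per host to log_path (use a UNC path to see which machines were hit)."""
    out = subprocess.run(["net", "localgroup", "Administrators"],
                         capture_output=True, text=True).stdout
    action = "absent"
    if has_member(parse_members(out), wanted):
        action = "would-remove" if dry_run else "removed"
        if not dry_run:
            subprocess.run(["net", "localgroup", "Administrators", wanted, "/delete"], check=True)
    line = f"{datetime.now(timezone.utc).isoformat()} {socket.gethostname()} {wanted} {action}"
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return line
```

Run it first with `dry_run=True` from a test OU and read the log before switching to removal; the parser assumes English `net` output, so check the dashed rule and trailing status line on machines with another system locale.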
Tom, you are adding a group to be 'restricted'; you are not adding a group for permissions.
Ah, OK. That makes sense; sorry, I missed that. I will give it a try in our test OU and get back to you guys. Thanks for your help so far.
With the restricted groups method, you'll remove all other groups than those that shall be kept when using 'members of this group'.

You have two methods of restricted groups feature
* 'Member of this group' = replace all members of the group.
* 'This group is a member of' = append/add the group as member to the specified groups.

Also see the blog link I posted for more details.
I can't use the restricted users because I have machines out there where we give individual users added as admins on their machines. From what I read about it, restricted groups removes everyone but the group I put in there.

I tried running the script that johnb6767 created as a .bat startup script through GPO. It worked, but I think it worked too well: it removed everyone from the administrator group except for administrator. What could I have possibly done wrong? When I ran the script on the local machine it worked perfectly.
How many groups are present on the local machines?
Never mind, I logged in as a local admin and added myself back, logged in again and all the accounts came back. I then tested it out again by rebooting and it removed the domain users flawlessly. I am continuing to test.
Yes, it should just remove that one group as John suggested in the bat file to look for existing groups.
That is exactly what Henjoh posted.
Glad it worked out..... Have a great day!