bsharath

Remove all users from the Administrator group and add to Users group.

Hi,
Remove all users from the Administrator group and add to Users group.
Script that can remove the administrator group users and add them to Users Groups.

With a script run on a set of computers whose names are in a txt file.

Need a log that can show data as this

Machine name , Administrator group (Domain Admins,Sharath,Paul,French) Users group (Sharath,Paul,French)

So I know all success and failures.

Regards
Sharath

RobSampson

Hi Sharath, see if this works, just test with one computer name in the file.

Change this line so that it includes members that you actually want to leave in the Administrators group:
            arrDefaultUsers = Array(strUserDomain & "/Domain Admins", strUserComputer & "/Administrator")

Regards,

Rob.
'Change_Local_Admin_Members_To_Power_Users.vbs
Set wshNetwork = WScript.CreateObject("WScript.Network")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Const intForReading = 1
 
strFile = "computers.txt"
Set objFile = objFSO.OpenTextFile(strFile, intForReading, False)
 
strResultsFile = "results.txt"
 
strUserDomain = wshNetwork.UserDomain
 
' Get the group that we are controlling
strGroupToCheck = "Administrators"
strGroupToAddTo = "Users"
 
While Not objFile.AtEndOfStream
	'strUserComputer = wshNetwork.ComputerName
	strUserComputer = objFile.ReadLine
	
	If Ping(strComputer) = True Then
		Set objAdmins = GetObject("WinNT://" & strUserComputer & "/" & strGroupToCheck)
		Set objGroup1 = GetObject("WinNT://" & strUserComputer & "/" & strGroupToAddTo)
		
		' Define the user groups or accounts that are required to be left in the Administrators group
		arrDefaultUsers = Array(strUserDomain & "/Domain Admins", strUserComputer & "/Administrator")
		
		' Make sure the DefaultUsers exist in the group
		For intCount = LBound(arrDefaultUsers) To UBound(arrDefaultUsers)
			' Check for the accounts membership in strGroupToCheck
			Set objWinntUser = GetObject("WinNT://" & arrDefaultUsers(intCount))
			If Err.Number = 0 Then
				On Error GoTo 0
				If IsMemberOfGroup(strUserComputer, objWinntUser, strGroupToCheck) = False Then
					objAdmins.Add(objWinntUser.ADsPath)
					'MsgBox strUserDomain & "/" & strUserName & " was added to the " & strGroupToCheck & " group."
				'Else
					'MsgBox strUserDomain & "/" & strUserName & " is already a member of the " & strGroupToCheck & " group."
				End If
			Else
				MsgBox arrDefaultUsers(intCount) & " could not be found."
				Err.Clear
				On Error GoTo 0
			End If
		Next
		
		' Now check remaining users in the Administrators group
		For Each objMember In objAdmins.Members
			' Get the proper account name
			If InStr(objMember.ADsPath, strUserComputer) > 0 Then
				strAccountName = Replace(objMember.ADsPath, "WinNT://" & strUserDomain & "/", "")
			Else
				strAccountName = Replace(objMember.ADsPath, "WinNT://", "")
			End If
			
			' Check if they "should" be there or not
			boolValidMember = False
			For intCount = LBound(arrDefaultUsers) To UBound(arrDefaultUsers)
				If LCase(strAccountName) = LCase(arrDefaultUsers(intCount)) Then boolValidMember = True
			Next
		
			' If the account is not a required account, then move them to another group
			If boolValidMember = False Then
				objAdmins.Remove(objMember.AdsPath)
				objGroup1.Add(objMember.ADsPath)
			End If
		Next
		
		strAdminMembers = ""
		For Each objMember In objAdmins.Members
			If strAdminMembers = "" Then
				strAdminMembers = objMember.Name
			Else
				strAdminMembers = strAdminMembers & ", " & objMember.Name
			End If
		Next
		
		strGroup1Members = ""
		For Each objMember In objGroup1.Members
			If strGroup1Members = "" Then
				strGroup1Members = objMember.Name
			Else
				strGroup1Members = strGroup1Members & ", " & objMember.Name
			End If
		Next
	
		strResults = strResults & VbCrLf & "Computer: " & strUserComputer & VbCrLf & _
			"Admin members: " & strAdminMembers & VbCrLf & _
			"User members: " & strGroup1Members
	End If
Wend
objFile.Close
 
Set objResults = objFSO.CreateTextFile(strResultsFile, True)
objResults.Write strResults
objResults.Close
 
MsgBox "Done"
 
Function IsMemberOfGroup(strUserDomain, objUser, strGroup) 'the user is a member of a specified group
	IsMemberOfGroup = False
	Dim objGroup
	On Error Resume Next
	Set objGroup = GetObject("WinNT://" & strUserDomain & "/" & strGroup & ",group")
	If Err.Number Then
		IsMemberOfGroup = "Error"
	Else
		IsMemberOfGroup = objGroup.IsMember(objUser.ADsPath)
		'MsgBox objUser.ADsPath
	End If
End Function
 
Function Ping(strComputer)
	Dim objShell, boolCode
	Set objShell = CreateObject("WScript.Shell")
	boolCode = objShell.Run("Ping -n 1 -w 300 " & strComputer, 0, True)
	If boolCode = 0 Then
		Ping = True
	Else
		Ping = False
	End If
End Function

bsharath (ASKER)

Hi Rob, thank you.... Out of network now... Shall check in some time....
Mailed you an info, can you please have a look...

Hi, what you need to change is this:
strGroupToCheck = "Administrators"
strGroupToAddTo = "Users"

so that
strGroupToCheck     - is the local Administrators group that you are moving users out of.
strGroupToAddTo     - is the local group that you want to move non-admins to

You also need to change this:
arrDefaultUsers = Array(strUserDomain & "/Domain Admins", strUserComputer & "/Administrator")

so the users listed there are *kept* in the strGroupToCheck that you specified.  As an example, the above leaves
YOURDOMAIN\Domain Admins
LOCALPC\Administrator

in the group, but moves all others out.

The results.txt file should then tell you the members of both groups from that computer....

Regards,

Rob.

Rob, I did not change anything in the script.

As I want all users from Administrator to be removed and add the user to users.

Sorry, I guess I did not follow your last comment.

Well I guess you don't really want to remove *all* people from the group, because that will remove Domain Admins too....I would leave at least Domain Admins and the local Administrator in there...

Regards,

Rob.

Yes, I need to leave them in there. Just want to move
Domain\users

What should I change in the script? All looks the same as you mentioned here: "ID: 23666779"

In that case it should work as is.  All you should need is one computer name in computers.txt that it reads, and make sure you have admin rights on that machine, and it should work....

Regards,

Rob.

Rob, I get the done box but no results are populated...

Oh no! I had a variable name wrong! Sorry!

This line:
      If Ping(strComputer) = True Then

should have been
      If Ping(strUserComputer) = True Then


Regards,

Rob.
'Change_Local_Admin_Members_To_Power_Users.vbs
Set wshNetwork = WScript.CreateObject("WScript.Network")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Const intForReading = 1
 
strFile = "computers.txt"
Set objFile = objFSO.OpenTextFile(strFile, intForReading, False)
 
strResultsFile = "results.txt"
 
strUserDomain = wshNetwork.UserDomain
 
' Get the group that we are controlling
strGroupToCheck = "Administrators"
strGroupToAddTo = "Users"
 
While Not objFile.AtEndOfStream
	'strUserComputer = wshNetwork.ComputerName
	strUserComputer = objFile.ReadLine
	
	If Ping(strUserComputer) = True Then
		Set objAdmins = GetObject("WinNT://" & strUserComputer & "/" & strGroupToCheck)
		Set objGroup1 = GetObject("WinNT://" & strUserComputer & "/" & strGroupToAddTo)
		
		' Define the user groups or accounts that are required to be left in the Administrators group
		arrDefaultUsers = Array(strUserDomain & "/Domain Admins", strUserComputer & "/Administrator")
		
		' Make sure the DefaultUsers exist in the group
		For intCount = LBound(arrDefaultUsers) To UBound(arrDefaultUsers)
			' Check for the accounts membership in strGroupToCheck
			Set objWinntUser = GetObject("WinNT://" & arrDefaultUsers(intCount))
			If Err.Number = 0 Then
				On Error GoTo 0
				If IsMemberOfGroup(strUserComputer, objWinntUser, strGroupToCheck) = False Then
					objAdmins.Add(objWinntUser.ADsPath)
					'MsgBox strUserDomain & "/" & strUserName & " was added to the " & strGroupToCheck & " group."
				'Else
					'MsgBox strUserDomain & "/" & strUserName & " is already a member of the " & strGroupToCheck & " group."
				End If
			Else
				MsgBox arrDefaultUsers(intCount) & " could not be found."
				Err.Clear
				On Error GoTo 0
			End If
		Next
		
		' Now check remaining users in the Administrators group
		For Each objMember In objAdmins.Members
			' Get the proper account name
			If InStr(objMember.ADsPath, strUserComputer) > 0 Then
				strAccountName = Replace(objMember.ADsPath, "WinNT://" & strUserDomain & "/", "")
			Else
				strAccountName = Replace(objMember.ADsPath, "WinNT://", "")
			End If
			
			' Check if they "should" be there or not
			boolValidMember = False
			For intCount = LBound(arrDefaultUsers) To UBound(arrDefaultUsers)
				If LCase(strAccountName) = LCase(arrDefaultUsers(intCount)) Then boolValidMember = True
			Next
		
			' If the account is not a required account, then move them to another group
			If boolValidMember = False Then
				objAdmins.Remove(objMember.AdsPath)
				objGroup1.Add(objMember.ADsPath)
			End If
		Next
		
		strAdminMembers = ""
		For Each objMember In objAdmins.Members
			If strAdminMembers = "" Then
				strAdminMembers = objMember.Name
			Else
				strAdminMembers = strAdminMembers & ", " & objMember.Name
			End If
		Next
		
		strGroup1Members = ""
		For Each objMember In objGroup1.Members
			If strGroup1Members = "" Then
				strGroup1Members = objMember.Name
			Else
				strGroup1Members = strGroup1Members & ", " & objMember.Name
			End If
		Next
	
		strResults = strResults & VbCrLf & "Computer: " & strUserComputer & VbCrLf & _
			"Admin members: " & strAdminMembers & VbCrLf & _
			"User members: " & strGroup1Members
	End If
Wend
objFile.Close
 
Set objResults = objFSO.CreateTextFile(strResultsFile, True)
objResults.Write strResults
objResults.Close
 
MsgBox "Done"
 
Function IsMemberOfGroup(strUserDomain, objUser, strGroup) 'the user is a member of a specified group
	IsMemberOfGroup = False
	Dim objGroup
	On Error Resume Next
	Set objGroup = GetObject("WinNT://" & strUserDomain & "/" & strGroup & ",group")
	If Err.Number Then
		IsMemberOfGroup = "Error"
	Else
		IsMemberOfGroup = objGroup.IsMember(objUser.ADsPath)
		'MsgBox objUser.ADsPath
	End If
End Function
 
Function Ping(strComputer)
	Dim objShell, boolCode
	Set objShell = CreateObject("WScript.Shell")
	boolCode = objShell.Run("Ping -n 1 -w 300 " & strComputer, 0, True)
	If boolCode = 0 Then
		Ping = True
	Else
		Ping = False
	End If
End Function

Rob, I get this

---------------------------
Windows Script Host
---------------------------
Script:      C:\Remove users from admin and add to users.vbs
Line:      65
Char:      5
Error:      The specified account name is already a member of the local group.
Code:      80070562
Source:       (null)

---------------------------
OK  
---------------------------
Any help, Rob?
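
An added example, not part of the thread: counting from the top of the corrected script as posted, line 65 is `objGroup1.Add(objMember.ADsPath)`, which raises 80070562 when the account is already in the target group, and by then the preceding line has already removed it from Administrators. The sketch below checks membership first, adds before removing, and returns one result line per account; `MoveMember`, `IsKept` and the `PC-PLACEHOLDER` computer name are assumptions, and the keep-list is simplified to match on account name only.

```vbscript
' Added example, not the thread's script. MoveMember, IsKept and
' PC-PLACEHOLDER are illustrative names (assumptions).
Option Explicit
Const ERR_ALREADY_MEMBER = &H80070562   ' code shown in the error dialog

Dim strComputer, objAdmins, objUsers, objMember, dicPaths, strPath
strComputer = "PC-PLACEHOLDER"          ' one name from computers.txt
Set objAdmins = GetObject("WinNT://" & strComputer & "/Administrators,group")
Set objUsers = GetObject("WinNT://" & strComputer & "/Users,group")

' Snapshot the paths first so the group is not changed while enumerated.
Set dicPaths = CreateObject("Scripting.Dictionary")
For Each objMember In objAdmins.Members
	If Not IsKept(objMember.Name) Then dicPaths(objMember.ADsPath) = True
Next
For Each strPath In dicPaths.Keys
	WScript.Echo strComputer & ", " & MoveMember(objAdmins, objUsers, strPath)
Next

' Simplified keep-list: matches on account name only.
Function IsKept(strName)
	IsKept = (LCase(strName) = "domain admins" Or LCase(strName) = "administrator")
End Function

' Adds to objTo first, then removes from objFrom; returns a log line.
Function MoveMember(objFrom, objTo, strADsPath)
	On Error Resume Next
	If Not objTo.IsMember(strADsPath) Then
		objTo.Add strADsPath
		' Tolerate 80070562 in case membership changed after the check.
		If Err.Number <> 0 And Err.Number <> ERR_ALREADY_MEMBER Then
			MoveMember = "FAILED add (" & Hex(Err.Number) & "): " & strADsPath
			Exit Function
		End If
		Err.Clear
	End If
	' Only now drop the admin membership.
	objFrom.Remove strADsPath
	If Err.Number <> 0 Then
		MoveMember = "FAILED remove (" & Hex(Err.Number) & "): " & strADsPath
	Else
		MoveMember = "OK moved: " & strADsPath
	End If
End Function
```

Run it with cscript.exe so each result is printed as a line rather than shown in a message box.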