daxa78

asked on

Remove local administrator privileges on multiple computers.

Hello, here is the scenario.
We have recently gotten a new client but it seems like the IT-company that was there first allowed all the local users to set their user account as local administrator so that it was easier to install software on the computers.

This has become a problem and we were wondering if it was possible to automate the process of removing the users as local administrator by using GP or a script?

Thank you so much.
Edmond Hawila

http://www.windows-commandline.com/2009/04/remove-user-from-group-using-command.html

This should do it from a login script. Not sure if the %username% variable could work with this and if it is possible to remove yourself from the admin group...

Do some tests and let me know :)
I would think that a login script containing the net localgroup directive
would help here.

The syntax of this command is:


NET LOCALGROUP [groupname [/COMMENT:"text"]] [/DOMAIN]
              groupname {/ADD [/COMMENT:"text"] | /DELETE}  [/DOMAIN]
              groupname name [...] {/ADD | /DELETE} [/DOMAIN]

As an example, what I've added in the past to "add" certain users and groups
to another group:

net localgroup administrators "mydomainname\Domain Admins" /ADD
:end

This should be just as easy to run to remove someone:

net localgroup administrators "mydomainname\Domain Users" /delete
:end
If you are a user having admin power and if you don't need any other user account, simply right-click My Computer, click Manage, locate Local Users and Groups, and remove whatever you don't need...

Why would you need a script or VB file....

http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html


Here is a script that I wrote to remove all users, except for the local administrator and domain admins, from the administrators group
--------------------------------------------------------------------------------------------------------------------

' computer name or ip address
sNode = "Computer Name"

' suppress errors
On Error Resume Next

' group name to remove user from
Set oGroupAdm = GetObject("WinNT://" & sNode & "/Administrators")

' loop through all members of the Administrators group
For Each oAdmGrpUser In oGroupAdm.Members

    ' get the name and make it lowercase
    sAdmGrpUser = LCase(oAdmGrpUser.Name)

    ' Leave administrator and Domain Admins alone
    ' use lowercase letters in the names in the If statement!
    If (sAdmGrpUser <> "administrator") And (sAdmGrpUser <> "domain admins") Then
        MsgBox oAdmGrpUser.Name
        ' remove users from Administrators group
        oGroupAdm.Remove oAdmGrpUser.ADsPath
    End If
Next
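
The same allow-list idea as the VBScript above, as an added PowerShell example that is not from any poster in this thread. It assumes Windows PowerShell 5.1 with the built-in LocalAccounts cmdlets and is run locally on each machine (for instance as a startup script); the names `-Enforce`, `-KeepSid` and `Test-KeepMember` are hypothetical. It matches on SIDs rather than names, so it also works on localized Windows, and it only reports what it would remove unless `-Enforce` is given.

```powershell
#Requires -RunAsAdministrator
# Added example: prune the local Administrators group down to an allow-list.
param(
    [switch]$Enforce,            # hypothetical switch: without it, removals are simulated (-WhatIf)
    [string[]]$KeepSid = @()     # hypothetical: extra SIDs to keep, e.g. a helpdesk group
)

# Well-known SID of BUILTIN\Administrators; independent of the OS display language.
$AdminGroupSid = 'S-1-5-32-544'

function Test-KeepMember {
    param([Parameter(Mandatory)][string]$Sid, [string[]]$Extra = @())
    # RID 500 = built-in Administrator account, RID 512 = Domain Admins:
    # the same two principals the VBScript above leaves alone.
    if ($Sid -match '^S-1-5-21-\d+-\d+-\d+-(500|512)$') { return $true }
    return $Extra -contains $Sid
}

try {
    $members = Get-LocalGroupMember -SID $AdminGroupSid -ErrorAction Stop
} catch {
    Write-Error "Could not enumerate Administrators on ${env:COMPUTERNAME}: $_"
    exit 1
}

$removed = 0
foreach ($m in $members) {
    $sid = $m.SID.Value
    if (Test-KeepMember -Sid $sid -Extra $KeepSid) {
        Write-Output "KEEP   $($m.Name) [$sid]"
        continue
    }
    Write-Output "REMOVE $($m.Name) [$sid] ($($m.ObjectClass), $($m.PrincipalSource))"
    # -WhatIf stays on unless -Enforce was passed, so a first run is a dry run.
    Remove-LocalGroupMember -SID $AdminGroupSid -Member $m -WhatIf:(-not $Enforce)
    $removed++
}

$mode = if ($Enforce) { 'removed' } else { 'would remove' }
Write-Output "${env:COMPUTERNAME}: $mode $removed of $($members.Count) member(s)"
```

Reviewing the dry-run output from a few machines before adding `-Enforce` shows which service or support accounts need to go into `-KeepSid`.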
ASKER CERTIFIED SOLUTION
bluntTony
This solution is only available to members.
daxa78

ASKER

bluntTony:
This doesn't remove the users currently in local administrators. It just adds whichever users I add to 'Members of this group'
daxa78

ASKER

Thanks for the great input guys.

Happy Christmas