How to remove domain group from LOCAL power users group in MS Server 2003 Environment

Posted on 2005-04-20
Last Modified: 2013-12-04
I'm coming into an environment where folks are part of a domain group 'staff' that at some point had been added to the local power users group on the windows 2K/XP client machines.  I'd prefer to have these users be standard users rather than power users, as they are wreaking all sorts of havoc.  What is the best way to do this without walking over to each of my 400 workstations?  Is there a way to do this through policies or scripting?  
Question by:erndog5800
    Expert Comment

    by:Chris Dent

    Happy with VBScript?

    I can make it do this for every computer account in the AD structure, but I just haven't got around to re-writing it yet. Currently it expects you to give it a list of computers, generally as an export from AD.

    Domain Users are part of the local machine Users group by default, so I haven't added anything to modify that local group at this point.

    And... let me know if it doesn't do what you'd like (or it comes up with an error because I forgot to type something) and I'll modify it.


    Option Explicit

    Const INPUTFILE = "<AD Exported Computer List>"
    Const GROUPNAME = "Power Users"   ' The Group you want to change on the computers
    Const ITEMTOREMOVE = "staff"   ' The item you want to remove (must be in lower case)

    Dim objFileSystem, objInputFile, objTextStream, objGroup, objMember
    Dim strLine, strComputer, strMemberName
    Dim arrLine

    Set objFileSystem = CreateObject("Scripting.FileSystemObject")
    Set objInputFile = objFileSystem.GetFile(INPUTFILE)
    Set objTextStream = objInputFile.OpenAsTextStream(1,0)   ' 1 = ForReading

    ' Get rid of the first line - it contains column names
    strLine = objTextStream.ReadLine()

    ' Do the rest until we run out of lines to run through
    Do
        strLine = objTextStream.ReadLine()

        ' Chr(9) is the Tab character - the export is tab separated,
        ' and the computer name is the first column
        arrLine = Split(strLine, Chr(9))
        strComputer = arrLine(0)

        ' Bind to the local group on the remote machine via the WinNT provider.
        ' This needs local admin rights on the workstation and the machine
        ' must be reachable; otherwise GetObject raises an error.
        On Error Resume Next
        Set objGroup = GetObject("WinNT://" & strComputer & "/" & GROUPNAME & ",group")
        If (Err.Number <> 0) Then
            wscript.echo "Error connecting to " & strComputer & "."
            Err.Clear
        Else
            For Each objMember in objGroup.Members
                strMemberName = LCase(objMember.Name)
                If (strMemberName = ITEMTOREMOVE) Then
                    objGroup.Remove objMember.ADsPath
                End If
            Next
        End If
        On Error Goto 0
    Loop While Not objTextStream.AtEndOfStream

    objTextStream.Close
    Set objTextStream = Nothing
    Set objFileSystem = Nothing
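The script above takes its computer list from a file export. The version below is an added example, not code from the original thread or from Chris Dent: it instead pulls every computer object out of the current domain with an LDAP query (the rewrite he mentions not having got around to) and then does the same WinNT-provider removal on each one. It assumes it is run as an account that is a local administrator on the workstations, that the workstations are switched on and reachable over RPC/SMB, and that the domain group is named `staff`; the group and member names are illustrative. Machines that cannot be reached are reported and skipped, which is the practical reason a logon/startup script or a Restricted Groups policy, both enforced by the client itself, is the more reliable route for 400 workstations that are not all online at once.

```vbscript
Option Explicit

' Added example (not the original poster's or Chris Dent's script).
' Enumerates every computer object in the domain via LDAP and removes the
' domain group ITEMTOREMOVE from the local group GROUPNAME on each one
' through the ADSI WinNT provider.
' Assumptions: run as a local administrator of the workstations; targets
' reachable over RPC/SMB. Unreachable machines are reported, not retried.

Const GROUPNAME    = "Power Users"
Const ITEMTOREMOVE = "staff"          ' compared case-insensitively below

Dim objRootDSE, strDomainDN
Dim objConnection, objCommand, objRecordSet
Dim strComputer, objGroup, objMember
Dim intChanged, intFailed

' Discover the domain DN instead of hard-coding it
Set objRootDSE = GetObject("LDAP://RootDSE")
strDomainDN = objRootDSE.Get("defaultNamingContext")

' ADO query against Active Directory for all computer objects
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.CommandText = "<LDAP://" & strDomainDN & ">;(objectCategory=computer);cn;subtree"
objCommand.Properties("Page Size") = 1000   ' paged results, so more than 1000 computers is fine

Set objRecordSet = objCommand.Execute

intChanged = 0
intFailed  = 0

Do Until objRecordSet.EOF
    strComputer = objRecordSet.Fields("cn").Value

    On Error Resume Next
    Set objGroup = GetObject("WinNT://" & strComputer & "/" & GROUPNAME & ",group")
    If Err.Number <> 0 Then
        ' Typical causes: machine off, firewall, or no admin rights on it
        WScript.Echo "FAILED  " & strComputer & " : " & Err.Description
        Err.Clear
        intFailed = intFailed + 1
    Else
        For Each objMember In objGroup.Members
            ' Name alone is compared; a local account that happens to be
            ' called "staff" would match too. objMember.ADsPath carries the
            ' domain or computer name if you need to tell them apart.
            If LCase(objMember.Name) = LCase(ITEMTOREMOVE) Then
                objGroup.Remove objMember.ADsPath
                If Err.Number <> 0 Then
                    WScript.Echo "FAILED  " & strComputer & " : " & Err.Description
                    Err.Clear
                    intFailed = intFailed + 1
                Else
                    WScript.Echo "REMOVED " & strComputer & " : " & objMember.ADsPath
                    intChanged = intChanged + 1
                End If
            End If
        Next
    End If
    On Error GoTo 0

    objRecordSet.MoveNext
Loop

objRecordSet.Close
objConnection.Close

WScript.Echo "Done. Changed: " & intChanged & "  Failed: " & intFailed
```

Run it with `cscript //nologo remove-staff.vbs` from a domain-joined admin workstation and keep the output; the FAILED lines are the machines you still have to catch with the logon script or policy.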
    Accepted Solution

    You can create a logon/startup script using the NET LOCALGROUP command, or, even better, use the Group Policy Restricted Groups function:

    Author Comment

    Thanks CoccoBill- that works for me.   In my case, I added this line to everyone's logon script:

    net localgroup "Power Users" staff /DELETE

    If the user or group is in the same domain as the client workstation, you don't have to specify the domain.  If the group is in another domain than the one you are in, try this.

    net localgroup "Power Users" Domain\staff /DELETE

