
How to remove domain group from LOCAL power users group in MS Server 2003 Environment

I'm coming into an environment where folks are part of a domain group 'staff' that at some point had been added to the local power users group on the windows 2K/XP client machines.  I'd prefer to have these users be standard users rather than power users, as they are wreaking all sorts of havoc.  What is the best way to do this without walking over to each of my 400 workstations?  Is there a way to do this through policies or scripting?  
 
1 Solution
 
Chris Dent (PowerShell Developer) commented:

Happy with VBScript?

I can make it do this for every computer account in the AD structure, but I just haven't got around to re-writing it yet. Currently it expects you to give it a list of computers, generally as an export from AD.

Domain Users are part of the local machine Users group by default, so I haven't added anything to modify that local group at this point.

And... let me know if it doesn't do what you'd like (or it comes up with an error because I forgot to type something) and I'll modify it.

Chris


Option Explicit

Const INPUTFILE = "<AD Exported Computer List>"   ' Tab-separated export, computer name in the first column
Const GROUPNAME = "Power Users"   ' The local group you want to change on the computers
Const ITEMTOREMOVE = "staff"   ' The member you want to remove (must be in lower case)

Dim objFileSystem, objInputFile, objTextStream, objGroup, objMember
Dim strLine, strComputer, strMemberName
Dim arrLine

Set objFileSystem = CreateObject("Scripting.FileSystemObject")
Set objInputFile = objFileSystem.GetFile(INPUTFILE)
Set objTextStream = objInputFile.OpenAsTextStream(1, 0)   ' 1 = ForReading

' Get rid of the first line - it contains column names

objTextStream.SkipLine

' Do the rest until we run out of lines to run through

Do While Not objTextStream.AtEndOfStream
    strLine = objTextStream.ReadLine
    If Len(Trim(strLine)) > 0 Then
        ' Chr(9) is the Tab character
        arrLine = Split(strLine, Chr(9))
        strComputer = Trim(arrLine(0))

        On Error Resume Next
        Set objGroup = GetObject("WinNT://" & strComputer & "/" & GROUPNAME & ",group")
        If (Err.Number <> 0) Then
            WScript.Echo "Error connecting to " & strComputer & ": " & Err.Description
            Err.Clear
        Else
            For Each objMember In objGroup.Members
                strMemberName = LCase(objMember.Name)
                If (strMemberName = ITEMTOREMOVE) Then
                    objGroup.Remove objMember.ADsPath
                    If (Err.Number <> 0) Then
                        WScript.Echo "Error removing " & objMember.Name & " from " & strComputer & ": " & Err.Description
                        Err.Clear
                    Else
                        WScript.Echo "Removed " & objMember.Name & " from " & GROUPNAME & " on " & strComputer
                    End If
                End If
            Next
        End If
        On Error GoTo 0   ' Restore normal error handling before the next computer
    End If
Loop

objTextStream.Close

Set objTextStream = Nothing
Set objInputFile = Nothing
Set objFileSystem = Nothing
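The same list-driven approach as Chris's VBScript above, written here as an added PowerShell example (it is not code from the thread). It reads one computer name per line from a file, reports which machines still have the domain group in the local group, and only removes the membership when -Remove is given, so the first run is a pure audit. Assumed: the path .\computers.txt, the output file .\powerusers-audit.csv, that the account running it is a local administrator on every target, and that the targets accept WinNT-provider (RPC) connections, which Windows 2000/XP clients in a domain normally do.

```powershell
# Added example, not from the thread. Audit (and optionally remove) a domain group's
# membership in a local group on every computer listed in a text file, via the ADSI
# WinNT provider. Assumed file layout: one NetBIOS computer name per line.
param(
    [string]$ComputerList = ".\computers.txt",   # assumed path
    [string]$LocalGroup   = "Power Users",
    [string]$DomainGroup  = "staff",
    [switch]$Remove                               # audit-only unless -Remove is given
)

function Get-LocalGroupMembership {
    param([string]$Computer, [string]$Group)
    $grp = [ADSI]"WinNT://$Computer/$Group,group"
    # Invoke("Members") returns raw COM objects; read Name/ADsPath/Class off each one
    $grp.Invoke("Members") | ForEach-Object {
        [pscustomobject]@{
            Name    = $_.GetType().InvokeMember("Name",    "GetProperty", $null, $_, $null)
            ADsPath = $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
            Class   = $_.GetType().InvokeMember("Class",   "GetProperty", $null, $_, $null)
        }
    }
}

$results = foreach ($computer in (Get-Content $ComputerList | Where-Object { $_.Trim() })) {
    $computer = $computer.Trim()
    try {
        $members = Get-LocalGroupMembership -Computer $computer -Group $LocalGroup
    } catch {
        # Offline host, firewall, or no admin rights: record it and keep going
        [pscustomobject]@{ Computer = $computer; Status = "Unreachable"; Detail = $_.Exception.Message }
        continue
    }

    # Match on the member name only, so DOMAIN\staff and staff both count
    $hit = @($members | Where-Object { $_.Name -ieq $DomainGroup })
    if ($hit.Count -eq 0) {
        [pscustomobject]@{ Computer = $computer; Status = "Clean"; Detail = "" }
        continue
    }

    if ($Remove) {
        $grp = [ADSI]"WinNT://$computer/$LocalGroup,group"
        foreach ($m in $hit) { $grp.Remove($m.ADsPath) }
        [pscustomobject]@{ Computer = $computer; Status = "Removed"; Detail = ($hit.ADsPath -join ";") }
    } else {
        [pscustomobject]@{ Computer = $computer; Status = "Present"; Detail = ($hit.ADsPath -join ";") }
    }
}

# Keep a per-machine record of what was found or changed, then print a summary
$results | Export-Csv -Path ".\powerusers-audit.csv" -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```

Run it once without -Remove and look at the "Unreachable" rows before running it with -Remove: a machine that was off or blocked when the script ran keeps the old membership, and the CSV is the only record of which ones those were. The same audit run, repeated after a logon-script or Restricted Groups rollout, is a cheap way to confirm the change actually reached all 400 workstations.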
 
CoccoBill commented:
You can create a logon/startup script using the NET LOCALGROUP command (http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/net_localgroup.mspx), or, even better, use the Group Policy Restricted Groups function: http://support.microsoft.com/Default.aspx?kbid=279301.
 
erndog5800 (Author) commented:
Thanks CoccoBill, that works for me. In my case, I added this line to everyone's logon script:

net localgroup "Power Users" staff /DELETE

If the user or group is in the same domain as the client workstation, you don't have to specify the domain. If the group is in another domain than the one you are in, try this:

net localgroup "Power Users" Domain\staff /DELETE

Thanks!