abd_1980us
asked on
Remove local administrators group members and assign them as power users
Hi Experts;
I want you to help me in writing a script that will do the following:
1- Keep the following groups or users in the local Administrators group:
Domain\domain admins
Domain\support
Computername\manager - local user account
2- Disable the local Administrator account if it exists, since our domain policy is to rename the Administrator account to (manager), but during some installations of Windows some of the technical support team wrongly add a local account named (manager) in addition to Administrator, so the policy cannot be applied because of the name conflict.
3- Remove any other member from the local Administrators group and assign them to the Power Users group.
4- (optional) Reset the password for the account manager, for example to the password (abcd1234).
Note that I will deploy this script using Altiris Deployment Server as a job; also note that our environment has Windows XP and Windows 2000.
ASKER
Hi RobSampson,
I want to thank you for helping me. I also want to inform you of two things:
1- First, I ran the script on a PC that is a special case: the account (manager) does not exist, only the (administrator) account is available. In this case I suggest creating a new account (manager) and disabling the (administrator) account.
error:
Script: ...
line: 64
char 1
error: the group could not be found code 800708AC
source: (null)
2- For some groups of computers I need the user to be in the Power Users group + Network Configuration Operators group. How can I modify the script in this case?
ASKER
Thank you RobSampson, you are very great.
Try running this script on a client computer, as a member of the Domain Admins group:
'=========================
' Lines marked (*) were cut off on the page; their endings are restored
' from the surrounding code (variable names and the function's usage).
Set wshNetwork = WScript.CreateObject("WScript.Network")
strUserDomain = wshNetwork.UserDomain
strUserComputer = wshNetwork.ComputerName
strUserName = wshNetwork.UserName

' Get the group that we are controlling
strGroupToCheck = "Administrators"
strGroupToAddTo = "Power Users"
Set objAdmins = GetObject("WinNT://" & strUserComputer & "/" & strGroupToCheck)
Set objPowerUsers = GetObject("WinNT://" & strUserComputer & "/" & strGroupToAddTo)

' Define the user groups or accounts that are required to be in the group
arrDefaultUsers = Array(strUserDomain & "/Domain Admins", strUserDomain & "/Support", strUserComputer & "/Manager")

' Make sure the DefaultUsers exist in the group
For intCount = LBound(arrDefaultUsers) To UBound(arrDefaultUsers)
    On Error Resume Next
    Set objWinntUser = GetObject("WinNT://" & arrDefaultUsers(intCount))
    If Err.Number = 0 Then
        On Error GoTo 0
        If IsMemberOfGroup(strUserComputer, objWinntUser, strGroupToCheck) = False Then ' (*)
            objAdmins.Add(objWinntUser.ADsPath) ' (*)
            'MsgBox strUserDomain & "/" & strUserName & " was added to the " & strGroupToCheck & " group."
        'Else
            'MsgBox strUserDomain & "/" & strUserName & " is already a member of the " & strGroupToCheck & " group."
        End If
    Else
        MsgBox arrDefaultUsers(intCount) & " could not be found."
        Err.Clear
        On Error GoTo 0
    End If
Next

' Now check remaining users in the Administrators group
For Each objMember In objAdmins.Members
    ' Get the proper account name, in the same DOMAIN/name or COMPUTER/name
    ' form used in arrDefaultUsers. The Replace arguments were cut off on the
    ' page and are reconstructed to produce that form.
    If InStr(objMember.ADsPath, strUserComputer) > 0 Then
        strAccountName = Replace(objMember.ADsPath, "WinNT://" & strUserDomain & "/", "") ' (*)
    Else
        strAccountName = Replace(objMember.ADsPath, "WinNT://", "") ' (*)
    End If

    ' Check if they "should" be there or not
    boolValidMember = False
    For intCount = LBound(arrDefaultUsers) To UBound(arrDefaultUsers)
        If LCase(strAccountName) = LCase(arrDefaultUsers(intCount)) Then boolValidMember = True ' (*)
    Next

    ' Disable the local Administrator account, or move other members to the Power Users group
    If boolValidMember = False Then
        If LCase(strAccountName) = LCase(strUserComputer & "/Administrator") Then
            If objMember.AccountDisabled = False Then
                objMember.AccountDisabled = True
                objMember.SetInfo
            End If
        Else
            objAdmins.Remove(objMember.ADsPath) ' (*)
            objPowerUsers.Add(objMember.ADsPath) ' (*)
        End If
    End If
Next

' Now reset the manager password
Set objUser = GetObject("WinNT://" & strUserComputer & "/Manager")
' The password literal was cut off on the page ("passw"); substitute the required value.
objUser.SetPassword("<new password>") ' (*)
MsgBox "Done"

' Returns True/False for membership, or "Error" if the group cannot be bound
Function IsMemberOfGroup(strUserDomain, objUser, strGroup) ' (*)
    IsMemberOfGroup = False
    Dim objGroup
    On Error Resume Next
    Set objGroup = GetObject("WinNT://" & strUserDomain & "/" & strGroup & ",group")
    If Err.Number Then
        IsMemberOfGroup = "Error"
    Else
        IsMemberOfGroup = objGroup.IsMember(objUser.ADsPath) ' (*)
        'MsgBox objUser.ADsPath
    End If
End Function
'======================
Regards,
Rob.
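
A report-only pass to run before the script above changes anything, as an added example that is not part of Rob's post: it lists each member of the local Administrators group with the action the script would take, and reports the Manager account or Power Users group if either is missing. The file name and the KEEP/MOVE/DISABLE/UNRESOLVED/MISSING labels are assumptions; run it under cscript so the output goes to the console instead of dialog boxes.

```vbscript
' Added example (not Rob's code): report only, changes nothing.
' Run as: cscript //nologo audit-admins.vbs   (file name is an assumption)
Option Explicit
Dim objNetwork, strDomain, strComputer, arrKeep, objAdmins, objMember

Set objNetwork = CreateObject("WScript.Network")
strDomain = objNetwork.UserDomain
strComputer = objNetwork.ComputerName

' Same keep-list as the script above, in DOMAIN/name or COMPUTER/name form
arrKeep = Array(strDomain & "/Domain Admins", strDomain & "/Support", strComputer & "/Manager")

' Objects the change script binds to; report any that do not exist on this machine
CheckExists "WinNT://" & strComputer & "/Manager,user"
CheckExists "WinNT://" & strComputer & "/Power Users,group"

Set objAdmins = GetObject("WinNT://" & strComputer & "/Administrators,group")
For Each objMember In objAdmins.Members
    WScript.Echo Classify(objMember.ADsPath) & vbTab & objMember.ADsPath
Next

' Last two path segments: WinNT://DOM/PC/user -> PC/user, WinNT://DOM/group -> DOM/group
Function ShortName(strADsPath)
    Dim arrParts, n
    arrParts = Split(Replace(strADsPath, "WinNT://", ""), "/")
    n = UBound(arrParts)
    If n >= 1 Then ShortName = arrParts(n - 1) & "/" & arrParts(n) Else ShortName = arrParts(n)
End Function

Function Classify(strADsPath)
    Dim strName, i
    strName = LCase(ShortName(strADsPath))
    Classify = "MOVE"          ' would be moved to Power Users
    For i = LBound(arrKeep) To UBound(arrKeep)
        If strName = LCase(arrKeep(i)) Then Classify = "KEEP"
    Next
    If strName = LCase(strComputer & "/Administrator") Then Classify = "DISABLE"
    ' A member shown only as a SID (no "/") could not be resolved to an account
    If InStr(strName, "/") = 0 Then Classify = "UNRESOLVED"
End Function

Sub CheckExists(strPath)
    Dim obj
    On Error Resume Next
    Set obj = GetObject(strPath)
    If Err.Number <> 0 Then WScript.Echo "MISSING" & vbTab & strPath & " (0x" & Hex(Err.Number) & ")"
    Err.Clear
    On Error GoTo 0
End Sub
```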