Startup Script

Y2KBDS
I need help building a start-up script I can put in a GP. I want the script to delete everything in the local Administrators group and then add certain groups back. A batch or VB script will be helpful.

Jan Vojtech Vanicek, IT Specialist

Commented:
I think you cannot delete members of the Administrators group by logon script... Users will not have rights to do this.

You can do this by WMI. You can fire it from server on a remote computers...

If you need, I will post the sample code

Author

Commented:
http://technet.microsoft.com/en-us/library/bb742536.aspx

This shows a sample script but it confuses me.
Jan Vojtech Vanicek, IT Specialist

Commented:
Citation:

Logon scripts run under the authority of the logged-on user account, which limits the types of tasks that these scripts can perform.

---

You need to be a member of the Administrators group to perform changes in the Administrators group. If your users are administrators, why do you need to make any changes to it??? Each user can do anything...

Author

Commented:
I don't want everyone to be an administrator on their local box. That is why I want to clean it out and then add the groups I want. Maybe WMI is the way to accomplish this.
Awarded 2009
Top Expert 2010

Commented:
I am fairly sure you can do this with group policy preferences: http://technet.microsoft.com/en-us/magazine/dd314380.aspx

If you have a Vista or Windows 2008 machine you can configure them.
Jan Vojtech Vanicek, IT Specialist

Commented:
But I'm not sure that Windows 2000 can use WMI... I have some problems with it... I have experience only with Windows 2003 Server and XP clients. You should assemble it from MSDN, there are pretty examples:

http://msdn.microsoft.com/en-us/library/aa394582(VS.85).aspx
Awarded 2009
Top Expert 2010

Commented:
More info here: http://blogs.technet.com/jratsch/archive/2009/03/27/how-to-change-the-password-for-the-local-administrator-account-on-multiple-machines-the-easy-way-without-scripting.aspx
Not specifically what you are looking for, but it gives you the idea.

The other option is Restricted Groups in group policy, but not sure it would work for local groups.
Commented:
Yes, you can do it with a startup script... but there are group policy entries that specifically do this. Any reason for not using those? Restricted Groups.

Bring up group policy for the computer's OU through GPMC or ADUC.
In an existing or new GPO look at:
Computer Config/Windows Settings/Security Settings/Restricted Groups
Right-click, "Add Group", enter Administrators and then enter the members you do want.

Steve

Author

Commented:
This is with Windows 2003 servers and XP Pro machines. Also, I tried the GP but it only adds the groups I place in there and does not remove anything.
Awarded 2009
Top Expert 2010

Commented:
I mentioned restricted groups in my last post.

It should remove anything that you do not specify.
Try gpupdate /force just to make sure the policy is being applied properly.
Jan Vojtech Vanicek, IT Specialist

Commented:
' Adds or removes one domain user in the local Administrators group
' via the WinNT ADSI provider. Must run with administrative rights.
Set oWshNet = CreateObject("WScript.Network")

sUser = "fill in some domain user name here"

sNetBIOSDomain = oWshNet.UserDomain
sComputer = oWshNet.ComputerName

' Bind to the local Administrators group and to the domain user
Set oGroup = GetObject("WinNT://" & sComputer & "/Administrators,group")
Set oUser = GetObject("WinNT://" & sNetBIOSDomain & "/" & sUser & ",user")

' suppress errors in case the user is already a member (or already removed)
On Error Resume Next

' you should select one of these lines
'oGroup.Add oUser.ADsPath
oGroup.Remove oUser.ADsPath

On Error GoTo 0
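
Extending the snippet above into a complete computer startup script, as an added example that is not the poster's code: it enumerates the local Administrators group through the WinNT ADSI provider, removes every member that is not on a keep list, then adds the listed domain groups. DOMAIN_NAME, the desiredGroups entries and the log path are placeholders to replace; it assumes it runs as a GPO computer startup script (LocalSystem, which is a member of Administrators), which is why it can change the group where a user logon script cannot.

```vbscript
Option Explicit
' Placeholders (assumptions): replace with your NetBIOS domain name and the
' domain groups that should be the only non-built-in members of Administrators.
Const DOMAIN_NAME = "YOURDOMAIN"
Dim desiredGroups
desiredGroups = Array("Domain Admins", "Workstation Admins")

Dim oShell, oLog, sComputer, oGroup, oMember, keep, toRemove, sPath, i
Set oShell = CreateObject("WScript.Shell")
sComputer = CreateObject("WScript.Network").ComputerName
' Startup scripts are non-interactive, so log to a file instead of the console.
Set oLog = CreateObject("Scripting.FileSystemObject").OpenTextFile( _
    oShell.ExpandEnvironmentStrings("%SystemRoot%\Temp\ResetLocalAdmins.log"), 8, True)

' Keep list keyed by "Class\Name" (case-insensitive). The built-in local
' Administrator always stays. A local group that happens to share a desired
' group's name would also be kept; that is an accepted simplification here.
Set keep = CreateObject("Scripting.Dictionary")
keep.CompareMode = vbTextCompare
keep.Add "User\Administrator", True
For i = 0 To UBound(desiredGroups)
    keep.Add "Group\" & desiredGroups(i), True
Next

' Pass 1: collect members not on the keep list. Collect first and remove
' afterwards, because changing the group while enumerating Members is unsafe.
Set oGroup = GetObject("WinNT://" & sComputer & "/Administrators,group")
Set toRemove = CreateObject("Scripting.Dictionary")
For Each oMember In oGroup.Members
    If Not keep.Exists(oMember.Class & "\" & oMember.Name) Then
        If Not toRemove.Exists(oMember.ADsPath) Then toRemove.Add oMember.ADsPath, True
    End If
Next

On Error Resume Next
For Each sPath In toRemove.Keys
    oGroup.Remove sPath
    If Err.Number = 0 Then oLog.WriteLine Now & " removed " & sPath Else oLog.WriteLine Now & " remove failed " & sPath & ": " & Err.Description
    Err.Clear
Next

' Pass 2: add the desired domain groups. "Already a member" errors are expected
' on every run after the first, so they are cleared rather than logged.
For i = 0 To UBound(desiredGroups)
    oGroup.Add "WinNT://" & DOMAIN_NAME & "/" & desiredGroups(i)
    If Err.Number = 0 Then oLog.WriteLine Now & " added " & desiredGroups(i)
    Err.Clear
Next
On Error GoTo 0
oLog.Close
```

As others in the thread note, the Restricted Groups policy does the same job without any code and is the simpler choice where it applies; the log file is what lets you confirm on each machine which members were actually removed.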

Commented:
Sorry, missed the previous comment on restricted groups there. That does work and is the way to go IMO. You can either do it one way and have it replace the members of a local group with what you want, or you can have it add another group you want to the existing contents etc. On mobile at the moment, but ask me or others if you want to go down this route.
