Solved

Script to remove users from local administrator group

Posted on 2010-03-24
Last Modified: 2012-05-09
I am trying to come up with a fully-automated script that will remove all users from the local administrator group, except for the local administrator and domain admins accounts. What I have now works, but I have to specify the computer name. It would be nice if I could run the hostname command, then have the script input that information as the computer name (sNode in the script). The idea would then be to apply the script to users via Group Policy. Any ideas?

TIA
' sNode currently has to be typed in by hand; the question is how to fill it
' from the machine's own hostname instead.
sNode = "Computer/Hostname"

On Error Resume Next

Set oGrpAdmin = GetObject("WinNT://" & sNode & "/Administrators")

For Each oAdminGrpUsr In oGrpAdmin.Members
    ' Read the member's name before comparing; an unassigned sAdminGrpUsr is
    ' Empty and matches neither exception, so every member would be removed.
    sAdminGrpUsr = oAdminGrpUsr.Name
    If sAdminGrpUsr <> "Administrator" And sAdminGrpUsr <> "Domain Admins" Then
        oGrpAdmin.Remove oAdminGrpUsr.AdsPath
    End If
Next

Question by:clarkincit
19 Comments
 
LVL 4

Expert Comment

by:yousef_ad
ID: 28453820
Try this script:

Dim strLocalAdminGroup
Dim strComputer
Dim remAdmins
Dim i, grp, member

Set WshShell = WScript.CreateObject("WScript.Shell")
Set WshSysEnv = WshShell.Environment("SYSTEM")
Set WshUserEnv = WshShell.Environment("User")
Set WshProEnv = WshShell.Environment("Process")

' Computer name is read from the process environment, so nothing is hard-coded
strComputer = WshProEnv("COMPUTERNAME")
' Placeholder names to pull out of the group; the WinNT provider expects
' accounts in Domain/Account form after the WinNT:// prefix
remAdmins = Array("DomainNameUserID", "Everyone")
strLocalAdminGroup = "Administrators"

Set grp = GetObject("WinNT://" & strComputer & "/" & strLocalAdminGroup)
For i = LBound(remAdmins) To UBound(remAdmins)
    member = "WinNT://" & remAdmins(i)
    If grp.IsMember(member) = True Then
        grp.Remove member
    End If
Next
0
 

Author Comment

by:clarkincit
ID: 28455513
yousef_ad - Thanks for the quick reply!

That script executed, but it did not remove the local user account. I copied everything (minus the "try this scrip"), added "next" after "end if", and saved it as a .vbs file.

Please advise if you had something else in mind.

Thanks again
0
 
LVL 4

Expert Comment

by:pschakravarthi
ID: 29265884
' cName is a placeholder for the target computer name
cName = "Computer Name"
On Error Resume Next
Set oGroupAdm = GetObject("WinNT://" & cName & "/Administrators")
For Each oAdmGrpUser In oGroupAdm.Members
    ' Lower-casing the name makes the comparison case-insensitive
    sAdmGrpUser = LCase(oAdmGrpUser.Name)
    If (sAdmGrpUser <> "administrator") And (sAdmGrpUser <> "domain admins") Then
        oGroupAdm.Remove oAdmGrpUser.ADsPath
    End If
Next
0
 
LVL 17

Expert Comment

by:Jared Luker
ID: 29268258
You should be running the script as a startup script so that it will run on all computers that you want it to and have the rights that it needs to remove people from the admin group.

The attached script is what I use.  Make sure that lines 6, 7, and 9 are set correctly.

The script will loop through the members of the admin group.  If they match Lines 6 and 7 they will stay.  If not, then they will get pulled out of the group by line 28.
Set WshShell = WScript.CreateObject("WScript.Shell")
Set WshSysEnv = WshShell.Environment("SYSTEM")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set WshNetwork = WScript.CreateObject("WScript.Network")	'Network Object

Const grpDomainAdmins = "Domain Admins"
Const usrLocalAdmin = "administrator"

NetADSPath = "WinNT://domain/"
CompADSPath = "WinNT://" & WshNetwork.ComputerName

'On Error Resume Next

Set objLocalGroup = GetObject(CompADSPath & "/administrators")

grpDomainAdminsStatus = "N"
usrLocalAdminStatus = "N"

	For Each objUser In objLocalGroup.Members
		MemberTemp = objUser.Name
		'WScript.Echo MemberTemp
		Select Case MemberTemp
			Case grpDomainAdmins
				grpDomainAdminsStatus = "Y"
			Case usrLocalAdmin
				usrLocalAdminStatus = "Y"
			Case Else
				objLocalGroup.Remove(NetADSPath & MemberTemp)
		End Select
	Next


0
 
LVL 15

Expert Comment

by:markdmac
ID: 29279495
There is no need to use a script for this in an AD environment.  Simply use Restricted Groups in an AD GPO and it will restrict local admin access to only those IDs in the GPO.  
http://technet.microsoft.com/en-us/library/cc785631%28WS.10%29.aspx
0
 
LVL 17

Expert Comment

by:Jared Luker
ID: 29291430
markdmac has a point.  I don't use restricted groups because my environment requires more flexibility.  Do what works best in your situation.
0
 

Author Comment

by:clarkincit
ID: 29360194
Thank you all for the help!

Markdmac - My main issue is that everyone is currently a member of the local administrators group, and I would like to have them not be a member of any local group. From what I have seen and read, I would have to specify a group to which users belong, otherwise they will not be removed from the local administrator group. I suppose I could simply make them a member of the guest group, but again, I would rather not. Am I correct, or is there a way to remove a user from all local accounts?

jared_luker - I am receiving an 'Access is denied.' error. See below...

Line: 28
Char: 33
Error: Access is denied.

Code: 80070005
Source: Active Directory

Any thoughts?

Thanks again
0
 
LVL 17

Expert Comment

by:Jared Luker
ID: 29361437
That is the line that takes people out of the admin group.  You must not have admin rights on the account that you are running the script under.
0
 

Author Comment

by:clarkincit
ID: 29361596
Weird. I am both a local admin and a domain admin. How is that going to work when a user logs in, and the script runs with their credentials?

0
 
LVL 17

Expert Comment

by:Jared Luker
ID: 29362671
It needs to be run in a startup script so that it runs under the context of the system account. It will have the rights to do what it needs to.

Take the comment out of line 21 and make sure that it's displaying the users that are in the local admin group.
0
 

Author Comment

by:clarkincit
ID: 29365177
Ok, thanks.

After taking the comment out of line 21, it displayed the following: Administrator

I will run it in as a startup script and report back.
0
 
LVL 17

Accepted Solution

by:
Jared Luker earned 750 total points
ID: 29366436
Ok... that means it's trying to remove the Administrator from the admin group and you can't do that... check line 7 to make sure that it says the name of your local admin.  I think it's case sensitive so try putting a capital A in there too.
0
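As an added example (not code posted by anyone in this thread), here is a version that pulls the hostname from WScript.Network as the original question asks, compares member names case-insensitively so the capital-A problem from the accepted solution cannot occur, and removes members by their own ADsPath so local and domain members are handled alike. It assumes the built-in local administrator still has its default name and that it runs as a GPO startup script under the SYSTEM account, as suggested earlier in the thread.

```vbscript
' Added example, not from the thread: strip everything except the local
' Administrator account and Domain Admins from the local Administrators group.
' Meant to run as a GPO startup script (SYSTEM context), with cscript.exe so
' the Echo lines land in a log rather than a dialog.
Option Explicit

Dim objNetwork, strComputer, objGroup, objMember
Dim dictKeep, arrRemove(), intCount, i

' Names to keep. A Dictionary in vbTextCompare mode compares without regard
' to case; a plain "=" or Select Case on strings is case-sensitive in VBScript.
Set dictKeep = CreateObject("Scripting.Dictionary")
dictKeep.CompareMode = vbTextCompare
dictKeep.Add "Administrator", True     ' assumes the default account name
dictKeep.Add "Domain Admins", True

' Resolve the host name at run time instead of hard-coding it
Set objNetwork = CreateObject("WScript.Network")
strComputer = objNetwork.ComputerName
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")

' Pass 1: collect the ADsPaths to remove. Removing while enumerating the
' Members collection can skip entries, so do not modify it inside For Each.
intCount = 0
For Each objMember In objGroup.Members
    If dictKeep.Exists(objMember.Name) Then
        WScript.Echo "keep    " & objMember.ADsPath
    Else
        ReDim Preserve arrRemove(intCount)
        arrRemove(intCount) = objMember.ADsPath
        intCount = intCount + 1
    End If
Next

' Pass 2: remove by the member's own ADsPath, which already carries the
' right domain or machine prefix for local users, domain users and groups.
For i = 0 To intCount - 1
    On Error Resume Next
    objGroup.Remove arrRemove(i)
    If Err.Number <> 0 Then
        ' e.g. 0x80070005 "Access is denied" when not running with admin rights
        WScript.Echo "FAILED  " & arrRemove(i) & " (0x" & Hex(Err.Number) & ")"
        Err.Clear
    Else
        WScript.Echo "removed " & arrRemove(i)
    End If
    On Error GoTo 0
Next
```

If the built-in account has been renamed on your machines, change the kept name to match. Run it with cscript.exe and redirect output to a file so the keep/removed/FAILED lines are available for review after the startup script has run.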
 
LVL 15

Expert Comment

by:markdmac
ID: 29368229
With restricted groups it will totally wipe the memberships of the local Administrators group.  It won't affect other local groups that may exist on the box, but it will only allow local admins that are defined in the policy.  So you will want to make sure you have the local admin ID as well as Domain Admins listed.
0
 

Author Comment

by:clarkincit
ID: 29373047
markdmac - I am having trouble wrapping my head around exactly how to use 'member of'. For members of this group, I have the domain admins group, and the domain administrator account. But what do I want to add to the member of list?
0
 
LVL 15

Expert Comment

by:markdmac
ID: 29374166
You would only add Domain Admins & Administrator
0
 

Author Comment

by:clarkincit
ID: 29375518
I must still be missing something. I have OurDomain\administrator and OurDomain\Domain Admins entered into the 'members of this group' box. If I try to add Domain Admins to the 'this group is a member of' box, it doesn't take it.

Any thoughts?
0
 
LVL 15

Assisted Solution

by:markdmac
markdmac earned 750 total points
ID: 29376824
I think this walk through will help you: http://www.frickelsoft.net/blog/?p=13
0
 

Author Comment

by:clarkincit
ID: 29820725
markdmac - Thanks. It didn't completely answer my questions, but I'll keep reading and get back to you.
0
 

Author Closing Comment

by:clarkincit
ID: 31706577
I had to do a bit of digging to find the answer to my original question.
0
