Script to remove users from local administrator group

I am trying to come up with a fully-automated script, that will remove all users from the local administrator group, except for the local administrator and domain admins accounts. What I have now works, but I have to specify the computer name. It would be nice if I could run the hostname command, then have the script input that information as the computer name (sNode in the script). The idea would then be to apply the script to users via Group Policy. Any ideas?

TIA
sNode = "Computer/Hostname"        ' replace with the target computer name

On Error Resume Next               ' note: this also hides "Access is denied" errors

Set oGrpAdmin = GetObject("WinNT://" & sNode & "/Administrators")

For Each oAdminGrpUsr In oGrpAdmin.Members
    sAdminGrpUsr = oAdminGrpUsr.Name   ' account name only, no domain prefix
    If sAdminGrpUsr <> "Administrator" And sAdminGrpUsr <> "Domain Admins" Then
        oGrpAdmin.Remove oAdminGrpUsr.AdsPath
    End If
Next

clarkincitAsked:

yousef_adCommented:
Try this script:

Dim strLocalAdminGroup
Dim strComputer
Dim remAdmins
Dim i, grp, member

Set WshShell = WScript.CreateObject("WScript.Shell")
Set WshProEnv = WshShell.Environment("Process")

' Take the computer name from the environment instead of hardcoding it
strComputer = WshProEnv("COMPUTERNAME")
' Accounts to remove, in the WinNT provider's "Domain/Account" path form
remAdmins = Array("DomainName/UserID", "Everyone")
strLocalAdminGroup = "Administrators"

Set grp = GetObject("WinNT://" & strComputer & "/" & strLocalAdminGroup)

For i = LBound(remAdmins) To UBound(remAdmins)
    member = "WinNT://" & remAdmins(i)
    If grp.IsMember(member) = True Then
        grp.Remove member
    End If
Next
clarkincitAuthor Commented:
yousef_ad - Thanks for the quick reply!

That script executed, but it did not remove the local user account. I copied everything, (minus the "try this scrip") added "next" after "end if", and saved it as a .vbs file.

Please advise if you had something else in mind.

Thanks again
pschakravarthiCommented:

cName = "Computer Name"   ' replace with the target computer name
On Error Resume Next
Set oGroupAdm = GetObject("WinNT://" & cName & "/Administrators")
For Each oAdmGrpUser In oGroupAdm.Members
    ' compare in lower case so "Administrator" and "administrator" both match
    sAdmGrpUser = LCase(oAdmGrpUser.Name)
    If (sAdmGrpUser <> "administrator") And (sAdmGrpUser <> "domain admins") Then
        oGroupAdm.Remove oAdmGrpUser.ADsPath
    End If
Next

Jared LukerCommented:
You should be running the script as a startup script so that it will run on all computers that you want it to and have the rights that it needs to remove people from the admin group.

The attached script is what I use.  Make sure that lines 6, 7, and 9 are set correctly.

The script will loop through the members of the admin group.  If they match Lines 6 and 7 they will stay.  If not, then they will get pulled out of the group by line 28.
Set WshShell = WScript.CreateObject("WScript.Shell")
Set WshSysEnv = WshShell.Environment("SYSTEM")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set WshNetwork = WScript.CreateObject("WScript.Network")	'Network Object

Const grpDomainAdmins = "Domain Admins"
Const usrLocalAdmin = "administrator"

NetADSPath = "WinNT://domain/"
CompADSPath = "WinNT://" & WshNetwork.ComputerName

'On Error Resume Next

Set objLocalGroup = GetObject(CompADSPath & "/administrators")

grpDomainAdminsStatus = "N"
usrLocalAdminStatus = "N"

	For Each objUser In objLocalGroup.Members
		MemberTemp = objUser.Name
		'WScript.Echo MemberTemp
		Select Case MemberTemp
			Case grpDomainAdmins
				grpDomainAdminsStatus = "Y"
			Case usrLocalAdmin
				usrLocalAdminStatus = "Y"
			Case Else
				objLocalGroup.Remove(NetADSPath & MemberTemp)
		End Select
	Next

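The startup-script approach above, and the original question's wish to pick up the computer name automatically, as an added PowerShell example (this is not code from the thread or from any of its posters). It removes everything from the local Administrators group except an allow-list, and goes one step further than the thread's scripts by recognising the built-in Administrator and Domain Admins by their well-known RIDs (500 and 512) rather than by name, so a renamed or localized Administrator account, or the "administrator" versus "Administrator" mismatch discussed below, cannot cause it to be removed. `CONTOSO\Workstation Admins` in the comments is a placeholder, not a group from the thread. Like Jared's script, it needs to run with administrative rights, i.e. as a GPO computer startup script under SYSTEM.

```powershell
# Added example, not code from the original thread: remove every member of the
# local Administrators group except an allow-list. Picks up the computer name
# from the environment, so nothing is hardcoded, and recognises the built-in
# Administrator and Domain Admins by their well-known RIDs (500 and 512) instead
# of by name, so a renamed or localized Administrator account still matches.
# Meant to run as a GPO computer startup script (SYSTEM context); run it by hand
# with -WhatIf -Verbose first to see what it would remove.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Extra members to keep, as 'Name' or 'DOMAIN\Name'. 'CONTOSO\Workstation Admins'
    # would be an example value; CONTOSO is a placeholder, not a name from the thread.
    [string[]]$KeepNames = @(),

    # Relative IDs that are never removed: 500 = built-in Administrator (the local
    # one and the domain one both end in -500), 512 = Domain Admins.
    # Add 519 if Enterprise Admins should stay as well.
    [int[]]$KeepRids = @(500, 512)
)

function Get-AdsiProperty($Object, [string]$Name) {
    # Group members come back as bare COM objects; read their properties via reflection.
    $Object.GetType().InvokeMember($Name, 'GetProperty', $null, $Object, $null)
}

$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"

foreach ($member in @($group.psbase.Invoke('Members'))) {
    $name = Get-AdsiProperty $member 'Name'
    $path = Get-AdsiProperty $member 'ADsPath'                          # e.g. WinNT://CONTOSO/Domain Admins
    $qualified = ($path -replace '^WinNT://', '') -replace '/', '\'     # e.g. CONTOSO\Domain Admins

    # Resolve the member's SID and RID. Orphaned entries (deleted accounts) may have
    # no readable objectSid; treat them as RID -1 so they fall through to removal.
    $rid = -1
    try {
        $sidBytes = Get-AdsiProperty $member 'objectSid'
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        $rid = [int]($sid.Value -split '-')[-1]
    } catch {
        Write-Verbose "No SID readable for $qualified; it will be removed"
    }

    # -contains is case-insensitive, so 'administrator' and 'Administrator' both match.
    $keep = ($KeepRids -contains $rid) -or
            ($KeepNames -contains $name) -or
            ($KeepNames -contains $qualified)

    if ($keep) {
        Write-Verbose "Keeping $qualified (RID $rid)"
        continue
    }

    if ($PSCmdlet.ShouldProcess($qualified, 'Remove from local Administrators')) {
        try {
            $group.Remove($path)
            Write-Verbose "Removed $qualified"
        } catch {
            # "Access is denied" here means the script is not running with admin
            # rights, e.g. as a per-user logon script instead of a computer startup script.
            Write-Warning "Could not remove ${qualified}: $($_.Exception.Message)"
        }
    }
}
```

Run it interactively as an administrator with `-WhatIf -Verbose` to see the keep/remove decision for every member before deploying it under Computer Configuration > Windows Settings > Scripts > Startup. Note that a startup script only enforces membership at boot; the Restricted Groups policy markdmac suggests below is re-applied on every Group Policy refresh, so if someone re-adds themselves during the day the policy will remove them again and the script will not.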
markdmacCommented:
There is no need to use a script for this in an AD environment.  Simply use Restricted Groups in an AD GPO and it will restrict local admin access to only those IDs in the GPO.  
http://technet.microsoft.com/en-us/library/cc785631%28WS.10%29.aspx
Jared LukerCommented:
markdmac has a point.  I don't use restricted groups because my environment requires more flexibility.  Do what works best in your situation.
clarkincitAuthor Commented:
Thank you all for the help!

Markdmac - My main issue is that everyone is currently a member of the local administrators group, and I would like to have them not be a member of any local group. From what I have seen and read, I would have to specify a group to which users belong, otherwise they will not be removed from the local administrator group. I suppose I could simply make them a member of the guest group, but again, I would rather not. Am I correct, or is there a way to remove a user from all local accounts?

jared_luker - I am receiving an 'Access is denied.' error. See below...

Line: 28
Char: 33
Error: Access is denied.

Code: 80070005
Source: Active Directory

Any thoughts?

Thanks again
Jared LukerCommented:
That is the line that takes people out of the admin group.  You must not have admin rights on the account that you are running the script under.
clarkincitAuthor Commented:
Weird. I am both a local admin and a domain admin. How is that going to work when a user logs in, and the script runs with their credentials?

Jared LukerCommented:
It needs to be run in a startup script so that it runs under the context of the system account. It will have the rights to do what it needs to.

Take the comment out of line 21 and make sure that it's displaying the users that are in the local admin group.
clarkincitAuthor Commented:
Ok, thanks.

After taking the comment out of line 21, it displayed the following: Administrator

I will run it in as a startup script and report back.
Jared LukerCommented:
Ok... that means it's trying to remove the Administrator from the admin group and you can't do that... check line 7 to make sure that it says the name of your local admin.  I think it's case sensitive so try putting a capital A in there too.

markdmacCommented:
With restricted groups it will totally wipe the memberships of the local Administrators group.  It won't affect other local groups that may exist on the box, but it will only allow local admins that are defined in the policy.  So you will want to make sure you have the local admin ID as well as Domain Admins listed.
clarkincitAuthor Commented:
markdmac - I am having trouble wrapping my head around exactly how to use 'member of'. For members of this group, I have the domain admins group, and the domain administrator account. But what do I want to add to the member of list?
markdmacCommented:
You would only add Domain Admins & Administrator
clarkincitAuthor Commented:
I must still be missing something. I have OurDomain\administrator and OurDomain\Domain Admins entered into the 'members of this group' box. If I try to add Domain Admins to the 'this group is a member of' box, it doesn't take it.

Any thoughts?
markdmacCommented:
I think this walk through will help you: http://www.frickelsoft.net/blog/?p=13
clarkincitAuthor Commented:
markdmac - Thanks. It didn't completely answer my questions, but I'll keep reading and get back to you.
clarkincitAuthor Commented:
I had to do a bit of digging to find the answer to my original question.