clarkincit

asked on

Script to remove users from local administrator group

I am trying to come up with a fully automated script that will remove all users from the local administrator group, except for the local administrator and domain admins accounts. What I have now works, but I have to specify the computer name. It would be nice if I could run the hostname command, then have the script input that information as the computer name (sNode in the script). The idea would then be to apply the script to users via Group Policy. Any ideas?

TIA
sNode = "Computer/Hostname"   ' placeholder: name of the computer to process

On Error Resume Next

Set oGrpAdmin = GetObject("WinNT://" & sNode & "/Administrators")

For Each oAdminGrpUsr In oGrpAdmin.Members
    sAdminGrpUsr = oAdminGrpUsr.Name   ' compare on the member's name, not the object itself
    If sAdminGrpUsr <> "Administrator" AND sAdminGrpUsr <> "Domain Admins" Then
        oGrpAdmin.Remove oAdminGrpUsr.AdsPath
    End If
Next


yousef_ad

try this script

Dim strLocalAdminGroup
Dim strComputer
Dim remadmins

Set WshShell = Wscript.CreateObject("Wscript.Shell")
Set WshSysEnv = WshShell.Environment("SYSTEM")
Set WshUserEnv = WshShell.Environment("User")
Set WshProEnv = WshShell.Environment("Process")

' the computer name comes from the process environment, so nothing is hard-coded
strComputer = WshProEnv("COMPUTERNAME")
' members to remove, given as WinNT paths relative to "WinNT://" (a domain account is "Domain/Name")
remadmins = array("DomainName/UserID","Everyone")
strLocalAdminGroup = "Administrators"

Set grp = GetObject("WinNT://" & strComputer & "/" & strLocalAdminGroup)
For i = lbound(remAdmins) to ubound(remAdmins)
    member = "WinNT://" & remAdmins(i)
    if grp.Ismember(member) = True then
        grp.Remove(member)
    end if
Next
clarkincit

ASKER

yousef_ad - Thanks for the quick reply!

That script executed, but it did not remove the local user account. I copied everything, (minus the "try this scrip") added "next" after "end if", and saved it as a .vbs file.

Please advise if you had something else in mind.

Thanks again

cName = "Computer Name"   ' placeholder: name of the computer to process
On Error Resume Next
Set oGroupAdm = GetObject("WinNT://" & cName & "/Administrators")
For Each oAdmGrpUser In oGroupAdm.Members
    sAdmGrpUser = LCase(oAdmGrpUser.Name)   ' lower-case so the comparison is case-insensitive
    If (sAdmGrpUser <> "administrator") And (sAdmGrpUser <> "domain admins") Then
        oGroupAdm.Remove oAdmGrpUser.ADsPath
    End If
Next
You should be running the script as a startup script so that it will run on all computers that you want it to and have the rights that it needs to remove people from the admin group.

The attached script is what I use.  Make sure that lines 6, 7, and 9 are set correctly.

The script will loop through the members of the admin group.  If they match Lines 6 and 7 they will stay.  If not, then they will get pulled out of the group by line 28.
Set WshShell = WScript.CreateObject("WScript.Shell")
Set WshSysEnv = WshShell.Environment("SYSTEM")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set WshNetwork = WScript.CreateObject("WScript.Network")	'Network Object (supplies the local computer name)

Const grpDomainAdmins = "Domain Admins"	'domain group that stays in the local Administrators group
Const usrLocalAdmin = "administrator"	'local account that stays (compared case-insensitively below)

NetADSPath = "WinNT://domain/"	'replace "domain" with the NetBIOS name of your domain
CompADSPath = "WinNT://" & WshNetwork.ComputerName

'On Error Resume Next

Set objLocalGroup = GetObject(CompADSPath & "/administrators")

grpDomainAdminsStatus = "N"
usrLocalAdminStatus = "N"

	For Each objUser In objLocalGroup.Members
		MemberTemp = objUser.Name
		'WScript.Echo MemberTemp	'uncomment to list the members found
		Select Case LCase(MemberTemp)	'Select Case compares strings case-sensitively, so normalise first
			Case LCase(grpDomainAdmins)
				grpDomainAdminsStatus = "Y"
			Case LCase(usrLocalAdmin)
				usrLocalAdminStatus = "Y"
			Case Else
				objLocalGroup.Remove(NetADSPath & MemberTemp)	'domain path; a purely local account would need objUser.ADsPath instead
		End Select
	Next

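A PowerShell version of the same approach, added here as an example and not code posted by anyone in this thread: it reads the computer name from the environment (the automation the question asks for), keeps only an allow-list of Administrator and Domain Admins, removes every other member through that member's own ADsPath (so local and domain accounts are both handled, and the comparison is case-insensitive), and has a report-only mode for auditing before enforcing. Like the VBScript above it uses the ADSI WinNT provider, and it is meant to run as a GPO startup script under SYSTEM, as recommended in this thread. The parameter names and the default allow-list are assumptions.

```powershell
# Added example (not from the thread): prune the local Administrators group
# down to an allow-list, using the ADSI WinNT provider like the VBScript above.
# Intended to run as a GPO startup script (SYSTEM) so it has rights to change
# group membership. Parameter names and defaults are assumptions; adjust them.

param(
    [string[]]$Keep = @('Administrator', 'Domain Admins'),   # member names that stay
    [switch]$ReportOnly                                      # list what would change, touch nothing
)

$computer = $env:COMPUTERNAME                                 # no hard-coded host name
$group    = [ADSI]"WinNT://$computer/Administrators,group"

# IADsGroup.Members() returns COM objects; read Name, Class and ADsPath by reflection.
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    [pscustomobject]@{
        Name    = $_.GetType().InvokeMember('Name',    'GetProperty', $null, $_, $null)
        Class   = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)
        ADsPath = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

foreach ($m in $members) {
    # -contains is case-insensitive, so "administrator" and "Administrator" both match
    # (the VBScript Select Case comparison is case-sensitive, which bit the asker above).
    if ($Keep -contains $m.Name) {
        Write-Output "keep    : $($m.ADsPath) ($($m.Class))"
        continue
    }
    if ($ReportOnly) {
        Write-Output "would remove: $($m.ADsPath) ($($m.Class))"
        continue
    }
    try {
        # ADsPath is the member's own path (WinNT://DOMAIN/name or WinNT://COMPUTER/name),
        # so there is no need to guess a domain prefix for each entry.
        $group.Remove($m.ADsPath)
        Write-Output "removed : $($m.ADsPath) ($($m.Class))"
    } catch {
        # Access denied here usually means the script is not running as SYSTEM or a local admin.
        Write-Warning "failed  : $($m.ADsPath) - $($_.Exception.Message)"
    }
}
```

Run it once with `-ReportOnly` from an elevated prompt (`powershell.exe -ExecutionPolicy Bypass -File .\Prune-LocalAdmins.ps1 -ReportOnly`) to see which members would be removed, then assign the script without that switch under Computer Configuration, Windows Settings, Scripts, Startup so it runs in the SYSTEM context at boot. The output lines are plain strings, so redirecting them to a file gives a per-machine record of what was removed.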

There is no need to use a script for this in an AD environment.  Simply use Restricted Groups in an AD GPO and it will restrict local admin access to only those IDs in the GPO.  
http://technet.microsoft.com/en-us/library/cc785631%28WS.10%29.aspx
markdmac has a point.  I don't use restricted groups because my environment requires more flexibility.  Do what works best in your situation.
Thank you all for the help!

Markdmac - My main issue is that everyone is currently a member of the local administrators group, and I would like to have them not be a member of any local group. From what I have seen and read, I would have to specify a group to which users belong, otherwise they will not be removed from the local administrator group. I suppose I could simply make them a member of the guest group, but again, I would rather not. Am I correct, or is there a way to remove a user from all local accounts?

jared_luker - I am receiving an 'Access is denied.' error. See below...

Line: 28
Char: 33
Error: Access is denied.

Code: 80070005
Source: Active Directory

Any thoughts?

Thanks again
That is the line that takes people out of the admin group.  You must not have admin rights on the account that you are running the script under.
Weird. I am both a local admin and a domain admin. How is that going to work when a user logs in, and the script runs with their credentials?

It needs to be run in a startup script so that it runs under the context of the system account. It will have the rights to do what it needs to.

Take the comment out of line 21 and make sure that it's displaying the users that are in the local admin group.
Ok, thanks.

After taking the comment out of line 21, it displayed the following: Administrator

I will run it in as a startup script and report back.
ASKER CERTIFIED SOLUTION
Jared Luker
With restricted groups it will totally wipe the memberships of the local Administrators group.  It won't affect other local groups that may exist on the box, but it will only allow local admins that are defined in the policy.  So you will want to make sure you have the local admin ID as well as Domain Admins listed.
markdmac - I am having trouble wrapping my head around exactly how to use 'member of'. For members of this group, I have the domain admins group, and the domain administrator account. But what do I want to add to the member of list?
You would only add Domain Admins & Administrator
I must still be missing something. I have OurDomain\administrator and OurDomain\Domain Admins entered into the 'members of this group' box. If I try to add Domain Admins to the 'this group is a member of' box, it doesn't take it.

Any thoughts?
SOLUTION
markdmac - Thanks. It didn't completely answer my questions, but I'll keep reading and get back to you.
I had to do a bit of digging to find the answer to my original question.