?
Solved

Remove Local Admins Batch File

Posted on 2010-09-03
13
Medium Priority
?
2,887 Views
Last Modified: 2012-05-10
Hello Experts,

I need to put together a batch file, which will:

1. Remove domain users from local administrators group
2. Add "group1" and "group2" to local administrators group
3. Create "bumblebee" user with a specific password and add that user to the local administrators group

Can you please provide a series of commands that will do this trick?  Would be helpful.  

I plan to run this batch file using psexec.bat on 60 XP workstations and 10 Windows 7 workstations, running with domain admin privileges.

Thanks!
0
Comment
Question by:taki1gostek
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 4
  • 2
  • +1
13 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33599241
Have you thought about using restricted groups for this

http://www.frickelsoft.net/blog/?p=13

You just use the "members of this group" define your admins (DA, group1, group 2, and the bumblbee account you create)

Thanks

Mike
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 33599386
Can't do that, because if you do that, all other local groups and users get removed from those groups... and they're replaced by what gp passes down...  i need to be more flexible than that, but thanks for the tip.
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 33599397
The appropriate NET commands should probably do the trick...  but i'd need the syntax to use psexec.exe to run the command on the remote machines...  then I can compile that into a batch that would process a list of machines...
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 2

Author Comment

by:taki1gostek
ID: 33599399
i mean Net user...
0
 
LVL 26

Expert Comment

by:pony10us
ID: 33599438
Have you considered using Group Policy for these tasks instead? This sounds somewhat like a discussion here back in 2007:   http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_22836115.html
0
 
LVL 21

Expert Comment

by:AmazingTech
ID: 33599449
net localgroup Administrators "Domain Users" /delete
net localgroup Administrators "Group1" /add
net localgroup Administrators "Group2" /add
net user bumblebee password.123 /add
net localgroup Administrators "bumblebee" /add
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 33599855
Amazing -- awesome!

If I have a PC "A" and user Jsmith is a local administrator on PC "A", will the first command (net localgroup Administrators "Domain Users" /delete) move Jsmith into "restricted users" local group?
0
 
LVL 21

Expert Comment

by:AmazingTech
ID: 33600007
Nope. It's removing the domain group "Domain Users" if it was added to the administrators.

If you wanted to remove any user I'll need to look in to it.
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 33600074
Yeah... basically remove all users from the local administrators group...  and local power users group.
0
 
LVL 26

Expert Comment

by:pony10us
ID: 33600181
In order to remove a specific user you need to know the nick of that user.

net localgroup administrators "domain/jsmith" /delete

would remove jsmith from the local administrator group on the PC
0
 
LVL 21

Accepted Solution

by:
AmazingTech earned 2000 total points
ID: 33600723
Here's a script to get all the members of Administrators and Power Users group and check to see if it's a user account using DSQUERY (MS Tool from Server Resource Kit).

This does not actually removes the membership until the ECHO is removed from line 'echo net user "%%b\%%c" /delete'

ECHO OFF
for %%a in ("Administrators","Power Users") do (
    for /f "tokens=1,* delims=\" %%b in ('net localgroup %%a ^| find "\"') do (
        dsquery user -samid "%%c" -domain %%b | find /i "CN=" >NUL
        if not errorlevel 1 (
            echo Removing user "%%b\%%c" from local %%a group.
            echo net user "%%b\%%c" /delete
        ) else (
            echo This is not a user "%%b\%%c" in local %%a group.
        )
    )
)
0
 
LVL 21

Expert Comment

by:AmazingTech
ID: 33600755
Opps error in the removing of the user from the group.

As a default the Domain Users are added to the local Users group. If the user is in an alternate domain then we could use this script to add them individually to the local Users group.

ECHO OFF
for %%a in ("Administrators","Power Users") do (
    for /f "tokens=1,* delims=\" %%b in ('net localgroup %%a ^| find "\"') do (
        dsquery user -samid "%%c" -domain %%b | find /i "CN=" >NUL
        if not errorlevel 1 (
            echo Removing user "%%b\%%c" from local %%a group.
            echo net localgroup Users "%%b\%%c" /add
            echo net localgroup %%a "%%b\%%c" /delete
        ) else (
            echo This is not a user "%%b\%%c" in local %%a group.
        )
    )
)
0
 
LVL 2

Author Closing Comment

by:taki1gostek
ID: 33626636
Thanks!
0

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question