Solved

Remove Local Admins Batch File

Posted on 2010-09-03
13
2,615 Views
Last Modified: 2012-05-10
Hello Experts,

I need to put together a batch file, which will:

1. Remove domain users from local administrators group
2. Add "group1" and "group2" to local administrators group
3. Create "bumblebee" user with a specific password and add that user to the local administrators group

Can you please provide a series of commands that will do this trick?  Would be helpful.  

I plan to run this batch file using psexec.bat on 60 XP workstations and 10 Windows 7 workstations, running with domain admin privileges.

Thanks!
0
Comment
Question by:taki1gostek
  • 6
  • 4
  • 2
  • +1
13 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33599241
Have you thought about using restricted groups for this

http://www.frickelsoft.net/blog/?p=13

You just use the "members of this group" define your admins (DA, group1, group 2, and the bumblbee account you create)

Thanks

Mike
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 33599386
Can't do that, because if you do that, all other local groups and users get removed from those groups... and they're replaced by what gp passes down...  i need to be more flexible than that, but thanks for the tip.
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 33599397
The appropriate NET commands should probably do the trick...  but i'd need the syntax to use psexec.exe to run the command on the remote machines...  then I can compile that into a batch that would process a list of machines...
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 33599399
i mean Net user...
0
 
LVL 26

Expert Comment

by:pony10us
ID: 33599438
Have you considered using Group Policy for these tasks instead? This sounds somewhat like a discussion here back in 2007:   http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_22836115.html
0
 
LVL 21

Expert Comment

by:AmazingTech
ID: 33599449
net localgroup Administrators "Domain Users" /delete
net localgroup Administrators "Group1" /add
net localgroup Administrators "Group2" /add
net user bumblebee password.123 /add
net localgroup Administrators "bumblebee" /add
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 2

Author Comment

by:taki1gostek
ID: 33599855
Amazing -- awesome!

If I have a PC "A" and user Jsmith is a local administrator on PC "A", will the first command (net localgroup Administrators "Domain Users" /delete) move Jsmith into "restricted users" local group?
0
 
LVL 21

Expert Comment

by:AmazingTech
ID: 33600007
Nope. It's removing the domain group "Domain Users" if it was added to the administrators.

If you wanted to remove any user I'll need to look in to it.
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 33600074
Yeah... basically remove all users from the local administrators group...  and local power users group.
0
 
LVL 26

Expert Comment

by:pony10us
ID: 33600181
In order to remove a specific user you need to know the nick of that user.

net localgroup administrators "domain/jsmith" /delete

would remove jsmith from the local administrator group on the PC
0
 
LVL 21

Accepted Solution

by:
AmazingTech earned 500 total points
ID: 33600723
Here's a script to get all the members of Administrators and Power Users group and check to see if it's a user account using DSQUERY (MS Tool from Server Resource Kit).

This does not actually removes the membership until the ECHO is removed from line 'echo net user "%%b\%%c" /delete'

ECHO OFF
for %%a in ("Administrators","Power Users") do (
    for /f "tokens=1,* delims=\" %%b in ('net localgroup %%a ^| find "\"') do (
        dsquery user -samid "%%c" -domain %%b | find /i "CN=" >NUL
        if not errorlevel 1 (
            echo Removing user "%%b\%%c" from local %%a group.
            echo net user "%%b\%%c" /delete
        ) else (
            echo This is not a user "%%b\%%c" in local %%a group.
        )
    )
)
0
 
LVL 21

Expert Comment

by:AmazingTech
ID: 33600755
Opps error in the removing of the user from the group.

As a default the Domain Users are added to the local Users group. If the user is in an alternate domain then we could use this script to add them individually to the local Users group.

ECHO OFF
for %%a in ("Administrators","Power Users") do (
    for /f "tokens=1,* delims=\" %%b in ('net localgroup %%a ^| find "\"') do (
        dsquery user -samid "%%c" -domain %%b | find /i "CN=" >NUL
        if not errorlevel 1 (
            echo Removing user "%%b\%%c" from local %%a group.
            echo net localgroup Users "%%b\%%c" /add
            echo net localgroup %%a "%%b\%%c" /delete
        ) else (
            echo This is not a user "%%b\%%c" in local %%a group.
        )
    )
)
0
 
LVL 2

Author Closing Comment

by:taki1gostek
ID: 33626636
Thanks!
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You may have already been in the need to update a whole folder stucture using a script. Robocopy does it well and even provides a list of non-updated files in a log (if asked to). Generally those files that were locked by a user or a process by the …
Synchronize a new Active Directory domain with an existing Office 365 tenant
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now