Solved

Remove Local Admins Batch File

Posted on 2010-09-03
Last Modified: 2012-05-10
Hello Experts,

I need to put together a batch file, which will:

1. Remove domain users from local administrators group
2. Add "group1" and "group2" to local administrators group
3. Create "bumblebee" user with a specific password and add that user to the local administrators group

Can you please provide a series of commands that will do this trick?  Would be helpful.  

I plan to run this batch file using psexec.bat on 60 XP workstations and 10 Windows 7 workstations, running with domain admin privileges.

Thanks!
0
Question by:taki1gostek
13 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33599241
Have you thought about using restricted groups for this?

http://www.frickelsoft.net/blog/?p=13

You just use the "members of this group" setting to define your admins (DA, group1, group 2, and the bumblebee account you create)

Thanks

Mike
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 33599386
Can't do that, because if you do that, all other local groups and users get removed from those groups... and they're replaced by what gp passes down...  I need to be more flexible than that, but thanks for the tip.
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 33599397
The appropriate NET commands should probably do the trick...  but I'd need the syntax to use psexec.exe to run the command on the remote machines...  then I can compile that into a batch that would process a list of machines...
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 33599399
I mean net user...
0
 
LVL 26

Expert Comment

by:pony10us
ID: 33599438
Have you considered using Group Policy for these tasks instead? This sounds somewhat like a discussion here back in 2007:   http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_22836115.html
0
 
LVL 21

Expert Comment

by:AmazingTech
ID: 33599449
net localgroup Administrators "Domain Users" /delete
net localgroup Administrators "Group1" /add
net localgroup Administrators "Group2" /add
net user bumblebee password.123 /add
net localgroup Administrators "bumblebee" /add
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 33599855
Amazing -- awesome!

If I have a PC "A" and user Jsmith is a local administrator on PC "A", will the first command (net localgroup Administrators "Domain Users" /delete) move Jsmith into "restricted users" local group?
0
 
LVL 21

Expert Comment

by:AmazingTech
ID: 33600007
Nope. It's removing the domain group "Domain Users" if it was added to the administrators.

If you wanted to remove any user I'll need to look into it.
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 33600074
Yeah... basically remove all users from the local administrators group...  and local power users group.
0
 
LVL 26

Expert Comment

by:pony10us
ID: 33600181
In order to remove a specific user you need to know the nick of that user.

net localgroup administrators "domain\jsmith" /delete

would remove jsmith from the local administrator group on the PC
0
 
LVL 21

Accepted Solution

by:
AmazingTech earned 2000 total points
ID: 33600723
Here's a script to get all the members of Administrators and Power Users group and check to see if it's a user account using DSQUERY (MS Tool from Server Resource Kit).

This does not actually remove the membership until the ECHO is removed from line 'echo net user "%%b\%%c" /delete'

@ECHO OFF
for %%a in ("Administrators","Power Users") do (
    for /f "tokens=1,* delims=\" %%b in ('net localgroup %%a ^| find "\"') do (
        dsquery user -samid "%%c" -domain %%b | find /i "CN=" >NUL
        if not errorlevel 1 (
            echo Removing user "%%b\%%c" from local %%a group.
            echo net user "%%b\%%c" /delete
        ) else (
            echo This is not a user "%%b\%%c" in local %%a group.
        )
    )
)
0
 
LVL 21

Expert Comment

by:AmazingTech
ID: 33600755
Oops, error in the removing of the user from the group.

As a default the Domain Users are added to the local Users group. If the user is in an alternate domain then we could use this script to add them individually to the local Users group.

@ECHO OFF
for %%a in ("Administrators","Power Users") do (
    for /f "tokens=1,* delims=\" %%b in ('net localgroup %%a ^| find "\"') do (
        dsquery user -samid "%%c" -domain %%b | find /i "CN=" >NUL
        if not errorlevel 1 (
            echo Removing user "%%b\%%c" from local %%a group.
            echo net localgroup Users "%%b\%%c" /add
            echo net localgroup %%a "%%b\%%c" /delete
        ) else (
            echo This is not a user "%%b\%%c" in local %%a group.
        )
    )
)
0
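A read-only check to run on each workstation after the changes above, as an added example that is not part of the original thread: it lists every member of the local Administrators group that is not on an allowlist and returns a non-zero exit code if any are found. The EXAMPLE domain name, the allowlist contents and English-language net output are assumptions.

```batch
@echo off
setlocal EnableDelayedExpansion
rem Added example, not from the thread. It only reads group membership.
rem ASSUMPTIONS: EXAMPLE is a placeholder domain name; the allowlist holds the
rem names from the question plus the built-in Administrator and Domain Admins;
rem "net" prints English messages.
set "ALLOWED=;Administrator;bumblebee;EXAMPLE\Domain Admins;EXAMPLE\group1;EXAMPLE\group2;"
set "UNEXPECTED=0"
set "INLIST="

rem net localgroup prints a header, a line of dashes, one member per line,
rem then "The command completed successfully."
for /f "delims=" %%m in ('net localgroup Administrators') do (
    set "LINE=%%m"
    if "!LINE:~0,3!"=="---" (
        rem Members start on the line after the dashes.
        set "INLIST=1"
    ) else if "!LINE:~0,11!"=="The command" (
        rem Footer reached, stop treating lines as members.
        set "INLIST="
    ) else if defined INLIST (
        rem If deleting ";member;" leaves the allowlist unchanged, the member
        rem is not on it. The comparison is case-insensitive and uses the full
        rem DOMAIN\name, so a local or foreign-domain "group1" is still flagged.
        if "!ALLOWED:;%%m;=!"=="!ALLOWED!" (
            echo UNEXPECTED: %%m
            set /a UNEXPECTED+=1
        )
    )
)

if %UNEXPECTED% gtr 0 (
    echo %COMPUTERNAME%: unexpected Administrators members: %UNEXPECTED%
    exit /b 1
)
echo %COMPUTERNAME%: Administrators matches the allowlist
exit /b 0
```

Member names containing `=` or `!` are not handled by the substring test and should be checked by hand.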
 
LVL 2

Author Closing Comment

by:taki1gostek
ID: 33626636
Thanks!
0