Solved

Remove Local Admins Batch File

Posted on 2010-09-03
13
2,589 Views
Last Modified: 2012-05-10
Hello Experts,

I need to put together a batch file, which will:

1. Remove domain users from local administrators group
2. Add "group1" and "group2" to local administrators group
3. Create "bumblebee" user with a specific password and add that user to the local administrators group

Can you please provide a series of commands that will do this trick?  Would be helpful.  

I plan to run this batch file using psexec.bat on 60 XP workstations and 10 Windows 7 workstations, running with domain admin privileges.

Thanks!
0
Comment
Question by:taki1gostek
  • 6
  • 4
  • 2
  • +1
13 Comments
 
LVL 57

Expert Comment

by:Mike Kline
Comment Utility
Have you thought about using restricted groups for this

http://www.frickelsoft.net/blog/?p=13

You just use the "members of this group" define your admins (DA, group1, group 2, and the bumblbee account you create)

Thanks

Mike
0
 
LVL 2

Author Comment

by:taki1gostek
Comment Utility
Can't do that, because if you do that, all other local groups and users get removed from those groups... and they're replaced by what gp passes down...  i need to be more flexible than that, but thanks for the tip.
0
 
LVL 2

Author Comment

by:taki1gostek
Comment Utility
The appropriate NET commands should probably do the trick...  but i'd need the syntax to use psexec.exe to run the command on the remote machines...  then I can compile that into a batch that would process a list of machines...
0
 
LVL 2

Author Comment

by:taki1gostek
Comment Utility
i mean Net user...
0
 
LVL 26

Expert Comment

by:pony10us
Comment Utility
Have you considered using Group Policy for these tasks instead? This sounds somewhat like a discussion here back in 2007:   http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_22836115.html
0
 
LVL 21

Expert Comment

by:AmazingTech
Comment Utility
net localgroup Administrators "Domain Users" /delete
net localgroup Administrators "Group1" /add
net localgroup Administrators "Group2" /add
net user bumblebee password.123 /add
net localgroup Administrators "bumblebee" /add
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 
LVL 2

Author Comment

by:taki1gostek
Comment Utility
Amazing -- awesome!

If I have a PC "A" and user Jsmith is a local administrator on PC "A", will the first command (net localgroup Administrators "Domain Users" /delete) move Jsmith into "restricted users" local group?
0
 
LVL 21

Expert Comment

by:AmazingTech
Comment Utility
Nope. It's removing the domain group "Domain Users" if it was added to the administrators.

If you wanted to remove any user I'll need to look in to it.
0
 
LVL 2

Author Comment

by:taki1gostek
Comment Utility
Yeah... basically remove all users from the local administrators group...  and local power users group.
0
 
LVL 26

Expert Comment

by:pony10us
Comment Utility
In order to remove a specific user you need to know the nick of that user.

net localgroup administrators "domain/jsmith" /delete

would remove jsmith from the local administrator group on the PC
0
 
LVL 21

Accepted Solution

by:
AmazingTech earned 500 total points
Comment Utility
Here's a script to get all the members of Administrators and Power Users group and check to see if it's a user account using DSQUERY (MS Tool from Server Resource Kit).

This does not actually removes the membership until the ECHO is removed from line 'echo net user "%%b\%%c" /delete'

ECHO OFF
for %%a in ("Administrators","Power Users") do (
    for /f "tokens=1,* delims=\" %%b in ('net localgroup %%a ^| find "\"') do (
        dsquery user -samid "%%c" -domain %%b | find /i "CN=" >NUL
        if not errorlevel 1 (
            echo Removing user "%%b\%%c" from local %%a group.
            echo net user "%%b\%%c" /delete
        ) else (
            echo This is not a user "%%b\%%c" in local %%a group.
        )
    )
)
0
 
LVL 21

Expert Comment

by:AmazingTech
Comment Utility
Opps error in the removing of the user from the group.

As a default the Domain Users are added to the local Users group. If the user is in an alternate domain then we could use this script to add them individually to the local Users group.

ECHO OFF
for %%a in ("Administrators","Power Users") do (
    for /f "tokens=1,* delims=\" %%b in ('net localgroup %%a ^| find "\"') do (
        dsquery user -samid "%%c" -domain %%b | find /i "CN=" >NUL
        if not errorlevel 1 (
            echo Removing user "%%b\%%c" from local %%a group.
            echo net localgroup Users "%%b\%%c" /add
            echo net localgroup %%a "%%b\%%c" /delete
        ) else (
            echo This is not a user "%%b\%%c" in local %%a group.
        )
    )
)
0
 
LVL 2

Author Closing Comment

by:taki1gostek
Comment Utility
Thanks!
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

When you receive another warning that your shared drive is almost full and you have asked your users to clean out old files again and again, here is a single command that may help. This command will place all the files that have not been used rec…
I have published numerous articles here at Experts Exchange that present programs/scripts written in a language called AutoHotkey. Each of those articles has a brief paragraph describing where to download the product and how to install it. I have al…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now