Link to home
Create AccountLog in
Avatar of taki1gostek
taki1gostekFlag for United States of America

asked on

Remove Local Admins Batch File

Hello Experts,

I need to put together a batch file, which will:

1. Remove domain users from local administrators group
2. Add "group1" and "group2" to local administrators group
3. Create "bumblebee" user with a specific password and add that user to the local administrators group

Can you please provide a series of commands that will do this trick?  Would be helpful.  

I plan to run this batch file using psexec.bat on 60 XP workstations and 10 Windows 7 workstations, running with domain admin privileges.

Avatar of Mike Kline
Mike Kline
Flag of United States of America image

Have you thought about using restricted groups for this

You just use the "members of this group" define your admins (DA, group1, group 2, and the bumblbee account you create)


Avatar of taki1gostek


Can't do that, because if you do that, all other local groups and users get removed from those groups... and they're replaced by what gp passes down...  i need to be more flexible than that, but thanks for the tip.
The appropriate NET commands should probably do the trick...  but i'd need the syntax to use psexec.exe to run the command on the remote machines...  then I can compile that into a batch that would process a list of machines...
i mean Net user...
Have you considered using Group Policy for these tasks instead? This sounds somewhat like a discussion here back in 2007:
Avatar of AmazingTech

net localgroup Administrators "Domain Users" /delete
net localgroup Administrators "Group1" /add
net localgroup Administrators "Group2" /add
net user bumblebee password.123 /add
net localgroup Administrators "bumblebee" /add
Amazing -- awesome!

If I have a PC "A" and user Jsmith is a local administrator on PC "A", will the first command (net localgroup Administrators "Domain Users" /delete) move Jsmith into "restricted users" local group?
Nope. It's removing the domain group "Domain Users" if it was added to the administrators.

If you wanted to remove any user I'll need to look in to it.
Yeah... basically remove all users from the local administrators group...  and local power users group.
In order to remove a specific user you need to know the nick of that user.

net localgroup administrators "domain/jsmith" /delete

would remove jsmith from the local administrator group on the PC
Avatar of AmazingTech

Link to home
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Opps error in the removing of the user from the group.

As a default the Domain Users are added to the local Users group. If the user is in an alternate domain then we could use this script to add them individually to the local Users group.

for %%a in ("Administrators","Power Users") do (
    for /f "tokens=1,* delims=\" %%b in ('net localgroup %%a ^| find "\"') do (
        dsquery user -samid "%%c" -domain %%b | find /i "CN=" >NUL
        if not errorlevel 1 (
            echo Removing user "%%b\%%c" from local %%a group.
            echo net localgroup Users "%%b\%%c" /add
            echo net localgroup %%a "%%b\%%c" /delete
        ) else (
            echo This is not a user "%%b\%%c" in local %%a group.