Solved

Remove Local Admins Batch File

Posted on 2010-09-03
13
2,649 Views
Last Modified: 2012-05-10
Hello Experts,

I need to put together a batch file, which will:

1. Remove domain users from local administrators group
2. Add "group1" and "group2" to local administrators group
3. Create "bumblebee" user with a specific password and add that user to the local administrators group

Can you please provide a series of commands that will do this trick?  Would be helpful.  

I plan to run this batch file using psexec.bat on 60 XP workstations and 10 Windows 7 workstations, running with domain admin privileges.

Thanks!
0
Comment
Question by:taki1gostek
  • 6
  • 4
  • 2
  • +1
13 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33599241
Have you thought about using restricted groups for this

http://www.frickelsoft.net/blog/?p=13

You just use the "members of this group" define your admins (DA, group1, group 2, and the bumblbee account you create)

Thanks

Mike
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 33599386
Can't do that, because if you do that, all other local groups and users get removed from those groups... and they're replaced by what gp passes down...  i need to be more flexible than that, but thanks for the tip.
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 33599397
The appropriate NET commands should probably do the trick...  but i'd need the syntax to use psexec.exe to run the command on the remote machines...  then I can compile that into a batch that would process a list of machines...
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 2

Author Comment

by:taki1gostek
ID: 33599399
i mean Net user...
0
 
LVL 26

Expert Comment

by:pony10us
ID: 33599438
Have you considered using Group Policy for these tasks instead? This sounds somewhat like a discussion here back in 2007:   http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_22836115.html
0
 
LVL 21

Expert Comment

by:AmazingTech
ID: 33599449
net localgroup Administrators "Domain Users" /delete
net localgroup Administrators "Group1" /add
net localgroup Administrators "Group2" /add
net user bumblebee password.123 /add
net localgroup Administrators "bumblebee" /add
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 33599855
Amazing -- awesome!

If I have a PC "A" and user Jsmith is a local administrator on PC "A", will the first command (net localgroup Administrators "Domain Users" /delete) move Jsmith into "restricted users" local group?
0
 
LVL 21

Expert Comment

by:AmazingTech
ID: 33600007
Nope. It's removing the domain group "Domain Users" if it was added to the administrators.

If you wanted to remove any user I'll need to look in to it.
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 33600074
Yeah... basically remove all users from the local administrators group...  and local power users group.
0
 
LVL 26

Expert Comment

by:pony10us
ID: 33600181
In order to remove a specific user you need to know the nick of that user.

net localgroup administrators "domain/jsmith" /delete

would remove jsmith from the local administrator group on the PC
0
 
LVL 21

Accepted Solution

by:
AmazingTech earned 500 total points
ID: 33600723
Here's a script to get all the members of Administrators and Power Users group and check to see if it's a user account using DSQUERY (MS Tool from Server Resource Kit).

This does not actually removes the membership until the ECHO is removed from line 'echo net user "%%b\%%c" /delete'

ECHO OFF
for %%a in ("Administrators","Power Users") do (
    for /f "tokens=1,* delims=\" %%b in ('net localgroup %%a ^| find "\"') do (
        dsquery user -samid "%%c" -domain %%b | find /i "CN=" >NUL
        if not errorlevel 1 (
            echo Removing user "%%b\%%c" from local %%a group.
            echo net user "%%b\%%c" /delete
        ) else (
            echo This is not a user "%%b\%%c" in local %%a group.
        )
    )
)
0
 
LVL 21

Expert Comment

by:AmazingTech
ID: 33600755
Opps error in the removing of the user from the group.

As a default the Domain Users are added to the local Users group. If the user is in an alternate domain then we could use this script to add them individually to the local Users group.

ECHO OFF
for %%a in ("Administrators","Power Users") do (
    for /f "tokens=1,* delims=\" %%b in ('net localgroup %%a ^| find "\"') do (
        dsquery user -samid "%%c" -domain %%b | find /i "CN=" >NUL
        if not errorlevel 1 (
            echo Removing user "%%b\%%c" from local %%a group.
            echo net localgroup Users "%%b\%%c" /add
            echo net localgroup %%a "%%b\%%c" /delete
        ) else (
            echo This is not a user "%%b\%%c" in local %%a group.
        )
    )
)
0
 
LVL 2

Author Closing Comment

by:taki1gostek
ID: 33626636
Thanks!
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction: Recently, I got a requirement to zip all files individually with batch file script in Windows OS. I don't know much about scripting, but I searched Google and found a lot of examples and websites to complete my task. Finally, I was ab…
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html) provided 218 attendees with a step-by-step guide for identifying Acti…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now