Link to home
Create AccountLog in
Avatar of Jaime Umali
Jaime UmaliFlag for Switzerland

asked on

Script to remove Account Operators on the users' Security Tab in Active Directory

Hi Experts,
Out of my 1000 users 300 of them has "Account operators and Domain Admins" on their "Security object" in AD, I have the list of those users and wanted them to remove those builtin account from script. Can someone help please?

Thank you and happy holidays
Avatar of pwindell
Flag of United States of America image

You don't need a script.

Open the Domains Admins Group
Multi-select the users you do not want in there and remove them,...all in one shot.
Repeat for the Account Operators Group.
Avatar of Jaime Umali


hi, I wasn't talking about the users in account operators or domain admins, its the builtin account which is residing in the users security attribute not the "Members Of". pls see attached.

That is supposed to be there. Leave it alone or you will trash everything.
we have audited and been asked to remove those accounts we cannot say no to them unfortunately, I know its possible, but i cannot find the site where i read it from.
The auditors are wrong. You will trash the system.  Domain Admins and Account Operators must have those permissions to manage the accounts,...that's what those permissions are for, has nothing to do with what the Users in question are allowed or not allowed to do.

As far as auditors go,...yes you can say no to them,...the auditors do not run the network,...too many of them would not be competent to do the job if you put them in that job.  They just look at some stupid checklist and mark what doesn't match the list.  This time they are completely off base here.
The same is true of all the other built in groups you see there,...they all require those permissions for the system to run properly......leave them alone.
As i said previously, of my 1000 users 300 of them has this account, these 300 users has been audited with this accounts.. and my 700 users has been running fine for more than 4 years already without these accounts (from NDS to AD migration). Can you please mention what system will not run without these builtin accounts?
what everyone is saying is that if you remove, i mean if you can remove the Account operators group and Domain admins group, you will cripple your server and nothing will work. Either you are not explaining well enough or there is another form of mis communication. As far as i can see, PWINDELL is right in removing the users from the DOMAIN ADMINS and ACCOUNT OPERATORS group, i think you should be ok doing that and everyone will be back to where the auditors want it to be, not that they always know what is best for the environment.
its hard to defend myself as 700 users DO NOT have these 2 built in accounts. only 300 users have these as they were onboarded last year september 2010. All old users from 2009 do not have these builtin accounts.
And i didn't say anything on deleting thos Builtin account on my AD, I know the implication it will do if I do so....i just want to remove those account from the users' "Security" tab. did you see my attached pdf file? its one of my user which i remove those 2 accounts manually. For the moment i'm removing for my 300 users manually so i can prove to auditors that it is in progress.
Avatar of pwindell
Flag of United States of America image

Link to home
Create an account to see this answer
Signing up is free. No credit card required.
Create Account