After performing an audit on all our Workstations, I have discovered some Local Administrator accounts which do not follow our normal build standard naming convention. There are around 150 workstations with this misconfiguration. I would like to script their deletion (the proper Admin account also exists on these machines, renamed correctly via GPO). Can someone help me with the script please? It should read the machine names in from an OU in Active Directory, connect to each machine and delete the 2 rogue accounts if they exist.
I already have some code, thanks to a previous post, which reads in machine names from AD and outputs a list of Local Group members to a .csv file. Please see below.
```vbscript
' Local groups to enumerate on every computer found in the OU
arrGroups = Array("Administrators", "Remote Desktop Users", "Users")
strOutput = "LocalGroupMembers.csv"
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objOutput = objFSO.CreateTextFile(strOutput, True)
objOutput.WriteLine """COMPUTER"",""GROUP NAME"",""MEMBER NAME"""

' ADO query against Active Directory for computer objects in the OU
Const ADS_SCOPE_SUBTREE = -2
Set oConn = CreateObject("ADODB.Connection")
Set oCommand = CreateObject("ADODB.Command")
oConn.Provider = "ADsDSOObject"
oConn.Open "Active Directory Provider"
Set oCommand.ActiveConnection = oConn
oCommand.Properties("Page Size") = 1000
oCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

sOU = "'LDAP://OU=ouServers,DC=example,DC=com'"
oCommand.CommandText = "SELECT Name, ADsPath FROM " & sOU & " WHERE objectCategory ='computer'"
Set oRecordSet = oCommand.Execute
oRecordSet.MoveFirst

Do Until oRecordSet.EOF
    strComputer = oRecordSet.Fields("Name").Value
    If Ping(strComputer) = True Then
        For Each strGroup In arrGroups
            'WScript.Echo "List of member of local Administrators group for " & strComputer
            On Error Resume Next
            Set oLocalAdmins = GetObject("WinNT://" & strComputer & "/" & strGroup)
            If Err.Number = 0 Then
                On Error GoTo 0
                For Each oLocalAdmin In oLocalAdmins.Members
                    objOutput.WriteLine """" & strComputer & """,""" & strGroup & """,""" & oLocalAdmin.Name & """"
                Next
            Else
                objOutput.WriteLine """" & strComputer & """,""" & strGroup & """,""Error " & Err.Number & ": " & Err.Description & """"
                Err.Clear
                On Error GoTo 0
            End If
        Next
    Else
        ' No group has been enumerated for an offline machine, so leave the GROUP NAME column empty
        objOutput.WriteLine """" & strComputer & ""","""",""OFFLINE"""
    End If
    oRecordSet.MoveNext
Loop

objOutput.Close
MsgBox "Done. Please see " & strOutput

' Returns True if a single ICMP echo (300 ms timeout) gets a reply
Function Ping(strComputer)
    Dim objShell, boolCode
    Set objShell = CreateObject("WScript.Shell")
    boolCode = objShell.Run("Ping -n 1 -w 300 " & strComputer, 0, True)
    If boolCode = 0 Then
        Ping = True
    Else
        Ping = False
    End If
End Function
```
Hi, if you actually know the name of the accounts you want to delete, the easiest way to get rid of them would be to add a StartUp script from a GPO, with the following code in it:
```vbscript
' Errors (e.g. "account does not exist") are ignored so the script never blocks startup
On Error Resume Next
Set objNetwork = CreateObject("WScript.Network")
' Names of the rogue local accounts to remove
arrUsers = Array("AdminWrong", "RDWrong")
Set objComputer = GetObject("WinNT://" & objNetwork.ComputerName & "")
For Each strUser In arrUsers
    objComputer.Delete "user", strUser
Next
```
That way, the accounts are deleted by the local SYSTEM account, and if they don't exist, nothing happens.
Regards,
Rob.
mikevr6Author Commented:
Hi Rob,
That is much better. It will catch every machine as it logs on, rather than me running a script multiple times trying to catch machines while they're online and still missing a few.
Yeah, I know what that's like....tried it myself a few times....takes a while!
Let me know how it goes.
Regards,
Rob.
Works great! No modification required. (other than inserting the usernames of course) ;)
And copy the script to the Netlogon or Sysvol share so it's available to all machines.
Merci Buckets!!
mikevr6Author Commented:
One question. My Manager is sure to ask.
If we want to do the reverse and delete all user accounts NOT defined in arrUsers, can you show me the code for this please?
Hi, that gets slightly more complicated because you need to enumerate each group for their members, and if the user is not in the array, then delete them.
This ensures that certain local groups have only the specified members, but it doesn't *delete* the accounts....if you do want to delete the accounts, I can knock up the other version for you.
Regards,
Rob.
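The following is an added example, not code from the thread or from Rob: a PowerShell form of both approaches described above, written to run as SYSTEM from a GPO startup script. It deletes the named rogue accounts (Rob's first script) and strips any local principal that is not on an approved list out of a chosen group (the "reverse" he describes), which removes the membership only and leaves the account in place, as he notes. It runs report-only unless `-Enforce` is given, never touches the built-in RID 500 Administrator or domain principals, and appends what it did to a log file. The account names, group name and log path are placeholders.

```powershell
#Requires -Version 5.1
# Added example, not from the thread. Names below are placeholders.
param(
    [string[]]$RogueUsers     = @('AdminWrong', 'RDWrong'),  # accounts to delete outright
    [string]  $Group          = 'Administrators',            # group whose membership is enforced
    [string[]]$AllowedMembers = @('CorpAdmin'),              # local accounts allowed to stay in $Group
    [switch]  $Enforce                                       # omit for a report-only run
)
$Log = Join-Path $env:ProgramData 'LocalAccountCleanup.log'   # assumed log location
function Write-Log([string]$Msg) {
    "$(Get-Date -Format s) $env:COMPUTERNAME $Msg" | Add-Content -Path $Log
}
# The built-in Administrator is RID 500; deleting or demoting it breaks local recovery.
function Test-BuiltinAdmin([System.Security.Principal.SecurityIdentifier]$Sid) {
    return $Sid.Value -like 'S-1-5-21-*-500'
}
function Remove-RogueLocalUsers {
    foreach ($name in $RogueUsers) {
        $u = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
        if (-not $u) { continue }          # absent: nothing happens, as in the startup script
        if (Test-BuiltinAdmin $u.SID) { Write-Log "SKIP: $name resolves to RID 500"; continue }
        if ($Enforce) { Remove-LocalUser -SID $u.SID; Write-Log "DELETED user $name" }
        else          { Write-Log "WOULD DELETE user $name" }
    }
}
function Limit-GroupMembers {
    # Only local principals are touched; domain members are managed in AD, not per machine.
    $members = Get-LocalGroupMember -Group $Group -ErrorAction Stop
    foreach ($m in $members) {
        if ($m.PrincipalSource -ne 'Local') { continue }
        $short = $m.Name.Split('\')[-1]     # "COMPUTER\name" -> "name"
        if ($AllowedMembers -contains $short -or (Test-BuiltinAdmin $m.SID)) { continue }
        # Removes the membership only; the account itself still exists (Rob's caveat).
        if ($Enforce) { Remove-LocalGroupMember -Group $Group -Member $m; Write-Log "REMOVED $short from $Group" }
        else          { Write-Log "WOULD REMOVE $short from $Group" }
    }
}
Remove-RogueLocalUsers
Limit-GroupMembers
```

Run it once without `-Enforce` and review the log before deploying the enforcing version through the GPO; Get-LocalGroupMember can fail on a group containing an orphaned SID, which the `-ErrorAction Stop` surfaces rather than hiding.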
mikevr6Author Commented:
Thanks again Rob!