Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users
Course Of The Month
3 days, 13 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Delete Local User Accounts by OU
Posted on 2011-02-24
Good Day,
After performing an audit on all our Workstations. I have discovered some Local Administrator accounts which do not follow our normal build standard naming convention. There are around 150 workstations with this misconfiguration. I would like to script their deletion (the proper Admin account also exists on these machines, renamed correctly via GPO). Can someone help me with the script please. It should read the machine names in from an OU in Active Directory, connect to each machine and delete the 2 rogue accounts if they exist.
I already have some code, thanks to a previous post, which reads in machine names from AD and outputs a list of Local Group members to a .csv file. Please see below.
After performing an audit on all our Workstations. I have discovered some Local Administrator accounts which do not follow our normal build standard naming convention. There are around 150 workstations with this misconfiguration. I would like to script their deletion (the proper Admin account also exists on these machines, renamed correctly via GPO). Can someone help me with the script please. It should read the machine names in from an OU in Active Directory, connect to each machine and delete the 2 rogue accounts if they exist.
I already have some code, thanks to a previous post, which reads in machine names from AD and outputs a list of Local Group members to a .csv file. Please see below.
rrGroups = Array("Administrators", "Remote Desktop Users", "Users")
strOutput = "LocalGroupMembers.csv"
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objOutput = objFSO.CreateTextFile(strOutput, True)
objOutput.WriteLine """COMPUTER"",""GROUP NAME"",""MEMBER NAME"""
Const ADS_SCOPE_SUBTREE = -2
Set oConn = CreateObject("ADODB.Connection")
Set oCommand = CreateObject("ADODB.Command")
oConn.Provider = "ADsDSOObject"
oConn.Open "Active Directory Provider"
Set oCommand.ActiveConnection = oConn
oCommand.Properties("Page Size") = 1000
oCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
sOU = "'LDAP://OU=ouServers,DC=example,DC=com'"
oCommand.CommandText = "SELECT Name, ADsPath FROM " & sOU & " WHERE objectCategory ='computer'"
Set oRecordSet = oCommand.Execute
oRecordSet.MoveFirst
Do Until oRecordSet.EOF
strComputer = oRecordSet.Fields("Name").Value
If Ping(strComputer) = True Then
For Each strGroup In arrGroups
'WScript.Echo "List of member of local Administrators group for " & strComputer
On Error Resume Next
Set oLocalAdmins = GetObject("WinNT://" & strComputer & "/" & strGroup)
If Err.Number = 0 Then
On Error GoTo 0
For Each oLocalAdmin in oLocalAdmins.Members
objOutput.WriteLine """" & strComputer & """,""" & strGroup & """,""" & oLocalAdmin.Name & """"
Next
Else
objOutput.WriteLine """" & strComputer & """,""" & strGroup & """,""Error " & Err.Number & ": " & Err.Description & """"
Err.Clear
On Error GoTo 0
End If
Next
Else
objOutput.WriteLine """" & strComputer & """,""" & strGroup & """,""OFFLINE"""
End If
oRecordSet.MoveNext
Loop
objOutput.Close
MsgBox "Done. Please see " & strOutput
Function Ping(strComputer)
Dim objShell, boolCode
Set objShell = CreateObject("WScript.Shell")
boolCode = objShell.Run("Ping -n 1 -w 300 " & strComputer, 0, True)
If boolCode = 0 Then
Ping = True
Else
Ping = False
End If
End Function
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
4
3
7 Comments
Hi, if you actually know the name of the accounts you want to delete, the easiest way to get rid of them would be to add a StartUp script from a GPO, with the following code in it:
That way, the accounts are deleted by the local SYSTEM account, and if they don't exist, nothing happens.
Regards,
Rob.
On Error Resume Next
Set objNetwork = CreateObject("WScript.Network")
arrUsers = Array("AdminWrong", "RDWrong")
Set objComputer = GetObject("WinNT://" & objNetwork.ComputerName & "")
For Each strUser In arrUsers
objComputer.Delete "user", strUser
Next
That way, the accounts are deleted by the local SYSTEM account, and if they don't exist, nothing happens.
Regards,
Rob.
Hi Rob,
That is much better. It will catch every machine as it logs on. Rather than me running a script multiple times trying to catch machines while they're online and still missing a few.
I'll give it a test and post back the results.
Mike
That is much better. It will catch every machine as it logs on. Rather than me running a script multiple times trying to catch machines while they're online and still missing a few.
I'll give it a test and post back the results.
Mike
Yeah, I know what that's like....tried it myself a few times....takes a while!
Let me know how it goes.
Regards,
Rob.
Let me know how it goes.
Regards,
Rob.
Works great! No modification required. (other than inserting the usernames of course) ;)
And copy the script to the Netlogon or Sysvol share so it's available to all machines.
Merci Buckets!!
And copy the script to the Netlogon or Sysvol share so it's available to all machines.
Merci Buckets!!
One question. My Manager is sure to ask.
If we want to do the reverse, delete all user accounts NOT defined in arrUsers. Can you show me the code for this please.
Thanks
Mike
If we want to do the reverse, delete all user accounts NOT defined in arrUsers. Can you show me the code for this please.
Thanks
Mike
Hi, that get's slightly more complicated because you need to enumerate each group for their members, and if the user is not in the array, then delete them.
One way, however, that would cover both scenarios at once, is to use Group Policy Restricted Groups:
http://www.frickelsoft.net/blog/?p=13
This ensures that certian local groups have only the specified members, but it doesn't *delete* the accounts....if you do want to delete the accounts, I can knock up the other version for you.
Regards,
Rob.
One way, however, that would cover both scenarios at once, is to use Group Policy Restricted Groups:
http://www.frickelsoft.net/blog/?p=13
This ensures that certian local groups have only the specified members, but it doesn't *delete* the accounts....if you do want to delete the accounts, I can knock up the other version for you.
Regards,
Rob.
Featured Post
What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s
ManageEngine
webinar, where attendees received a comprehensive look at the ma…
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
The viewer will learn the basics of jQuery, including how to invoke it on a web page.
Reference your jQuery libraries: (CODE)
Include your new external js/jQuery file: (CODE)
Write your first lines of code to setup your site for jQuery.: (CODE)
In this fourth video of the Xpdf series, we discuss and demonstrate the PDFinfo utility, which retrieves the contents of a PDF's Info Dictionary, as well as some other information, including the page count. We show how to isolate the page count in a…
- Document Management
- Document Imaging
- Programming
- Adobe Acrobat
- Scripting Languages
- Printers and Scanners, OCR, *Scripts, *PDF, *text file
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month3 days, 13 hours left to enroll
630 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.