aintgot1
asked on
Deleting multiple local user accounts
I have a rather large issue to deal with. I took over a network of approx 1200 user computers. In some computers there are multiple people in the local administrators group that need to be deleted. My new images contain the correct users, but older images do not yet. I can run a command through ghost to delete one user, but not multiple users. I have not had any luck finding a command to remove multiple users, so I may need an alternate method. My guess at that method is probably running a script, which I know nothing about. Is it possible to have a script delete all users in the local administrators group and add specific users? If not, what would be the best method?
Thanks,
Mike
Take a look at this article. There's a step-by-step guide.
Using Restricted Groups
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
Absolutely agree, Restricted Groups policy is the easiest way to manage admin rights and remove local user accounts.
The way I would set this up is as follows:
Domain admins are added to administrators
a Global security group called OU NAME - Administrators is added to administrators
The local admin account is added to administrators
Once this is implemented, when group policy updates, all local user accounts are removed from the group. Granting access is simply a case of adding domain accounts to the domain global group you created.
The article rmrustice linked shows how to set up Restricted Groups.
Hope this helps
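What the Restricted Groups membership list enforces, written out as a local reconciliation in PowerShell. This is an added example, not part of the original thread and not the script posted in it; `CONTOSO` and the group names are placeholders, and it assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts cmdlets, run elevated.

```powershell
# Added example: reconcile local Administrators against an allow list,
# the same end state a Restricted Groups membership policy enforces.
# Assumptions: PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts), elevated
# session; CONTOSO and the group names below are placeholders.
param(
    [string[]]$AllowedDomainPrincipals = @(
        'CONTOSO\Domain Admins',
        'CONTOSO\OU NAME - Administrators'
    ),
    [switch]$Apply   # without -Apply every change is a -WhatIf dry run
)

$adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# Find the built-in local admin by its RID (500) so a renamed account still matches.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$allowed = @("$env:COMPUTERNAME\$($builtin.Name)") + $AllowedDomainPrincipals

# Current members as COMPUTER\name or DOMAIN\name strings.
$current = @(Get-LocalGroupMember -SID $adminSid | ForEach-Object { $_.Name })

# -contains / -notcontains compare case-insensitively, like Windows account names.
$toAdd    = @($allowed | Where-Object { $current -notcontains $_ })
$toRemove = @($current | Where-Object { $allowed -notcontains $_ })

# Add first, then remove, so the machine is never left without a valid admin.
foreach ($name in $toAdd) {
    Add-LocalGroupMember -SID $adminSid -Member $name -WhatIf:(-not $Apply)
}
foreach ($name in $toRemove) {
    Remove-LocalGroupMember -SID $adminSid -Member $name -WhatIf:(-not $Apply)
}

# One summary object per machine, suitable for collecting into a report.
[pscustomobject]@{
    Computer = $env:COMPUTERNAME
    Added    = $toAdd -join '; '
    Removed  = $toRemove -join '; '
    Applied  = [bool]$Apply
}
```

Unlike the policy, a script like this corrects membership only at the moment it runs; Restricted Groups reapplies the list at every policy refresh.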
ASKER
Thanks all for the suggestions. I'm going to have to post back when I can see how the Restricted Groups method works. I walked into a crashed server this morning and all attention has been diverted.
I liked the script method, but the problem is I am not in the Domain Admins group to run it. I am only a site admin.
I will post back when I can get things under control.
Thanks,
Mike
The script should work then; it only needs you to be a local admin on these machines.
You can ask a domain admin to create a group policy for you. It's really not practical to use a script to do that. Imagine how many changes will happen in 1200 computers over time. Will you run the script on a daily basis? What if your clients use firewalls? It won't work. You might go crazy trying to manage things this way. Use the Active Directory in your favor.
Restricted groups is the "Microsoft tunnel-vision way"... which means it's the "correct" way.
btw- I don't want points, I'm just backing up rmrustice's comment.
ASKER
Thanks again. I can see both working, but I will most likely go with the Restricted Groups. With what I have to deal with, something I can set and forget will do me wonders. I should point out that I wouldn't be worried about what happens over time because once I get the group membership correct, there is nothing for me to worry about. I already have a command I run through Ghost in which I can add multiple users or delete a single user.
Anyway, I do want to test the script method out. I may have a use for it if I can't get the Restricted Groups to work, even though it looks straightforward. I'll post back the results.
Thanks,
Mike
Hey Mike
Just an additional comment, make sure you have an OU structure that supports your vision for restricted groups.
Per the way I have implemented it, I use OUs for a server type and apply the restricted groups policy to all hosts in that OU. For example, if you have a webservers OU where access requirements are the same, apply the policy to the entire OU.
Good luck!
Or you can take the first 2 lines off and put the script as a login script.
Also the below one can be put as a start-up script assigned to the computers OU.