aintgot1 asked:

Deleting multiple local user accounts

I have a rather large issue to deal with. I took over a network of approx. 1200 user computers. In some computers there are multiple people in the local Administrators group that need to be deleted. My new images contain the correct users, but older images do not yet. I can run a command through Ghost to delete one user, but not multiple users. I have not had any luck finding a command to remove multiple users, so I may need an alternate method. My guess at that method is probably running a script, which I know nothing about. Is it possible to have a script delete all users in the local Administrators group and add specific users? If not, what would be the best method?

Thanks,
Mike

SOLUTION
rov17

You can leave the script as it is and provide a computer name when it asks you (you have to run the script as a domain admin),
or you can take the first two lines off and put the script as a logon script.

Also, the one below can be put as a startup script assigned to the computers' OU.

Option Explicit

Dim network, group, user
Set network = CreateObject("WScript.Network")
' Bind to the local Administrators group of this machine through the WinNT provider
Set group = GetObject("WinNT://" & network.ComputerName & "/Administrators,group")
' Walk the membership and remove everything except the built-in Administrator
' account and the Domain Admins group (comparison is by name, case-insensitive)
For Each user In group.Members
    If UCase(user.Name) <> "ADMINISTRATOR" And UCase(user.Name) <> "DOMAIN ADMINS" Then
        group.Remove user.AdsPath
    End If
Next


ASKER CERTIFIED SOLUTION
Take a look at this article. There's a step-by-step guide.

Using Restricted Groups
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

Absolutely agree, Restricted Groups policy is the easiest way to manage admin rights and remove local user accounts.

The way I would set this up is as follows:

Domain admins are added to administrators
a Global security group called OU NAME - Administrators is added to administrators
The local admin account is added to administrators

Once this is implemented, when group policy updates, all local user accounts are removed from the group. Granting access is simply a case of adding domain accounts to the domain global group you created.

The article rmrustice linked shows how to setup Restricted groups.
Hope this helps
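For readers who want the same end state from a script rather than from the Restricted Groups policy (the policy, in "Members of this group" mode, re-applies the list at every refresh; a script enforces it once, on the machine it runs on), here is a present-day PowerShell equivalent of the two approaches above. It is an added example, not code from rov17, rmrustice or any other poster. It keeps exactly the three members listed in the answer above (Domain Admins, one OU-scoped global group, the built-in local Administrator) and compares members by SID rather than by display name, so a renamed local Administrator is still recognised (RID 500) and a stray local account that merely happens to be called "Domain Admins" is not spared the way a name comparison would spare it. The domain name CONTOSO and the group name "Workstations - Administrators" are assumed placeholders; the cmdlets come from the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later) and need an elevated local-admin session.

```powershell
# Added example; not code from any poster in this thread.
# Enforces a fixed membership for BUILTIN\Administrators on the local machine,
# comparing by SID. Assumed names: CONTOSO (domain) and
# "Workstations - Administrators" (the OU-scoped global group).
function Set-LocalAdministratorsMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Domain = 'CONTOSO',
        [string]$OuAdminGroup = 'Workstations - Administrators'
    )

    # Resolve the two domain principals to SIDs once. Translate() needs a
    # reachable domain controller; failing here is safer than silently
    # enforcing an empty allow-list and stripping the group bare.
    $allowedSids = @(foreach ($name in @("$Domain\Domain Admins", "$Domain\$OuAdminGroup")) {
        $nt = New-Object System.Security.Principal.NTAccount($name)
        $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    })

    # The built-in Administrator keeps RID 500 even when renamed, so match on
    # the RID, not the name. Get-LocalUser only returns local accounts, so the
    # '*-500' suffix cannot collide with a domain SID here.
    $builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    $allowedSids += $builtinAdmin.SID.Value

    $members = Get-LocalGroupMember -Group 'Administrators'

    # Remove every current member whose SID is not on the allow-list. Passing
    # the SID string as -Member also removes entries whose name no longer
    # resolves (deleted domain accounts left behind in the group).
    foreach ($m in $members) {
        if ($allowedSids -notcontains $m.SID.Value) {
            if ($PSCmdlet.ShouldProcess("$($m.Name) [$($m.SID.Value)]", 'Remove from Administrators')) {
                Remove-LocalGroupMember -Group 'Administrators' -Member $m.SID.Value
            }
        }
    }

    # Add any allow-listed principal that is missing.
    foreach ($sid in $allowedSids) {
        if ($members.SID.Value -notcontains $sid) {
            if ($PSCmdlet.ShouldProcess($sid, 'Add to Administrators')) {
                Add-LocalGroupMember -Group 'Administrators' -Member $sid
            }
        }
    }

    # Return the resulting membership so a caller can log or compare it.
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, SID, PrincipalSource
}

# Preview the changes first, then enforce them.
Set-LocalAdministratorsMembership -WhatIf
Set-LocalAdministratorsMembership -Domain 'CONTOSO' -OuAdminGroup 'Workstations - Administrators'
```

Run it with -WhatIf on a few machines before deploying it as a startup script or through Invoke-Command, and read the output: the removals it lists are exactly the accounts that a Restricted Groups policy with the same three members would strip at the next policy refresh. If Get-LocalGroupMember fails on a machine because the group holds SIDs that no longer resolve, the older ADSI WinNT binding used in rov17's script enumerates the same group without that problem.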
aintgot1 (ASKER)

Thanks all for the suggestions. I'm going to have to post back when I can see how the Restricted Groups method works. I walked into a crashed server this morning and all attention has been diverted.

I liked the script method, but the problem is I am not in the Domain Admins group to run it. I am only a site admin.

I will post back when I can get things under control.

Thanks,
Mike

The script should work then; it only needs you to be a local admin on these machines.

You can ask a domain admin to create a group policy for you. It's really not practical to use a script to do that. Imagine how many changes will happen in 1200 computers over time. Will you run the script on a daily basis? What if your clients use firewalls? It won't work. You might go crazy trying to manage things this way. Use Active Directory in your favor.

Ron Malmstead
Restricted Groups is the "Microsoft tunnel-vision way"... which means it's the "correct" way.
BTW, I don't want points, I'm just backing up rmrustice's comment.

Thanks again. I can see both working, but I will most likely go with the Restricted Groups. With what I have to deal with, something I can set and forget will do me wonders. I should point out that I wouldn't be worried about what happens over time because once I get the group membership correct, there is nothing for me to worry about. I already have a command I run through Ghost in which I can add multiple users or delete a single user.

Anyway, I do want to test the script method out. I may have a use for it if I can't get the Restricted Groups to work, even though it looks straight forward. I'll post back the results.

Thanks,
Mike

Hey Mike
Just an additional comment: make sure you have an OU structure that supports your vision for Restricted Groups.
In the way I have implemented it, I use OUs per server type and apply the Restricted Groups policy to all hosts in that OU. For example, if you have a webservers OU where access requirements are the same, apply the policy to the entire OU.
Good luck!