Re: Remove Users From Local Admin Group

From: Torgeir Bakken \(MVP\) (Torgeir.Bakken-spam_at_hydro.com)
Date: 01/19/05

Next message: Sean M. Loftus: "Re: Script to format file to character number locations?"
Previous message: emebohw2_at_netscape.net: "Re: how do I count only files in a folder with a specific extension?"
In reply to: Forest: "Remove Users From Local Admin Group"
Messages sorted by: [ date ] [ thread ]

Date: Wed, 19 Jan 2005 23:13:53 +0100

Forest wrote:

> Does anyone out there have a script that I can use in the login script to
> remove domain users from the local admin group? I want to lock down the
> local Admin group from the login script. Right now the domain user has admin
> access.
Hi

Below is a script that will remove all *user* accounts from the
Administrators group. Both local and domain users will be removed
(but not the builtin Administrator account). Any group accounts
will not be removed.

'--------------------8<----------------------

Set oWshNet = CreateObject("WScript.Network")
sComputer = oWshNet.ComputerName

' group to remove user from
Set oGroup = GetObject("WinNT://" & sComputer & "/Administrators")

' suppress errors, e.g. trying to remove the builtin Administrator
' account from the Administrators group will fail.
On Error Resume Next

' loop through all members of the Administrators group of type users
For Each oMember In oGroup.Members
   If oMember.Class = "User" Then
     ' remove the user from Administrators group
     oGroup.Remove oMember.ADsPath
   End If
Next
'--------------------8<----------------------

-- 
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx

Next message: Sean M. Loftus: "Re: Script to format file to character number locations?"
Previous message: emebohw2_at_netscape.net: "Re: how do I count only files in a folder with a specific extension?"
In reply to: Forest: "Remove Users From Local Admin Group"
Messages sorted by: [ date ] [ thread ]

Relevant Pages

Re: Logon Script
... Administrators group to let all domain users automatically be local admins when they log on to a computer interactively. ... torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway Administration scripting examples and an ONLINE version of the 1328 page Scripting Guide: ...
(microsoft.public.scripting.vbscript)
Re: Script to enumerating list of Local Admingroup member of all d
... How to Configure a Global Group to Be a Member of the Administrators Group on ... This is more secure than adding "Authenticated Domain users", ... avoid the issue with cross network admin rights ... torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway ...
(microsoft.public.windows.server.scripting)
Script (s) to help with file security audit
... I need to do a few things as part of our file security audit (we will be ... to return the path and file name as separate items rather than one long ... - Get a list of all domain users along with their AD location. ... I do have some limited experience with scripting and have already scripted ...
(microsoft.public.scripting.vbscript)
Re: Full access without Administrative rights
... Administrators group to let all domain users automatically be local ... avoid the issue with cross network admin rights ... -- torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway Administration scripting examples and an ONLINE version of the 1328 page Scripting Guide: ...
(microsoft.public.windows.group_policy)
Re: Full access without Administrative rights
... Administrators group to let all domain users automatically be local ... avoid the issue with cross network admin rights ... -- torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway Administration scripting examples and an ONLINE version of the 1328 page Scripting Guide: ...
(microsoft.public.security)