Re: Remove users from all Local Administrators!!
- From: "Richard Mueller" <rlmueller-NOSPAM@xxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 11 Nov 2006 10:58:46 -0600
Ahmad Sabry wrote:
I have a lot of clients whose domain accounts are added to the local
Administrators group. It will take a lot of time to remove them one by one,
so is there a script to remove all accounts from the local Administrators
group on each machine and keep the local administrator?

You will want to keep both the local Administrator user and the "Domain
Admins" group. A VBScript program can do this remotely, assuming you have
sufficient permissions (are a member of "Domain Admins"). You bind to the
local Administrators group with the WinNT provider and use the Remove method
of the group object to remove unwanted members. For one computer:
==============
Option Explicit
Dim objAdmGrp, strComputer, objMember, strName

' Specify NetBIOS name of computer.
strComputer = "MyComputer"

' Bind to local Administrators group on the computer.
Set objAdmGrp = GetObject("WinNT://" & strComputer _
    & "/Administrators,group")

' Enumerate members.
For Each objMember In objAdmGrp.Members
    strName = LCase(objMember.Name)
    ' Remove non-admin members.
    If (strName <> "administrator") And (strName <> "domain admins") Then
        objAdmGrp.Remove(objMember.AdsPath)
    End If
Next
=======
You could use ADO to retrieve all computer objects in the domain and perform
the above. However, it might be better to enumerate the computer objects in
a container. Since the WinNT provider is blind to OUs, I would use the LDAP
provider to enumerate the computers, then retrieve the sAMAccountName
attribute of each. This attribute is the NetBIOS name of the machine with
"$" appended on the end. You can remove the trailing "$" from the value of
sAMAccountName and use this to bind to the local Administrators group (you
must use the WinNT provider for local objects). For example:
==============
Option Explicit
Dim objAdmGrp, strComputer, objMember, strName
Dim objOU, objComputer

' Bind to container/OU.
Set objOU = GetObject("LDAP://ou=Sales,dc=MyDomain,dc=com")

' Filter on computer objects.
objOU.Filter = Array("computer")

' Enumerate all computers in the container.
For Each objComputer In objOU
    ' Retrieve the NetBIOS name of the computer.
    strComputer = objComputer.sAMAccountName
    ' Remove trailing "$".
    strComputer = Left(strComputer, Len(strComputer) - 1)
    ' Bind to local Administrators group on the computer.
    Set objAdmGrp = GetObject("WinNT://" & strComputer _
        & "/Administrators,group")
    ' Enumerate members.
    For Each objMember In objAdmGrp.Members
        strName = LCase(objMember.Name)
        ' Remove non-admin members.
        If (strName <> "administrator") And (strName <> "domain admins") Then
            objAdmGrp.Remove(objMember.AdsPath)
        End If
    Next
Next
==========
--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
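
An added example, not part of Richard Mueller's post: a report-first variant of the OU script above that logs machines it cannot bind to, collects members before removing any, and changes a group only when REPORT_ONLY is set to False. The REPORT_ONLY constant, the dictionary names and the comma-separated output are assumptions of this example; the OU path is the placeholder used in the post.

```vbscript
Option Explicit
Const REPORT_ONLY = True   ' Assumption: set to False to actually remove members.
Dim objOU, objComputer, objAdmGrp, objMember
Dim strComputer, strName, strPath, dictKeep, dictRemove

' Allowlist of member names to keep (lower case), as in the scripts above.
Set dictKeep = CreateObject("Scripting.Dictionary")
dictKeep.Add "administrator", True
dictKeep.Add "domain admins", True

' Placeholder container from the post; substitute your own OU.
Set objOU = GetObject("LDAP://ou=Sales,dc=MyDomain,dc=com")
objOU.Filter = Array("computer")

For Each objComputer In objOU
    ' NetBIOS name is sAMAccountName without the trailing "$".
    strComputer = objComputer.sAMAccountName
    strComputer = Left(strComputer, Len(strComputer) - 1)

    ' An offline or unreachable machine raises an error on bind; log it and move on.
    On Error Resume Next
    Set objAdmGrp = GetObject("WinNT://" & strComputer & "/Administrators,group")
    If (Err.Number <> 0) Then
        WScript.Echo strComputer & ",BIND FAILED,0x" & Hex(Err.Number)
        On Error GoTo 0
    Else
        On Error GoTo 0
        ' Collect candidates first so the group is not modified while enumerating.
        Set dictRemove = CreateObject("Scripting.Dictionary")
        For Each objMember In objAdmGrp.Members
            strName = LCase(objMember.Name)
            If dictKeep.Exists(strName) Then
                WScript.Echo strComputer & ",KEEP," & objMember.AdsPath
            Else
                dictRemove(objMember.AdsPath) = objMember.Class
            End If
        Next
        For Each strPath In dictRemove.Keys
            If REPORT_ONLY Then
                WScript.Echo strComputer & ",WOULD REMOVE," & strPath
            Else
                objAdmGrp.Remove strPath
                WScript.Echo strComputer & ",REMOVED," & strPath
            End If
        Next
    End If
Next
```

Run it with cscript and redirect the output to a file; the report-only pass gives a record of current membership to review and to restore from before any change is made.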