Bradman

Remove User From Local Admin Group!

3 posts in this topic

Does anyone have a sample script to remove the current user from the local admin group?

I have something but it is crude and not very efficient.

I want to keep the domain admins and the local admin on the machine.

The question is how do I get rid of the offending local admin user?

Here is what I have so far!

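    ; If the logged-on user currently holds admin rights, remove the account
    ; from the local Administrators group.
    If IsAdmin() Then
        MsgBox(16, @UserName, 'YOU ARE NOT A LOCAL ADMIN! PLEASE WAIT!', 3)
        ; Quote the account name so names containing spaces are passed intact,
        ; and hide the console window.
        RunWait(@ComSpec & ' /c net localgroup Administrators "' & @UserName & '" /delete', '', @SW_HIDE)
    EndIf
    SplashOff()
    ; Tell the user what happened, then log off (Shutdown code 0 = logoff).
    MsgBox(16, @UserName, 'YOUR ADMIN PRIVILEGES HAVE BEEN RESET! YOU WILL NOW BE LOGGED OFF!', 10)
    Shutdown(0)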

How do I check to see if the user is a domain admin and keep the domain admin in the group?

TY

Bradman

The problem I have is that our local admins are only allowed to temporarily add themselves to the local admin group. On our network we are finding that some of the local admins are setting themselves up permanently as local admins on their own systems and hooking up other users on their systems as well. I just want to keep all unauthorized users out of the local admin group.

I am not sure how to validate the privileges of each user that has admin rights.


Your script is fine, if a little harsh.

To keep the domain admin in the local admin group, DO NOT put the domain admin in by name. Instead, put the "Domain Admins" group in the local admin groups on all of the workstations. As long as your domain admin account is in the "Domain Admins" group, your script can't remove anything it shouldn't.


I got it, you are correct. I just need to make sure the Domain Admin names are correct. TY for the reply!

BradMan
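
The allow-list approach from the reply above (keep the "Domain Admins" group and the built-in local administrator, treat every other member as unauthorized), as an added example that is not code from any poster in this thread. It assumes the built-in account is still named "Administrator" and that @LogonDomain is the machine's domain; `$bRemove`, `$aKeep`, `_IsAllowed` and `_AuditLocalAdmins` are names made up for this sketch.

```autoit
; Added example: audit the local Administrators group against an allow-list.
; Assumptions: built-in account is named "Administrator"; @LogonDomain is the
; domain whose "Domain Admins" group should stay in the local group.
Global Const $bRemove = False ; False = report only, True = remove flagged members

; Entries to keep, written as the tail of their WinNT ADsPath.
Global $aKeep[2] = ["/" & @ComputerName & "/Administrator", _
        "/" & @LogonDomain & "/Domain Admins"]

; True if $sPath ends with one of the allow-listed tails ("=" ignores case).
Func _IsAllowed($sPath, ByRef $aAllow)
    For $i = 0 To UBound($aAllow) - 1
        If StringRight($sPath, StringLen($aAllow[$i])) = $aAllow[$i] Then Return True
    Next
    Return False
EndFunc

; Lists members that are not allow-listed; returns how many were flagged.
Func _AuditLocalAdmins()
    Local $oGroup = ObjGet("WinNT://" & @ComputerName & "/Administrators,group")
    If Not IsObj($oGroup) Then Return SetError(1, 0, -1)
    Local $sFlagged = ""
    For $oMember In $oGroup.Members
        If _IsAllowed($oMember.ADsPath, $aKeep) Then ContinueLoop
        ConsoleWrite("Not on allow-list: " & $oMember.ADsPath & _
                " (" & $oMember.Class & ")" & @CRLF)
        $sFlagged &= $oMember.ADsPath & @LF
    Next
    If $sFlagged = "" Then Return 0
    ; Remove only after enumeration so the collection is not changed mid-loop.
    Local $aFlagged = StringSplit(StringTrimRight($sFlagged, 1), @LF)
    If $bRemove Then
        For $i = 1 To $aFlagged[0]
            $oGroup.Remove($aFlagged[$i])
        Next
    EndIf
    Return $aFlagged[0]
EndFunc

ConsoleWrite("Flagged members: " & _AuditLocalAdmins() & @CRLF)
```

With `$bRemove` left at False the script only reports; removal needs an elevated context.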
