Bradman Posted March 5, 2007 (edited)

Does anyone have a sample script to remove the current user from the local admin group? I have something but it is crude and not very efficient. I want to keep the domain admins and the local admin on the machine. The question is how do I get rid of the offending local admin user? Here is what I have so far!

    ; If the logged-on user currently has admin rights, take them out of the local group
    If IsAdmin() Then
        MsgBox(16, @UserName, 'YOU ARE NOT A LOCAL ADMIN! PLEASE WAIT!', 3)
        ; User name is quoted so that names containing spaces are passed as one argument
        RunWait(@ComSpec & ' /c Net Localgroup Administrators "' & @UserName & '" /Delete')
    EndIf
    SplashOff()
    ; Runs for every user, admin or not: notify, then log off (Shutdown code 0)
    MsgBox(16, @UserName, 'YOUR ADMIN PRIVILEGES HAVE BEEN RESET! YOU WILL NOW BE LOGGED OFF!', 10)
    ShutDown(0)

How do I check to see if the user is a domain admin and keep the domain admin in the group? TY Bradman

The problem I have is that our local admins are only allowed to temporarily add themselves to the local admin group. On our network we are finding that some of the local admins are setting themselves up permanently as local admins on their own systems and hooking up other users on their systems as well. I just want to keep all unauthorized users out of the local admin group. I am not sure how to validate the privileges of each user that has admin rights.

Edited March 5, 2007 by Bradman

lod3n Posted March 5, 2007

Your script is fine, if a little harsh.

To keep the domain admin in the local admin group, DO NOT put the domain admin in by name. Instead, put the "Domain Admins" group in the local admin groups on all of the workstations. As long as your domain admin account is in the "Domain Admins" group, your script can't remove anything it shouldn't.

Bradman Posted March 5, 2007

> Your script is fine, if a little harsh.
> To keep the domain admin in the local admin group, DO NOT put the domain admin in by name. Instead, put the "Domain Admins" group in the local admin groups on all of the workstations. As long as your domain admin account is in the "Domain Admins" group, your script can't remove anything it shouldn't.

I got it, you are correct. I just need to make sure the Domain Admin Names are correct. TY for the reply!

BradMan
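
One way to apply the group-based advice above to the wider problem of unauthorized local admins, as an added example that is not part of the original thread: enumerate the local Administrators group through the WinNT ADSI provider, keep only an allowlist, and report (or remove) everything else. The function names, the allowlist, and the assumptions that the built-in account is still named Administrator and that @LogonDomain is the machine's domain all belong to this example, not to the posters.

```autoit
; Added example, not code from the thread. Report-only unless $bRemove is True.
; Assumptions: English group name "Administrators", built-in account still named
; "Administrator", machine joined to the domain reported by @LogonDomain.
Global $g_oComErr = ObjEvent("AutoIt.Error", "_ComErr") ; keep COM failures non-fatal

Func _ComErr($oErr)
    ConsoleWrite("COM error 0x" & Hex($oErr.number) & ": " & $oErr.description & @CRLF)
EndFunc

; True for the two members the thread wants to keep.
Func _IsAllowed($sPath)
    ; Local built-in account: path ends in /<computer>/Administrator
    Local $sLocal = "/" & @ComputerName & "/Administrator"
    If StringRight($sPath, StringLen($sLocal)) = $sLocal Then Return True
    ; The domain group, added once as a group rather than by user name
    Return $sPath = "WinNT://" & @LogonDomain & "/Domain Admins"
EndFunc

Func _AuditLocalAdmins($bRemove = False)
    Local $oGroup = ObjGet("WinNT://" & @ComputerName & "/Administrators,group")
    If Not IsObj($oGroup) Then Return SetError(1, 0, "Cannot open local group" & @CRLF)
    Local $sReport = "", $sExtras = ""
    For $oMember In $oGroup.Members
        Local $sPath = $oMember.ADsPath
        If _IsAllowed($sPath) Then
            $sReport &= "KEEP   " & $sPath & @CRLF
        Else
            $sExtras &= $sPath & "|" ; collect first, remove after enumeration
        EndIf
    Next
    If $sExtras = "" Then Return $sReport
    Local $aExtras = StringSplit(StringTrimRight($sExtras, 1), "|")
    For $i = 1 To $aExtras[0]
        ; REMOVE means removal was attempted; a failure is printed by _ComErr
        If $bRemove Then $oGroup.Remove($aExtras[$i])
        $sReport &= ($bRemove ? "REMOVE " : "EXTRA  ") & $aExtras[$i] & @CRLF
    Next
    Return $sReport
EndFunc

ConsoleWrite(_AuditLocalAdmins(False))
```

Run it in report-only mode first and review the EXTRA lines before calling `_AuditLocalAdmins(True)`; removal needs an elevated context.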