Jump to content

Remove User From Local Admin Group!

Bradman
 Share

Recommended Posts

Bradman Seeker

Bradman

Posted
Posted (edited)

Does anyone have a sample script to remove the current user from the local admin group?

I have something but it is crude and not very efficient.

I want to keep the domain admins and the local admin on the machine.

The question is how do I get rid of the offending local admin user?

Here is what I have so far!

If IsAdmin() Then

MsgBox(16, @UserName, 'YOU ARE NOT A LOCAL ADMIN! PLEASE WAIT!',3)

RunWait(@ComSpec & ' /c Net Localgroup Administrators ' & @UserName & ' /Delete')

EndIf

SplashOff()

MsgBox(16, @UserName, 'YOUR ADMIN PRIVILEGES HAVE BEEN RESET! YOU WILL NOW BE LOGGED OFF!',10)

ShutDown(0)

How do I check to see if the user is a domain admin and keep the domain admin in the group?

TY

Bradman

The problem I have is that our local admins are only allowed to temporarily add themselves to the local admin group. On our network we are finding that some of the local admins are setting themselves up permanently as local admins on their own systems and hooking up other users on their systems as well. I just want to keep all unauthorized users out of the local admin group.

I am not sure how to validate the privileges of each user that has admin rights.

Edited by Bradman
Link to comment
Share on other sites
lod3n Universalist

lod3n

Posted
Posted

Your script is fine, if a little harsh.

To keep the domain admin in the local admin group, DO NOT put the domain admin in by name. Instead, put the "Domain Admins" group in the local admin groups on all of the workstations. As long as your domain admin account is in the "Domain Admins" group, your script can't remove anything it shouldn't.

[font="Fixedsys"][list][*]All of my AutoIt Example Scripts[*]http://saneasylum.com[/list][/font]

Link to comment
Share on other sites
Bradman Seeker

Bradman

Posted
  • Author
Posted

Your script is fine, if a little harsh.

To keep the domain admin in the local admin group, DO NOT put the domain admin in by name. Instead, put the "Domain Admins" group in the local admin groups on all of the workstations. As long as your domain admin account is in the "Domain Admins" group, your script can't remove anything it shouldn't.

I got it, you are correct I just need to make sure the Domain Admin Names are correct. TY for the reply!

BradMan

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...