Remove domain users (not local account) from the local admin

 Remove domain users (not local account) from the local ... - 5/15/2006 3:07:37 AM   
  awe3s

 

Posts: 21
Score: 0
Joined: 4/20/2006
Status: offline
Hi,

I have searched here and also the internet for the above but could only come up with removing all users (local and domain) from the local admin. What I need is just to remove domain users from the local admin group and leave any local accounts if they are part of the admin group of the machine. Of course I need to leave the administrator, domain admin and some other domain groups. I have the following two scripts that I tried and they work, but need to leave "local user accounts" if they have admin rights.

Set oWshNet = CreateObject("WScript.Network")
sComputer = oWshNet.ComputerName
' group to remove user from
Set oGroup = GetObject("WinNT://" & sComputer & "/Administrators")
' suppress errors, e.g. trying to remove the builtin Administrator
' account from the Administrators group will fail.
On Error Resume Next
' loop through all members of the Administrators group of type users
For Each oMember In oGroup.Members
    If oMember.Class = "User" Then
        ' remove the user from Administrators group
        oGroup.Remove oMember.ADsPath
    End If
Next

2nd one

Option Explicit
Dim network, group, user
Set network = CreateObject("WScript.Network")
Set group = GetObject("WinNT://" & network.ComputerName & "/Administrators,group")
For Each user In group.Members
    If UCase(user.Name) <> "ADMINISTRATOR" And UCase(user.Name) <> "DOMAIN ADMINS" And UCase(user.Name) <> "TEST" And UCase(user.Name) <> "TEST123" Then
        group.Remove user.ADsPath
    End If
Next

Thanks
 
 
Post #: 1
 
 RE: Remove domain users (not local account) from the lo... - 5/15/2006 3:28:05 AM   
  dalemontgomery45177

 

Posts: 26
Score: 0
Joined: 5/11/2006
Status: offline
perhaps something like...

If InStr(user.Name, "@myDomain.com") Then
    'remove user now
End If

...could work?

< Message edited by dalemontgomery45177 -- 5/15/2006 5:50:05 AM >

(in reply to awe3s)
 
 
Post #: 2
 
 RE: Remove domain users (not local account) from the lo... - 5/15/2006 5:45:56 AM   
  awe3s

 

Posts: 21
Score: 0
Joined: 4/20/2006
Status: offline
Thanks,

I will give it a go, not @ work now. Will report back later.

(in reply to dalemontgomery45177)
 
 
Post #: 3
 
 RE: Remove domain users (not local account) from the lo... - 5/16/2006 12:22:37 AM   
  awe3s

 

Posts: 21
Score: 0
Joined: 4/20/2006
Status: offline
Hi,

That didn't work. The script runs but doesn't remove anything. I have put the if instr on both the scripts below and they didn't work. Anyone help please?

(in reply to awe3s)
 
 
Post #: 4
 
 RE: Remove domain users (not local account) from the lo... - 5/16/2006 3:30:48 AM   
  Country73


Posts: 733
Score: 10
Joined: 8/25/2004
From: USA
Status: offline
I had to do something similar to what you are needing a little while back.
I first had to generate a list of all our machines and what accounts were setup as Local Admin.
This would create an excel spreadsheet listing machine name and all local admin accounts that were setup.

Once this was created, upper management went over the list to verify what accounts should remain and which ones should be removed.
(They basically deleted all of the rows of the accounts they wanted to keep)
When the list was returned to me, I ran a script to read through that file to create a text file to run my "RemoveAdmin.vbs".
The text file listed:
Machine;Account;Account;etc...
Machine;Account;Account;etc...
etc...

The RemoveAdmin script would then take that text file and remove those specific accounts from those specific machines.

Is this something that you are interested in, or are you just wanting to remove all accounts listed in the local admin group?

(in reply to awe3s)
 
 
Post #: 5
 
 RE: Remove domain users (not local account) from the lo... - 5/16/2006 3:41:06 AM   
  dalemontgomery45177

 

Posts: 26
Score: 0
Joined: 5/11/2006
Status: offline
In a test, echo user.name to see how the domain is named and then change the "@myDomain.com" to what is appropriate and unique to the domain user accounts. You may have to make exceptions for the Domain Admins group.

(in reply to awe3s)
 
 
Post #: 6
 
 RE: Remove domain users (not local account) from the lo... - 5/17/2006 9:04:05 AM   
  awe3s

 

Posts: 21
Score: 0
Joined: 4/20/2006
Status: offline
Hi dalemontgomery45177,

I echoed user.name, but it doesn't echo back anything; the script runs but nothing happens. So I thought I'd see how the line "For Each user In group.members" looks when echoed back, and guess what: it echoed just the pure user name, as in Jack.smith instead of domain\jack.smith or jack.smith@domain.com. That is why the line
if instr(user.name, "@myDomain.com")
never worked, as it could not find that type of user.

I think I may be nearer to a solution, but I have tried so many options in that area. I took off @mydomain.com and replaced it with just the domain without .com and so on, but it doesn't make a difference. Can you point me to what I'm missing?

Thanks for your help

(in reply to dalemontgomery45177)
 
 
Post #: 7
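The observation in the post above is the key to the original question: the WinNT provider's Name property carries only the bare account name, but each member's ADsPath carries the authority it came from (WinNT://MYDOMAIN/jack.smith for a domain account, WinNT://PC01/Administrator for a local one), so comparing that authority with the local computer name separates domain members from local ones without any string matching on the name. The script below is an added example and not the code any poster in this thread provided; MYDOMAIN and the group names in the allow list are placeholders to replace, and it runs in report-only mode until DRY_RUN is set to False.

```vbscript
Option Explicit
' Added example, not code from the thread. Removes domain accounts from the
' local Administrators group, keeps every local account and keeps an allow
' list of domain principals. MYDOMAIN and the group names are placeholders.
' Run with cscript.exe; while DRY_RUN is True it only reports.

Const DRY_RUN = True

Dim oNet, sComputer, oGroup, oMember, sAuthority, sKey, sPath
Dim dKeep, dRemove

Set oNet = CreateObject("WScript.Network")
sComputer = UCase(oNet.ComputerName)

' Domain principals that must stay, keyed as "DOMAIN\NAME" in upper case.
Set dKeep = CreateObject("Scripting.Dictionary")
dKeep.Add "MYDOMAIN\DOMAIN ADMINS", True         ' placeholder domain
dKeep.Add "MYDOMAIN\WORKSTATION SUPPORT", True   ' placeholder group

Set oGroup = GetObject("WinNT://" & sComputer & "/Administrators,group")

' First pass: classify each member by the authority in its ADsPath, because
' oMember.Name holds only the bare account name.
Set dRemove = CreateObject("Scripting.Dictionary")
For Each oMember In oGroup.Members
    sAuthority = AuthorityOf(oMember.ADsPath)
    sKey = UCase(sAuthority & "\" & oMember.Name)
    If sAuthority = sComputer Then
        WScript.Echo "keep   (local)   " & sKey
    ElseIf dKeep.Exists(sKey) Then
        WScript.Echo "keep   (allowed) " & sKey
    Else
        WScript.Echo "remove (domain)  " & sKey & "  [" & oMember.Class & "]"
        dRemove(oMember.ADsPath) = True
    End If
Next

' Second pass: remove after the enumeration has finished, so the Members
' collection is not modified while it is being walked.
If Not DRY_RUN Then
    For Each sPath In dRemove.Keys
        On Error Resume Next
        oGroup.Remove sPath
        If Err.Number <> 0 Then
            WScript.Echo "  failed to remove " & sPath & ": " & Err.Description
            Err.Clear
        End If
        On Error GoTo 0
    Next
End If

' Authority part of a WinNT ADsPath, upper-cased:
'   "WinNT://MYDOMAIN/jack.smith" -> "MYDOMAIN"
'   "WinNT://PC01/Administrator"  -> "PC01"
Function AuthorityOf(sAdsPath)
    Dim sRest, nSlash
    sRest = Mid(sAdsPath, Len("WinNT://") + 1)
    nSlash = InStr(sRest, "/")
    If nSlash > 0 Then
        AuthorityOf = UCase(Left(sRest, nSlash - 1))
    Else
        AuthorityOf = UCase(sRest)
    End If
End Function
```

Only direct members are listed: a domain user who holds admin rights through a nested domain group stays in the group, which is what you want when that group is on the allow list and worth looking for in the report when it is not. The removals are collected during the first pass and applied afterwards so the Members collection is not changed while it is being walked.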
 
 RE: Remove domain users (not local account) from the lo... - 5/17/2006 3:39:34 PM   
  dalemontgomery45177

 

Posts: 26
Score: 0
Joined: 5/11/2006
Status: offline
 
This worked in my test domain...


      

(in reply to awe3s)
 
 
Post #: 8
 
 RE: Remove domain users (not local account) from the lo... - 5/17/2006 11:28:28 PM   
  awe3s

 

Posts: 21
Score: 0
Joined: 4/20/2006
Status: offline
Thanks so much, that worked perfectly. Under the
if oMember.name <> "Domain Admin"

I added some other groups that I wanted excepted and it worked brilliantly.

Thanks for all your input

(in reply to dalemontgomery45177)
 
 
Post #: 9
 
 RE: Remove domain users (not local account) from the lo... - 5/18/2006 8:03:26 AM   
  awe3s

 

Posts: 21
Score: 0
Joined: 4/20/2006
Status: offline
Hi dalemontgomery45177,

I have been asked (by management) to exclude certain users. Now my idea is to create a domain global group, add those users to that group and make the script exempt them by querying the domain. This is what I added in the script (got it from this site):

Set objOU = GetObject("LDAP://ou=Test,ou=Test1,dc=mydomain,dc=com")
objOU.Filter = Array("user")
For Each objUser In objOU
    bExempt = False
    On Error Resume Next
    arrMemberOf = objUser.GetEx("memberOf")   ' raises "not found in the cache" for a user that is in no group
    If Err.Number <> 0 Then Err.Clear: arrMemberOf = Array()
    On Error GoTo 0
    For Each Group In arrMemberOf
        ' InStr returns a position, so compare it with 0 rather than using Not
        If InStr(Group, "Global group name") > 0 Then bExempt = True
    Next
    If Not bExempt Then
        'remove user
    End If
Next

It first failed at GetObject section - with error no such domain exists or it can't be found. I was logged on as local administrator then. So I logged on as a domain admin (on the test PC) and again it failed at arrMemberOf with an error of The directory property cannot be found in the cache.

Where am I going wrong, or is this the best way to do this.

Cheers guys

< Message edited by awe3s -- 5/18/2006 8:11:19 AM >

(in reply to awe3s)
 
 
Post #: 10
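An added example (not the code from any reply in this thread) for the exemption lookup in the post above: instead of reading every user's memberOf, which raises "The directory property cannot be found in the cache" for any user whose memberOf attribute is empty, it binds to the exemption group itself and reads its member list once into a dictionary. The group's distinguished name (LocalAdminExempt under the OUs from the post) and the account name jack.smith are placeholders.

```vbscript
Option Explicit
' Added example, not code from the thread. Builds the exemption list from
' the direct members of a domain global group, read through LDAP, instead
' of reading each user's memberOf. The group path is a placeholder.

Const EXEMPT_GROUP_PATH = "LDAP://CN=LocalAdminExempt,OU=Test,OU=Test1,DC=mydomain,DC=com"

Dim dExempt, sName
Set dExempt = LoadExemptAccounts(EXEMPT_GROUP_PATH)

For Each sName In dExempt.Keys
    WScript.Echo "exempt: " & sName
Next
WScript.Echo "jack.smith exempt? " & IsExempt("jack.smith")   ' placeholder account

' True when the account (by sAMAccountName, case-insensitive) is in the list.
' In the removal script this replaces the memberOf comparison.
Function IsExempt(sAccountName)
    IsExempt = dExempt.Exists(UCase(sAccountName))
End Function

' Returns a Dictionary keyed by upper-cased sAMAccountName of each direct
' member of the group. Nested groups appear by their own name, not expanded.
Function LoadExemptAccounts(sGroupPath)
    Dim oGroup, oMember, d, sAcct
    Set d = CreateObject("Scripting.Dictionary")
    On Error Resume Next
    Set oGroup = GetObject(sGroupPath)
    If Err.Number <> 0 Then
        ' Typical causes: a wrong DN, or running under a local account that
        ' cannot authenticate the LDAP bind to the domain.
        WScript.Echo "cannot bind to " & sGroupPath & ": " & Err.Description
        Err.Clear
        Set LoadExemptAccounts = d
        Exit Function
    End If
    For Each oMember In oGroup.Members
        ' Members from another forest (foreignSecurityPrincipal) have no
        ' sAMAccountName; Get fails for them and they are skipped.
        sAcct = oMember.Get("sAMAccountName")
        If Err.Number = 0 Then
            d(UCase(sAcct)) = True
        Else
            Err.Clear
        End If
    Next
    On Error GoTo 0
    Set LoadExemptAccounts = d
End Function
```

Deployed as a GPO startup script, this runs as LocalSystem, which reaches the domain as the computer account; reading a group's member list needs only the read access that default Active Directory permissions grant to authenticated users, so no separate credentials are required for a lookup like this. Writes to AD would be a different matter, but this script only reads.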
 
 RE: Remove domain users (not local account) from the lo... - 5/18/2006 12:58:31 PM   
  dalemontgomery45177

 

Posts: 26
Score: 0
Joined: 5/11/2006
Status: offline
try this...

      

(in reply to awe3s)
 
 
Post #: 11
 
 RE: Remove domain users (not local account) from the lo... - 5/18/2006 9:52:29 PM   
  awe3s

 

Posts: 21
Score: 0
Joined: 4/20/2006
Status: offline
Thanks a lot, it worked. One more thing. I was planning to run this as a GPO startup script. I realised that the script will only run if the logged on user is a domain admin (when I was testing it). If I deploy this as a GPO, will the system account be able to query the LDAP without authentication? Or does it need modifying to enable the system account to query the LDAP?

Thanks a lot for all your input in this, you are a star

(in reply to dalemontgomery45177)
 
 
Post #: 12
 
 RE: Remove domain users (not local account) from the lo... - 5/19/2006 1:30:21 AM   
  dalemontgomery45177

 

Posts: 26
Score: 0
Joined: 5/11/2006
Status: offline
Relating to System acct., I don't know without experimenting.

Depending on your environment, you may get the desired results by changing the line to specify the remote computer.

For example, you could make a script to query Active Directory, pull the list of computer names into an array, then run the current script once per machine while substituting oWshNet.ComputerName with the actual names.

Then it could all be done using your Domain Admin credentials whenever you wanted to run it.

(in reply to awe3s)
 
 
Post #: 13
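The per-machine approach in the reply above, as an added example that is not code from the thread: it pulls computer names from an OU in Active Directory and, for each, reads the local Administrators group over the WinNT provider and prints one Machine;Account;Account line in the format Country73 described earlier. It only reads, which makes it usable as the audit step before any removal. The OU path is a placeholder, the remote read needs credentials that are an administrator on the target machines, and machines that are off or unreachable are reported rather than silently skipped.

```vbscript
Option Explicit
' Added example, not code from the thread. Lists the local Administrators
' members of every computer in an OU as "Machine;Account;Account;...".
' Read-only. The OU path is a placeholder; run with cscript.exe under
' domain credentials that are local admin on the targets.

Const COMPUTERS_OU = "LDAP://OU=Workstations,DC=mydomain,DC=com"

Dim aComputers, sComputer
aComputers = ComputerNamesIn(COMPUTERS_OU)
For Each sComputer In aComputers
    WScript.Echo AdminLine(sComputer)
Next

' Returns an array of computer names (sAMAccountName without the trailing $)
' for the computer objects directly under the OU. Not recursive.
Function ComputerNamesIn(sOuPath)
    Dim oOU, oObj, d, sName
    Set d = CreateObject("Scripting.Dictionary")
    Set oOU = GetObject(sOuPath)
    oOU.Filter = Array("computer")
    For Each oObj In oOU
        sName = oObj.Get("sAMAccountName")
        If Right(sName, 1) = "$" Then sName = Left(sName, Len(sName) - 1)
        d(sName) = True
    Next
    ComputerNamesIn = d.Keys
End Function

' Returns "MACHINE;AUTHORITY\Name;..." or "MACHINE;<unreachable: reason>".
Function AdminLine(sMachine)
    Dim oGroup, oMember, sLine, sPath
    sLine = sMachine
    On Error Resume Next
    Set oGroup = GetObject("WinNT://" & sMachine & "/Administrators,group")
    If Err.Number <> 0 Then
        AdminLine = sLine & ";<unreachable: " & Err.Description & ">"
        Err.Clear
        Exit Function
    End If
    For Each oMember In oGroup.Members
        ' ADsPath "WinNT://MYDOMAIN/jack.smith" -> "MYDOMAIN\jack.smith";
        ' the authority tells a domain account from a local one.
        sPath = Mid(oMember.ADsPath, Len("WinNT://") + 1)
        sLine = sLine & ";" & Replace(sPath, "/", "\")
    Next
    On Error GoTo 0
    AdminLine = sLine
End Function
```

Redirect the output to a file (cscript //nologo audit.vbs > admins.txt) to get the review list; keeping the authority prefix in each entry is what lets the reviewer see at a glance which entries are local accounts and which come from the domain.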
 
 RE: Remove domain users (not local account) from the lo... - 5/19/2006 8:42:23 AM   
  awe3s

 

Posts: 21
Score: 0
Joined: 4/20/2006
Status: offline
Cheers mate, you surely have been a great help on this. I will sort something out in this regard. Once again, thank you so much.

(in reply to dalemontgomery45177)
 
 
Post #: 14
 
 RE: Remove domain users (not local account) from the lo... - 5/23/2006 4:42:34 PM   
  manu4u007

 

Posts: 8
Score: 0
Joined: 3/20/2006
Status: offline
Why don't you go for a restricted group policy rather than going for a script and applying it through a GPO? Restricted groups is a simple, quick and tested resolution.


Cheers
KILLER

(in reply to awe3s)
 
 
Post #: 15
 
 RE: Remove domain users (not local account) from the lo... - 5/23/2006 9:23:25 PM   
  awe3s

 

Posts: 21
Score: 0
Joined: 4/20/2006
Status: offline
Hi Manu4u007,

The idea of restricted GPO is something I considered but would not suit what I'm after. I don't think a restricted GPO will leave local accounts which are part of the admin group which I want. If it does, please let me know how.

Cheers

(in reply to manu4u007)
 
 
Post #: 16
 
 
 
  
