Kaseya Community

Remove Local Admin from All Except - Domain Admin and Administrator

  • AdminRemove.zip
    Just sharing - maybe trying to inspire others...

    This simple script removes all accounts from the Local Administrators group of a workstation except for Domain Admins and Administrator. This can be useful in many ways when "cleaning" client networks - very powerful. Please be wary - and all that other disclaimer goodness...

    It uses a VBScript and takes a log of the domain admins group before and after the VBScript runs and uploads the logs to the agent's 'Documents'.


    Script Name: Remove Local Unauthorized Admins - Teklogic
    Script Description:

    IF True
    THEN
    Execute Shell Command
    Parameter 1 : net localgroup administrators >>c:\temp\admins-before.log
    Parameter 2 : 1
    OS Type : 0
    Get File
    Parameter 1 : c:\temp\admins-before.log
    Parameter 2 : ../docs/admins-before.log
    Parameter 3 : 1
    OS Type : 0
    Write File
    Parameter 1 : c:\temp\AdminRemove-Teklogic.vbs
    Parameter 2 : VSASharedFiles\AdminRemove.vbs
    OS Type : 0
    Execute Shell Command
    Parameter 1 : cscript c:\temp\AdminRemove-Teklogic.vbs
    Parameter 2 : 1
    OS Type : 0
    Execute Shell Command
    Parameter 1 : net localgroup administrators >>c:\temp\admins-after.log
    Parameter 2 : 1
    OS Type : 0
    Get File
    Parameter 1 : c:\temp\admins-after.log
    Parameter 2 : ../docs/admins-after.log
    Parameter 3 : 1
    OS Type : 0
    ELSE



    I hope this is helpful to someone.

    -Justin Carter-
    -Teklogic Inc.-

    Legacy Forum Name: Remove Local Admin from All Except - Domain Admin and Administrator,
    Legacy Posted By Username: Teklogic
  • Nice work Justin,

    Script works perfectly

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: jamesw@computerone.com.au
  • I downloaded this script and it removes all from the admin group except the local and domain admins. However, there are not any domain admins because it is a workgroup and therefore what I need cannot be done in Group Policy. In that aspect this worked perfectly. BUT, the problem is... the users do not belong to any group now. That means I would still have to go in and do all this manually anyway. Is there any way to remove all users from the admin group and add them to the Users group? Thanks in advance for your help and for this post.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: chapmantony
  • I just wanted to bump this thread and ask a question.  I just created and tested and ran into the same problem as the last poster.  Is it possible to modify the VBS to also add all users to the "Users" group to avoid this problem?

  • For reference, I figured out the answer to my own question.  Modify the following sections of the script as follows to add the user to the "Users" group:

    '** Get Local Administrator Group
       Set AdminGroup = GetObject("WinNT://./Administrators, Group")
       Set UserGroup = GetObject("WinNT://./Users, Group")

    '** Search for Invalid Members & Remove Them
       For Each GroupMember in AdminGroup.Members
           ' Log each member checked (WScript.Echo works under cscript; the Debug object does not exist there)
           WScript.Echo GroupMember.Name, GroupMember.Class, IsPermitedAdmin(GroupMember.Name)
           If Not IsPermitedAdmin(GroupMember.Name) Then
               AdminGroup.Remove GroupMember.ADsPath
               ' Put the removed account into Users so it is not left without any group
               UserGroup.Add GroupMember.ADsPath
           End If
       Next
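
The removal-and-re-home logic described in the original post and the modification above, as an added PowerShell example for this thread; it is not the AdminRemove.vbs attachment (which is no longer available), and the C:\temp log path and elevated execution are assumptions:

```powershell
# Added example, written for this thread; it is not the AdminRemove.vbs attachment.
# Same logic as the post: remove every Administrators member not on the allow-list,
# move removed local accounts into Users (the follow-up problem in this thread),
# and write before/after membership logs as the Kaseya procedure does.
# Assumptions: run elevated on the workstation; $LogDir is a placeholder path.
param(
    [string[]]$Allowed = @('Administrator', 'Domain Admins'),  # members to keep
    [string]$LogDir = 'C:\temp',
    [switch]$DryRun                                             # report only
)

function Get-LocalGroupMemberInfo([string]$GroupName) {
    # WinNT provider: behaves the same on domain-joined and workgroup machines.
    $group = [ADSI]"WinNT://./$GroupName,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        [pscustomobject]@{
            Name  = $_.GetType().InvokeMember('Name',    'GetProperty', $null, $_, $null)
            Class = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)
            Path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        }
    }
}

function Write-MembershipLog([string]$Stage) {
    # Equivalent of the "net localgroup administrators >> admins-<stage>.log" steps
    Get-LocalGroupMemberInfo 'Administrators' |
        Format-Table Name, Class, Path -AutoSize |
        Out-File -FilePath (Join-Path $LogDir "admins-$Stage.log")
}

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
Write-MembershipLog 'before'

$admins  = [ADSI]'WinNT://./Administrators,group'
$users   = [ADSI]'WinNT://./Users,group'
$inUsers = @(Get-LocalGroupMemberInfo 'Users' | ForEach-Object { $_.Path })

foreach ($m in Get-LocalGroupMemberInfo 'Administrators') {
    if ($Allowed -contains $m.Name) { continue }   # -contains is case-insensitive
    Write-Host "Removing $($m.Class) '$($m.Name)' from Administrators"
    if ($DryRun) { continue }
    $admins.psbase.Invoke('Remove', $m.Path)
    # Re-home removed user accounts so they are not left in no group at all.
    if ($m.Class -eq 'User' -and $inUsers -notcontains $m.Path) {
        $users.psbase.Invoke('Add', $m.Path)
    }
}

Write-MembershipLog 'after'
```

On a workgroup machine the 'Domain Admins' entry in the allow-list simply never matches, so the same script covers both cases raised in the thread; run it with -DryRun first to review what would be removed.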

  • Can anyone help with how to modify the script to add all members of the "Users" to the "Administrators" group to basically undo the changes?  The removal script works for local users, but when I run the code below, I get the error "Active Directory: Access is Denied."  The code of the VB Script is below:

       ' The posted version bound both objects to Users; AdminGroup must bind to Administrators
       Set AdminGroup = GetObject("WinNT://./Administrators, Group")
       Set UserGroup = GetObject("WinNT://./Users, Group")
       For Each GroupMember in UserGroup.Members
           AdminGroup.Add GroupMember.ADsPath
       Next

    Thanks in advance

  • eperson, did you ever figure this out? How to make all users local admin

  • etabush - are you trying to do this in a domain or workgroup?

    If you are doing this in a domain, you simply need to run the below command. Note that this will work if run as system account, as %userdomain% will become the domain name of the computer account.

    net localgroup administrators /add "%userdomain%\domain users"

    If you are talking about a workgroup machine, you can use the following:

    for /f "skip=6 delims=" %a in ('net localgroup users') do net localgroup administrators /add %a

    Note that if you are doing this in a batch file, replace both instances of %a with %%a. If you are doing this in a Kaseya script, leave them as %a.



    [edited by: ghettomaster at 7:01 PM (GMT -7) on Oct 15, 2012]
  • Hold on - I think I have mis-read your request.

    In a workgroup environment, to add all users to the users group, punch this into a batch file.

    ---------------------------------------------------------------------

    rem In for /f options, "delims=" must be the last item (everything after it is treated as a delimiter), and quoted file paths need usebackq
    for /f "skip=4 delims=" %%a in ('net user') do echo %%a >> "%temp%\addusersoutput.txt"
    type "%temp%\addusersoutput.txt" | find /v "The command completed" >> "%temp%\addusersoutput2.txt"
    for /f "usebackq tokens=1,2,3" %%a in ("%temp%\addusersoutput2.txt") do echo %%a >> "%temp%\addusersoutput3.txt" && echo %%b >> "%temp%\addusersoutput3.txt" && echo %%c >> "%temp%\addusersoutput3.txt"
    type "%temp%\addusersoutput3.txt" | find /v "ECHO is on." | find /v "Guest" >> "%temp%\addusersoutput4.txt"
    for /f "usebackq" %%a in ("%temp%\addusersoutput4.txt") do net localgroup users /add %%a

    :cleanup
    del "%temp%\addusersoutput.txt"
    del "%temp%\addusersoutput2.txt"
    del "%temp%\addusersoutput3.txt"
    del "%temp%\addusersoutput4.txt"

    -------------------------------------------------------------

  • Thanks. I was talking about doing this in a domain.

    That command will add the current user as an admin? Any way to make all future users that are added local admins?

  • Thank you guys for working on this, I just got a request for this from a client

  • Has this file been removed? I can no longer download it.

  • Ditto... I also cannot find the AdminRemove.vbs script in this thread. Would really appreciate re-sharing this.