Here is a script we use to monitor local administrator accounts. This will dump all local administrators into a log file and upload the log file to your K server. Use the documents tab to retrieve the file.

Script Name: Get Local Administrators
Script Description:

IF True
THEN
Execute Shell Command
Parameter 1 : net localgroup administrators >> #vAgentConfiguration.agentTempDir#\local_admins.log
Parameter 2 : 1
OS Type : 0
Get File
Parameter 1 : #vAgentConfiguration.agentTempDir#\local_admins.log
Parameter 2 : ..\Docs\LocalAdmins\local_admins.log
Parameter 3 : 2
OS Type : 0
Delete File
Parameter 1 : #vAgentConfiguration.agentTempDir#\local_admins.log
OS Type : 0
ELSE

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: cnwicsurrett

Awesome. I found a VB script that will do this sort of thing but dumps it to an excel file but not knowing vbs from the back of my hand I was intimidated to even attempt anything with it. I was really hoping to get a report going that would grab the info, I'm not sure I will be able to do it in a timely fashion though.

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: tsorensen@group1auto.com

Let me take this one a step further...

We are just beginning a project to remove local admin rights from users - to address security concerns, reduce virus/malware infections, etc. I am tryign to think of a way that I might be able to automate this with Kaseya.

I can use the above logic to export a list to a text/log file. But then I need to parge that file, ake a list of the local administrators, then remove each of them from the local adminsitrators group - execpt for the domain admin account, and our custom account.

I haven't started this effort yet. I thought I would check to see if anyone else migth have already written the script, or a piece of it.

Lloyd

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: lwolf

I have the remove local admin portion but it would be for one username at a time. Would be swell if the net command could b triggered with a wildcard and except statement. Here's the script we use to remove a user from the local admins group.

Script Name: Remove an account from local admins 

Script Description: Removes the defined domain user from the local administrators group. Edit the script before executing to customize for your use.



IF True 

THEN

   Execute Shell Command

     Parameter 1 : net localgroup administrators "domain\user" /delete

     Parameter 2 : 1

         OS Type : 0

ELSE

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: tsorensen@group1auto.com

lwolf

Let me take this one a step further...

We are just beginning a project to remove local admin rights from users - to address security concerns, reduce virus/malware infections, etc. I am tryign to think of a way that I might be able to automate this with Kaseya.

I can use the above logic to export a list to a text/log file. But then I need to parge that file, ake a list of the local administrators, then remove each of them from the local adminsitrators group - execpt for the domain admin account, and our custom account.

I haven't started this effort yet. I thought I would check to see if anyone else migth have already written the script, or a piece of it.

Lloyd

script to removal all local admins can be found here:

http://www.microsoft.com/technet/scriptcenter/resources/qanda/dec05/hey1212.mspx

Assuming your custom account is the same on every domain you could use a managed variable for the domain name and add that user back in. A FQDN managed variable is one of my most use managed variables, its a pain to setup but well worth it after the fact.

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: cnwicsurrett

What you could do is run the first script that gives you that list of local admin users, then in the same script write a vbs file that will parse the first file and build an array of users (excluding the domain admin and anyone else you thought should not be included). then you had the array to a loop statement that will use Todd's delete user command to remove everyone but who you want to keep as a local admin.

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: boudj

The script on the technet website only goes so far as to allow you to change one machine name at a time with the strComputer = "atl-ws-01" which doesn't work for me. I didn't want to make a list of machine names and would rather have a script to dump on a machine, run it and be done, so after toying with the one thing i fail at most... vbs, i have a working vbs file (thanks to a long time friend who figured out my fail in 20 seconds grrr). Edit the kserviceaccount to your local/domain service you use. all other users are removed from local admins group.

Set oShell = CreateObject( "WScript.Shell" )

comp=oShell.ExpandEnvironmentStrings("%ComputerName%")



Set objGroup = GetObject("WinNT://" & comp & "/Administrators")



For Each objUser In objGroup.Members

    If objUser.Name <> "Administrator" AND objUser.Name <> "Domain Admins" AND objUser.Name <> "kserviceaccount Then

        objGroup.Remove(objUser.AdsPath)

    End If

Next

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: tsorensen@group1auto.com

boudj

that will use Todd's delete user command to remove everyone but who you want to keep as a local admin.

**GASP** DUDE! NO FIRST NAMES!

I kid

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: tsorensen@group1auto.com

tsorensen,

Wow, that looks very promising. I will give it a try. Thanks so much for sharing!

Lloyd

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: lwolf

tsorensen,

Looking very good. I am working on a combined script that does the following:
- export BEFORE list of local administrators to text file, and upload to kserver
- copy VBScript from KServer to Agent
- Use VBScript to purge local administrators, leaving only local administrator, domain admins, and our custom Kaseya account
- export AFTER list of local administrators to text file, and upload to kserver
- write message to local Windows event log, and K script log.

I will definately post when I am done.

But, I have a VB Script question that I need help with. The code provided uses

If objUser.Name <> "Administrator" AND objUser.Name <> "Domain Admins" AND objUser.Name <> "kserviceaccount" Then

In some cases, we were inconsistent with our Kaseya service account. In some cases it is "kserviceaccount", other cases it is "Kserviceaccount", other cases it is "KServiceAccount", etc. Always the same letters of the alphabet, just different lowercase and uppercase combinations.

Could you provdie the VB Script IF statement to make the comparison be case insensitive?

Thanks so much!

Lloyd

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: lwolf

lwolf

tsorensen,

Looking very good. I am working on a combined script that does the following:
- export BEFORE list of local administrators to text file, and upload to kserver
- copy VBScript from KServer to Agent
- Use VBScript to purge local administrators, leaving only local administrator, domain admins, and our custom Kaseya account
- export AFTER list of local administrators to text file, and upload to kserver
- write message to local Windows event log, and K script log.

I will definately post when I am done.

But, I have a VB Script question that I need help with. The code provided uses


In some cases, we were inconsistent with our Kaseya service account. In some cases it is "kserviceaccount", other cases it is "Kserviceaccount", other cases it is "KServiceAccount", etc. Always the same letters of the alphabet, just different lowercase and uppercase combinations.

Could you provdie the VB Script IF statement to make the comparison be case insensitive?

Thanks so much!

Lloyd

Try

If objUser.Name <> "Administrator" AND objUser.Name <> "Domain Admins" AND LCase(objUser.Name) <> "kserviceaccount" Then

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: RCS-Michael

Ok. Time to teach a couple VBS tips:

1. Forget the computer name stuff. It's only useful if your using a VBS script to connect and retrieve information from other computers. For most VBS scripts ran/scheduled by Kaseya you want to use the current computer. So change the computer name to ".".

2. UCase / LCase functions. These functions convert a string to upper or lower case.

So here's the VB script modified to run on the local computer and ignore case.

strComputer = "."

Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")

For Each objUser In objGroup.Members
If LCase(objUser.Name) <> "administrator" AND LCase(objUser.Name) <> "domain admins" Then
Wscript.Echo objUser.Name
End If
Next

Matt

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: connectex

Thanks connectex. I tried googling to see if there was a variable to use to just make it run local but all the scripts i looked over were all meant to be run from apparently a workstation or server on the same local lan. Now i know to do the "." which is extremely helpful. Thanks again.

I also noticed after i pasted i forgot the other quote on the other side of kservice account, sorry.

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: tsorensen@group1auto.com

While this is all very cool, are we making this way too complicated? Why not just use Restricted Groups in group policy? Takes 30 seconds to set up and will be enforced on each PC boot.

I'm all for Kaseya scripting but sometimes it is not the best tool for the job.

Legacy Forum Name: Scripts Forum,
Legacy Posted By Username: djmundy