Kaseya Community

Determine local admin rights on workstations

  • Daniel,

    I am pretty good with Active Directory and Group Policies, but I am not familiar with Restricted Groups. Could you elaborate?

    Thanks.

    Lloyd

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: lwolf
  • No probs

    Create a group policy object that applies to computer accounts. Edit it, go to Computer Configuration > Windows Settings > Security Settings > Restricted Groups

    Then add a group, called Administrators (just type it in, don't click Browse, because the browse only knows about domain groups.. not local groups like we are interested in).

    Click OK and you can add any user accounts or groups that will be a member of local administrators. I usually just add domain admins and leave it at that. Next time the machine policy is applied, this group's membership will be enforced, and all other members will be taken out.

    More info: http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: djmundy
  • Daniel,

    Thanks very much for the extra info. Might I ask a followup question...

    We have a local admin account that we use for Kaseya. For the sake of discussion, let's call it "KaseyaServiceAccount". This account is not a domain account, it is just a local account, and it is a member of the local administrators group.

    Using the GPO method, would it be possible to have the local KaseyaServiceAccount still be a part of the local administrators group?

    Thanks!

    Lloyd

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: lwolf
  • Yep, just add it to the list

    Because it's a local account you'll want to type it in without clicking on the Browse button.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: djmundy
  • i downloaded teklogic's script that removes all from the admin group except the local and domain admins. however, there are not any domain admins because it is a workgroup and therefore, what i need cannot be done in group policy. so the problem is... the users do not belong to any group now. that means i would still have to go in and do all this manually anyway. is there any way to remove all users from the admin group and add them to the users group? thx in advance for your help.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: chapmantony
  • chapmantony
    i downloaded teklogic's script that removes all from the admin group except the local and domain admins. however, there are not any domain admins because it is a workgroup and therefore, what i need cannot be done in group policy. so the problem is... the users do not belong to any group now. that means i would still have to go in and do all this manually anyway. is there any way to remove all users from the admin group and add them to the users group? thx in advance for your help.


    Not tested, but the following should work:

    for /f "skip=6 tokens=*" %g in ('net localgroup administrators') do net localgroup /add users "%g"

    This will add every user that was in Administrators to Users - prune as necessary.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: sequoya
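
For the workgroup case raised above, where Restricted Groups is not available, the same clean-up can be done per machine with an allow list. This is an added example, not code from the thread or from the script mentioned in it; it assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts cmdlets, and the `$Keep` list is a placeholder to adjust.

```powershell
# Added example, not from the thread. Run elevated; add -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Account names allowed to stay in Administrators (assumed list; the
    # second entry is the example name used in the thread).
    [string[]]$Keep = @('Administrator', 'KaseyaServiceAccount')
)

# Well-known SIDs, so this also works where the groups have localized names.
$admins = Get-LocalGroup -SID 'S-1-5-32-544'   # BUILTIN\Administrators
$users  = Get-LocalGroup -SID 'S-1-5-32-545'   # BUILTIN\Users
$alreadyInUsers = @(Get-LocalGroupMember -Group $users |
    ForEach-Object { $_.SID.Value })

foreach ($m in Get-LocalGroupMember -Group $admins) {
    $short = ($m.Name -split '\\')[-1]          # strip the COMPUTER\ prefix
    # RID 500 is the built-in Administrator, even if it was renamed.
    if ($m.SID.Value -like 'S-1-5-21-*-500' -or $Keep -contains $short) {
        Write-Output "keep  $($m.Name)"
        continue
    }
    if (-not $PSCmdlet.ShouldProcess($m.Name, 'move from Administrators to Users')) {
        continue
    }
    try {
        # Add to Users first so the account is never left in no group at all.
        if ($alreadyInUsers -notcontains $m.SID.Value) {
            Add-LocalGroupMember -Group $users -Member $m -ErrorAction Stop
        }
        Remove-LocalGroupMember -Group $admins -Member $m -ErrorAction Stop
        Write-Output "moved $($m.Name)"
    }
    catch {
        Write-Warning "failed for $($m.Name): $($_.Exception.Message)"
    }
}
```

With `-WhatIf` the script only lists which members would be kept and which would be moved, which also answers the thread's original question of who currently holds local admin rights.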
  • Rather than "poking" names to the Users group, you could use the local group "Authenticated Users" - if that would be appropriate for you. We use it on all our workstations.

    BTW this thread is great, just what I was looking for to remove users from the Admins group. Keep up the good work folks, I am new to the product and the scripting. I don't really want to learn another scripting language at my age so I will steal all I can

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: GEL-boy