VBScripts to Remove Domain Users from Local Admins on PC's

First of all, thanks to The Scripting Guy, the Google Groups on Scripting & ScriptingAnswers.com - truly invaluable sources of script code & information on how to do things, making life easier for scripting noobs like me!

I have just started to delve a little into the world of scripting, & what a learning curve it is! I can honestly say that I still know hardly anything about VBScript & the WMI components, but I have managed to implement a few minor scripts which do what I have required at various intervals.

Not too long ago I had to complete a Domain Migration for 200 PCs at one of my clients. User profiles had to be kept intact with no access to the source Domain, so some workarounds had to be implemented. The procedure was tedious and complex, & in order to make sure we could complete the necessary steps, we added Domain Users to the Local Admins group on all PCs using Group Policy. The idea was that once everything had settled post-migration, we could simply remove the privilege & carry on with normal day-to-day activities.

As it turned out, removing the privileges became pretty tedious, in that we had to touch each workstation to make 100% sure the required rights remained after Domain Users was removed. This was not acceptable, not to myself and not to the Client.

A workaround in the form of a script had to be realised, & this is what I came up with:

Scenario #1: Normal Users who require NO Admin Privileges on their PC - The following script removes ALL objects from the Local Admins group on the computer it runs on, EXCEPT Administrator & Domain Admins

' Bind to the local Administrators group of this computer via the WinNT ADSI provider
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")

' Remove every member except the built-in Administrator account and Domain Admins
For Each objUser In objGroup.Members
    If objUser.Name <> "Administrator" AND objUser.Name <> "Domain Admins" Then
        objGroup.Remove(objUser.AdsPath)
    End If
Next

Scenario #2: Power Users who require Local Admin rights on their PC ONLY for themselves & Domain Admins
(Note: THE USER MUST ALREADY BE AN ADMIN FOR THIS SCRIPT TO WORK, e.g. Domain Users in Local Admins)


' Gather the computer name and the logged-on user's domain and account name
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName
strDomain = objNetwork.UserDomain
strUser = objNetwork.UserName

Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")

' Remove Domain Users from the local Administrators group. The member's own
' ADsPath is used, so no domain name has to be edited into the script.
For Each objMember In objGroup.Members
    If objMember.Name = "Domain Users" Then objGroup.Remove objMember.ADsPath
Next

' Add the logged-on user to the local Administrators group if not already a member
Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser)
If Not objGroup.IsMember(objUser.ADsPath) Then
    objGroup.Add(objUser.ADsPath)
End If

The script above removes Domain Users from the Local Admins group (Administrator, Domain Admins and any other members are left in place), then adds the logged-on user to the Local Admins group.

To use the scripts, simply copy & paste the script text into Notepad, save it as ChosenFileName.vbs & execute it using cscript by typing cscript <PathToFile>\ChosenFileName.vbs on the computer you want to make the changes to.

In my case, I use a batch file to call cscript & run the command, then added the batch file as a logon script for my users.
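As an added example (my own code, not from the original post), here is a variant that first audits the local Administrators group and only takes Domain Users out of it when run with a /remove switch, collecting the matches before touching the group rather than removing entries while the Members collection is being walked. The /remove switch name, the exit codes and the event-log message are my own choices; it assumes cscript on a domain-joined PC, run with rights to change the group.

```vbscript
' Added example (not from the original post): audit the local Administrators
' group and, only when run with /remove, take "Domain Users" out of it. The
' default is a dry run, so it can be rolled out and checked before changing anything.
Option Explicit

Dim objNetwork, objShell, objGroup, objMember
Dim strComputer, strTarget, blnDoRemove, arrToRemove, intCount, i

strTarget = "Domain Users"   ' member whose presence counts as a finding
blnDoRemove = WScript.Arguments.Named.Exists("remove")

Set objNetwork = CreateObject("WScript.Network")
Set objShell = CreateObject("WScript.Shell")
strComputer = objNetwork.ComputerName
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")

' Pass 1: list every member. Nothing is removed while Members is being
' walked; matches are collected and handled in pass 2.
intCount = 0
ReDim arrToRemove(0)
WScript.Echo "Members of " & strComputer & "\Administrators:"
For Each objMember In objGroup.Members
    WScript.Echo "  " & objMember.Class & vbTab & objMember.ADsPath
    If LCase(objMember.Name) = LCase(strTarget) Then
        ReDim Preserve arrToRemove(intCount)
        ' Use the member's own ADsPath so no domain name is hard-coded
        arrToRemove(intCount) = objMember.ADsPath
        intCount = intCount + 1
    End If
Next

If intCount = 0 Then
    WScript.Echo "OK: " & strTarget & " is not in Administrators."
    WScript.Quit 0
End If

' Pass 2: report, or remove and record the change in the Application event log
For i = 0 To intCount - 1
    If blnDoRemove Then
        objGroup.Remove arrToRemove(i)
        objShell.LogEvent 4, "Removed " & arrToRemove(i) & " from " & _
            strComputer & "\Administrators"
        WScript.Echo "REMOVED: " & arrToRemove(i)
    Else
        WScript.Echo "FINDING: " & arrToRemove(i) & " (rerun with /remove to fix)"
    End If
Next
' Exit code 1 on a dry run with findings, 0 once the group has been fixed
If blnDoRemove Then WScript.Quit 0 Else WScript.Quit 1
```

Run it as cscript AuditAdmins.vbs for the report only, and cscript AuditAdmins.vbs /remove to remediate; the exit code lets a calling batch file or logon script tell the two outcomes apart.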

Enjoy
