Hey, Scripting Guy! How can I delete everyone except the Administrator and the Domain Admins group from the local Administrators group?
— JS
Hey, JS. You know, when you become a doctor you have to take the Hippocratic Oath, which famously begins, “First, do no harm.” When you become a Scripting Guy you have to take the Scriptocratic Oath, an oath which, somewhat less-famously, begins, “First, give them a warning. After that it’s not your fault if anything bad happens.” So, JS, consider yourself warned.
Actually, the script we’re about to show you isn’t particularly dangerous. However, it could be a bit of a nuisance. Per your request, the script removes everyone except the Administrator account and the Domain Admins group from the local Administrators group. That’s fine, except in at least one scenario. At Microsoft, for example, users are typically local administrators on their computers. However, those users never log on as the local Administrator; instead, they log on using their domain account, which happens to be a member of the local Administrators group.
So what’s the problem? Well, the script we’re about to show you will remove that domain user account from the local Administrators group; as a result, those users will no longer be local Administrators. That might very well be what you want to happen. But forewarned is forearmed and all that.
True story. Not too long ago, one of the Scripting Guys had to temporarily remove their computer from the domain. They did so, a process which also removed their domain user account – and the Domain Admins group – from the local Administrators group. Of course, you could still log on as Administrator … provided you knew the local Administrator password, that is. As you might have guessed, this Scripting Guy had no idea what the local Administrator password was. Uh-oh …. And, no, we can’t tell you which Scripting Guy did this: Jean would be terribly embarrassed if anyone ever found out.
In other words, don’t run with scissors, don’t stick your finger in a light socket, and don’t use this script if it’s going to lock you out of your own machine:
    ' Bind to the local Administrators group on the target computer via the WinNT provider
    strComputer = "atl-ws-01"
    Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")

    ' Remove every member whose name is neither Administrator nor Domain Admins
    For Each objUser In objGroup.Members
        If objUser.Name <> "Administrator" AND objUser.Name <> "Domain Admins" Then
            objGroup.Remove(objUser.AdsPath)
        End If
    Next
Yes, it does look harmless, doesn’t it? And it is: after all, a domain Administrator can still access the machine and add someone back to the local Administrators group. It could create a nuisance for you, but nothing that can’t be fixed.
As for the script itself, it begins by connecting to the Administrators group on a specified computer; in this sample script, that’s a computer named atl-ws-01. After making the connection the script sets up a For Each loop to loop through all the members of the group; said membership can be accessed via the Members property.
Inside the loop we use this line of code to ensure that the name of our group member is neither Administrator nor Domain Admins:
    If objUser.Name <> "Administrator" AND objUser.Name <> "Domain Admins" Then
Notice that we use the AND operator here: the Name is not Administrator and the Name is not Domain Admins. A common mistake scripters make is to use the OR operator in a script like this: the Name is not Administrator or the Name is not Domain Admins. Don’t make that mistake.
Why not? That’s easy: because then every member of the group will fit the criteria. Take the Administrator account, for example. Granted, the name of the account is equal to Administrator; that would seem to disqualify it. However, the name is not equal to Domain Admins; consequently it does meet the criteria; after all, you qualify if the name is not equal to Administrator or the name is not equal to Domain Admins. That’s why we make sure that the name is not equal to Administrator and it is not equal to Domain Admins.
If you don’t see how this works try running this script, which simply reports back the names of the group members:
    ' Same binding as before, but this version only reports the names that match
    strComputer = "atl-ws-01"
    Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")

    For Each objUser In objGroup.Members
        If objUser.Name <> "Administrator" AND objUser.Name <> "Domain Admins" Then
            Wscript.Echo objUser.Name
        End If
    Next
Now replace the AND with OR and see what happens.
See? Every now and then we actually do know what we’re talking about!
So what happens if an account meets the criteria? For example, the account kenmyer is not equal to Administrator and it is not equal to Domain Admins. In that case, we simply call the Remove method, passing it the AdsPath of the account in question; that removes the account from the group:
objGroup.Remove(objUser.AdsPath)
We then repeat the process with the other group members. When we’re done the local Administrators group should have only two members: Administrator and Domain Admins. One caveat: the script compares display names, not identities. If the built-in Administrator account on the target computer has been renamed (a common hardening step), its name will no longer be “Administrator” and the script will remove it along with everyone else, which is exactly the lock-out scenario we warned about above.
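The same clean-up in PowerShell, as an added example that is not part of the original post or the Scripting Guys’ script. Instead of matching by name it keeps members by SID: the built-in Administrator always has relative ID 500 under the machine’s own SID, whatever it has been renamed to, and Domain Admins always has RID 512 under the domain SID. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later), an elevated session on the target computer, and that the only RID-512 group you want to keep is your own domain’s; the -WhatIf switch lets you preview the removals first.

```powershell
# Added example (not from the original post): prune the local Administrators group
# down to the built-in Administrator and Domain Admins, matching by SID rather than
# by display name so a renamed Administrator account is still kept.
# Assumes Microsoft.PowerShell.LocalAccounts and an elevated session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$GroupName = 'Administrators'
)

# The built-in local Administrator is the account with RID 500 under the machine SID.
# Get-LocalUser only lists local SAM accounts, so this cannot pick up the domain's
# own Administrator account by mistake.
$localAdminSid = (Get-LocalUser |
    Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }).SID.Value

# Snapshot the membership first rather than removing while enumerating.
$members = @(Get-LocalGroupMember -Group $GroupName)

foreach ($member in $members) {
    $sid = $member.SID.Value

    # Keep the built-in Administrator (by SID, not by name).
    if ($sid -eq $localAdminSid) { continue }

    # Keep Domain Admins: RID 512 under a domain SID. The local SAM never issues
    # RID 512, so this only ever matches a domain group (assumption: you want to
    # keep any domain's Domain Admins, not just one specific domain).
    if ($sid -like 'S-1-5-21-*-512') { continue }

    # Everything else goes; -WhatIf / -Confirm are honoured via ShouldProcess.
    if ($PSCmdlet.ShouldProcess("$($member.Name) ($sid)", "Remove from $GroupName")) {
        Remove-LocalGroupMember -Group $GroupName -Member $member
    }
}
```

Run it as `.\Prune-LocalAdmins.ps1 -WhatIf` first: the output lists every principal that would be removed, which is the moment to notice that your own domain account is on the list. Note that Get-LocalGroupMember can fail outright if the group contains an orphaned SID (a deleted domain account that was never cleaned up); if that happens, remove the stale entry by hand before running the script.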
Like we said, make sure this is what you want before you use this script. But how about this: be careful when you use this script and, in return, we’ll let you run with scissors. Deal?