June 19th, 2007

How Can I Remove a Specific Set of Users From the Local Administrators Group?

Hey, Scripting Guy! Question

Hey, Scripting Guy! How can I delete all the users whose name starts with GER/ad_ from the local Administrators group on a computer?

— ID

SpacerHey, Scripting Guy! AnswerScript Center

Hey, ID. It’s a Friday as the Scripting Guy who writes this column writes this column. Usually Fridays are a very sad day for this Scripting Guy: after all, when Friday comes to an end he faces two days of having to stay home rather than experience the joy of coming in to work. But this Friday is different; this time around the Scripting Guy who writes this column is in a good mood. Why? Because as he drove in to work today he happened to glance down at the odometer and noticed that it was displaying nothing but 6s!

We understand: that sounds too incredible to be true. But true it is. And while the Scripting Guy who writes this column didn’t have a camera with him he did enlist the services of a police artist to recreate exactly what he saw on the odometer:

66666
  6.6

With the top line (66666) representing the total number of miles on the car and the bottom line (6.6) representing the number of miles driven on this particular trip.

That’s what he said, too: wow.

Note. Being the culturally-literate guy that he is, the Scripting Guy who writes this column is well aware of the so-called Mark of the Beast and the alleged meaning of the number 666. So do all these 6s, combined with the fact that the Scripting Guy who writes this column works for Microsoft (of all places!) mean that the Scripting Guy who writes this column is the Evil One? Don’t be silly. And you don’t have to take his word for it; let’s ask the Scripting Editor if she thinks the Scripting Guy who writes this column is the Evil One. What do you say, Scripting Editor? Hello? Scripting Editor? You there?

Well, she seems to have stepped out for a moment. But we all know what she would have said had she been here.

At any rate, seeing as how the Scripting Guy who writes this column is in a good mood today, let’s try to tackle the problem of deleting a specific set of users from the local Administrators group. And this should put you in a good mood, ID; turns out that this isn’t a very hard problem to solve after all:

strComputer = “atl-fs-01”

Set objGroup = GetObject(“WinNT://” & strComputer & “/Administrators”)

For Each objUser In objGroup.Members If InStr(objUser.ADsPath, “WinNT://GER/ad_”) Then objGroup.Remove(objUser.AdsPath) End If Next

Note: If you’re running Windows Vista, this script will only work with elevated privileges. That means that if you run from the command prompt, you need to open the command window by right-clicking and selecting Run As Administrator.

As you can see, we start out by assigning the name of the target computer to a variable called strComputer; we then use this line of code to connect to the local Administrators group on that machine:

Set objGroup = GetObject(“WinNT://” & strComputer & “/Administrators”)

The important thing to note here: we use the WinNT provider, written exactly in that fashion (W-i-n-N-T). Type that in any other way (e.g., winnt or WINNT) and the script will fail.

Before we go much further we should note that, if we were working with Active Directory, we could do some sort of search to locate all the “GER/ad_” users. For better or worse, however, we can’t do a search for local accounts. Instead, we need to bind directly to the Administrators group; in addition, we need to set up a For Each loop that loops through the items in the group’s Members property:

For Each objUser In objGroup.Members

As you might have guessed, the items in the Members property correspond quite nicely to the list of group members. That means that all we have to do now is figure out which users meet our criteria (GER/ad_) and which ones don’t.

Admittedly, that’s a little bit tricky, if for no reason other than the fact that people typically work with the Name property when dealing with local user accounts. That doesn’t help us much, because the Name property doesn’t include the domain (the GER/ in our example). Instead you get back names similar to this:

kmyer
packerman
jhaas

That’s nice, but there’s no way to tell whether these are truly local user accounts or if they are domain accounts. And if they are domain accounts, there’s no way of identifying which domain the account came from.

Because of that, we need to use the account’s ADsPath property rather than the account Name. ADsPath is going to return information similar to this, with GER representing the domain name:

WinNT://GER/kmyer
WinNT://GER/packerman
WinNT://GER/jhaas

Now our task is much easier: if an ADsPath starts with WinNT://GER/ad_ then this is a user we need to remove from the local Administrators group.

That explains our next line of code, a line that checks to see if the string value WinNT://GER/ad_ can be found anywhere in the user’s ADsPath:

If InStr(objUser.ADsPath, “WinNT://GER/ad_”) Then

If that string value can be found we then call the Remove method (passing the ADsPath as the sole method parameter) in order to remove that user from the Administrators group:

objGroup.Remove(objUser.AdsPath)

If that string value can’t be found then we don’t do anything at all; instead we simply loop around and repeat the process with the next user in the collection. Where we’re all done we will have removed all the GER/ad_ users from the local Admins group.

Not as fancy as a search, but, ultimately, every bit as effective.

In case you’re wondering, as excited as the Scripting Guy who writes this column was to see nothing but 6s on his odometer, that was not the most exciting thing that has happened to him lately, not by a longshot. For example, far more exciting was the day he stopped at the grocery store and the bill came to $20.00 exactly. That was cool. And then there was his recent trip to Orlando. While his peers were out partying all night long he and Scripting Guy Jean Ross stayed in their hotel rooms and spent the night creating and publishing Script Center pages. Dance the night away at the Groove or the Glo Lounge, or stay up till 3:00 AM working? For the Scripting Guys, that was an easy decision.

Which goes a long ways towards explaining why something like all 6s on the odometer gets them so excited.

Author

0 comments

Discussion are closed.