{"id":68353,"date":"2005-12-12T13:30:00","date_gmt":"2005-12-12T13:30:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2005\/12\/12\/how-can-i-delete-everyone-except-the-administrator-and-the-domain-admins-group-from-the-local-administrators-group\/"},"modified":"2005-12-12T13:30:00","modified_gmt":"2005-12-12T13:30:00","slug":"how-can-i-delete-everyone-except-the-administrator-and-the-domain-admins-group-from-the-local-administrators-group","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/how-can-i-delete-everyone-except-the-administrator-and-the-domain-admins-group-from-the-local-administrators-group\/","title":{"rendered":"How Can I Delete Everyone Except the Administrator and the Domain Admins Group from the Local Administrators Group?"},"content":{"rendered":"<p><IMG class=\"nearGraphic\" title=\"Hey, Scripting Guy! Question\" border=\"0\" alt=\"Hey, Scripting Guy! Question\" align=\"left\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/q-for-powertip.jpg\" width=\"34\" height=\"34\"> \n<P>Hey, Scripting Guy! How can I delete everyone except the Administrator and the Domain Admins group from the local Administrators group?<BR><BR>&#8212; JS<\/P><IMG border=\"0\" alt=\"Spacer\" src=\"https:\/\/devblogs.microsoft.com\/scripting\/wp-content\/uploads\/sites\/29\/2019\/05\/spacer.gif\" width=\"5\" height=\"5\"><IMG class=\"nearGraphic\" title=\"Hey, Scripting Guy! Answer\" border=\"0\" alt=\"Hey, Scripting Guy! 
Answer\" align=\"left\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/a-for-powertip.jpg\" width=\"34\" height=\"34\"><A href=\"http:\/\/go.microsoft.com\/fwlink\/?linkid=68779&amp;clcid=0x409\"><IMG class=\"farGraphic\" title=\"Script Center\" border=\"0\" alt=\"Script Center\" align=\"right\" src=\"http:\/\/img.microsoft.com\/library\/media\/1033\/technet\/images\/scriptcenter\/ad.jpg\" width=\"120\" height=\"288\"><\/A> \n<P>Hey, JS. You know, when you become a doctor you have to take the Hippocratic Oath, which famously begins, \u201cFirst, do no harm.\u201d When you become a Scripting Guy you have to take the Scriptocratic Oath, an oath which, somewhat less-famously, begins, \u201cFirst, give them a warning. After that it\u2019s not your fault if anything bad happens.\u201d So, JS, consider yourself warned.<\/P>\n<P>Actually, the script we\u2019re about to show you isn\u2019t particularly dangerous. However, it <I>could<\/I> be a bit of a nuisance. Per your request, the script removes everyone except the Administrator and Domain Admin accounts from the local Administrators group. That\u2019s fine, except in at least one scenario. At Microsoft, for example, users are typically local administrators on their computers. However, those users never log on as the local Administrator; instead, they log on using their domain account, which happens to be a member of the local Administrators group.<\/P>\n<P>So what\u2019s the problem? Well, the script we\u2019re about to show you will remove that domain user account from the local Administrators group; as a result, those users will no longer be local Administrators. That might very well be what you <I>want<\/I> to happen. But forewarned is forearmed and all that.<\/P>\n<TABLE id=\"ECD\" class=\"dataTable\" cellSpacing=\"0\" cellPadding=\"0\">\n<THEAD><\/THEAD>\n<TBODY>\n<TR class=\"record\" vAlign=\"top\">\n<TD>\n<P><B>True story<\/B>. 
Not too long ago, one of the Scripting Guys had to temporarily remove their computer from the domain. They did so, a process which also removed their domain user account &#8211; and the Domain Admins account &#8211; from the local Administrators group. Of course, you could still log on as Administrator \u2026 provided you knew the local Administrators password, that is. As you might have guessed, this Scripting Guy had no idea what the local Administrators password was. Uh-oh \u2026.<\/P>\n<P>And, no, we can\u2019t tell you <I>which<\/I> Scripting Guy did this: Jean would be terribly embarrassed if anyone ever found out.<\/P><\/TD><\/TR><\/TBODY><\/TABLE>\n<DIV class=\"dataTableBottomMargin\"><\/DIV>\n<P>In other words, don\u2019t run with scissors, don\u2019t stick your finger in a light socket, and don\u2019t use this script if it\u2019s going to lock you out of your own machine:<\/P><PRE class=\"codeSample\">' Computer whose local Administrators group will be cleaned up\nstrComputer = &quot;atl-ws-01&quot;\n\n' Bind to the local Administrators group through the WinNT provider\nSet objGroup = GetObject(&quot;WinNT:\/\/&quot; &amp; strComputer &amp; &quot;\/Administrators&quot;)\n\n' Remove every member whose name is neither Administrator nor Domain Admins\nFor Each objUser In objGroup.Members\n    If objUser.Name &lt;&gt; &quot;Administrator&quot; AND objUser.Name &lt;&gt; &quot;Domain Admins&quot; Then\n        objGroup.Remove(objUser.AdsPath)\n    End If\nNext\n<\/PRE>\n<P>Yes, it <I>does<\/I> look harmless, doesn\u2019t it? And it is: after all, a domain Administrator can still access the machine and add someone back to the local Administrators group. It could create a nuisance for you, but nothing that can\u2019t be fixed.<\/P>\n<P>As for the script itself, it begins by connecting to the Administrators group on a specified computer; in this sample script, that\u2019s a computer named atl-ws-01. 
After making the connection the script sets up a For Each loop to loop through all the members of the group; said membership can be accessed via the <B>Members<\/B> property.<\/P>\n<P>Inside the loop we use this line of code to ensure that the name of our group member is neither Administrator nor Domain Admins:<\/P><PRE class=\"codeSample\">If objUser.Name &lt;&gt; &quot;Administrator&quot; AND objUser.Name &lt;&gt; &quot;Domain Admins&quot; Then\n<\/PRE>\n<P>Notice that we use the AND operator here: the Name is not Administrator <I>and<\/I> the Name is not Domain Admins. A common mistake scripters make is to use the OR operator in a script like this: the Name is not Administrator <I>or<\/I> the Name is not Domain Admins. Don\u2019t make that mistake. <\/P>\n<P>Why not? That\u2019s easy: because then <I>every<\/I> member of the group will fit the criteria. Take the Administrator account, for example. Granted, the name of the account <I>is<\/I> equal to Administrator; that would seem to disqualify it. However, the name is <I>not<\/I> equal to Domain Admins; consequently it <I>does<\/I> meet the criteria; after all, you qualify if the name is not equal to Administrator <I>or<\/I> the name is not equal to Domain Admins. That\u2019s why we make sure that the name is not equal to Administrator <I>and<\/I> it is not equal to Domain Admins. <\/P>\n<P>If you don\u2019t see how this works try running this script, which simply reports back the names of the group members that meet the criteria instead of removing them:<\/P><PRE class=\"codeSample\">strComputer = &quot;atl-ws-01&quot;\n\nSet objGroup = GetObject(&quot;WinNT:\/\/&quot; &amp; strComputer &amp; &quot;\/Administrators&quot;)\n\n' Report only: echo the members that match the condition without removing them\nFor Each objUser In objGroup.Members\n    If objUser.Name &lt;&gt; &quot;Administrator&quot; AND objUser.Name &lt;&gt; &quot;Domain Admins&quot; Then\n        Wscript.Echo objUser.Name\n    End If\nNext\n<\/PRE>\n<P>Now replace the AND with OR and see what happens.<\/P>\n<P>See? 
Every now and then we actually <I>do<\/I> know what we\u2019re talking about!<\/P>\n<P>So what happens if an account meets the criteria; for example, the account kenmyer is not equal to Administrator <I>and<\/I> it is not equal to Domain Admins. In that case, we simply call the <B>Remove<\/B> method, passing it the AdsPath of the account in question; that removes the account from the group:<\/P><PRE class=\"codeSample\">objGroup.Remove(objUser.AdsPath)\n<\/PRE>\n<P>We then repeat the process with the other group members. When we\u2019re done the local Administrators group should have only two members: Administrator and Domain Admins.<\/P>\n<P>Like we said, make sure this is what you want before you use this script. But how about this: be careful when you use this script and, in return, we\u2019ll let you run with scissors. Deal?<\/P><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hey, Scripting Guy! How can I delete everyone except the Administrator and the Domain Admins group from the local Administrators group?&#8212; JS Hey, JS. You know, when you become a doctor you have to take the Hippocratic Oath, which famously begins, \u201cFirst, do no harm.\u201d When you become a Scripting Guy you have to take [&hellip;]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[23,24,3,5],"class_list":["post-68353","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-local-accounts-and-windows-nt-4-0-accounts","tag-other-directory-services","tag-scripting-guy","tag-vbscript"],"acf":[],"blog_post_summary":"<p>Hey, Scripting Guy! How can I delete everyone except the Administrator and the Domain Admins group from the local Administrators group?&#8212; JS Hey, JS. 
You know, when you become a doctor you have to take the Hippocratic Oath, which famously begins, \u201cFirst, do no harm.\u201d When you become a Scripting Guy you have to take [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/68353","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=68353"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/68353\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=68353"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=68353"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=68353"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}