{"id":68683,"date":"2005-10-24T15:24:00","date_gmt":"2005-10-24T15:24:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2005\/10\/24\/how-can-i-remove-a-group-from-the-local-administrators-group\/"},"modified":"2005-10-24T15:24:00","modified_gmt":"2005-10-24T15:24:00","slug":"how-can-i-remove-a-group-from-the-local-administrators-group","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/how-can-i-remove-a-group-from-the-local-administrators-group\/","title":{"rendered":"How Can I Remove a Group from the Local Administrators Group?"},"content":{"rendered":"

\"Hey, \n

Hey, Scripting Guy! How can I remove a group from the local Administrators group?

— SB<\/P>\"Spacer\"\"Hey,\"Script<\/A> \n

Hey, SB. One of the Scripting Guys has very vague memories of an old TV show called Branded<\/I>, in which the hero (played by Chuck Connors) was accused of cowardice and then dishonorably discharged from the US Cavalry. About all the Scripting Guy remembers from the show is the opening, where they tear the insignias off the guy\u2019s uniform, break his sword in half, and then make him march out of the fort in shame.<\/P>\n

Why do we bring that up? No real reason; we just thought it would be cool if similar ceremonies were held any time a user or group was removed from the local Administrators group. Until such time, however, you can remove a group (in this case, an Active Directory group) from the local Administrators group by using a script similar to this one:<\/P>

strComputer = “atl-fs-01”<\/p>\n
Set objAdmins = GetObject(“WinNT:\/\/” & strComputer & “\/Administrators”)\nSet objGroup = GetObject(“WinNT:\/\/fabrikam\/finance”)<\/p>\n
objAdmins.Remove(objGroup.ADsPath)\n<\/PRE>\n
Yes, it\u2019s very simple, isn\u2019t it? The script begins by assigning the name of the computer (in this case, atl-fs-01<\/I>) to a variable named strComputer. We then use this line of code to bind to the local Administrators group on that computer:<\/P>
Set objAdmins = GetObject(“WinNT:\/\/” & strComputer & “\/Administrators”)\n<\/PRE>\n
Once we have an object reference to the Administrators group, our next task is to create a second<\/I> object reference, this one to the group to be removed. That\u2019s what we do here:<\/P>
Set objGroup = GetObject(“WinNT:\/\/fabrikam\/finance”)\n<\/PRE>\n
Notice that we\u2019re using the old-fashioned, Windows NT-style naming convention when referencing the group account: fabrikam\/finance<\/B>. Why? That\u2019s easy: to work with local users and groups, we have to use the WinNT provider. The WinNT provider doesn\u2019t understand Active Directory lingo; it can\u2019t make heads-or-tails out of an object path like this:<\/P>
cn=Finance Users, ou=Finance, dc=fabrikam, dc=com\n<\/PRE>\n
Therefore, we have to fall back to the old school account name: domain name\/logon name<\/I>. But that\u2019s OK: fortunately, Active Directory understands this naming convention, too. When we request the account fabrikam\/finance, Active Directory knows exactly what we\u2019re talking about.<\/P>\n\n<\/THEAD>\n\n\n
\n
Note<\/B>. This question has come up before, but it\u2019s worth repeating: yes, you can access objects in Active Directory using the WinNT provider. And, yes, it\u2019s true that the object path is much simpler. But don\u2019t be tempted: use the WinNT provider only when you absolutely have to. Why? Well, for example, when it comes to user accounts the LDAP provider typically used when working with Active Directory supports over 200 properties; the WinNT provider supports only about 20 or so. The LDAP provider is much more powerful and much more useful.<\/P><\/TD><\/TR><\/TBODY><\/TABLE>\n
<\/DIV>\n
Once we have an object reference to the group all we have to do is call the Remove<\/B> method to remove that group from the local Administrators group:<\/P>
objAdmins.Remove(objGroup.ADsPath)\n<\/PRE>\n
We still think it\u2019d be cooler to tear someone\u2019s pocket protector off their shirt and then break their stapler over our knee, but this will work.<\/P>\n
Of course, the group you want to remove might not be an Active Directory group, it might be a local group. Is that going to be a problem? No; in fact, it\u2019s a tiny bit easier. Just bind directly to the group account on the local machine and have at it:<\/P>
strComputer = “atl-fs-01”<\/p>\n
Set objAdmins = GetObject(“WinNT:\/\/” & strComputer & “\/Administrators”)\nSet objGroup = GetObject(“WinNT:\/\/finance”)<\/p>\n
objAdmins.Remove(objGroup.ADsPath)\n<\/PRE>\n
Incidentally, the process used to remove a group from another group is the exact same process used to remove a user from a group: you bind to the target group (in this case, the local Administrators group), you bind to the object to be removed (either a group or a user, it doesn\u2019t matter), and then you call the Remove method, passing as the sole parameter the ADsPath<\/B> of the account to be removed<\/P><\/p>\n","protected":false},"excerpt":{"rendered":"
Hey, Scripting Guy! How can I remove a group from the local Administrators group?— SB Hey, SB. One of the Scripting Guys has very vague memories of an old TV show called Branded, in which the hero (played by Chuck Connors) was accused of cowardice and then dishonorably discharged from the US Cavalry. About all […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,44,3,5],"class_list":["post-68683","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-groups","tag-scripting-guy","tag-vbscript"],"acf":[],"blog_post_summary":"
Hey, Scripting Guy! How can I remove a group from the local Administrators group?— SB Hey, SB. One of the Scripting Guys has very vague memories of an old TV show called Branded, in which the hero (played by Chuck Connors) was accused of cowardice and then dishonorably discharged from the US Cavalry. About all […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/68683","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=68683"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/68683\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=68683"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=68683"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=68683"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}