Removal from local administrators group

All replies

• 

  

  0

  Sign in to vote

  Use Restricted Groups policy of a Group Policy. See this reference:

  https://support.microsoft.com/en-us/help/279301/description-of-group-policy-restricted-groups

  ---

  Richard Mueller - MVP Enterprise Mobility (Identity and Access)

  • Proposed as answer by jrv Tuesday, April 10, 2018 2:50 PM
  • Unproposed as answer by TimIUK Tuesday, April 10, 2018 2:58 PM

  Tuesday, April 10, 2018 2:23 PM
• 

  

  0

  Sign in to vote

  Use Restricted Groups policy of a Group Policy. See this reference:

  https://support.microsoft.com/en-us/help/279301/description-of-group-policy-restricted-groups

  ---

  Richard Mueller - MVP Enterprise Mobility (Identity and Access)

  Thanks for your response.  Sadly, Group Policy is no good in our environment, which is why I need to do this via PowerShell and then deploy via Intune.

  Tuesday, April 10, 2018 2:25 PM
• 

  

  0

  Sign in to vote

  Hi,
  
  According to your description, I recommend using PowerShell DSC Group Resource with Members property which replace the current group membership with the specified members. The following article for your reference, hope it is helpful to you:
  DSC Group Resource
  https://docs.microsoft.com/en-us/powershell/dsc/groupresource
  
  If you need further help, please feel free to let us know.
  
  Best Regards,
  Albert

  ---

  Please remember to mark the replies as an answers if they help.
  If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

  Wednesday, April 11, 2018 5:00 AM
• 

  

  0

  Sign in to vote

  Hi guys,

  Thanks for your help so far, but I've been unable to find quite the right script.

  So we have a standard local admin account (not the built in administrator account) called Admin1 which is on all our Windows 10 computers.  Because the computers are domain joined, they also have the Domain Admins group as a member of the local administrators.  So I need a script that says:

  "Remove all users from the Administrators group on this computer except for Admin1 and Domain Admins."

  I am a Powershell novice but would have thought this should be possible.

  Thanks

  
  

  • Edited by TimIUK Thursday, April 12, 2018 8:06 PM

  Thursday, April 12, 2018 8:06 PM
• 

  

  0

  Sign in to vote

  Find-Module LocalUserManagement

  ---

  \_(ツ)_/

  Thursday, April 12, 2018 9:10 PM
• 

  

  0

  Sign in to vote

  Find-Module LocalUserManagement

  ---

  \_(ツ)_/

  Wow, that's really useful.

  For anyone  wondering how this is done, I've found the script that does it.  Hopefully this will come in handy for others.  Just input all the user or group names you want to leave in the administrators group.  For me this was the Administrator, Admin1 and Domain Admins accounts.

  $remove = net localgroup administrators | select -skip 6 | ? {$_ -and $_ -notmatch 'successfully|^Administrator|Admin1|Domain Admins$'}; foreach ($user in $remove) {net localgroup administrators "`"$user`"" /delete};
  

  • Marked as answer by TimIUK Thursday, April 12, 2018 9:18 PM

  Thursday, April 12, 2018 9:17 PM
• 

  

  0

  Sign in to vote

  You have to run that at each machine on the console.  The admin module is just as easy and works remotely.

  ---

  \_(ツ)_/

  Thursday, April 12, 2018 9:22 PM
• 

  

  0

  Sign in to vote

  You have to run that at each machine on the console.  The admin module is just as easy and works remotely.

  ---

  \_(ツ)_/

  As stated in my original post, I am deploying via Intune.

  Thanks

  Friday, April 13, 2018 7:32 AM
• 

  

  0

  Sign in to vote

  Then you are all set.

  ---

  \_(ツ)_/

  Friday, April 13, 2018 7:37 AM