Removal from local administrators group

  • Question

  • I need to write (or find) a PowerShell script to remove all users from the local administrators group on Windows 10 computers apart from the built in administrator, a specified local administrator (which is the same account name on all our computers) and Domain Admins.

    The following will remove all admins apart from the built in administrator but I am not sure how to also leave a named local admin account along with Domain Admins.

    $remove = net localgroup administrators | select -skip 6 | ? {$_ -and $_ -notmatch 'successfully|^administrator$'}; foreach ($user in $remove) {net localgroup administrators "`"$user`"" /delete}

    I know GPO would do what I want but I need a script as I want to deploy via Intune and many of our users rarely connect to the corporate network.

    Thanks

    Tuesday, April 10, 2018 1:55 PM


All replies

  • Use Restricted Groups policy of a Group Policy. See this reference:

    https://support.microsoft.com/en-us/help/279301/description-of-group-policy-restricted-groups


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    • Proposed as answer by jrv Tuesday, April 10, 2018 2:50 PM
    • Unproposed as answer by TimIUK Tuesday, April 10, 2018 2:58 PM
    Tuesday, April 10, 2018 2:23 PM
  • Use Restricted Groups policy of a Group Policy. See this reference:

    https://support.microsoft.com/en-us/help/279301/description-of-group-policy-restricted-groups


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thanks for your response.  Sadly, Group Policy is no good in our environment, which is why I need to do this via PowerShell and then deploy via Intune.
    Tuesday, April 10, 2018 2:25 PM
  • Hi,

    According to your description, I recommend using the PowerShell DSC Group Resource with the Members property, which replaces the current group membership with the specified members. The following article is for your reference; I hope it is helpful to you:
    DSC Group Resource
    https://docs.microsoft.com/en-us/powershell/dsc/groupresource

    If you need further help, please feel free to let us know.

    Best Regards,
    Albert

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, April 11, 2018 5:00 AM
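A DSC configuration of the kind Albert's reply points at, written here as an added example (it is not code from the thread or from the linked article). The member names are the ones the question uses; the domain name CONTOSO and the output path are assumed values:

```powershell
# Added example (not from the thread): declare the desired Administrators membership
# with the built-in DSC Group resource. Members replaces the whole membership, so any
# account not listed here is removed every time the LCM applies the configuration.
# Assumed values: domain name CONTOSO, output path C:\DSC\LocalAdmins.
Configuration LocalAdminsBaseline {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node localhost {
        Group Administrators {
            GroupName = 'Administrators'
            Ensure    = 'Present'
            # The full, authoritative list: built-in Administrator, the standard local
            # admin account, and Domain Admins (domain-qualified, as the resource expects).
            Members   = @('Administrator', 'Admin1', 'CONTOSO\Domain Admins')
        }
    }
}

# Compile the MOF and apply it; -Wait -Verbose shows what the resource changed.
LocalAdminsBaseline -OutputPath 'C:\DSC\LocalAdmins'
Start-DscConfiguration -Path 'C:\DSC\LocalAdmins' -Wait -Verbose -Force
```

After the first apply, Test-DscConfiguration reports whether the group has drifted from the list, which is the check a script-based approach does not give you for free. If the LCM cannot resolve the domain group on its own, the resource's Credential property takes an account that can.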
  • Hi guys,

    Thanks for your help so far, but I've been unable to find quite the right script.

    So we have a standard local admin account (not the built in administrator account) called Admin1 which is on all our Windows 10 computers.  Because the computers are domain joined, they also have the Domain Admins group as a member of the local administrators.  So I need a script that says:

    "Remove all users from the Administrators group on this computer except for Admin1 and Domain Admins."

    I am a PowerShell novice but would have thought this should be possible.

    Thanks


    • Edited by TimIUK Thursday, April 12, 2018 8:06 PM
    Thursday, April 12, 2018 8:06 PM
  • Find-Module LocalUserManagement


    \_(ツ)_/

    Thursday, April 12, 2018 9:10 PM
  • Find-Module LocalUserManagement


    \_(ツ)_/

    Wow, that's really useful.

    For anyone wondering how this is done, I've found the script that does it. Hopefully this will come in handy for others. Just input all the user or group names you want to leave in the administrators group. For me this was the Administrator, Admin1 and Domain Admins accounts.

    # Anchor each kept name (^...$) so that e.g. Admin10 is not kept by accident; the domain group is listed as DOMAIN\Domain Admins, hence the leading \\ in its pattern
    $remove = net localgroup administrators | select -skip 6 | ? {$_ -and $_ -notmatch 'successfully|^Administrator$|^Admin1$|\\Domain Admins$'}; foreach ($user in $remove) {net localgroup administrators "`"$user`"" /delete}

    • Marked as answer by TimIUK Thursday, April 12, 2018 9:18 PM
    Thursday, April 12, 2018 9:17 PM
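A fuller version of what the accepted one-liner does, added here as an example rather than code from the thread. It uses the Get-LocalGroupMember and Remove-LocalGroupMember cmdlets that ship with Windows 10, so there is no `net localgroup` text output to parse, and it keeps the built-in Administrator and Domain Admins by their well-known SID suffixes (RID 500 and 512) instead of by display name, which survives a renamed Administrator account, a localised group name, and the Admin1-matches-Admin10 problem of an unanchored regex. The account name Admin1, the log path and the script file name are assumptions:

```powershell
<#
Added example, not a script from the thread. Prunes the local Administrators
group down to an allow-list using the Microsoft.PowerShell.LocalAccounts cmdlets
that ship with Windows 10 (Get-LocalGroupMember / Remove-LocalGroupMember). Keeps:
  - the built-in Administrator (RID 500), whatever it has been renamed to
  - Domain Admins (RID 512 of a domain SID), whatever the domain is called
  - the local accounts named in -KeepLocalNames (assumed default: Admin1)
Run elevated; an Intune PowerShell script runs as SYSTEM, which is sufficient.
The log path is an assumption for this example.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]] $KeepLocalNames = @('Admin1'),
    [string]   $LogPath = "$env:ProgramData\LocalAdminPrune.log"
)

$ErrorActionPreference = 'Stop'

function Write-Log([string] $Message) {
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Verbose $line
}

# Decide whether one Administrators member stays. Keying on well-known RIDs instead
# of display names avoids the pitfalls of name matching (an unanchored 'Admin1'
# also matching Admin10, a renamed built-in account, a localised group name).
function Test-KeepMember {
    param([Parameter(Mandatory)] $Member)
    $sid = $Member.SID.Value
    if ($sid -match '-500$') { return $true }   # built-in Administrator
    if ($sid -match '-512$' -and $Member.PrincipalSource -eq 'ActiveDirectory') {
        return $true                            # <DOMAIN>\Domain Admins
    }
    # Local accounts are reported as COMPUTERNAME\Name; compare the bare name.
    # -contains on a string array is case-insensitive, like the original -notmatch.
    $bare = $Member.Name.Split('\')[-1]
    return ($Member.PrincipalSource -eq 'Local' -and $KeepLocalNames -contains $bare)
}

try {
    # Known failure mode: Get-LocalGroupMember throws if the group holds an orphaned
    # SID it cannot resolve. Log it and exit non-zero so Intune reports the device
    # as failed instead of silently leaving the membership untouched.
    $members = Get-LocalGroupMember -Group 'Administrators'
} catch {
    Write-Log "ERROR enumerating Administrators: $($_.Exception.Message)"
    exit 1
}

$removed = @()
foreach ($m in $members) {
    $desc = "$($m.Name) [$($m.ObjectClass) / $($m.PrincipalSource) / $($m.SID.Value)]"
    if (Test-KeepMember -Member $m) {
        Write-Log "KEEP   $desc"
        continue
    }
    # ShouldProcess honours -WhatIf / -Confirm, so the script can be dry-run first.
    if ($PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators')) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $m
        Write-Log "REMOVE $desc"
        $removed += $m.Name
    }
}
Write-Log "Done: removed $($removed.Count) member(s)"
exit 0
```

Saved as, say, Prune-LocalAdmins.ps1 (the name is arbitrary), run it once with `-WhatIf -Verbose` on a test machine to see the KEEP/REMOVE decisions before assigning it through Intune; the log under ProgramData is what you collect afterwards to confirm what each device actually removed.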
  • You have to run that at each machine on the console.  The admin module is just as easy and works remotely.


    \_(ツ)_/

    Thursday, April 12, 2018 9:22 PM
  • You have to run that at each machine on the console.  The admin module is just as easy and works remotely.


    \_(ツ)_/

    As stated in my original post, I am deploying via Intune.

    Thanks

    Friday, April 13, 2018 7:32 AM
  • Then you are all set.

    \_(ツ)_/

    Friday, April 13, 2018 7:37 AM