Script to remove local admin rights only after checking against an approved admin list

  • Question

  • Hello,

    I am searching for a VBScript that does things a little backwards from the majority I have seen.

    I need to implement a GPO that will remove local admin rights from a specific domain username each time they log in on each device they log in to, only after checking to see if that domain username is on an approved admin rights list or not.

    We don't want to remove all and then add approved after, we want to check against an approved list and then remove only if the username object is not on the list.

    For example: User X logs in to their device, they were already given local admin rights on the device in the past, they have been approved as being able to have local admin rights, so the script notices this and does not remove their local admin rights. If User Y logs into their device, they were already given local admin rights on the device in the past but are NOT on the approved admin list, they will be removed from local admin.

    We don't necessarily want to create a separate group of admins because we don't want the GPO to add them to the admin group if they aren't already there. This level of security would be designed to simply remove the people who were given admin rights in the past but should not have them.

    We are running Win 7 Enterprise and Pro and have roughly 6000 devices.



    • Edited by cbates5 Wednesday, June 22, 2016 1:17 PM
    Wednesday, June 22, 2016 1:15 PM

Answers

  • Can you get a list of administrators on a remote computer and remove ones not in the list?

    Yes, this is possible. See this article:

    Windows IT Pro: Enforcing the Membership of the Administrators Group

    This script will not do exactly what you ask, but you can combine it with a text file and a PowerShell ForEach-Object loop or something to achieve the effect you need.

    As jrv noted, this isn't something you should use to try to enforce security; Group Policy is better for that. End users shouldn't be administrators on their machines anyway.


    -- Bill Stewart [Bill_Stewart]

    Wednesday, June 22, 2016 3:01 PM
    Moderator
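The "enumerate the local Administrators group, compare against an allow-list, remove only what is not on it" procedure the question and the answer describe, as an added PowerShell example (editor's addition, not code from the thread or from the linked Windows IT Pro article). It targets the Windows 7 fleet in the question, so it uses the WinNT ADSI provider rather than Get-LocalGroupMember/Remove-LocalGroupMember, which only exist from PowerShell 5.1 / Windows 10 onwards. The list path, the domain NetBIOS name and the `DOMAIN\user` line format are assumptions. Note that it must run with administrative rights, i.e. as a GPO computer startup script or a scheduled task under SYSTEM, not as a user logon script: a logon script runs in the user's own (UAC-filtered) token and the removal would fail, and a user who is still a local admin could tamper with a script running as themselves.

```powershell
# Added example (not from the thread): remove domain users from the local
# Administrators group unless they appear on an approved allow-list.
# Assumes: run as SYSTEM (startup script / scheduled task) on Windows 7+,
# WinNT ADSI provider available. Path, domain and list format are placeholders.

param(
    [string]$ApprovedListPath = '\\corp.example\netlogon\approved-local-admins.txt', # assumed path
    [string]$DomainNetbios    = 'CORP',                                               # assumed domain
    [switch]$WhatIf                                                                   # report only, change nothing
)

# Allow-list: one "DOMAIN\user" per line; blank lines and # comments are ignored.
$approved = Get-Content -Path $ApprovedListPath -ErrorAction Stop |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') }

# Fail closed: an empty or unreadable list must never be read as "nobody is approved",
# or a missing share would strip every admin on 6000 machines at the next boot.
if (-not $approved) {
    throw "Approved list '$ApprovedListPath' is empty or unreadable; refusing to remove anyone."
}

$group = [ADSI]'WinNT://./Administrators,group'

# Enumerate current members. Each member's ADsPath looks like
# WinNT://CORP/jsmith (domain account) or WinNT://PCNAME/Administrator (local account).
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    $class = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)
    $parts = ($path -replace '^WinNT://', '') -split '/'
    [pscustomobject]@{ Path = $path; Class = $class; Domain = $parts[0]; Name = $parts[1] }
}

foreach ($m in $members) {
    # Only domain *users* are candidates. Local accounts (built-in Administrator, a
    # LAPS account) and domain groups (Domain Admins) are left alone; that is a
    # separate policy decision. Members whose domain cannot be resolved (shown by
    # SID when no DC is reachable) are skipped too, rather than removed blindly.
    if ($m.Class -ne 'User' -or $m.Domain -ne $DomainNetbios) { continue }

    $account = "$($m.Domain)\$($m.Name)"
    if ($approved -contains $account) {          # -contains on strings is case-insensitive
        Write-Verbose "Keeping $account (on approved list)"
        continue
    }

    if ($WhatIf) {
        Write-Output "Would remove $account from Administrators"
    } else {
        # Remove by explicit WinNT path; nothing is ever added by this script.
        $group.Remove("WinNT://$($m.Domain)/$($m.Name),user")
        Write-Output "Removed $account from Administrators"
    }
}
```

Run it first with `-WhatIf` on a pilot OU and compare its output against the allow-list before letting it change anything; the script deliberately never adds members, which is the behaviour the question asks for and which distinguishes it from a Restricted Groups policy that replaces the group membership outright.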

All replies

  • We don't use scripts to enforce security.  It cannot be done.  We cannot manage GPOs with scripts dynamically. 

    You can use a GPO to manage a user but it cannot be done by a script.

    Post your question in the GP forum and they will help you to learn how to use GP to manage a user.

    I highly recommend that you find an admin in your company that is trained in GP and user management before attempting such critical alterations.

    The way we enforce Admin access is to use Restricted Groups and the list you are talking about is just a group that a user is either in or not.  This would be set up with ADUC and Group Policy.


    \_(ツ)_/

    Wednesday, June 22, 2016 1:26 PM