Powershell script to remove domain users from Administrators group

  • Question

  • Hey y'all,

    I'm working on a Powershell script to remove all domain users from the Administrators group.  I want to leave in any nested groups and the "Administrator" account.  I beat my head against the wall for a little bit trying to do it with ADSI, but then ran into this that might make it a bit easier:

    $group = Get-CimInstance -ClassName Win32_Group -Filter "Name = 'Administrators'"
    Get-CimAssociatedInstance -InputObject $group -ResultClassName Win32_UserAccount |
        Select-Object -ExpandProperty Caption

    This gives me a list of all users and leaves out nested groups.  But how do I then filter out the local Administrator account?  I'm guessing I need to use something like "foreach ($member in $group)" to filter and remove the domain users but I'm not sure how to pull it off.  Anyone have any ideas?

    Thanks so much!

    P.S. I'm told by our Server team that there is some reason why we cannot just do this in GPO; we need to do it through a script.
    • Edited by Euphoric85 Wednesday, October 5, 2016 1:49 AM
    Wednesday, October 5, 2016 1:45 AM

Answers

  • With the help of scripters from another department, I was able to get this done.  I am surprised at how not-complicated it was:

    $LocalGroup = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators"

    # Each member comes back as a COM object, so its properties are read through reflection
    $LocalGroup.Invoke("Members") | ForEach-Object {
        $MemberName = $_.GetType().InvokeMember("Name",    'GetProperty', $null, $_, $null)
        $MemberPath = $_.GetType().InvokeMember("ADSPath", 'GetProperty', $null, $_, $null)
        $MemberType = $_.GetType().InvokeMember("Class",   'GetProperty', $null, $_, $null)
        # Local principals carry the computer name in their ADsPath (WinNT://DOMAIN/COMPUTER/name),
        # domain users do not (WinNT://DOMAIN/name). Only objects of class User are removed, so groups stay.
        if ($MemberPath -notmatch "/$($env:COMPUTERNAME)/" -and $MemberType -eq 'User') { $LocalGroup.Remove($MemberPath) }
    }

    This removes all Domain Users, and retains all local users and local/domain groups.

    • Marked as answer by Euphoric85 Wednesday, October 12, 2016 1:55 PM
    Wednesday, October 12, 2016 1:54 PM

All replies

  • You will have to use local management methods as WMI does not have a method for this.

    See: https://gallery.technet.microsoft.com/Local-Account-Management-a777191b


    \_(ツ)_/

    Wednesday, October 5, 2016 2:06 AM
  • You should probably configure this using Group Policy rather than a script.

    -- Bill Stewart [Bill_Stewart]

    Wednesday, October 5, 2016 3:18 PM
    Moderator
  • Thanks Bill. As I mentioned, there is some reason why they don't want to do it through GPO. I'm not privy to the details, but they want a script
    Wednesday, October 5, 2016 3:27 PM
  • To fix a policy violation this egregious, fixing this with a GPO is by far the best solution.

    -- Bill Stewart [Bill_Stewart]

    Wednesday, October 5, 2016 3:31 PM
    Moderator
  • Good Day

    I made a script for that a while ago let me share it with you

    $computerNames  = Get-Content ".\TestComputers.txt"
    $Admins         = Get-Content ".\TestUsers.txt"   # account names to remove, one per line
    $localGroupName = "Administrators"

    foreach ($computerName in $computerNames) {
        if (-not (Test-Connection $computerName -Quiet -Count 1 -ErrorAction Continue)) {
            Write-Host "Could not connect to computer $computerName - Skipping this computer..." -ForegroundColor Red
            continue
        }
        Write-Host "Computer $computerName is online" -ForegroundColor Green
        Write-Host "Verifying the local admin users on computer $computerName"

        $group = [ADSI]("WinNT://$computerName/$localGroupName,group")
        $group.Members() | ForEach-Object {
            # ADsPath is WinNT://DOMAIN/name for domain accounts and WinNT://DOMAIN/COMPUTER/name for local ones
            $AdsPath = $_.GetType().InvokeMember('Adspath', 'GetProperty', $null, $_, $null)
            $name    = ($AdsPath.Split('/', [StringSplitOptions]::RemoveEmptyEntries))[-1]

            foreach ($Admin in $Admins) {
                if ($name -eq $Admin) {
                    Write-Host "User $Admin found on computer $computerName ... " -NoNewline -ForegroundColor Cyan
                    # Remove using the member's own ADsPath instead of rebuilding it from its parts
                    $group.Remove($AdsPath)
                    Write-Host "Removed" -ForegroundColor Cyan
                }
            }
        }
    }

    You will need two txt files: one with all the computers where you want this script to run, and the second one with a list of users that you want to remove from the local admin group.
    *Note: Keep in mind that there will be other built-in accounts under that group, or some other generic accounts that IT uses for troubleshooting, so removing them is very dangerous.


    Hope this can help
    Regards



    Wednesday, October 5, 2016 3:38 PM
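The accepted answer and the multi-computer script above both decide what to remove from the ADsPath of each member. The following is an added example, not code from this thread or from either poster, that applies the same rule (remove domain user accounts, keep local accounts and all groups) with the LocalAccounts cmdlets that ship with Windows 10 / Server 2016 and later, runs it against a list of computers over PowerShell remoting, and writes a CSV record of every member it saw and what it did with it. It supports -WhatIf so the first pass is an audit that changes nothing. The function name, the -Keep allow-list, the file names and the CONTOSO account are assumptions made for this example; it assumes WinRM is enabled on the targets and that the caller is an administrator there.

```powershell
# Added example (not from the thread): audit, then remove, domain user accounts from the
# local Administrators group on one or more computers. Nested groups and local accounts
# (including the built-in Administrator) are left in place, as in the thread.
# Assumptions: PowerShell 5.1+, LocalAccounts module on the targets, remoting enabled,
# caller is a local administrator there. File names below are placeholders for this example.

function Invoke-LocalAdminCleanup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        # Domain users that must stay, e.g. a documented break-glass account (DOMAIN\name form).
        [string[]] $Keep = @(),
        [string]   $LogPath = ".\LocalAdminCleanup.csv"   # hypothetical log location
    )

    $results = foreach ($computer in $ComputerName) {
        if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
            [pscustomobject]@{ Computer = $computer; Member = $null; ObjectClass = $null; Source = $null; Action = 'Unreachable' }
            continue
        }

        # Enumerate on the remote host. PrincipalSource separates local from domain principals;
        # ObjectClass separates users from groups, so nested groups never match the removal rule.
        $members = Invoke-Command -ComputerName $computer -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' |
                Select-Object Name, ObjectClass, PrincipalSource, SID
        }

        foreach ($m in $members) {
            $isDomainUser = ($m.ObjectClass -eq 'User') -and ($m.PrincipalSource -eq 'ActiveDirectory')
            $action = 'Keep'

            if ($isDomainUser -and ($Keep -notcontains $m.Name)) {
                $action = 'PendingRemoval'   # what -WhatIf reports
                if ($PSCmdlet.ShouldProcess("$computer : $($m.Name)", 'Remove from Administrators')) {
                    # Remove by SID rather than by name so a renamed or stale account still resolves
                    Invoke-Command -ComputerName $computer -ScriptBlock {
                        param($sid) Remove-LocalGroupMember -Group 'Administrators' -Member $sid
                    } -ArgumentList $m.SID.Value
                    $action = 'Removed'
                }
            }

            [pscustomobject]@{
                Computer    = $computer
                Member      = $m.Name
                ObjectClass = $m.ObjectClass
                Source      = $m.PrincipalSource
                Action      = $action
            }
        }
    }

    # Keep an append-only record of every decision for later review
    $results | Export-Csv -Path $LogPath -NoTypeInformation -Append
    $results
}

# Audit pass: lists every member and marks domain users as PendingRemoval without touching the group.
Invoke-LocalAdminCleanup -ComputerName (Get-Content .\TestComputers.txt) -Keep 'CONTOSO\svc-breakglass' -WhatIf

# Once the audit output has been reviewed, run the same call without -WhatIf to apply it.
```

Review the CSV from the -WhatIf run before applying: anything marked PendingRemoval that should survive belongs in -Keep. On hosts older than Windows 10 / Server 2016 the LocalAccounts cmdlets are not available, and the ADSI approach from the accepted answer applies instead.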
  • This worked perfectly for me too. I was required to keep the local computer users and domain groups in the Local Administrators group. Something a GPO cannot do.
    • Edited by ConfigMatt Thursday, September 6, 2018 1:08 PM
    Thursday, September 6, 2018 12:57 PM
  • Would you please tell me how to configure a GPO to leave all local user accounts and domain groups in place while only removing domain users?
    Thursday, September 6, 2018 1:08 PM
  • This topic has been answered and closed.  Please do not append new questions to a closed topic.


    \_(ツ)_/

    Thursday, September 6, 2018 1:37 PM