Removing Domain users from Local Administrators in several servers.

  • Question

  • Hi guys,

    I need some help with a script. Recently we found that there was a startup script in a GPO that was adding Domain Users to the local admins of all our servers and computers. We disabled the GPO right away and it's been investigated, but I need to remove Domain Users from a list of about 300 servers. Since I'm not that good at scripting I was hoping someone could lend me a hand. All I need to set up is a small script that removes Domain Users from local Administrators on a list of servers.
    I found this script somewhere, but I have no idea how to adapt it to remove that group and to pull servers from a list.

    Dim strLocalAdminGroup
    Dim strComputer
    Dim remAdmins
    Dim WshShell, WshProEnv, WshNetwork
    Dim filesys, filetxt
    Dim grp, member, i

    Set WshShell = WScript.CreateObject("WScript.Shell")
    Set WshProEnv = WshShell.Environment("Process")
    Set WshNetwork = WScript.CreateObject("WScript.Network")
    Set filesys = CreateObject("Scripting.FileSystemObject")

    ' This version only works on the machine it runs on (a startup/logon script)
    strComputer = WshProEnv("COMPUTERNAME")

    ' Accounts and groups to strip from the local Administrators group.
    ' Note that this pulls the Everyone group from the Administrators group if it exists.
    remAdmins = Array("DomainName\UserID", "Everyone")

    strLocalAdminGroup = "Administrators"

    ' Bind to the local group once instead of once per loop iteration
    Set grp = GetObject("WinNT://" & strComputer & "/" & strLocalAdminGroup)

    For i = LBound(remAdmins) To UBound(remAdmins)
        ' The WinNT provider wants WinNT://Domain/Name, so turn "Domain\Name" into "Domain/Name"
        member = "WinNT://" & Replace(remAdmins(i), "\", "/")
        If grp.IsMember(member) = True Then
            ' Write to the log file (8 = ForAppending, True = create if missing)
            Set filetxt = filesys.OpenTextFile("\\servername\foldername\admins.log", 8, True)
            filetxt.WriteLine("Username: " & WshNetwork.UserName & " - Computer Name: " & WshNetwork.ComputerName & " - Removed: " & remAdmins(i))
            filetxt.Close

            ' Comment or remove the next line to log only, without removing the member
            grp.Remove(member)
        End If
    Next

    Thursday, July 31, 2014 4:31 PM

All replies

  • Use a restricted groups policy or the local users and groups group policy preference. Then you don't need a script.

    -- Bill Stewart [Bill_Stewart]

    • Marked as answer by Arcano30 Thursday, July 31, 2014 6:37 PM
    Thursday, July 31, 2014 5:00 PM
    Moderator
  • Use a restricted groups policy or the local users and groups group policy preference. Then you don't need a script.

    -- Bill Stewart [Bill_Stewart]

    Hi Bill,
    That was my first thought, but doing so will remove existing users from the local admin group to replace them with the list we make. The problem is that we have several environments and different groups need access to different servers; we will need to create a policy per environment. The problem we have is that the startup script was set at the domain level, so it ran on every machine that was rebooted. We disabled the GPO and will update it to remove Domain Users from everything on startup, but this only works with the users' computers, not the servers, since we cannot reboot the whole network.

    I found a much simpler script, but I don't know how to add a string to pull a list of servers from a TXT.

    strComputer = "Server name"
    strDomain = "DomainName"   ' NetBIOS name of the domain that owns the Domain Users group

    ' Bind to the local Administrators group on the target server
    Set objAdmins = GetObject("WinNT://" & strComputer & "/Administrators,group")
    ' Bind to the domain group to remove; the WinNT path needs the domain in front of the group name
    Set objGroup = GetObject("WinNT://" & strDomain & "/Domain Users,group")

    objAdmins.Remove(objGroup.ADsPath)

    Already tested it on a few servers and works like a charm.

      
    • Edited by Arcano30 Thursday, July 31, 2014 5:21 PM
    Thursday, July 31, 2014 5:19 PM
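    The piece both posts above are asking for is the loop over a server list. The following PowerShell is an added example written for this thread, not code from Arcano30 or from Microsoft; it does the same ADSI WinNT calls as the VBScript (check membership of local Administrators, then IADsGroup.Remove) for every host in a text file, logs each result, and re-reads the group afterwards so the log says what the server actually ended up with. The file path C:\Temp\servers.txt, the log path C:\Temp\admins-cleanup.log and the domain name CONTOSO are assumptions for the example and not from the original posts; the account running it needs admin rights on the targets.

```powershell
<#
  Added example, not code from the thread or from Microsoft: remove the domain's
  "Domain Users" group from local Administrators on every server named in a text
  file, the way the VBScript above does for one hard-coded server.
  Assumptions (none come from the original posts): the list is C:\Temp\servers.txt
  with one hostname per line, the domain NetBIOS name is CONTOSO, and results are
  appended to C:\Temp\admins-cleanup.log.
#>
param(
    [string]$ServerList = 'C:\Temp\servers.txt',
    [string]$Domain     = 'CONTOSO',
    [string]$GroupName  = 'Domain Users',
    [string]$LogFile    = 'C:\Temp\admins-cleanup.log',
    [switch]$ReportOnly            # audit pass: list offenders, change nothing
)

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

# Returns the WinNT ADsPath of each member of local Administrators on $Computer,
# e.g. WinNT://CONTOSO/Domain Users or WinNT://SERVER01/Administrator.
function Get-LocalAdminMemberPaths {
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

# True when the domain group is a direct member of local Administrators on $Computer.
function Test-DomainGroupInLocalAdmins {
    param([string]$Computer, [string]$Domain, [string]$GroupName)
    $pattern = '^WinNT://{0}/{1}(,group)?$' -f [regex]::Escape($Domain), [regex]::Escape($GroupName)
    $paths = Get-LocalAdminMemberPaths -Computer $Computer
    [bool]($paths | Where-Object { $_ -imatch $pattern })
}

# Same call the VBScript makes: IADsGroup.Remove with the member's WinNT ADsPath.
function Remove-DomainGroupFromLocalAdmins {
    param([string]$Computer, [string]$Domain, [string]$GroupName)
    $admins = [ADSI]"WinNT://$Computer/Administrators,group"
    $admins.Remove("WinNT://$Domain/$GroupName,group")
}

# One hostname per line; blank lines and lines starting with # are ignored.
$servers = @(Get-Content -Path $ServerList |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') })
Write-Log ('Starting; {0} servers listed, ReportOnly={1}' -f $servers.Count, $ReportOnly.IsPresent)

foreach ($server in $servers) {
    try {
        if (-not (Test-DomainGroupInLocalAdmins -Computer $server -Domain $Domain -GroupName $GroupName)) {
            Write-Log "$server : $Domain\$GroupName is not in Administrators, nothing to do"
            continue
        }
        if ($ReportOnly) {
            Write-Log "$server : $Domain\$GroupName IS in Administrators (report only, not changed)"
            continue
        }
        Remove-DomainGroupFromLocalAdmins -Computer $server -Domain $Domain -GroupName $GroupName
        # Re-read the group so the log records the real end state, not just that Remove() returned.
        if (Test-DomainGroupInLocalAdmins -Computer $server -Domain $Domain -GroupName $GroupName) {
            Write-Log "$server : Remove() returned but the group is still present, check this host manually"
        } else {
            Write-Log "$server : removed $Domain\$GroupName from Administrators"
        }
    }
    catch {
        # Unreachable host, access denied, RPC blocked, etc.: log it and keep going with the list.
        Write-Log "$server : ERROR $($_.Exception.Message)"
    }
}
```

    Run it once with -ReportOnly to get an inventory of which servers still carry the group (the list of offenders is the evidence the investigation wants anyway), then run it without the switch to clean them up; the per-server try/catch means one server that is offline or refuses the connection does not stop the other 299. The script only fixes the servers listed today; a Local Users and Groups preference with "Remove members", as suggested in the replies, is what keeps the group from coming back on machines that were missed or rebuilt.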
  • You can use the local users and groups group policy preference to remove only the Domain Users group from Administrators. You don't need a script. Just use "Remove members".


    -- Bill Stewart [Bill_Stewart]

    • Marked as answer by Arcano30 Thursday, July 31, 2014 6:37 PM
    Thursday, July 31, 2014 6:06 PM
    Moderator
  • Now I get it, using the local groups setting in the GPO, I was thinking about the restricted groups only. Thanks I'll get to work on a gpo to fix this issue.
    Thursday, July 31, 2014 6:36 PM