Local Admin Rights

**IanT** · 13th August 2009, 03:12 PM

Hi Guys,

Just had a IT Meeting at a client site and we need to take away local admin rights from all users, now I'm not too keen on going round every desktop and laptop doing this, I am sure I've seen it where on the server side you can take away local admin rights when the user logs on?

**ChrisH** · 13th August 2009, 03:28 PM

You want to look at restricted groups in the relevant GPOs.

**IanT** · 13th August 2009, 03:33 PM

Just found a VBscript which runs at logon and removes the user from Local Administrator Group.

Testing now....

**mac_shinobi** · 13th August 2009, 03:38 PM

Originally Posted by IanT

Just found a VBscript which runs at logon and removes the user from Local Administrator Group.

Testing now....

Beat me to it haha

**Ignatius** · 13th August 2009, 04:55 PM

Originally Posted by IanT

Just found a VBscript which runs at logon and removes the user from Local Administrator Group.

When you've tested it (and confirmed that it works!), can you post it for my "little black book of useful scripts"?

**mac_shinobi** · 13th August 2009, 05:36 PM

delete/remove users from local administrators grou

should help - create a dummy local admin user and test

Code:

' computer name or ip address
sNode = "."

' suppress errors
On Error Resume Next

' group name to remove user from
Set oGroupAdm = GetObject("WinNT://" & sNode & "/Administrators")

' loop through all members of the Administrators group
For Each oAdmGrpUser In oGroupAdm.Members

' get the name and make it lowercase
sAdmGrpUser = LCase(oAdmGrpUser.Name)

' Leave administrator and Domain Admins alone
' use lowercase letters in the names in the If statement!
If (sAdmGrpUser <> "administrator") And (sAdmGrpUser <> "domain admins") Then
msgbox oAdmGrpUser.Name
' remove users from Administrators group
oGroupAdm.Remove oAdmGrpUser.ADsPath
End if
Next

If you leave the sNode variable as sNode = "." that will tell it to select the computer it is on when it runs ( sort of like a localhost or 127.0.0.1 ) kind of thing.

The rest of the script should take care of removal of local admin rights as long as the users are not the administrator or domain admins as per this line

Code:

If (sAdmGrpUser <> "administrator") And (sAdmGrpUser <> "domain admins") Then

So if your local admin accounts are named something else then you may want to amend the above mentioned line to suit your needs

Just found this script which is an improvement

Code:

Option Explicit 
  
 Dim network, group, user 
 Set network = CreateObject("WScript.Network") 
 Set group = GetObject("WinNT://" & network.ComputerName & "/Administrators,group") 
 For Each user In group.members 
 If UCase(user.name) <> "ADMINISTRATOR" And UCase(user.name) <> "DOMAIN ADMINS" Then 
 group.remove user.adspath 
 End If 
 Next

**strawberry** · 13th August 2009, 05:55 PM

you can use msba to check who is in the admin group to double check your work.

**mac_shinobi** · 13th August 2009, 05:56 PM

Originally Posted by strawberry

you can use msba to check who is in the admin group to double check your work.

msba ?

**DMcCoy** · 13th August 2009, 05:59 PM

When building images create one (or more) groups in AD, Add this group to Local Administrators, then simply add/remove users from this group. Not quite so useful in more individual environments, but good for schools if you only have a few types of machine (admin/student/teaching etc). It's also handy for running services as a local admin.

**IanT** · 13th August 2009, 06:02 PM

Once I've fully tested it and happy with it, I will let ya all know.

**mac_shinobi** · 13th August 2009, 06:03 PM

Originally Posted by IanT

Once I've fully tested it and happy with it, I will let ya all know.

The 2nd script I posted would be better to use as a startup script but will leave the first one there for you to try but linked to the web page where I found the scripts etc

**maniac** · 13th August 2009, 06:03 PM

You can control membership of the local administrators group through Group policy. We do it this way, and have two domain groups - one called local administrators and one called local power users which are automatically added to their respective group on the local machine when group policy is applied.

We can then add and remove staff from these groups, and it changes their permission on the local machine.

Mike.

**pete** · 13th August 2009, 07:52 PM

Originally Posted by mac_shinobi

msba ?

mbsa - Download details: Microsoft Baseline Security Analyzer 2.1 (for IT Professionals)

**mac_shinobi** · 14th August 2009, 08:10 AM

Originally Posted by pete

mbsa - Download details: Microsoft Baseline Security Analyzer 2.1 (for IT Professionals)

Obviously with not knowing about it - how does that util / app help and what does it allow you to do ?

**rh91uk** · 14th August 2009, 08:18 AM

Or, you could simply run this batch script at startup, if you wanted it to be removed for everyone in a particular group:

Code:

net localgroup administrators DOMAIN\GROUP /remove

Maybe try:

Code:

net localgroup administrators DOMAIN\%username% /remove

That will work too! Will remove the current username from that group.

LinkBack

Thread Tools

Search Thread

Local Admin Rights

2 Thanks to pete:

Similar Threads

Stop Local Group Policy Applying to the Local Machine Admin

Local Admin rights for teachers..

Domain Local Admins - Does not have admin rights

Logged in as admin, but no admin rights?

Thread Information

Users Browsing this Thread

Posting Permissions