Windows Server 2000/2003 Thread, Local Admin Rights in Technical; Hi Guys, Just had a IT Meeting at a client site and we need to take away local admin rights ...
  1. #1
    IanT's Avatar
    Join Date
    Aug 2008
    Location
    @ the back of my server racks farting.....
    Posts
    1,887
    Thank Post
    2
    Thanked 118 Times in 109 Posts
    Rep Power
    59

    Local Admin Rights

    Hi Guys,

    Just had an IT meeting at a client site and we need to take away local admin rights from all users. Now, I'm not too keen on going round every desktop and laptop doing this; I am sure I've seen it where on the server side you can take away local admin rights when the user logs on?

  2. #2
    ChrisH's Avatar
    Join Date
    Jun 2005
    Location
    East Lancs
    Posts
    4,938
    Thank Post
    114
    Thanked 272 Times in 250 Posts
    Rep Power
    104
    You want to look at restricted groups in the relevant GPOs.

  3. #3
    IanT's Avatar
    Join Date
    Aug 2008
    Location
    @ the back of my server racks farting.....
    Posts
    1,887
    Thank Post
    2
    Thanked 118 Times in 109 Posts
    Rep Power
    59
    Just found a VBscript which runs at logon and removes the user from Local Administrator Group.

    Testing now....

  4. #4

    mac_shinobi's Avatar
    Join Date
    Aug 2005
    Posts
    9,213
    Thank Post
    2,766
    Thanked 935 Times in 875 Posts
    Rep Power
    343
    Quote Originally Posted by IanT View Post
    Just found a VBscript which runs at logon and removes the user from Local Administrator Group.

    Testing now....
    Beat me to it haha

  5. #5

    Join Date
    May 2009
    Location
    UK
    Posts
    291
    Thank Post
    64
    Thanked 21 Times in 20 Posts
    Rep Power
    14
    Quote Originally Posted by IanT View Post
    Just found a VBscript which runs at logon and removes the user from Local Administrator Group.
    When you've tested it (and confirmed that it works!), can you post it for my "little black book of useful scripts"?

  6. #6

    mac_shinobi's Avatar
    Join Date
    Aug 2005
    Posts
    9,213
    Thank Post
    2,766
    Thanked 935 Times in 875 Posts
    Rep Power
    343
    delete/remove users from local administrators grou

    should help - create a dummy local admin user and test

    Code:
    ' computer name or ip address
    sNode = "."

    ' suppress errors
    On Error Resume Next

    ' group name to remove user from
    Set oGroupAdm = GetObject("WinNT://" & sNode & "/Administrators")

    ' loop through all members of the Administrators group
    For Each oAdmGrpUser In oGroupAdm.Members

        ' get the name and make it lowercase
        sAdmGrpUser = LCase(oAdmGrpUser.Name)

        ' Leave administrator and Domain Admins alone
        ' use lowercase letters in the names in the If statement!
        If (sAdmGrpUser <> "administrator") And (sAdmGrpUser <> "domain admins") Then
            msgbox oAdmGrpUser.Name
            ' remove users from Administrators group
            oGroupAdm.Remove oAdmGrpUser.ADsPath
        End If
    Next
    If you leave the sNode variable as sNode = "." that will tell it to select the computer it is on when it runs ( sort of like a localhost or 127.0.0.1 ) kind of thing.

    The rest of the script should take care of removal of local admin rights as long as the users are not the administrator or domain admins as per this line

    Code:
    If (sAdmGrpUser <> "administrator") And (sAdmGrpUser <> "domain admins") Then
    So if your local admin accounts are named something else then you may want to amend the above mentioned line to suit your needs

    Just found this script which is an improvement

    Code:
    Option Explicit

    Dim network, group, user
    Set network = CreateObject("WScript.Network")
    Set group = GetObject("WinNT://" & network.ComputerName & "/Administrators,group")
    For Each user In group.members
        If UCase(user.name) <> "ADMINISTRATOR" And UCase(user.name) <> "DOMAIN ADMINS" Then
            group.remove user.adspath
        End If
    Next
    Last edited by mac_shinobi; 13th August 2009 at 05:56 PM.
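
Added example, not part of the thread or any poster's code: a variant of the scripts in post #6 that checks members against an allowlist, defaults to report-only, traps errors only around the removal call, and writes the result to the Application event log instead of a message box. The allowlist entries, the `DRY_RUN` switch and the "Local Administrators" domain group name are assumptions for illustration.

```vbscript
' Added example (not from the thread): audit-first cleanup of local Administrators.
' The allowlist names and the DRY_RUN switch are assumptions; adjust per site.
Option Explicit

Const DRY_RUN = True        ' True = report only, False = remove members
Const EVT_WARNING = 2       ' WshShell.LogEvent type: warning

Dim allowed, toRemove, network, shell, group, member, path, report
Set allowed = CreateObject("Scripting.Dictionary")
allowed.CompareMode = vbTextCompare        ' case-insensitive, set before adding keys
allowed.Add "Administrator", True
allowed.Add "Domain Admins", True
allowed.Add "Local Administrators", True   ' hypothetical domain group name

Set network = CreateObject("WScript.Network")
Set shell = CreateObject("WScript.Shell")
Set group = GetObject("WinNT://" & network.ComputerName & "/Administrators,group")

' Collect first, remove afterwards, so the membership is not changed mid-loop.
' Names are compared without their domain part, as in the thread's scripts.
Set toRemove = CreateObject("Scripting.Dictionary")
For Each member In group.Members
    If Not allowed.Exists(member.Name) Then
        toRemove.Add member.ADsPath, member.Class   ' "User" or "Group"
    End If
Next

report = ""
For Each path In toRemove.Keys
    If DRY_RUN Then
        report = report & "WOULD REMOVE " & toRemove(path) & " " & path & vbCrLf
    Else
        On Error Resume Next        ' trap errors for this single call only
        group.Remove path
        If Err.Number = 0 Then
            report = report & "REMOVED " & toRemove(path) & " " & path & vbCrLf
        Else
            report = report & "FAILED 0x" & Hex(Err.Number) & " " & path & vbCrLf
        End If
        Err.Clear
        On Error GoTo 0
    End If
Next

' One event per run in the Application log (source WSH), nothing shown on screen.
If Len(report) > 0 Then
    shell.LogEvent EVT_WARNING, "Local Administrators audit on " & _
        network.ComputerName & ":" & vbCrLf & report
End If
```

Leave `DRY_RUN` at `True` until the logged report on a test machine lists only the accounts you expect to lose admin rights.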

  7. #7

    Join Date
    Mar 2007
    Posts
    1,669
    Thank Post
    72
    Thanked 249 Times in 199 Posts
    Rep Power
    64
    you can use msba to check who is in the admin group to double check your work.

  8. #8

    mac_shinobi's Avatar
    Join Date
    Aug 2005
    Posts
    9,213
    Thank Post
    2,766
    Thanked 935 Times in 875 Posts
    Rep Power
    343
    Quote Originally Posted by strawberry View Post
    you can use msba to check who is in the admin group to double check your work.
    msba ?

  9. #9
    DMcCoy's Avatar
    Join Date
    Oct 2005
    Location
    Isle of Wight
    Posts
    3,386
    Thank Post
    10
    Thanked 483 Times in 423 Posts
    Rep Power
    110
    When building images create one (or more) groups in AD, Add this group to Local Administrators, then simply add/remove users from this group. Not quite so useful in more individual environments, but good for schools if you only have a few types of machine (admin/student/teaching etc). It's also handy for running services as a local admin.

  10. #10
    IanT's Avatar
    Join Date
    Aug 2008
    Location
    @ the back of my server racks farting.....
    Posts
    1,887
    Thank Post
    2
    Thanked 118 Times in 109 Posts
    Rep Power
    59
    Once I've fully tested it and am happy with it, I will let ya all know.

  11. #11

    mac_shinobi's Avatar
    Join Date
    Aug 2005
    Posts
    9,213
    Thank Post
    2,766
    Thanked 935 Times in 875 Posts
    Rep Power
    343
    Quote Originally Posted by IanT View Post
    Once I've fully tested it and am happy with it, I will let ya all know.
    The 2nd script I posted would be better to use as a startup script but will leave the first one there for you to try but linked to the web page where I found the scripts etc

  12. #12

    maniac's Avatar
    Join Date
    Feb 2007
    Location
    Kent
    Posts
    3,037
    Thank Post
    209
    Thanked 425 Times in 306 Posts
    Rep Power
    143
    You can control membership of the local administrators group through Group policy. We do it this way, and have two domain groups - one called local administrators and one called local power users which are automatically added to their respective group on the local machine when group policy is applied.

    We can then add and remove staff from these groups, and it changes their permission on the local machine.

    Mike.

  13. #13


    Join Date
    Dec 2005
    Location
    In the server room, with the lead pipe.
    Posts
    4,534
    Thank Post
    271
    Thanked 752 Times in 590 Posts
    Rep Power
    218

  14. 2 Thanks to pete:

    mac_shinobi (14th August 2009), strawberry (13th August 2009)

  15. #14

    mac_shinobi's Avatar
    Join Date
    Aug 2005
    Posts
    9,213
    Thank Post
    2,766
    Thanked 935 Times in 875 Posts
    Rep Power
    343
    Obviously with not knowing about it - how does that util / app help and what does it allow you to do ?

  16. #15
    rh91uk's Avatar
    Join Date
    Sep 2008
    Location
    UK
    Posts
    862
    Thank Post
    137
    Thanked 132 Times in 114 Posts
    Rep Power
    35
    Or, you could simply run this batch script at startup, if you wanted it to be removed for everyone in a particular group:

    Code:
    net localgroup administrators DOMAIN\GROUP /remove
    Maybe try:

    Code:
    net localgroup administrators DOMAIN\%username% /remove
    That will work too! Will remove the current username from that group.
