demote user from admin to user


  • demote user from admin to user

    In a Server 2003 domain, all of our computers have the domain account set locally to be part of the Administrators group. Is there a way to demote all users (maybe using GPO etc.) to be only a power user (i.e. stop installing software)?

    Also, is there a way to catalogue what software is installed on the PC via the server?

  • #2
    Re: demote user from admin to user

    Hi, adencool. Let me see if I got this right. You have:
    domain\user1 administrator of computer1
    domain\user2 administrator of computer2
    ...
    and so on?
    And you want them all demoted to power users?

    Sorin Solomon


    In order to succeed, your desire for success should be greater than your fear of failure.


    • #3
      Re: demote user from admin to user

      Originally posted by sorinso
      Hi, adencool. Let me see if I got this right. You have:
      domain\user1 administrator of computer1
      domain\user2 administrator of computer2
      ...
      and so on?
      And you want them all demoted to power users?

      Yes, all are

      domain\user1 administrator of computer1
      domain\user2 administrator of computer2
      ...

      but I want to demote them to power user, but would prefer to do it remotely, rather than logging in to each PC.



      • #4
        Re: demote user from admin to user

        How many computers do you have and how many users?
        You can write a CMD file that runs two commands, one to delete a user from Administrators and the other one to add the same user to Power Users. You can use the net group command.
        I don't have a way to test it here, so cannot give you the exact syntax.
        Regarding your second question, I am using a script written in VB to do so:

        Code:
        Const HKLM = &H80000002 ' HKEY_LOCAL_MACHINE
        Set objFSO = CreateObject("Scripting.FileSystemObject")

        ' The output file is named after the logged-on user
        Set objNetwork = WScript.CreateObject("WScript.Network")
        User = objNetwork.UserName

        ' Output path (the highlighted line in the original post): point this at the shared folder
        Set objTextFile = objFSO.CreateTextFile("k:\" & User & ".tsv", True)

        strComputer = "."
        strKey = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\"
        strEntry1a = "DisplayName"
        strEntry1b = "QuietDisplayName"
        strEntry2 = "InstallDate"
        strEntry3 = "VersionMajor"
        strEntry4 = "VersionMinor"

        ' Connect to the WMI registry provider and list the Uninstall subkeys
        Set objReg = GetObject("winmgmts://" & strComputer & _
          "/root/default:StdRegProv")
        objReg.EnumKey HKLM, strKey, arrSubkeys

        ' Header row
        objTextFile.WriteLine strEntry1a & vbTab & _
          strEntry2 & vbTab & _
          "Version"

        For Each strSubkey In arrSubkeys
          ' Fall back to QuietDisplayName when DisplayName is missing
          intRet1 = objReg.GetStringValue(HKLM, strKey & strSubkey, _
            strEntry1a, strValue1)

          If intRet1 <> 0 Then
            objReg.GetStringValue HKLM, strKey & strSubkey, _
              strEntry1b, strValue1
          End If

          objReg.GetStringValue HKLM, strKey & strSubkey, _
            strEntry2, strValue2

          objReg.GetDWORDValue HKLM, strKey & strSubkey, _
            strEntry3, intValue3
          objReg.GetDWORDValue HKLM, strKey & strSubkey, _
            strEntry4, intValue4

          ' Values that do not exist come back as Null; write an empty column for them
          strValues = ""
          If strValue1 <> "" Then
            strValues = strValues & strValue1 & vbTab
          Else
            strValues = strValues & vbTab
          End If
          If strValue2 <> "" Then
            strValues = strValues & strValue2 & vbTab
          Else
            strValues = strValues & vbTab
          End If
          ' The version is a DWORD, so test it for Null rather than comparing it to a string
          If Not IsNull(intValue3) Then
            strValues = strValues & intValue3 & "." & intValue4 & vbTab
          Else
            strValues = strValues & vbTab
          End If

          objTextFile.WriteLine strValues
        Next

        objTextFile.Close
        Notice the line in DarkRed. There you should enter a shared folder available to everyone, so everyone's file will be written in there. This way, in a day or two you will have a file for every user. And you can distinguish them by their names (you will know who's who).
        With a little work afterward, I got all TSV files together under the same Excel file.
        Let me know what you think.

        Sorin Solomon


        In order to succeed, your desire for success should be greater than your fear of failure.
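
Added example, not part of the thread: the one-time scripted change discussed in post #4, written in PowerShell against the ADSI WinNT provider rather than as a CMD file, with a per-machine report so the result can be audited. Computer and account names are constructed placeholders, the function names are hypothetical, and it assumes the operator is already an administrator on every workstation.

```powershell
# Constructed sample mapping (one domain account per workstation); replace with real inventory.
$map = @'
Computer,Account
COMPUTER1,EXAMPLEDOM/user1
COMPUTER2,EXAMPLEDOM/user2
'@ | ConvertFrom-Csv

function Test-LocalMember($Group, [string]$MemberPath) {
    # Members() yields COM objects, so ADsPath is read through InvokeMember.
    foreach ($m in @($Group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        if ($path -ieq $MemberPath) { return $true }
    }
    return $false
}

function Move-LocalAdmin {
    param([string]$Computer, [string]$Account, [string]$TargetGroup = 'Power Users')
    $memberPath = "WinNT://$Account"
    $result = New-Object PSObject -Property @{
        Computer = $Computer; Account = $Account; Status = 'Unchanged'; Detail = '' }
    try {
        $admins = [ADSI]"WinNT://$Computer/Administrators,group"
        $target = [ADSI]"WinNT://$Computer/$TargetGroup,group"
        # Add to the lower-privileged group first so the account is never in neither group.
        if (-not (Test-LocalMember $target $memberPath)) {
            $target.psbase.Invoke('Add', $memberPath)
        }
        if (Test-LocalMember $admins $memberPath) {
            $admins.psbase.Invoke('Remove', $memberPath)
            $result.Status = 'Demoted'
        }
        # Re-read the membership to confirm the direct admin right is really gone.
        if (Test-LocalMember $admins $memberPath) { $result.Status = 'StillAdmin' }
    } catch {
        # Unreachable machine, access denied, unknown group or account, and so on.
        $result.Status = 'Failed'; $result.Detail = $_.Exception.Message
    }
    $result
}

# One row per workstation; rows marked Failed or StillAdmin need a second pass.
$map | ForEach-Object { Move-LocalAdmin $_.Computer $_.Account } |
    Export-Csv -NoTypeInformation .\demotion-report.csv
```

The check covers direct membership only: an account that is also an administrator through a domain group nested in the local Administrators group keeps that right.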


        • #5
          Re: demote user from admin to user

          Why not use Restricted Groups?

          Also see http://www.google.com/search?hl=en&l...tricted+groups
          Regards,
          Jeremy

          Network Consultant/Engineer
          Baltimore - Washington area and beyond
          www.gma-cpa.com



          • #6
            Re: demote user from admin to user

            Originally posted by JeremyW
            Why not use Restricted Groups?

            Hi, Jeremy.
            As far as I saw, Restricted Groups work with Domain groups. We are talking here about Local groups (Administrators and Power Users), on each computer separately.
            More than that, adencool talks about a user per computer, and on every computer, different user(s?). Meaning, that that policy will have a lot of lines to be defined...
            The change adencool asks is something done once-in-a-lifetime (or in the worst case, once-in-a-long-time). One of those things you do and afterward forget. Making this change through GPO has its setbacks: enough that someone else (a new admin? another admin?) disables the link or deletes the GPO and the definition is gone.
            These points make me believe it might be better to use a one-time scenario (a script of some kind) and not a permanent definition.
            But that's my opinion.

            Sorin Solomon


            In order to succeed, your desire for success should be greater than your fear of failure.


            • #7
              Re: demote user from admin to user

              Good point about the one user to one computer. The administrative effort would be the same.

              Yes, Restricted Groups work on Domain groups but will also affect local groups (if it didn't then I see no need for it). You could, if you wanted to, use Restricted Groups to put the local Users group into the local Power Users group.
              Regards,
              Jeremy

              Network Consultant/Engineer
              Baltimore - Washington area and beyond
              www.gma-cpa.com
