Detect Domain User If member of Local Administrator Group
  • Detect Domain User If member of Local Administrator Group

    Good Day.
    We have a domain network with about 300 users.
    Some of these domain users have local administrative rights (they are members of the local Administrators group).

    I have been asked to remove them from the local Administrators group (although some users from certain OUs will not be removed).

    Can I make a script that detects which domain users have local administrative rights?

    Please, I need help badly.

    What should I do? Thanks

  • #2
    Re: Detect Domain User If member of Local Administrator Group

    It's better to make a new group restriction in a GPO, and deny the Apply Group Policy permission on any child OUs that you don't want this setting to apply to, or block inheritance for them. After everything is created, use RSoP or Group Policy Results mode to see what has been applied.

    http://support.microsoft.com/kb/279301
    Description of Group Policy Restricted Groups



    • #3
      Re: Detect Domain User If member of Local Administrator Group

      Use a group policy under machine policies called "Restricted Groups". This will allow you to specify the members of the local administrators group. Anyone not appearing in the list you specify will be removed from the group at every GP Refresh, and at every login on a machine which has received this policy.


      Tom
      For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

      Anything you say will be misquoted and used against you



      • #4
        Re: Detect Domain User If member of Local Administrator Group

        Use Ifmember.exe from Windows Server 2003 Resource Kit Tools.

        Copy IfMember.exe to a shared folder accessible to all users.

        And you can have a script like this:

        @echo off
        rem IfMember sets ERRORLEVEL to 1 when the current user is a member of the named group
        "\\Server\sharename\ifmember" "Administrators"
        if not errorlevel 1 goto user
        rem documented syntax is: net localgroup groupname name /delete
        net localgroup "Administrators" %username% /delete
        goto quit
        :user
        echo Not in Admin Group
        :quit
        Last edited by entadm; 25th June 2007, 16:01.
        Cheers!!
        MCSE 2003,MCSA- Messaging 2003, VCP
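        An inventory script for the original question (which domain users hold local admin rights, across many machines) is added here as an example; it is not code from this thread. It reads each machine's Administrators group over the WinNT ADSI provider, which needs no resource-kit tools, and the computer list, domain name and report path are placeholders to adjust.

```powershell
# Added example (not from the thread): report domain users in local Administrators.
# Run from an account that is admin on the target machines.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),            # assumption: list of machines
    [string]$Domain = $env:USERDOMAIN,                         # assumption: the domain to report on
    [string]$ReportPath = "\\Server\sharename\localadmins.csv" # assumption: placeholder share
)

function Get-LocalAdminMembers {
    param([string]$Computer)
    # WinNT provider returns the group's members as COM objects
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $name  = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://DOMAIN/user for domain accounts and
        # WinNT://DOMAIN/COMPUTER/user for local accounts, so the
        # second-to-last segment names where the account lives
        $parts  = ($path -replace '^WinNT://', '').Split('/')
        $source = $parts[$parts.Length - 2]
        [pscustomobject]@{
            Computer     = $Computer
            Member       = $name
            Type         = $class                      # User or Group
            Source       = $source                     # domain or the machine itself
            IsDomainUser = ($class -eq 'User' -and $source -ieq $Domain)
        }
    }
}

$results = foreach ($c in $ComputerName) {
    try   { Get-LocalAdminMembers -Computer $c }
    catch { Write-Warning "$c : $($_.Exception.Message)" }   # unreachable hosts are reported, not fatal
}

# Domain groups nested in Administrators are listed too (Type = Group); review those separately
$results | Export-Csv -NoTypeInformation -Path $ReportPath
$results | Where-Object IsDomainUser | Format-Table Computer, Member, Source -AutoSize
```

        The CSV keeps every member, so nested domain groups (which also grant admin rights) can be checked against the exempt OUs before Restricted Groups is rolled out.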
