
remove "everyone" from local admin group


  • remove "everyone" from local admin group

    I have roughly 600 clients at my site. all are windows XP pro with SP2.

    there are quite a few applications that require a user to have local admin rights to run properly. in order to accomplish this, i have added the security group "domain users" to the local admin group on the client stations...

    now, i have a group of techs. for some reason, they started adding the domain group of "everyone" to the local admin group. this snafu has been taken a step further, and they included this in the master image i had set them up...

    now every workstation has the domain user "everyone" in the local admin group

    i am not a master of scripting, but i figure that there is probably a way to script the removal of "everyone" from the local admin group and addition of "domain users" to the admin group...

    i have found this at scripting guy, and it does half of what i want it to do... (in theory; i haven't tested it)

    strComputer = "atl-ws-01"
    ' Bind to the local Administrators group on the target computer
    Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")
    For Each objUser In objGroup.Members
        ' Remove every member except Administrator and Domain Admins
        If objUser.Name <> "Administrator" And objUser.Name <> "Domain Admins" Then
            objGroup.Remove(objUser.ADsPath)
        End If
    Next

    (this, of course, is set to run on a computer named "atl-ws-01"...)

    what would you do to add the security group "domain users" to the local admin group? i have this, which i believe to be the other half of what i want; again set to run on a computer named "atl-ws-01"...

    strComputer = "atl-ws-01"
    ' Bind to the local Administrators group on the target computer
    Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")
    Set objUser = GetObject("WinNT://fabrikam/kenmyer")
    ' Add the domain account to the local group
    objGroup.Add(objUser.ADsPath)

    so, could anyone help me clean this up and put it together into one script? is there a way to make it run on all clients, and not just atl-ws-01? and, instead of kenmyer being added to the local admin, could we have "domain users" added instead?

    it should sound like "check the local admin group and if the name of the user isn't 'domain admin' and it isn't 'admin', then remove it, and then add the domain account 'domain user' to the local admin group."

    ya follow? thanks for any input guys...
    its easier to beg forgiveness than ask permission.
    Give karma where karma is due...

  • #2
    Re: remove "everyone" from local admin group

    The best way to control the members of a local group is by using 'Restricted Groups' in a GPO

    else you can use a computer startup script.

    But... be aware that once you make domain users a member of the local administrators group, the users can easily re-add "Everyone" to the group themselves. And that is not even the biggest risk of making users an administrator of a network client.

    You cannot reverse this any more just by changing group membership again, because local policies could be configured already. Bad applications and services could be running. And anyone could have changed the password of the local Administrator and renamed that account. To correct the last one, you then have to reset the local Administrator by using its SID.

    It is better to use Filemon and Regmon, to help with setting specific rights to only those folders, files and keys that apply to enable the users to work with the applications, without giving them any privileges of an administrator.

    Last edited by Rems; 18th September 2007, 19:43.

    This posting is provided "AS IS" with no warranties, and confers no rights.


    ** Remember to give credit where credit's due **
    and leave Reputation Points for meaningful posts
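
The computer startup script option mentioned above, as an added example that is not code from the thread or from the Scripting Guy: it runs on whatever client it starts on, so no computer name is hard-coded, and it decides by SID rather than by name so that a renamed Administrator account is still recognised. The group name "Administrators", the REPORT_ONLY switch and the helper names IsAllowed and SidHex are assumptions of this example.

```vbscript
' Added example: startup script enforcing an allow-list on local Administrators.
Option Explicit
Const REPORT_ONLY = True              ' True = log only; False = also remove
Const GROUP_NAME  = "Administrators"  ' assumption: English-language Windows
Dim objNet, objShell, objGroup, objMember, strPath, strRemove, strLog
Set objNet   = CreateObject("WScript.Network")
Set objShell = CreateObject("WScript.Shell")
Set objGroup = GetObject("WinNT://" & objNet.ComputerName & "/" & GROUP_NAME & ",group")

' Pass 1: classify every member by SID, not by display name.
For Each objMember In objGroup.Members
    If IsAllowed(SidHex(objMember)) Then
        strLog = strLog & "keep   " & objMember.ADsPath & vbCrLf
    Else
        strLog = strLog & "remove " & objMember.ADsPath & vbCrLf
        strRemove = strRemove & objMember.ADsPath & vbLf
    End If
Next

' Pass 2: remove after enumeration so the collection is not changed mid-loop.
If Not REPORT_ONLY Then
    For Each strPath In Split(strRemove, vbLf)
        If strPath <> "" Then objGroup.Remove strPath
    Next
End If
' Event type 2 = warning, 4 = information (Application log, source WSH).
If strRemove <> "" Then objShell.LogEvent 2, strLog Else objShell.LogEvent 4, strLog

' Allowed: S-1-5-21-<domain or machine>-500 (built-in Administrator, even if
' renamed) and -512 (Domain Admins). Everyone (S-1-1-0), Domain Users (-513)
' and members whose SID cannot be read are all treated as not allowed.
Function IsAllowed(strHex)
    Dim strRid
    strRid = Right(strHex, 8)         ' RID = last sub-authority, little-endian
    IsAllowed = (Len(strHex) = 56) And (Left(strHex, 24) = "010500000000000515000000") _
                And (strRid = "F4010000" Or strRid = "00020000")
End Function

' Binary objectSid of a group member as an upper-case hex string ("" on error).
Function SidHex(objMember)
    Dim arrSid, i
    SidHex = ""
    On Error Resume Next
    arrSid = objMember.Get("objectSid")
    If Err.Number <> 0 Then Exit Function
    On Error GoTo 0
    For i = 1 To LenB(arrSid)
        SidHex = SidHex & Right("0" & Hex(AscB(MidB(arrSid, i, 1))), 2)
    Next
End Function
```

With REPORT_ONLY left at True the script only writes its keep/remove decisions to the Application event log, which gives a per-machine record to review before switching removal on.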


    • #3
      Re: remove "everyone" from local admin group

      point well taken...

      i rely on the users' lack of education as a form of preventative maintenance, which is not a reliable course of action...

      i agree with the filemon and regmon, and if i was the original administrator, that is how it would be set up from the get-go. unfortunately, i was next in line, so i have been trying to find a way to counteract the addition of "everyone" and "domain users" for quite some time.

      i recently had issues where the users are clicking whatever they want and a few stations have been hosed due to this improper handling of these security groups.

      so, i suppose that i should start by recreating the image without the groups, and study the permissions necessary to use these applications without the need for local admin rights.

      thank you for the reality check rems. i always find your posts insightful and accurate. great help is hard to come by and always appreciated..