Remove domain user from local admin
  • Remove domain user from local admin

    I have seen several posts about adding a user to local admin, but not many about removing a domain user from the local administrators group. What I am planning on doing is running this as a login script from group policy so it will run locally when the user logs in. I have this so far, but I am getting issues when it is looking for the path of the user...

    Code:
    strComputer = "."
    
    Set objShell = Wscript.CreateObject("Wscript.Shell")
    UserName = objShell.ExpandEnvironmentStrings("%USERNAME%")
    Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
    Set objUser = GetObject("WinNT://" & strComputer & "/DOMAIN\"" & UserName &"",user")
    
    'WScript.Echo "/DOMAIN\" & UserName
    
    objGroup.Remove(objUser.ADsPath)
    
    msgbox "User has now been removed from local admin group"
    
    Wscript.Quit
    Can anyone help?

  • #2
    Re: Remove domain user from local admin

    Would you not have to address the user via an LDAP path? i.e. CN=name,OU=name,DC=name,DC=com ? I'm not sure about this as it's mixing domain users and local SAM groups.


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you

    • #3
      Re: Remove domain user from local admin

      Yeah I'm not sure about that either, because if you used the LDAP path then it would be different when specifying the local path.

      I was just trying to echo the username as how it would look in the local admin group, which is like "DOMAIN\username"

      When trying to use just the "username" alone, that hasn't worked...

      I could query WMI like this:

      Code:
      ' Query the local machine for the interactively logged-on user.
      strComputer = "."
      Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
      Set colItems = objWMIService.ExecQuery("Select * From Win32_ComputerSystem")
      For Each objItem in colItems
          ' Win32_ComputerSystem.UserName is returned as "DOMAIN\username"
          UserName = objItem.UserName
      Next
      WScript.Echo UserName
      And that would show the user as "DOMAIN\username" but I'm not sure how to add that into the script.

      • #4
        Re: Remove domain user from local admin

        Can you post one of the scripts to ADD a domain user to a local group? Surely you would simply replace the line "objGroup.Add(objUser.ADsPath)" or equivalent with the appropriate "Remove" or "Delete" method?

        Do they do it with the "Group" object or the "User" object? (e.g. "objUser.AddtoGroup(objGroup.groupname)" (I made up the AddtoGroup method because I don't know the "real" syntax - I know a little about how VBS works but not the actual objects and methods).


        Tom

        • #5
          Re: Remove domain user from local admin

          p.s. I'm just trying to throw in ideas to help you to diagnose and resolve...


          Tom

          • #6
            Re: Remove domain user from local admin

            Originally posted by Stonelaughter:
            Would you not have to address the user via an LDAP path? i.e. CN=name,OU=name,DC=name,DC=com ? I'm not sure about this as it's mixing domain users and local SAM groups.
            The WinNT provider uses a different binding string to bind to objects than the LDAP provider does. The ADsPath of the object will look different; you cannot use a distinguished name in this script.

            What goes wrong is that your script connects to the computer again for the user account, but it should connect to the domain to bind the user object.

            Code:
            Set objNetwork = CreateObject("Wscript.Network") 
            strUser = objNetwork.UserName 
            strDomain = objNetwork.UserDomain 
            strComputer = objNetwork.ComputerName
            
            strLocalGroup = "Administrators"
            
            On Error Resume Next 
            
            ' Bind to local group object.
            Set objGroup = GetObject("WinNT://" _ 
                      & strComputer & "/" & strLocalGroup & ",group")
            If (Err.Number <> 0) Then wscript.Quit
            
            ' Bind to the user object on the Domain.
            ' (use also the WinNT provider). 
            Set objUser = GetObject("WinNT://" _
                      & strDomain & "/" & strUser & ",user")
            If (Err.Number <> 0) Then wscript.Quit
            
            On Error GoTo 0
            
            ' Check If user is a member, then remove him/her self! from local group
            If (objGroup.IsMember(objUser.AdsPath) = True) Then 
                objGroup.Remove(objUser.AdsPath) 
            ' (This script can run as logon script without problems because it first check if the user is a member.
            '  If the user is a local administrator s/he has privileges to remove him/her self from the local group.
            '  Do Keep in mind however that the user at this stage already is logged-on as an Administrator,
            '  s/he will keep all the access rights until the next logon).
            End If 
            
            Wscript.Quit
            \Rems
            Last edited by Rems; 28th May 2008, 06:41. Reason: changed to, "IF IsMember()=TRUE Then"

            This posting is provided "AS IS" with no warranties, and confers no rights.

            ** Remember to give credit where credit's due **
            and leave Reputation Points for meaningful posts

            • #7
              Re: Remove domain user from local admin

              Thanks Rems + Stoneslaughter. That's exactly what I needed... I somehow always make it more complicated than it really is.

              • #8
                Re: Remove domain user from local admin

                I think I made one typo here,
                If (objGroup.IsMember(objUser.AdsPath) = False) Then
                .....

                False should be True here.

                I now have changed it in my previous post.

                Glad we could help,

                \Rems


                • #9
                  Re: Remove domain user from local admin

                  Originally posted by ekrengel:
                  Thanks Rems + Stoneslaughter. That's exactly what I needed... I somehow always make it more complicated than it really is.

                  StoneSLAUGHTER?!? LMAO


                  Tom

                  • #10
                    Re: Remove domain user from local admin

                    Hahahha, my bad.

                    • #11
                      Re: Remove domain user from local admin

                      I modified this script a little more for my needs: I just added a forced log-off command with a message. It won't work with Windows 2000 machines, but that's not a problem as it's all XP here. The changes are in red.

                      Code:
                      Set objNetwork = CreateObject("Wscript.Network") 
                      Set WshShell = WScript.CreateObject("WScript.Shell")  
                      strUser = objNetwork.UserName 
                      strDomain = objNetwork.UserDomain 
                      strComputer = objNetwork.ComputerName
                      
                      strLocalGroup = "Administrators"
                      
                      On Error Resume Next 
                      
                      Set objGroup = GetObject("WinNT://" _ 
                                & strComputer & "/" & strLocalGroup & ",group")
                      If (Err.Number <> 0) Then WScript.Quit
                      
                      Set objUser = GetObject("WinNT://" _
                                & strDomain & "/" & strUser & ",user")
                      If (Err.Number <> 0) Then WScript.Quit
                      
                      On Error GoTo 0
                      
                      If (objGroup.IsMember(objUser.AdsPath) = True) Then 
                          objGroup.Remove(objUser.AdsPath) 
                            Message = "You have been removed as a local administrator," _
                             + (Chr(13)& Chr(10)) + "and will now be forced to log off for the change to take place." _
                             + (Chr(13)& Chr(10)) + (Chr(13)& Chr(10)) + "Thanks." _
                             + (Chr(13)& Chr(10)) + (Chr(13)& Chr(10)) + "-IT"
                            Msgbox Message, 0,"Company"
                          WshShell.run "shutdown.exe -L -F"
                      End If
                      
                      WScript.Quit
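The same check-then-remove logic as Rems' script in #6 and the variant in #11, written as an added PowerShell example (not code from the thread). It assumes Windows 10 / Server 2016 or later for Get-LocalGroupMember and Remove-LocalGroupMember, a log path under ProgramData, and a token that is allowed to edit the group: on UAC-enabled systems a user logon script runs with the filtered token, so run this elevated or as a machine startup script with -Member given explicitly.

```powershell
# Added example, not code from the thread: check membership, remove, and log the decision.
# Assumes Windows 10 / Server 2016+ (Microsoft.PowerShell.LocalAccounts) and a token
# that may modify the local group. The log path is an assumed location.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Group   = 'Administrators',
    [string]$Member  = "$env:USERDOMAIN\$env:USERNAME",          # DOMAIN\user, as the thread builds it
    [string]$LogPath = "$env:ProgramData\LocalAdminCleanup.log"  # assumed location
)

function Write-Log([string]$Text) {
    Add-Content -Path $LogPath -Value ("{0:s} {1} {2}" -f (Get-Date), $env:COMPUTERNAME, $Text)
}

# Domain principals come back as DOMAIN\name with PrincipalSource = ActiveDirectory,
# which is the form the WMI/WinNT juggling earlier in the thread was trying to produce.
try {
    $members = Get-LocalGroupMember -Group $Group -ErrorAction Stop
} catch {
    # Failure mode worth logging rather than hiding: the cmdlet throws when the group
    # still lists an orphaned SID (for example a deleted domain account).
    Write-Log "ERROR enumerating group '$Group': $($_.Exception.Message)"
    exit 1
}

$hit = $members | Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -ieq $Member }
if (-not $hit) {
    Write-Log "$Member is not a member of '$Group'; nothing to do"
    exit 0
}

# -WhatIf dry-runs the removal, so the GPO script can be tested before it is deployed.
if ($PSCmdlet.ShouldProcess($Member, "Remove from local group $Group")) {
    Remove-LocalGroupMember -Group $Group -Member $Member -ErrorAction Stop
    Write-Log "Removed $Member from '$Group' (principal source: $($hit.PrincipalSource))"
    # Rems' caveat still applies: the existing logon token keeps the Administrators SID
    # until the next logon, which is why #11 forces a log-off afterwards.
}
```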

                      • #12
                        Re: Remove domain user from local admin

                        Thanks for coming back with your final solution - it may help others!


                        Tom

                        • #13
                          Re: Remove domain user from local admin

                          Hi Ekrengel,

                          A question:
                          Why are you using (Chr(13) & Chr(10))
                          instead of vbCrLf?

                          As far as I know, vbCrLf is an internal constant of the script host, which transforms it to (Chr(13) & Chr(10)) internally....

                          Or am I wrong?
                          Semper in faecibus sumus, sole profundum variat

                          • #14
                            Re: Remove domain user from local admin

                            SaMaLaKo -

                            Yes, it is the same! So it would be...

                            Code:
                                  Message = "You have been removed as a local administrator," _
                                   & VbCrLF & "and will now be forced to log off for the change to take place." _
                                   & VbCrLF & VbCrLF & "Thanks." _
                                   & VbCrLF & VbCrLF & "-Company"
