Announcement

Collapse
No announcement yet.

Removing Users From Machine Local Group

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Removing Users From Machine Local Group

    Environment:
    Mixed Mode
    Three Sites
    Site A:Win2k DC
    Site B:Win2k DC
    Site C:Win2k3 DC

    Site C has all 100 Win XP Clients and all the users are members of their Machine Local Admin Group, I need to change this situation by Friday so I'm thinking that if some kind soul could point me to a script that will do this for me I would be very grateful.

    All the users in Site C are held in an OU with the same name in AD.

    I hope I've provided enough info.

  • #2
    You could add something like this to the users logon scripts:
    Code:
    net localgroup Administrators %USERDOMAIN%\%USERNAME% /delete
    As the users are admins, they have write perms over the local Administrators group and on the first logon they will be removed from the group.

    Another approach would be to use GPO and restricted groups feature as shown in the picture attached. This would reset the computer's Administrators group to the list of accounts&groups you define in the GPO.
    Attached Files
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"

    Comment


    • #3
      thanks Guyt, I've tried it already at home and it works! I will implement it at work onMonday. Thanks very much.

      Comment


      • #4
        Thanks very much Guyt!! It does work, but like everything, there is a slight problem. We are using HP USDTs that have this wierd 'setrefresh' key in the registry which doesn't allow anybody to be able to change screen resolution unless they are in the Local admin Group. Deleting the 'setrefresh' key takes care of the problem, they key is in HKey Local Machine\Software\Microsoft\Windows\Current Version\Run\...do you know of a way to include a line to delete the 'setrefresh' key before the net local group command? Thanks for your help in advance.

        Comment


        • #5
          Code:
          reg delete "HKLM\Software\Microsoft\Windows\Current Version\Run" /v setrefresh /f
          should do the job.

          "reg /?" for more info
          Guy Teverovsky
          "Smith & Wesson - the original point and click interface"

          Comment


          • #6
            thanks for your quick reply, I've been testing that line for nearly an hour by trying to run it from the command prompt on a machine that has the 'SetRefresh' key but I keep getting Error: The system was unable to find the specified registry key or value. Any more ideas? That key is definitely there 'cause I've checked and I'm running it as admin for the test. here is what i typed at the CP:

            C:\>reg delete "HKLM\Software\Microsoft\Windows\Current Version\Run" /v SetRefresh /f

            Comment


            • #7
              Are you sure the path you specified is the correct one ?
              I have the key under:
              HKLM\Software\Microsoft\Windows\Current Version\Run\Compaq and not HKLM\Software\Microsoft\Windows\Current Version\Run

              If I'm right, run it like this:

              Code:
              C:\>reg delete "HKLM\Software\Microsoft\Windows\Current Version\Run\Compaq" /v SetRefresh /f
              Guy Teverovsky
              "Smith & Wesson - the original point and click interface"

              Comment


              • #8
                Is SetRefresh a Key or a Value ?

                If it's a key then you need
                Code:
                reg delete "HKLM\Software\Microsoft\Windows\Current Version\Run\Compaq\SetRefresh\" /f
                If it's a value then the code guy gave you should work fine.

                topper
                * Shamelessly mentioning "Don't forget to add reputation!"

                Comment


                • #9
                  Sorry for the confusion. setRefresh is a value, so the code I gave still stands.
                  Guy Teverovsky
                  "Smith & Wesson - the original point and click interface"

                  Comment


                  • #10
                    Sorry guys, first of all I have to apologise for getting my registry terminologies in a twist, but the path as I've given it is correct. However we have decided to fix the problem by using remote or network registry feature, the previous script ran and therefore all the users are no longer local administrators so it will be impossible to have the "reg delete" line run. Besides, only a few machines are affected. Thanks guys!

                    Comment

                    Working...
                    X