VBScript - Remove a user from the local administrator group

November 2016

When many computers are joined to a domain (Active Directory), it is important not to give administrative rights to everyone. This prevents anyone from accidentally deleting important software or installing unauthorised software that could put the entire domain or network at risk. If several users have ended up with admin rights, they can easily be removed from the local Administrators group with VBScript. This saves administrators from having to remove each user from the group by hand, one computer at a time. If the VBScript is run on Windows 2000, some AD DLLs need to be registered. This problem does not occur on Windows XP, which needs no DLL registration.


Issue


We added 1000 computers to a domain/AD. Before deployment the imaging guy created a local user with admin rights just for administrative purposes. After distributing the computers, we realized that we needed to delete/remove the account from all the computers. We do not want to go in every computer and delete the account. All the computers have already been added to the domain in their proper OU. My question is: can someone help me with a script that can delete the user from the local admin group? I know I can disable the account but I think I would be safer to delete the account.
Any help will be greatly appreciated.

Solution


You can write a VBScript that will remove a user from the local administrator group on all the PCs in your domain. Then you set the script up to be a startup script in group policy and it will remove the user from every computer's local admin group when the computer boots up. We also use this script to change the local administrator account's name and password. If the systems are Windows 2000, there are some AD DLLs that have to be registered. If they are Windows XP, it will work without any DLL registration.

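Sample:

' Remove the listed accounts from the local Administrators group.
Dim strLocalAdminGroup
Dim strComputer
Dim remAdmins
Dim WshShell, WshSysEnv, WshUserEnv, WshProEnv
Dim grp, member, i

Set WshShell = WScript.CreateObject("WScript.Shell")
Set WshSysEnv = WshShell.Environment("SYSTEM")
Set WshUserEnv = WshShell.Environment("User")
Set WshProEnv = WshShell.Environment("Process")

strComputer = WshProEnv("COMPUTERNAME")
' Placeholders: replace DomainName/UserID with the account to remove.
' WinNT paths separate the domain and the user with a forward slash.
remAdmins = Array("DomainName/UserID", "Everyone")
strLocalAdminGroup = "Administrators"

' Bind to the local group once, then remove each listed member that is present.
Set grp = GetObject("WinNT://" & strComputer & "/" & strLocalAdminGroup)
For i = LBound(remAdmins) To UBound(remAdmins)
    member = "WinNT://" & remAdmins(i)
    If grp.IsMember(member) Then
        grp.Remove member
    End If
Next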

Note


Thanks to JW for this tip on the forum.
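
An audit-only companion to the removal script above, added here as an example and not part of the original tip: it lists the members of the local Administrators group through the same WinNT provider and writes a warning to the Application event log for every member that is not on an allowlist, so the result of the startup script can be checked per machine. The allowlist entries ("DomainName/Domain Admins" and the built-in local Administrator) and the AccountKey helper are assumptions for illustration.

```vbscript
Option Explicit
' Audit only: reports unexpected local administrators, removes nothing.
' The allowlist entries below are constructed placeholders (assumptions).
Const EVENT_WARNING = 2
Const EVENT_INFORMATION = 4

Dim objNetwork, objShell, strComputer, objGroup, objMember
Dim dictAllowed, strKey, intUnexpected

Set objNetwork = CreateObject("WScript.Network")
Set objShell = CreateObject("WScript.Shell")
strComputer = objNetwork.ComputerName

' Allowed members, keyed as "Authority/Name" (case-insensitive).
Set dictAllowed = CreateObject("Scripting.Dictionary")
dictAllowed.CompareMode = vbTextCompare
dictAllowed.Add strComputer & "/Administrator", True
dictAllowed.Add "DomainName/Domain Admins", True

Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
intUnexpected = 0
For Each objMember In objGroup.Members
    strKey = AccountKey(objMember.ADsPath)
    If Not dictAllowed.Exists(strKey) Then
        intUnexpected = intUnexpected + 1
        objShell.LogEvent EVENT_WARNING, "Unexpected local admin on " & _
            strComputer & ": " & strKey & " (" & objMember.Class & ")"
    End If
Next

If intUnexpected = 0 Then
    objShell.LogEvent EVENT_INFORMATION, "Local Administrators on " & _
        strComputer & " matches the allowlist."
End If

' Reduce an ADsPath such as WinNT://DOMAIN/PC/User or WinNT://DOMAIN/Group
' to its last two segments. A member whose account was deleted appears as a
' bare SID (one segment) and is returned as-is so it is still reported.
Function AccountKey(strADsPath)
    Dim arrParts, n
    arrParts = Split(Mid(strADsPath, Len("WinNT://") + 1), "/")
    n = UBound(arrParts)
    If n >= 1 Then
        AccountKey = arrParts(n - 1) & "/" & arrParts(n)
    Else
        AccountKey = arrParts(0)
    End If
End Function
```

Run it after the removal script in the same startup policy; the events can then be collected centrally to find machines where the cleanup did not take effect.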


This document entitled « VBScript - Remove a user from the local administrator group » from CCM (ccm.net) is made available under the Creative Commons license. You can copy, modify copies of this page, under the conditions stipulated by the license, as this note appears clearly.