A few words of thanks would be greatly appreciated.

VBScript - Remove a user from the local administrator group

When multiple computers are added to a domain/AD it is important not to give administrative rights to everyone. This will avoid anyone accidentally deleting important software or installing unauthorised software which could put the entire domain or network at risk. In the event of multiple users having admin rights, one can easily remove them from the local administrative group by using VBscript. This gives the administrators the flexibility of not deleting each user from the local administrative group at the same time. If the required VBscript is run on Windows 2000 then some AD dll's need to be registered. This problem, however, is not seen on Windows XP as it does not need dll registration.


We added 1000 computers to a domain/AD. Before deployment the imaging guy created a local user with admin rights just for administrative purposes. After distributing the computers, we realized that we needed to delete/remove the account from all the computers. We do not want to go in every computer and delete the account. All the computers have already been added to the domain in their proper OU. My question is: can someone help me with a script that can delete the user from the local admin group? I know I can disable the account but I think I would be safer to delete the account.
Any help will be greatly appreciated.


You can write a VBscript that will remove a user from the local administrator group on all the PCs in your domain. Then you set the script up to be a startup script in group policy and it will remove the user from every computers local admin group when the computer boots up. We also use this script to change the local administrator account's name and password. If the systems are Windows 2000 there are some AD dll's that have to be registered. If they are Windows XP, it will work without any dll registration.


Dim strLocalAdminGroup   
Dim strComputer   
Dim remadmins   

Set WshShell = Wscript.CreateObject("Wscript.Shell")   
Set WshSysEnv = WshShell.Environment("SYSTEM")   
Set WshUserEnv = WshShell.Environment("User")   
Set WshProEnv = WshShell.Environment("Process")   

strComputer = WshProEnv("COMPUTERNAME")   
remadmins = array("DomainNameUserID","Everyone")   
strLocalAdminGroup = "Administrators"   

For i = lbound(remAdmins) to ubound(remAdmins)   
Set grp = GetObject("WinNT://" & strComputer & "/" & strLocalAdminGroup)   
member = "WinNT://" & remAdmins(i)   
if grp.Ismember(member) = True then   
end if   


Thanks to JW for this tip on the forum.

A few words of thanks would be greatly appreciated.

Ask a question
CCM is a leading international tech website. Our content is written in collaboration with IT experts, under the direction of Jeff Pillou, founder of CCM.net. CCM reaches more than 50 million unique visitors per month and is available in 11 languages.

Published by . Latest update on by Virginia Parsons.

This document, titled "VBScript - Remove a user from the local administrator group," is available under the Creative Commons license. Any copy, reuse, or modification of the content should be sufficiently credited to CCM (https://ccm.net/).