When multiple computers are added to a domain/AD, it is important not to give administrative rights to everyone. This avoids anyone accidentally deleting important software or installing unauthorised software, which could put the entire domain or network at risk. If multiple users do have admin rights, they can easily be removed from the local administrative group using VBScript. This gives administrators the flexibility of not having to delete each user from the local administrative group individually. If the required VBScript is run on Windows 2000, some AD DLLs need to be registered. This problem, however, is not seen on Windows XP, as it does not need DLL registration.
We added 1000 computers to a domain/AD. Before deployment the imaging guy created a local user with admin rights just for administrative purposes. After distributing the computers, we realized that we needed to delete/remove the account from all the computers. We do not want to go in every computer and delete the account. All the computers have already been added to the domain in their proper OU. My question is: can someone help me with a script that can delete the user from the local admin group? I know I can disable the account but I think I would be safer to delete the account.
Any help will be greatly appreciated.
You can write a VBScript that will remove a user from the local administrator group on all the PCs in your domain. Then you set the script up to be a startup script in group policy and it will remove the user from every computer's local admin group when the computer boots up. We also use this script to change the local administrator account's name and password. If the systems are Windows 2000 there are some AD DLLs that have to be registered. If they are Windows XP, it will work without any DLL registration.
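' Startup script: removes the listed accounts from the local Administrators group
Set WshShell = WScript.CreateObject("WScript.Shell")
Set WshSysEnv = WshShell.Environment("SYSTEM")
Set WshUserEnv = WshShell.Environment("User")
Set WshProEnv = WshShell.Environment("Process")
strComputer = WshProEnv("COMPUTERNAME")
' Accounts to remove, given as the tail of a WinNT:// path (DomainName/UserID is a placeholder)
remAdmins = Array("DomainName/UserID", "Everyone")
strLocalAdminGroup = "Administrators"
For i = LBound(remAdmins) To UBound(remAdmins)
    Set grp = GetObject("WinNT://" & strComputer & "/" & strLocalAdminGroup)
    member = "WinNT://" & remAdmins(i)
    ' Only call Remove when the account is actually a member, so the script does not error out
    If grp.IsMember(member) = True Then
        grp.Remove member
    End If
Next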
Thanks to JW for this tip on the forum.
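A read-only companion check, added here as an example and not part of JW's script or the original thread: it lists the members of the local Administrators group and writes a warning to the Application event log for any that are not on an allowlist, so the result of the startup script can be verified on each machine. The allowlist entries, including the DomainName placeholder, are assumptions to be replaced with your own values.

```vbscript
Option Explicit
' Added example: audits the local Administrators group without changing it.
' Allowlist entries are placeholders (assumptions); replace with your own.
Dim allowed, net, shell, strComputer, grp, member, path, unexpected

' A bare name matches any account with that name, local or domain;
' use "DomainName/Account" to pin an entry to one domain.
allowed = Array("Administrator", "DomainName/Domain Admins")

Set net = CreateObject("WScript.Network")
Set shell = CreateObject("WScript.Shell")
strComputer = net.ComputerName

Function IsAllowed(adsPath)
    ' Compare the tail of the member's ADsPath with each allowlist entry,
    ' case-insensitively (e.g. WinNT://DomainName/Domain Admins).
    Dim i, suffix
    IsAllowed = False
    For i = LBound(allowed) To UBound(allowed)
        suffix = "/" & LCase(allowed(i))
        If Right(LCase(adsPath), Len(suffix)) = suffix Then
            IsAllowed = True
            Exit Function
        End If
    Next
End Function

' Bind to the local group through the same WinNT provider the removal script uses
Set grp = GetObject("WinNT://" & strComputer & "/Administrators,group")
unexpected = ""
For Each member In grp.Members
    path = member.ADsPath
    If Not IsAllowed(path) Then
        unexpected = unexpected & vbCrLf & "  " & path & " (" & member.Class & ")"
    End If
Next

' 2 = WARNING event type for WshShell.LogEvent
If unexpected <> "" Then
    shell.LogEvent 2, "Unexpected local Administrators members on " & _
        strComputer & ":" & unexpected
End If
```

Deployed as a second startup script, this leaves one warning event per machine that still has unexpected members, which can then be collected centrally.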