Please use the procedure below to remove admin access from all users except the built-in system administrator account.
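# Removes every local account except the one named "Administrator" from the
# local Administrators group: a VBScript is written to a temp file, run with
# cscript, and whatever cscript prints is echoed.
#
# NOTE(review): the built-in account is recognised by name only. If it has been
# renamed, filter on the account SID instead -- confirm before deploying.
# NOTE(review): make sure a usable administrator (an enabled built-in account
# or a domain group) remains on each machine before running this fleet-wide.
import os
import subprocess
import tempfile

temp = os.environ['TEMP']

vbs = r'''
Set WshShell = WScript.CreateObject("WScript.Shell")
Set colItems = GetObject("winmgmts:\\.\root\cimv2").ExecQuery("Select * from Win32_UserAccount Where LocalAccount=True")
On Error Resume Next
For Each objItem in colItems
If objItem.Name <> "Administrator" Then
cmd="net localgroup administrators """ & objItem.Name & """ /delete"
' Start from a failure value so an error swallowed by On Error Resume Next
' is never reported as a successful removal.
rc = -1
rc = WshShell.Run(cmd, 0, True)
If rc = 0 Then
WScript.Echo objItem.Name & " removed from local administrator group"
Else
WScript.Echo objItem.Name & " not removed (net localgroup exit code " & rc & ")"
End If
End If
Next
'''

# A fixed file name in a shared temp directory can be pre-created or swapped by
# another local user before cscript runs it with this script's privileges.
# mkstemp creates a new, uniquely named file and fails if the name is taken.
fd, script_path = tempfile.mkstemp(suffix='.vbs', dir=temp)
try:
    with os.fdopen(fd, 'w') as f:
        f.write(vbs)

    # PROGRAMW6432 is set for a 32-bit process on 64-bit Windows; in that case
    # the script host under SysWOW64 is used, as in the original.
    if 'PROGRAMW6432' in os.environ:
        host_dir = 'SysWOW64'
    else:
        host_dir = 'System32'
    vb = os.path.join(os.environ['SYSTEMROOT'], host_dir, 'cscript.exe')

    # Argument list with an absolute script path: no shell parsing, and no
    # dependence on the current directory being the temp folder.
    proc = subprocess.Popen([vb, script_path],
                            stdout=subprocess.PIPE,
                            universal_newlines=True)
    print(proc.communicate()[0])
finally:
    # Remove the generated script even when cscript could not be started.
    if os.path.isfile(script_path):
        os.remove(script_path)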
Is there any way to remove non-admin DOMAIN users from the PC’s local admin group also? I guess I wasn’t very clear on my request, but what I wanted is a script that removes local admin access to all users who aren’t domain administrators… eg so Joe User can’t go and make changes to the PC, install software, etc. This is unfortunately very common at most companies but it’s quite a security risk. Ideally I can select an entire site’s desktops and run the script and now only domain admins can have admin privilege on the computer. The script may need to be edited by whoever downloads it though to specify whatever their domain admin group is right? (and maybe the domain itself?)
Please use the script below to remove every local user from the local Administrators group; domain users and the built-in Administrator are left in place.
Note:
Run the script as System User.
Limitation: The script will not remove the non-admin domain users right now.
def ecmd(CMD, r=False):
    """Run CMD through the shell with WOW64 file-system redirection disabled.

    Args:
        CMD: command line, passed to Popen with shell=True.
        r: when true, always return the process exit code.

    Returns:
        The exit code if ``r`` is true or the command exited non-zero;
        otherwise the captured standard output. Standard error is captured
        and discarded.

    NOTE(review): CMD is interpreted by the shell, so callers must not build
    it from text they have not validated.
    """
    import ctypes
    from subprocess import PIPE, Popen

    class _NoFsRedirection:
        # Context manager around the kernel32 WOW64 redirection calls.
        _disable = ctypes.windll.kernel32.Wow64DisableWow64FsRedirection
        _revert = ctypes.windll.kernel32.Wow64RevertWow64FsRedirection

        def __enter__(self):
            self.old_value = ctypes.c_long()
            self.success = self._disable(ctypes.byref(self.old_value))

        def __exit__(self, exc_type, exc_value, exc_tb):
            # Only undo the redirection change if disabling reported success.
            if self.success:
                self._revert(self.old_value)

    with _NoFsRedirection():
        proc = Popen(CMD, shell=True, stdout=PIPE, stderr=PIPE)
    captured_out, _captured_err = proc.communicate()
    exit_code = proc.returncode

    if r or exit_code != 0:
        return exit_code
    return captured_out
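# Lists the members of the local Administrators group with a generated
# VBScript, removes every local account except "Administrator" from the group,
# and prints the membership before and after. Domain members are left alone.
#
# NOTE(review): make sure a usable administrator (an enabled built-in account
# or a domain group) remains on each machine before running this fleet-wide.
import os
import tempfile

# The VBScript tags each member "local:" when its ADsPath contains
# "/<computer name>/" and "domain:" otherwise.
s = r'''strComputer = "%s"
strTestString = "/" & strComputer & "/"
Set colGroups = GetObject("WinNT://" & strComputer & "/Administrators")
For Each objUser In colGroups.Members
If InStr(objUser.AdsPath, strTestString) Then
Wscript.Echo "local:" & objUser.Name
Else
Wscript.Echo "domain:" & objUser.Name
End If
Next''' % (os.environ['COMPUTERNAME'])

# A fixed file name in a shared temp directory can be pre-created or swapped by
# another local user before cscript runs it with this script's privileges.
# mkstemp creates a new, uniquely named file and fails if the name is taken.
fd, temp = tempfile.mkstemp(suffix='.vbs', dir=os.environ['TEMP'])
try:
    with os.fdopen(fd, 'w') as wb:
        wb.write(s)
    # The path is quoted so a temp directory containing spaces still works;
    # //nologo keeps the script-host banner out of the text parsed below.
    out = ecmd('cscript //nologo "%s"' % temp)
finally:
    os.remove(temp)

# ecmd returns the exit code instead of text when the command fails. Stop here
# rather than act on a membership list that was never produced.
if isinstance(out, int):
    raise SystemExit('Could not list the Administrators group (cscript exit code %s)' % out)

local = []
domain = []  # gathered for reference only; domain members are never removed
for line in out.split('\n'):
    entry = line.strip()
    if entry.startswith('local:'):
        local.append(entry[len('local:'):])
    elif entry.startswith('domain:'):
        domain.append(entry[len('domain:'):])

# Never touch the built-in account; compare without regard to case.
local = [name for name in local if name.lower() != 'administrator']

print('Before Removing Local Users')
print('Members of Local Administrators Group: ')
print(ecmd('net localgroup Administrators'))

for name in local:
    # NOTE(review): the name is placed inside a shell command line by ecmd
    # (shell=True); quoting covers spaces, not every special character.
    rc = ecmd('net localgroup Administrators "%s" /delete' % name, True)
    if rc != 0:
        print('Could not remove %s (net localgroup exit code %s)' % (name, rc))

print('After Removing Local Users')
print(ecmd('net localgroup Administrators'))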
Script to Import:
Sample Output:
The output lists the members of the local Administrators group both before and after the local users are removed. You can compare the two reports to confirm which users were removed and which users (a domain user or the built-in Administrator) remain in the local Administrators group.
Please provide your feedback. It is a pleasure to help with any clarification you need.
Double post, due to an error: it said JSON error, then gave me a bad gateway error, then double posted. Please delete this one if you like; I changed the post so it is not too redundant.