Remove all users from local administrators group except default administrator account

Hi all,

Please use the procedure below to remove admin access from all users except the built-in system administrator account.


import os
temp=os.environ['TEMP']

vbs=r'''
Set WshShell = WScript.CreateObject("WScript.Shell")
Set colItems = GetObject("winmgmts:\\.\root\cimv2").ExecQuery("Select * from Win32_UserAccount Where LocalAccount=True")

On Error Resume Next
For Each objItem in colItems
    If objItem.Name <> "Administrator" Then
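        cmd="net localgroup administrators  """ & objItem.Name & """   /delete"
        ' Report a removal only when net exits with 0; non-zero means the account was not a member or the delete failed
        rc = -1
        rc = WshShell.Run(cmd, 0, True)
        If rc = 0 Then WScript.Echo  objItem.Name & "  removed from local administrator group"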
    End If
Next

'''

with open(temp+r'\remove_admin.vbs',"wb") as f :
    f.write(vbs)        

os.chdir(temp)

if 'PROGRAMW6432' in os.environ.keys():
    vb=os.environ['SYSTEMROOT']+r'\SysWOW64\cscript.exe'
    print os.popen(vb+'    remove_admin.vbs').read()
else:
    vb=os.environ['SYSTEMROOT']+r'\System32\cscript.exe'
    print os.popen(vb+'    remove_admin.vbs').read()


if os.path.isfile('remove_admin.vbs'):
    os.remove('remove_admin.vbs')






20170420-Remove-local-users-from-administrators-group.json (1.59 KB)

Sample output

Download link seems broken.

I tried to copy/paste it and it gives a failure on import.

Ok, I got this to work pasting it directly into procedures, so I think I’m good, thanks!

Hi @indieserve

We’re glad to be of help. Have a good day.

Hi @indieserve

I have uploaded it again. Please confirm downloading the script attachment.

Thanks mkannan, it works now.

Is there any way to remove non-admin DOMAIN users from the PC’s local admin group also? I guess I wasn’t very clear on my request, but what I wanted is a script that removes local admin access to all users who aren’t domain administrators… eg so Joe User can’t go and make changes to the PC, install software, etc. This is unfortunately very common at most companies but it’s quite a security risk. Ideally I can select an entire site’s desktops and run the script and now only domain admins can have admin privilege on the computer. The script may need to be edited by whoever downloads it though to specify whatever their domain admin group is right? (and maybe the domain itself?)

Hi @indieserve

We will analyze and update you soon on this request.

Thanks,
Kannan

Hi @indieserve,

Please use the script to remove all local users except all Domain Users and the built-in Administrator from the local group Administrators.

Note:
Run the script as System User.

Limitation:
The script will not remove the non-admin domain users right now.

def ecmd(CMD, r=False):
    import ctypes
    class disable_file_system_redirection:
        _disable = ctypes.windll.kernel32.Wow64DisableWow64FsRedirection
        _revert = ctypes.windll.kernel32.Wow64RevertWow64FsRedirection
        def __enter__(self):
            self.old_value = ctypes.c_long()
            self.success = self._disable(ctypes.byref(self.old_value))
        def __exit__(self, type, value, traceback):
            if self.success:
                self._revert(self.old_value)
    from subprocess import PIPE, Popen
    with disable_file_system_redirection():
        OBJ = Popen(CMD, shell = True, stdout = PIPE, stderr = PIPE)
    out, err = OBJ.communicate()
    ret=OBJ.returncode
    if r:
        return ret
    else:            
        if ret==0:
            return out
        else:
            return ret

import os
s=r'''strComputer = "%s"
strTestString = "/" & strComputer & "/"
Set colGroups = GetObject("WinNT://" & strComputer & "/Administrators")
For Each objUser In colGroups.Members
    If InStr(objUser.AdsPath, strTestString) Then
        Wscript.Echo "local:" & objUser.Name
    Else
        Wscript.Echo "domain:" & objUser.Name
    End If
Next'''%(os.environ['COMPUTERNAME'])
temp=os.path.join(os.environ['TEMP'], 'scripttofindlocalusers.vbs')
with open(temp, 'wb') as wb:
    wb.write(s)
out=ecmd('cscript %s'%temp)
os.remove(temp)
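# Split the cscript output into lines and keep the names tagged local: / domain:
local=[i.strip().replace('local:', '') for i in out.split('\n') if i.strip() if 'local:' in i.strip().lower()]
domain=[i.strip().replace('domain:', '') for i in out.split('\n') if i.strip() if 'domain:' in i.strip().lower()]
# Never remove the built-in Administrator account
try:
    local.remove('Administrator')
except ValueError:
    pass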
print 'Before Removing Local Users'
print 'Members of Local Administrators Group: '
print ecmd('net localgroup Administrators')
if local:
    for i in local:
        ecmd('net localgroup Administrators "%s" /delete'%i, True)
print 'After Removing Local Users'
print ecmd('net localgroup Administrators')

Script to Import:

Sample Output:

The output will contain members of the Local Administrators group before removing the local users and also after removing the local users. So you can compare those two reports to ensure the removed users and the users (may be a domain user or built-in administrator) which are not removed from the Local Administrators group.

Please provide your feedback. It is a pleasure to help you with any clarification.

Thank you.

20170511-Remove-Local-Users-From-Administrators-Group.json (3.05 KB)
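
Added example (not part of the thread's scripts or the attached procedure): one way to cover the limitation stated above is to decide removals from an allowlist instead of the local/domain split, so non-admin domain users are dropped as well. It parses constructed English-locale `net localgroup Administrators` output and builds the `/delete` commands as a dry run; the `CORP` domain, the account names and the `KEEP` set are assumptions to replace with your own.

```python
# Added example (Python 3); the sample output and account names are constructed.
SAMPLE_NET_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\joe.user
helpdesk-local
The command completed successfully.
"""

# Assumption: set the domain and admin group for your environment (lower case).
KEEP = {"administrator", "corp\\domain admins"}

def parse_members(net_output):
    """Return the member names listed by `net localgroup <group>` (English locale)."""
    lines = net_output.splitlines()
    start = next((i for i, l in enumerate(lines) if l.startswith("-----")), None)
    if start is None:
        raise ValueError("separator line not found; unexpected output format")
    members = []
    for line in lines[start + 1:]:
        line = line.strip()
        if line and not line.lower().startswith("the command completed"):
            members.append(line)
    return members

def plan_removals(members, keep=KEEP):
    """Split members into (kept, to_remove) using a case-insensitive allowlist."""
    kept = [m for m in members if m.lower() in keep]
    to_remove = [m for m in members if m.lower() not in keep]
    # Refuse to proceed if nothing is allowlisted: avoids removing every admin.
    if not kept:
        raise RuntimeError("no allowlisted member present; refusing to continue")
    return kept, to_remove

def removal_commands(to_remove, group="Administrators"):
    """Build the same `net localgroup ... /delete` command the thread's script runs."""
    return ['net localgroup %s "%s" /delete' % (group, m) for m in to_remove]

if __name__ == "__main__":
    kept, to_remove = plan_removals(parse_members(SAMPLE_NET_OUTPUT))
    print("keep:", kept)
    print("\n".join(removal_commands(to_remove)))  # dry run: review before executing
```

Matching the built-in account by the name `Administrator` misses a renamed account; its SID always ends in `-500`, which is a more reliable key.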

Can you not control this through GP???

Double post, due to an error, said json error, then gave me a bad gateway error, then double posted. Please delete this one if you like, and I changed the post so it is not too redundant.

Yes, that’s a good point. I can do this through a GPO, probably more appropriate than through a script.