Remove all users from local administrators group except default administrator account

Hi all,

Please use below procedure to remove admin access form all users except built in system administrator account.

import os

Set WshShell = WScript.CreateObject("WScript.Shell")
Set colItems = GetObject("winmgmts:\\.\root\cimv2").ExecQuery("Select * from Win32_UserAccount Where LocalAccount=True")

On Error Resume Next
For Each objItem in colItems
    If objItem.Name <> "Administrator" Then
        cmd="net localgroup administrators  """ & objItem.Name & """   /delete"        
        WshShell.Run cmd,0, True
        WScript.Echo  objItem.Name & "  removed from local administrator group"
    End If


with open(temp+r'\remove_admin.vbs',"wb") as f :


if 'PROGRAMW6432' in os.environ.keys():
    print os.popen(vb+'    remove_admin.vbs').read()
    print os.popen(vb+'    remove_admin.vbs').read()

if os.path.isfile('remove_admin.vbs'):

20170420-Remove-local-users-from-administrators-group.json (1.59 KB)

Sample output

Download link seems broken.

I tried to copy/paste it and it gives a failure on import.

Ok, I got this to work pasting it directly into procedures, so I think I’m good, thanks!

Hi @ indieserve

We’re glad to be of help. Have a good day

Hi @indieserve

I have uploaded it again.Please confirm downloading script attachment.

thanks mkannan, it works now.

Is there any way to remove non-admin DOMAIN users from the PC’s local admin group also? I guess I wasn’t very clear on my request, but what I wanted is a script that removes local admin access to all users who aren’t domain administrators… eg so Joe User can’t go and make changes to the PC, install software, etc. This is unfortunately very common at most companies but it’s quite a security risk. Ideally I can select an entire site’s desktops and run the script and now only domain admins can have admin privilege on the computer. The script may need to be edited by whoever downloads it though to specify whatever their domain admin group is right? (and maybe the domain itself?)

Hi @indieserve

We will analyze and update you soon on this request.


Hi @indieserve,

Please use the script to remove all local users except all Domain Users and built-in Administrator from the local group Administrators

Run the Script as System Users

The script will not remove the non-admin domain users right now.

def ecmd(CMD, r=False):
    import ctypes
    class disable_file_system_redirection:
        _disable = ctypes.windll.kernel32.Wow64DisableWow64FsRedirection
        _revert = ctypes.windll.kernel32.Wow64RevertWow64FsRedirection
        def __enter__(self):
            self.old_value = ctypes.c_long()
            self.success = self._disable(ctypes.byref(self.old_value))
        def __exit__(self, type, value, traceback):
            if self.success:
    from subprocess import PIPE, Popen
    with disable_file_system_redirection():
        OBJ = Popen(CMD, shell = True, stdout = PIPE, stderr = PIPE)
    out, err = OBJ.communicate()
    if r:
        return ret
        if ret==0:
            return out
            return ret

import os
s=r'''strComputer = "%s"
strTestString = "/" & strComputer & "/"
Set colGroups = GetObject("WinNT://" & strComputer & "/Administrators")
For Each objUser In colGroups.Members
    If InStr(objUser.AdsPath, strTestString) Then
        Wscript.Echo "local:" & objUser.Name
        Wscript.Echo "domain:" & objUser.Name
    End If
temp=os.path.join(os.environ['TEMP'], 'scripttofindlocalusers.vbs')
with open(temp, 'wb') as wb:
out=ecmd('cscript %s'%temp)
local=[i.strip().replace('local:', '') for i in out.split('
') if i.strip() if 'local:' in i.strip().lower()]
domain=[i.strip().replace('domain:', '') for i in out.split('
') if i.strip() if 'domain:' in i.strip().lower()]
print 'Before Removing Local Users'
print 'Members of Local Administrators Group: '
print ecmd('net localgroup Administrators')
if local:
    for i in local:
        ecmd('net localgroup Administrators "%s" /delete'%i, True)
print 'After Removing Local Users'
print ecmd('net localgroup Administrators')

Script to Import:

Sample Output:

The output will contain members of Local Administrators group before removing the local users and also after removing the local users. So you can compare those two reports to ensure the removed users and the users (my be a domain user or built-in administrator) which are not removed from the Local Administrators group.

Please provide your feedback. It is pleasure to help you for any clarification.

Thank you.

20170511-Remove-Local-Users-From-Administrators-Group.json (3.05 KB)

Can you not control this through GP???

Double post, do to an error, said json error, then gave me a bad gateway error, then double posted. Please delete this one if you like, and I changed the post so it is not too redundant.

Yes, that’s a good point. I can do this through a GPO, probably more appropriate than through a script.