This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Community FAQ
Register | Log In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Lansweeper Community
- Forums
- General Discussions
- Re: Remove user from local admin group
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Register to ask a question, start a topic or share an idea
Join the Community
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-19-2016 07:44 PM - last edited on ‎04-01-2024 04:31 PM by Mercedes_O
I searched for an action to do this but I didn't find anything. Basically, I'm looking for a custom action that will remove the Last User from the local administrators group. Any ideas? Thanks!
Labels:
- Labels:
-
API & Integrations
14 REPLIES 14
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎09-07-2017 10:09 PM
here - not sure if this one was a built-in report or not...
here's the report that will give you local administrators
Select Top 1000000 tblAssets.AssetID,
tblAssets.AssetName,
tblUsersInGroup.Username,
tblUsersInGroup.Domainname,
tblUsersInGroup.Groupname
From tblAssets
Inner Join tblUsersInGroup On tblAssets.AssetID = tblUsersInGroup.AssetID
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
Where tblUsersInGroup.Groupname =
'administrators' And tblComputersystem.Domainrole > 1 And
tblAssetCustom.State = 1
Order By tblAssets.AssetName
Run it, type in your username you're looking for in the report filter column, deploy your one line Lansweeper deployment package that removes that user.
no scripting required, and you leverage Lansweeper to find exactly what your targets are (like, edit the above group with more criteria, say production servers only...), versus using scripting to scan everything and remove it if it finds it... which can be dangerous and accidentally remove the user from places where he/she needs to be.
here's the report that will give you local administrators
Select Top 1000000 tblAssets.AssetID,
tblAssets.AssetName,
tblUsersInGroup.Username,
tblUsersInGroup.Domainname,
tblUsersInGroup.Groupname
From tblAssets
Inner Join tblUsersInGroup On tblAssets.AssetID = tblUsersInGroup.AssetID
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
Where tblUsersInGroup.Groupname =
'administrators' And tblComputersystem.Domainrole > 1 And
tblAssetCustom.State = 1
Order By tblAssets.AssetName
Run it, type in your username you're looking for in the report filter column, deploy your one line Lansweeper deployment package that removes that user.
no scripting required, and you leverage Lansweeper to find exactly what your targets are (like, edit the above group with more criteria, say production servers only...), versus using scripting to scan everything and remove it if it finds it... which can be dangerous and accidentally remove the user from places where he/she needs to be.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎09-07-2017 09:59 PM
and if that doesn't solve it... add the auditor's email address to the report that emails you when the user gets put back in the group 🙂
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎09-07-2017 09:56 PM
and then if I wanted to be awesome, I would edit the local admin membership report, SAVE AS, put a filter on it where user is na\username, then set deployment package to rescan assets after deploying...
and set up the new report to be emailed to me so I know when that user pops back in the local admin group...
then, set up a schedule every 1 day or so, deploy the package to that report I just made... so in the future, if someone puts the user back in local administrator group... Lansweeper will remove it 🙂
and set up the new report to be emailed to me so I know when that user pops back in the local admin group...
then, set up a schedule every 1 day or so, deploy the package to that report I just made... so in the future, if someone puts the user back in local administrator group... Lansweeper will remove it 🙂
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎09-07-2017 09:51 PM
I use a deployment package, one step:
command > net localgroup administrators DOMAIN\UserName /delete
I then use a report that shows me local administrator group membership, filter by DOMAIN\Username that I am looking for, then deploy package to the results.
Sounds dumb, but it takes like 3 minutes and you're done.
command > net localgroup administrators DOMAIN\UserName /delete
I then use a report that shows me local administrator group membership, filter by DOMAIN\Username that I am looking for, then deploy package to the results.
Sounds dumb, but it takes like 3 minutes and you're done.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎03-24-2021 04:27 PM
jacob_bks wrote:
I use a deployment package, one step:
command > net localgroup administrators DOMAIN\UserName /delete
I then use a report that shows me local administrator group membership, filter by DOMAIN\Username that I am looking for, then deploy package to the results.
Sounds dumb, but it takes like 3 minutes and you're done.
How does the command know which username has local admin privilege's?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-12-2018 07:14 PM
jacob_bks wrote:
I use a deployment package, one step:
command > net localgroup administrators DOMAIN\UserName /delete
That's an awesome idea, thank you for sharing. Sweet and simple. I do have a follow up question, I also suck at scripting. Is there a way to choose whether to deploy the package on-the-fly by using if...then inside the actual package script.
In other words before executing the "meat" of it being net localgroup administrators DOMAIN\UserName /delete the first line would check whether DOMAIN\UserName is member of localgroup administrators and only if YES then the "/delete" command is run.
I know there's no harm in banging the /delete against non-existent user but just though it would be more elegant to check first and only if the /delete needs to be carried out then the deployment continues, otherwise it just exists.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎07-16-2018 10:35 PM
jacob_bks wrote:
I use a deployment package, one step:
command > net localgroup administrators DOMAIN\UserName /delete
I then use a report that shows me local administrator group membership, filter by DOMAIN\Username that I am looking for, then deploy package to the results.
Sounds dumb, but it takes like 3 minutes and you're done.
Hi Jacob,
I created a package like you mentioned above but when I run it against one of the machines it fails.
Result: Deployment ended: Incorrect function. Stop(Failure). Credential: (*******\*******). ShareCredential: (lansweeper). Command: net localgroup administrators DOMAIN\UserName /delete
Are DOMAIN and username variables that it should pick up when I run the package against a machine?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎09-07-2017 07:13 PM
Nows a good time to learn!
Or, use psexec and do it manually. Psexec has to be run from an account that is in the admin group.
psexec.exe \\Computername cmd.exe /K
View users in the group
net localgroup admnistrators
Delete Users in the group
net localgroup administrators /delete Domain\username
Or, use psexec and do it manually. Psexec has to be run from an account that is in the admin group.
psexec.exe \\Computername cmd.exe /K
View users in the group
net localgroup admnistrators
Delete Users in the group
net localgroup administrators /delete Domain\username
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎09-07-2017 07:07 PM
Im not that great at scripting though.
General Discussions
Find answers to technical questions about Lansweeper.
New to Lansweeper?
Try Lansweeper For Free
Experience Lansweeper with your own data. Sign up now for a 14-day free trial.
Try Now
Related Content
- Local Admin Account Audit in General Discussions
- Missing AD user in LS in General Discussions
- Asset Group - Unable to Edit or Delete a Particular Group in General Discussions
- How to set up scannig ADC ... without being DomainAdmin? in General Discussions
- Email Notification When PC is Online in General Discussions
