This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Community FAQ
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Remove user from local admin group

mickeyshowers
Engaged Sweeper III

‎08-19-2016 07:44 PM - last edited on ‎04-01-2024 04:31 PM by

I searched for an action to do this but I didn't find anything. Basically, I'm looking for a custom action that will remove the Last User from the local administrators group. Any ideas? Thanks!

Labels:
0 Kudos
14 REPLIES 14
jacob_bks
Champion Sweeper

‎09-07-2017 10:09 PM

here - not sure if this one was a built-in report or not...

here's the report that will give you local administrators

Select Top 1000000 tblAssets.AssetID,
tblAssets.AssetName,
tblUsersInGroup.Username,
tblUsersInGroup.Domainname,
tblUsersInGroup.Groupname
From tblAssets
Inner Join tblUsersInGroup On tblAssets.AssetID = tblUsersInGroup.AssetID
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
Where tblUsersInGroup.Groupname =
'administrators' And tblComputersystem.Domainrole > 1 And
tblAssetCustom.State = 1
Order By tblAssets.AssetName



Run it, type in your username you're looking for in the report filter column, deploy your one line Lansweeper deployment package that removes that user.

no scripting required, and you leverage Lansweeper to find exactly what your targets are (like, edit the above group with more criteria, say production servers only...), versus using scripting to scan everything and remove it if it finds it... which can be dangerous and accidentally remove the user from places where he/she needs to be.
0 Kudos
jacob_bks
Champion Sweeper

‎09-07-2017 09:59 PM

and if that doesn't solve it... add the auditor's email address to the report that emails you when the user gets put back in the group 🙂

0 Kudos
jacob_bks
Champion Sweeper

‎09-07-2017 09:56 PM

and then if I wanted to be awesome, I would edit the local admin membership report, SAVE AS, put a filter on it where user is na\username, then set deployment package to rescan assets after deploying...

and set up the new report to be emailed to me so I know when that user pops back in the local admin group...

then, set up a schedule every 1 day or so, deploy the package to that report I just made... so in the future, if someone puts the user back in local administrator group... Lansweeper will remove it 🙂

0 Kudos
jacob_bks
Champion Sweeper

‎09-07-2017 09:51 PM

I use a deployment package, one step:
command > net localgroup administrators DOMAIN\UserName /delete

I then use a report that shows me local administrator group membership, filter by DOMAIN\Username that I am looking for, then deploy package to the results.

Sounds dumb, but it takes like 3 minutes and you're done.



0 Kudos
jhartley
Engaged Sweeper II
In response to jacob_bks

‎03-24-2021 04:27 PM

jacob_bks wrote:
I use a deployment package, one step:
command > net localgroup administrators DOMAIN\UserName /delete

I then use a report that shows me local administrator group membership, filter by DOMAIN\Username that I am looking for, then deploy package to the results.

Sounds dumb, but it takes like 3 minutes and you're done.





How does the command know which username has local admin privilege's?
0 Kudos
bubba198
Engaged Sweeper II
In response to jacob_bks

‎08-12-2018 07:14 PM

jacob_bks wrote:
I use a deployment package, one step:
command > net localgroup administrators DOMAIN\UserName /delete



That's an awesome idea, thank you for sharing. Sweet and simple. I do have a follow up question, I also suck at scripting. Is there a way to choose whether to deploy the package on-the-fly by using if...then inside the actual package script.

In other words before executing the "meat" of it being net localgroup administrators DOMAIN\UserName /delete the first line would check whether DOMAIN\UserName is member of localgroup administrators and only if YES then the "/delete" command is run.

I know there's no harm in banging the /delete against non-existent user but just though it would be more elegant to check first and only if the /delete needs to be carried out then the deployment continues, otherwise it just exists.
0 Kudos
mickeyshowers
Engaged Sweeper III
In response to jacob_bks

‎07-16-2018 10:35 PM

jacob_bks wrote:
I use a deployment package, one step:
command > net localgroup administrators DOMAIN\UserName /delete

I then use a report that shows me local administrator group membership, filter by DOMAIN\Username that I am looking for, then deploy package to the results.

Sounds dumb, but it takes like 3 minutes and you're done.





Hi Jacob,

I created a package like you mentioned above but when I run it against one of the machines it fails.

Result: Deployment ended: Incorrect function. Stop(Failure). Credential: (*******\*******). ShareCredential: (lansweeper). Command: net localgroup administrators DOMAIN\UserName /delete

Are DOMAIN and username variables that it should pick up when I run the package against a machine?
0 Kudos
scarsysadmin
Engaged Sweeper III

‎09-07-2017 07:13 PM

Nows a good time to learn!

Or, use psexec and do it manually. Psexec has to be run from an account that is in the admin group.
psexec.exe \\Computername cmd.exe /K

View users in the group
net localgroup admnistrators

Delete Users in the group
net localgroup administrators /delete Domain\username

0 Kudos
warlock1663
Engaged Sweeper

‎09-07-2017 07:07 PM

Im not that great at scripting though.
0 Kudos

General Discussions

Find answers to technical questions about Lansweeper.

New to Lansweeper?

Try Lansweeper For Free

Experience Lansweeper with your own data.
Sign up now for a 14-day free trial.

Try Now
Top