Remove user from local admin group

mickeyshowers
Engaged Sweeper III
I searched for an action to do this but I didn't find anything. Basically, I'm looking for a custom action that will remove the Last User from the local administrators group. Any ideas? Thanks!

jacob_bks
Champion Sweeper
Here. Not sure if this one was a built-in report or not...

Here's the report that will give you local administrators:

Select Top 1000000
    tblAssets.AssetID,
    tblAssets.AssetName,
    tblUsersInGroup.Username,
    tblUsersInGroup.Domainname,
    tblUsersInGroup.Groupname
From tblAssets
    Inner Join tblUsersInGroup On tblAssets.AssetID = tblUsersInGroup.AssetID
    Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
    Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
Where tblUsersInGroup.Groupname = 'administrators'
    And tblComputersystem.Domainrole > 1
    And tblAssetCustom.State = 1
Order By tblAssets.AssetName



Run it, type in your username you're looking for in the report filter column, deploy your one line Lansweeper deployment package that removes that user.

No scripting required, and you leverage Lansweeper to find exactly what your targets are (like, edit the above group with more criteria, say production servers only...), versus using scripting to scan everything and remove it if it finds it... which can be dangerous and accidentally remove the user from places where he/she needs to be.

jacob_bks
Champion Sweeper
And if that doesn't solve it... add the auditor's email address to the report that emails you when the user gets put back in the group 🙂

jacob_bks
Champion Sweeper
And then if I wanted to be awesome, I would edit the local admin membership report, SAVE AS, put a filter on it where user is na\username, then set the deployment package to rescan assets after deploying...

And set up the new report to be emailed to me so I know when that user pops back in the local admin group...

Then set up a schedule every 1 day or so, deploy the package to that report I just made... so in the future, if someone puts the user back in the local administrators group... Lansweeper will remove it 🙂

jacob_bks
Champion Sweeper
I use a deployment package, one step:
command > net localgroup administrators DOMAIN\UserName /delete

I then use a report that shows me local administrator group membership, filter by DOMAIN\Username that I am looking for, then deploy package to the results.

Sounds dumb, but it takes like 3 minutes and you're done.



jhartley
Engaged Sweeper II
jacob_bks wrote:
I use a deployment package, one step:
command > net localgroup administrators DOMAIN\UserName /delete

I then use a report that shows me local administrator group membership, filter by DOMAIN\Username that I am looking for, then deploy package to the results.

Sounds dumb, but it takes like 3 minutes and you're done.





How does the command know which username has local admin privileges?

bubba198
Engaged Sweeper II
jacob_bks wrote:
I use a deployment package, one step:
command > net localgroup administrators DOMAIN\UserName /delete



That's an awesome idea, thank you for sharing. Sweet and simple. I do have a follow-up question; I also suck at scripting. Is there a way to choose whether to deploy the package on-the-fly by using if...then inside the actual package script?

In other words, before executing the "meat" of it, being net localgroup administrators DOMAIN\UserName /delete, the first line would check whether DOMAIN\UserName is a member of the local group administrators, and only if YES would the "/delete" command run.

I know there's no harm in banging the /delete against a non-existent user, but I just thought it would be more elegant to check first, and only if the /delete needs to be carried out does the deployment continue; otherwise it just exits.
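A check-then-remove step of the kind bubba198 asks for, as an added example that is not part of the thread and not Lansweeper's own code. It assumes the deployment package runs a PowerShell step with local admin rights on the target, and uses the same DOMAIN\UserName placeholder as the rest of the thread; the function name Test-IsLocalAdmin is made up here.

```powershell
# Added example (not from the thread): check Administrators membership first,
# then run the removal only if the account is actually a member.
# $Target is a placeholder; substitute the DOMAIN\UserName you filtered on in the report.
$Target = 'DOMAIN\UserName'

function Test-IsLocalAdmin {
    param([string]$Account)
    try {
        # Preferred path: the LocalAccounts module (Windows PowerShell 5.1, PowerShell 7 on Windows).
        # Get-LocalGroupMember returns Name as DOMAIN\UserName for domain accounts.
        $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
        return [bool]($members | Where-Object { $_.Name -ieq $Account })
    }
    catch {
        # Fallback: parse 'net localgroup' output, which lists one member name per line.
        $lines = net localgroup administrators 2>$null
        return [bool]($lines | Where-Object { $_.Trim() -ieq $Account })
    }
}

if (Test-IsLocalAdmin -Account $Target) {
    # Same one-liner the thread uses, now only reached when there is something to remove.
    net localgroup administrators $Target /delete
    if ($LASTEXITCODE -ne 0) {
        Write-Output "Removal of $Target failed (exit code $LASTEXITCODE)"
        exit $LASTEXITCODE
    }
    Write-Output "Removed $Target from the local Administrators group"
}
else {
    Write-Output "$Target is not a member of Administrators; nothing to do"
}
exit 0
```

Both branches exit 0 so a "nothing to do" run is not reported as a failed deployment; the only non-zero exit is a removal that actually failed, which is the case you want to see in the deployment results. The fallback to parsing net localgroup is there because Get-LocalGroupMember can throw when the group contains an unresolvable SID.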

jacob_bks wrote:
I use a deployment package, one step:
command > net localgroup administrators DOMAIN\UserName /delete

I then use a report that shows me local administrator group membership, filter by DOMAIN\Username that I am looking for, then deploy package to the results.

Sounds dumb, but it takes like 3 minutes and you're done.





Hi Jacob,

I created a package like you mentioned above but when I run it against one of the machines it fails.

Result: Deployment ended: Incorrect function. Stop(Failure). Credential: (*******\*******). ShareCredential: (lansweeper). Command: net localgroup administrators DOMAIN\UserName /delete

Are DOMAIN and username variables that it should pick up when I run the package against a machine?

scarsysadmin
Engaged Sweeper III
Now's a good time to learn!

Or, use psexec and do it manually. Psexec has to be run from an account that is in the admin group.
psexec.exe \\Computername cmd.exe /K

View users in the group:
net localgroup administrators

Delete users from the group:
net localgroup administrators /delete Domain\username

warlock1663
Engaged Sweeper
I'm not that great at scripting though.