Remove a User from the Local Admin Group

[DougInCanada]

I am trying to create a vbscript to perform the following:

- Get the current user's logon name

- Determine if that user is a member of the local administrator group

- delete that username from the local administrator group.

This is needed because we have over 100 field users who have laptops, but do not have computer accounts in AD, so the script must be downloaded via our intranet and run locally.

Here's what I have so far:


Set Sh = WScript.CreateObject("Wscript.Shell)
' For non-networked users
Set Env = Sh.Environment("SYSTEM&quot
' For networked users
If Env("USERNAME&quot="" then
Set Net = WScript.CreateObject("Wscript.Network&quot
CurrentUser = Net.UserName
Else
CurrentUser = Env("USERNAME&quot
End If
' If the current user is the Local Administrator
If CurrentUser = "Administrator" then
Wscript.Echo "You are a local Administrator!"
' Can't remove administrator from the Built-in Group
Else
strComputer = "."
' Designate the local computer
Set colGroups = GetObject(WinNT://" & strComputer & "&quot
colGroups.Filter = Array("group&quot
For Each objGroup in colGroups
For Each objUser in objGroups.Members
If objUser.Name = CurrentUser then
' The script works great up to this point...
If objGroup.Name = "Administrators" then
Set objGroup = GetObject("WinNT://" & strComputer & "Administrators, Group&quot
Set objUser = GetObject("WinNT://" & strComputer & "/" & CurrentUser & ", user&quot
objGroup.Remove(objUser.ADsPath)
Wscript.Echo "You have been removed from the Local Administrators Group!"
End If
End If
Next
Next
End if

When I try the script, it dies on objGroup.Remove(objUser.ADsPath)...

I’ve seen many references to ‘Remove’ as the most common method of removing a user from a group but I can’t get it to work. Can someone help me with this ?

 

[mrmovie]

do you have to do a

objGroup.SetInfo?

 

[DougInCanada]

objGroup.SetInfo would appear after objGroup.Remove...

Is that the right location?

The error message still persists, however, stating that a binding error has occurred...


Could this binding error happen as a result of confusion over the CurrentUser string?

When looking in the group members of the local Admin group, any domain users who have been added to the local admin group are designated as such (ie: DOMAINNAME\CurrentUser ).

While the script will recognize CurrentUser to determine who the members of the group are, when removing the group, do I have to designate the string as above, not just the name?

 

[mrmovie]

oh i think you are right it might be your strComputer that is the issue.

you are trying to bind to a user object. the user object in question is the one in AD. so, for your
Set objUser = GetObject("winnnt://" & strComputer...
instead you should be specifying the strDomain surely???


but yes the setinfo should come after you have finished the write operations, but i am not sureit is really needed in this case

 

[mrmovie]

sorry i have done what you are trying before and forgot, the following works

strComputername = WshShell.ExpandEnvironmentStrings ("%COMPUTERNAME%&quot

Set objAdminGroup = GetObject("WinNT://" & strComputername& "/Administrators,group&quot
Set objUser = GetObject("WinNT://DomainX/UserY,user&quot

' remove the user to the local admin group
objAdminGroup.Remove(objUser.ADsPath)

so your problem was that you werent specifying the domain name for the user, sorry i should have spotted it earlier, you dont need setinfo btw

 

[mrmovie]

ps give me a job in canada ;-)