Remove admin rights from all users - BATCH FILE

Status
Not open for further replies.

nate2345

IS-IT--Management
Aug 9, 2004
84
US
Hi guys,

Is there a batch file that could be created at startup that would automatically remove all local admin rights from any user accounts except for the 2 that I specify?

And is there a way to secure a batch file so that no one can edit or view the batch file?

Thanks,
Nate
 
There is a way to do it, but I must ask, how many users would this entail? The reason I ask is it would probably be easier doing the removal of admin rights yourself, except the 2 accounts you want to remain as local admins.
 
I want to deploy this on all the computers we give out to our clients (who access our database remotely). Sometimes we find a client who was mistakenly given admin rights. So really there will only be one user with poweruser rights and 2 users with admin rights (one of them being the administrator account). So it's not something we can do manually.

Thanks,
nate
 
One way to do it would be to use a VBS script on each PC. Something along the following lines will do it.

Copy/paste the code into Notepad and save as something like demote-account.vbs.

Code:
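' Removes the "Windows Client" account from the local Administrators group, then reboots.
' Run as 'Administrator' or from an account with admin privileges.
Dim WSH, ThisPC, title, objWMIService, colOperatingSystems, objOperatingSystem
Set WSH = CreateObject("WScript.Shell")
ThisPC = "."              ' "." means the local computer
title = "Demote account"  ' popup caption; placeholder value, not defined in the snippet as posted
' The doubled quotes put literal quote marks around the account name, which contains a space.
WSH.Run "cmd /c NET LOCALGROUP Administrators " & """Windows Client""" & " /DELETE",2,False
WSH.Popup "Windows Client account has been removed from the Administrators group.",2, title
WSH.Popup "Re-booting the PC so changes take effect. Please wait...",2, title
' Connect to WMI with the Shutdown privilege, which Reboot() requires.
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Shutdown)}!\\" & ThisPC & "\root\cimv2")
Set colOperatingSystems = objWMIService.ExecQuery _
    ("Select * from Win32_OperatingSystem")
For Each objOperatingSystem in colOperatingSystems
    objOperatingSystem.Reboot()
Next
Set WSH = Nothing
Set objWMIService = Nothing
Set colOperatingSystems = Nothing
WScript.Quit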

When the script is run (as 'Administrator' or from an account with admin privileges), the WSH.Run command removes the 'Windows Client' account from the 'Administrators' group and the WMI code re-boots the PC so the changes take effect.

You can reduce the number of quote marks in the WSH.Run line if the account does not include a space in the account name.

So, for example, if the first account you wanted to remove from the 'Administrators' group was called 'Windows User' and the second account was called 'XPClient' then you would add another line under the first WSH.Run line that would read:

Code:
WSH.Run "cmd /c NET LOCALGROUP Administrators " & "XPClient" & " /DELETE",2,False

PS - I haven't tested the code above (because it's just been snipped from a much longer script we use to individualize PCs after cloning with Ghost) but you get the idea.

Hope this helps...
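
The original question asked for every account except two to lose admin rights, rather than one named account. The following is an added example, not part of the original post and not the poster's script: a PowerShell sketch (5.1 or later, LocalAccounts cmdlets) that enumerates the local Administrators group and removes everything outside an allowlist. The account name `SupportAdmin` and the `-Apply` switch are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: strip every member of the local Administrators group except
# the built-in Administrator and an allowlist of local accounts.
param(
    [string[]]$KeepLocal = @('SupportAdmin'),  # hypothetical second admin account
    [switch]$Apply                             # without -Apply nothing is changed
)

# Abort on any error (for instance a misspelled allowlist name) before removing anything.
$ErrorActionPreference = 'Stop'

# Well-known SID of the Administrators group; the group name itself is localized.
$adminGroupSid = 'S-1-5-32-544'

# The built-in Administrator always has RID 500, even if it has been renamed.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

# Resolve the allowlist to SIDs of local accounts, so a same-named domain
# account can never match it.
$keepSids = @($builtin.SID.Value)
foreach ($name in $KeepLocal) {
    $keepSids += (Get-LocalUser -Name $name).SID.Value
}

# Everything in the group that is not on the allowlist: local users,
# domain users and groups alike.
$toRemove = @(Get-LocalGroupMember -SID $adminGroupSid |
    Where-Object { $_.SID.Value -notin $keepSids })

foreach ($member in $toRemove) {
    Write-Output "Not on allowlist: $($member.Name) ($($member.SID.Value))"
    # -WhatIf stays on unless -Apply was passed, so the default run is a dry run.
    Remove-LocalGroupMember -SID $adminGroupSid -Member $member -WhatIf:(-not $Apply)
}

Write-Output "$($toRemove.Count) member(s) outside the allowlist."
```

On a domain-joined machine this also removes groups such as Domain Admins from the local Administrators group, so review the dry-run output before running with `-Apply`.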
 
How did you plan on getting the script/bat on the PCs if this is something you can't do manually?
 
tfg13,

We have dialup and broadband connections to these PCs. I'm going to go through Rick998's script. Do you have any suggestions for a batch file?

Thanks,
Nate
 
I would suggest going the VBS route, as they are much more powerful, and don't require a VM to be created (less processor intensive).
 