
Removing Users From Local Admin Group


DougInCanada

Technical User
Feb 1, 2004
I was able to setup a script to remove local users from the local Admin group on a given computer. My problem now is that some DOMAIN users have been added to the local Admin group on some computers.

My code is as follows:
Code:
dim UName, CName, Sh, Env, Net, fso, textfile

on error resume next

Set fso = WScript.CreateObject("Scripting.FileSystemObject")
set textfile = fso.CreateTextFile ("C:\update\update.log",2,true)

Set Sh = WScript.CreateObject("Wscript.Shell")
Set Env = Sh.Environment("SYSTEM")
If Env("USERNAME")="" then
Set Net=WScript.CreateObject("Wscript.Network")
UName = Net.UserName
CName = Net.ComputerName
Else
UName = Env("USERNAME")
CName = Env("COMPUTER")
End If

strComputer = "."

Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
For Each mem In objGroup.Members
	if mem.name = uname then
		textfile.WriteLine mem.name & " is a member of the " & objgroup.name & " group." & vbcrlf
		Set objUser = GetObject("WinNT://" & CName & "/" & UName & ",user")
		objGroup.Remove(objUser.ADsPath)
		objGroup.SetInfo
	end if
Next
textfile.WriteBlankLines(1)

Set objUser = GetObject("WinNT://" & strComputer & "/Administrator,user")
objUser.SetPassword "<New Password Here>"
objUser.SetInfo
textfile.WriteLine "Password reset was successful." & vbcrlf
textfile.close

set textfile = nothing
set Sh = nothing
When the script runs, it needs to enumerate the members (users) of the local Admin group, but differentiate between DOMAIN/username and username (the local user account). The same username could be set up both locally and assigned to the Admins group, as well as the domain username simply assigned to the local Admin group. Both usernames would appear in the Local Administrators group with the domain username appearing as DOMAIN/username. When I wscript.echo the members, the username appears twice, but it only removes the local username, not the DOMAIN username. Or is there any way to match the Domain and the username when checking each member (i.e. mem.name = "DOMAINX" & UName)?

Is there a way to determine if the current user is logged on locally or to a domain?

Any help on this would be greatly appreciated.

Doug
 
One-liner would be something like this.
Code:
if split(mem.name,"/")(ubound(split(mem.name,"/"))) = uname then
or
Code:
' take everything after the last "/" (Right needs a character count, not a position)
if right(mem.name, len(mem.name) - instrrev(mem.name,"/")) = uname then
 
Thanks for the response, Tsuji.

My problem is that VB Script does not seem to be able to tell the difference between a member of the administrators group who exists only on the local machine and a member who also is a member of the domain.

When viewing the users in the local Admin group in Windows, the difference is visible:

DOMAINx/USERy
USERy


But when vbscript checks each member and I ask for an echo of each member, only the username USERy appears 2 times. You cannot see the domain in the NAME property of the member object.

That is why I'm trying to determine if there is a way to check if a computer is logged onto a domain. Not to determine the domain name (since I don't think that would be possible, for security reasons), but if I provide the domain name, can vbscript see if the computer or current user has logged onto the domain or only the local machine.

It seems like vbscript is unaware that a domain name and a local name are different.
 
I don't know... can you not always check for the existence of the separator "/" to make the distinction?
 
IADsGroup::Members
Description,,Returns an array of strings representing the members of the c...blaablaa

how about

Wscript.Echo mem.AdsPath

, this will give you the domain info you require
 
if you like you can then bind to the user account using the AdsPath and then try something like

Code:
Set User = GetObject(mem.AdsPath)   ' bind to the member via its full WinNT path
Flags = User.Get("UserFlags")
If (Flags And &H100) <> 0 Then
    'Local Account
Else
    'Global Account
End If

that is all i know for now about local global ...for now ;-)
 
Well, that seems to enumerate all users in the Admin group great, with their full paths (i.e. "WINNT://domainY/userX"). That's definitely a step in the right direction. Of course, a lot of local users only show up as SIDs (i.e. "S-1-5-21-2..."), probably since they do not have AD accounts, they are only local accounts. This is not a problem.

But when I try the script:
Code:
dim UName, CName, Sh, Env, Net, fso, textfile

'on error resume next

Set fso = WScript.CreateObject("Scripting.FileSystemObject")
set textfile = fso.CreateTextFile ("C:\update\SU31032005.R1D",2,true)

Set Sh = WScript.CreateObject("Wscript.Shell")
Set Env = Sh.Environment("SYSTEM")
If Env("USERNAME")="" then
Set Net=WScript.CreateObject("Wscript.Network")
UName = Net.UserName
CName = Net.ComputerName
Else
UName = Env("USERNAME")
CName = Env("COMPUTER")
End If

strComputer = "."

Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
For Each mem In objGroup.Members
	if mem.name = uname then
		textfile.WriteLine mem.name & " is a member of the " & objgroup.name & " group." & vbcrlf
		Set objUser = GetObject(mem.adspath & mem.name & ",user")
		objGroup.Remove(objUser.ADsPath)
		objGroup.SetInfo
	end if
Next
textfile.close

set textfile = nothing
set Sh = nothing
set Env = nothing
set objUser = nothing
set colGroups = nothing
set Net = nothing

wscript.quit
I get the error "The user name could not be found" on this line:
Code:
		Set objUser = GetObject(mem.adspath & mem.name & ",user")
I only want to remove the user from the local admin group, which the current user obviously has privileges for because he's a member. However, the user does not have domain admin privileges. Would this affect their ability to access the AD Path, causing this error message?
 
But it sounds to me you want to do a simple task and you use a grand detour to sophistication! I have no opinion, just so saying lightly...
 
I thought the issue was determining local or domain group due to mem.name only showing the username so a text comparison of mem.AdsPath against ComputerName or domainname should do just fine...

I think I have provided the required information?

Code:
' compare the part of the path after "WinNT://" with <machine>/<user>
If Mid(mem.AdsPath, Len("WinNT://") + 1) = MachineName & "/" & Username Then

my second post on Local/Global determination was just an aside for those interested.

 
anyway perhaps things would be clearer with the reverse of the approach? (seeing as you are talking about local users)

Code:
Set Computer = GetObject("WinNT://.")
Set Group = GetObject("WinNT://./Administrators,group")
Computer.Filter = Array("user")   ' enumerate only the local user accounts
For Each aUser In Computer
    If Group.IsMember(aUser.AdsPath) Then
        Group.Remove(aUser.AdsPath)
    End If
Next
 
you don't need

Set objUser = GetObject(mem.adspath & mem.name & ",user")

you want

Set objUser = GetObject(mem.adspath & ",user")
 
This script now works for domain users, thanks to mrmovie's sharp eye for detail (removed the mem.name from the Set objUser).

However, I still need to determine if the current user has authenticated to a domain or just the local machine. Is there any way to find out, either through vbscript or WMI, which authentication method has been used?
 
Can you detail this process a little bit? I'm not quite sure how I would go about that...
 
if a user logs on when his machine is off the network then he will logon with cached credentials. as a result the %logonserver% environment variable is not set to a domaincontroller it is set to the name of the local machine. so...

Code:
Set WshShell = CreateObject("WScript.Shell")
' %logonserver% comes back as "\\NAME"; drop the two backslashes before comparing
If Mid(WshShell.ExpandEnvironmentStrings("%logonserver%"), 3) = WshShell.ExpandEnvironmentStrings("%computername%") Then
    Wscript.Echo "user was authenticated by local machine"
End If
 
Got it! Didn't realize that %LogOnServer% was referring to EnvironmentSettings.

mrmovie, you've been a tremendous help. Once I have a QA'ed version of the script, I'll post it to hopefully help others and award you one very large star!

Thanks again.

Doug
 
Well, I've run it through its paces and this script works great. The challenge was removing users in the admin group even if the username granted admin rights was identical for both a local account and a domain account (i.e. MachineName/UserX or DomainY/UserX).

It checks if the user is logged on locally or authenticated by a DC, then checks the admin group for that instance. Works great and I hope it helps someone else.

PS: I also had it reset the local admin password if that user before removing that user from the admin group.

Code:
dim UName, CName, Sh, Env, Net, fso, textfile, NetCheck, SvrCheck, SvrName

'on error resume next

Set fso = WScript.CreateObject("Scripting.FileSystemObject")
set textfile = fso.CreateTextFile ("C:\update\update.log",2,true)
Set Sh = WScript.CreateObject("Wscript.Shell")
NetCheck = false

SvrName = Sh.ExpandEnvironmentStrings("%logonserver%")
SvrCheck = Right(SvrName, Len(svrName) -  2)

If SvrCheck = Sh.ExpandEnvironmentStrings("%computername%") Then
	NetCheck = false
else
	NetCheck = true
End If

Set Env = Sh.Environment("SYSTEM")
If Env("USERNAME")="" then
Set Net=WScript.CreateObject("Wscript.Network")
UName = Net.UserName
CName = Net.ComputerName
Else
UName = Env("USERNAME")
CName = Env("COMPUTER")
End If
strComputer = "."

if NetCheck = true then
	textfile.WriteLine netcheck & ": The user is logged onto the network"
	Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
	For Each mem In objGroup.Members
		textfile.WriteLine mem.AdsPath
		if mem.name = uname then
			Set objUser = GetObject("WinNT://" & strComputer & "/Administrator,user")
			objUser.SetPassword "<New Password Here>"
			objUser.SetInfo
			textfile.WriteLine "Local Admin password reset was successful." & vbcrlf
			textfile.WriteLine mem.name & " is a member of the " & objgroup.name & " group."
			Set objUser = GetObject(mem.adspath & ",user")
			objGroup.Remove(objUser.ADsPath)
			objGroup.SetInfo
			textfile.WriteLine mem.name & " was removed from the " & objgroup.name & " group."
		end if
	Next
end if
if netcheck = false then
	textfile.WriteLine netcheck & ": The user is logged on locally"
	Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
	Set objUser = GetObject("WinNT://" & strComputer & "/Administrator,user")
	objUser.SetPassword "<New Password Here>"
	objUser.SetInfo
	textfile.WriteLine "Local Admin password reset was successful." & vbcrlf
	For Each mem In objGroup.Members
		textfile.WriteLine mem.AdsPath
		if mem.adspath = "WinNT://" & CName & "/" & UName then
				textfile.WriteLine mem.name & " is a member of the " & objgroup.name & " group."
				Set objUser = GetObject(mem.adspath & ",user")
				objGroup.Remove(objUser.ADsPath)
				objGroup.SetInfo
				textfile.WriteLine mem.name & " was removed from the " & objgroup.name & " group."
		end if
	Next
end if

textfile.close

set textfile = nothing
set Sh = nothing
set Env = nothing
set objUser = nothing
set colGroups = nothing
set Net = nothing
wscript.quit

Thanks again, MrMovie!
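An added audit script (not from the thread or any of its posters) that combines mrmovie's two checks, classifying each Administrators member from its WinNT ADsPath and comparing %LOGONSERVER% with the computer name, and logs every member before it removes anything; the RemoveIt flag and the MemberKind function are names assumed here.

```vbscript
' Added example: audit the local Administrators group, classify each member from its
' WinNT ADsPath and touch only the account the current logon actually used. Dry run by default.
Option Explicit
Dim Sh, Net, Grp, Mem, Kind, Target, RemoveIt, SvrName
RemoveIt = False   ' assumed flag: True removes, False only logs what would happen
Set Sh  = CreateObject("WScript.Shell")
Set Net = CreateObject("WScript.Network")

' Path format is WinNT://<AUTHORITY>/<name>: AUTHORITY is the machine for local accounts
' and the domain for domain accounts; unresolvable SIDs show up as a bare S-1-5-... name.
Function MemberKind(path, name)
    Dim parts
    If Left(name, 4) = "S-1-" Then
        MemberKind = "orphaned-sid"
        Exit Function
    End If
    parts = Split(Mid(path, Len("WinNT://") + 1), "/")
    If UBound(parts) < 1 Then
        MemberKind = "unknown"
    ElseIf UCase(parts(0)) = UCase(Net.ComputerName) Then
        MemberKind = "local"
    Else
        MemberKind = "domain"
    End If
End Function

' Cached/local logon: LOGONSERVER is "\\<computername>"; domain logon: "\\<DC name>".
SvrName = Mid(Sh.ExpandEnvironmentStrings("%LOGONSERVER%"), 3)
If UCase(SvrName) = UCase(Net.ComputerName) Then
    Target = "local"
Else
    Target = "domain"
End If
WScript.Echo "Logon type for " & Net.UserName & ": " & Target

Set Grp = GetObject("WinNT://./Administrators,group")
For Each Mem In Grp.Members
    Kind = MemberKind(Mem.ADsPath, Mem.Name)
    WScript.Echo Kind & vbTab & Mem.ADsPath
    ' Only the entry matching both the username and the logon type is a candidate.
    If Kind = Target And UCase(Mem.Name) = UCase(Net.UserName) Then
        If RemoveIt Then
            Grp.Remove Mem.ADsPath
            WScript.Echo "removed " & Mem.ADsPath
        Else
            WScript.Echo "would remove " & Mem.ADsPath & " (dry run)"
        End If
    End If
Next
```

Run it once with RemoveIt left at False to review the classified member list (and any orphaned SIDs, which are usually worth cleaning up separately) before letting it change group membership.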
 