Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Andrzejek on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

vbscript to remove domain group out of local "Administrators" group.

Status
Not open for further replies.
0LaoyanG0

0LaoyanG0

MIS
Nov 12, 2002
25
US
Here's my situation. I have a script that works great to remove the "Domain Admins" from my server.
What's the problem you wonder.....
It works great as long as you are logged onto the domain.
My problem is that when I join the domain, I want to immediately delete the "Domain Admins" group from the local "Administrators" group.

Here's the script...

Call RemoveDomainGroupFromLocalGroup("Domain Admins","Administrators")
MsgBox "Done!"
Sub RemoveDomainGroupFromLocalGroup(varDomainGroupName,varLocalGrouName)
Set oWshNet = CreateObject("WScript.Network")

'get computer name
strComputer = oWshNet.ComputerName

'sets string for local computer group
Set objGroup = GetObject("WinNT://" & strComputer & "/" & varLocalGrouName)

'Bind to the Domain Group in the local system you want to remove.
Set objUser = GetObject("WinNT://DomainName/" & varDomainGroupName)

'ignore errors that will result if group is not there
On Error Resume Next
'MsgBox objUser.ADsPath
objGroup.Remove(objUser.ADsPath)
On Error Goto 0

Set oWshNet = Nothing
Set objGroup = Nothing
Set objUser = Nothing
End Sub

Now what I want to do is, after I join the domain, I want to just run the script to delete the "Domain Admins" group. When I run the script I get the error on the following line:
Set objUser = GetObject("WinNT://DomainName/" & varDomainGroupName)

I can't remember offhand but it said it couldn't find the local machine.

If you are going to replicate this, build a server 2003 box, join a domain, DO NOT REBOOT!!!, and run the script.

Any help on this would be greatly appreciated. For a lame workaround I am opening the MMC to prompt to delete through the GUI. I know, lame because real men don't click!
 
Sort by date Sort by votes
can you not just use a gpo and utilise the restricted groups.

if you enable these then it removes the doamin admins unless you add them
 
Upvote 0 Downvote
I am interested to understand why you would remove Domain Admins from being able to manage domain computers. Seems like IT Suicide to me.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

bdwilcox
  • Locked
  • Question
Trying to adapt VBScript to search if machine is in an AD group 6
Replies
8
Views
925
SoftwareRT
SoftwareRT
Alexvb6
  • Locked
  • Question
Deprecation of VBScript + Classic ASP: How to Ask Microsoft to cancel their planned craziness
Replies
0
Views
249
Alexvb6
Alexvb6
K
  • Locked
  • Question
VBSCRIPT dont work windows 11 23h2 ???
Replies
2
Views
394
SoftwareRT
SoftwareRT
paullem
  • Locked
  • Question
vbscript to read properties of JPEG file
Replies
4
Views
391
paullem
paullem
bdwilcox
  • Locked
  • Question
HTA fails with Syntax Error when working VBScript inserted
Replies
2
Views
293
bdwilcox
bdwilcox

Part and Inventory Search

Sponsor

Back
Top