Windows Vista Tips

List users in local administrators group on remote machine

 
 
Nick
10-10-2008
Hi,

I am looking to manage all desktops on our network with regard to the local
administrators group. There are several things I am looking to accomplish:

1. list all users (domain and local) in local administrators group on
multiple remote computers
2. remove user from local administrators group on remote computer
3. add domain user account to local administrators group on remote
computer
4. remove local user account from remote computer
5. Report on current members of the local administrators group.

Any assistance you can provide would be greatly appreciated.
We have .Net software if that would be the best way to tackle this but I am
not sure which way to go.

Thanks!
Nick

 
Pegasus (MVP)
10-10-2008

"Nick" <> wrote in message
news:0E9F1D7C-E802-4E55-9935-...
> Hi,
>
> I am looking to manage all desktops on our network with regard to the
> local
> administrators group. There are several things I am looking to
> accomplish:
>
> 1. list all users (domain and local) in local administrators group on
> multiple remote computers
> 2. remove user from local administrators group on remote computer
> 3. add domain user account to local administrators group on remote
> computer
> 4. remove local user account from remote computer
> 5. Report on current members of the local administrators group.
>
> Any assistance you can provide would be greatly appreciated.
> We have .Net software if that would be the best way to tackle this but I
> am
> not sure which way to go.
>
> Thanks!
> Nick


You could do the whole lot with the inbuilt net.exe command:
1. net localgroup administrators
2. net localgroup administrators nick /delete
3. net localgroup administrators Domainname\nick /add
4. net user %ComputerName%\nick /delete
5. Same as 1. above.

To run the commands on a remote computer, put them into a batch file, then
invoke the batch file with psexec.exe (www.sysinternals.com) under your
domain admin account.


 
Richard Mueller [MVP]
10-10-2008
Nick wrote:

>
> I am looking to manage all desktops on our network with regard to the
> local
> administrators group. There are several things I am looking to
> accomplish:
>
> 1. list all users (domain and local) in local administrators group on
> multiple remote computers
> 2. remove user from local administrators group on remote computer
> 3. add domain user account to local administrators group on remote
> computer
> 4. remove local user account from remote computer
> 5. Report on current members of the local administrators group.
>
> Any assistance you can provide would be greatly appreciated.
> We have .Net software if that would be the best way to tackle this but I
> am
> not sure which way to go.


I have an example VBScript program that enumerates all members of local
Administrators group linked here:

http://www.rlmueller.net/Enumerate%20Local%20Group.htm

The program handles membership due to nested local and domain groups. In
VBScript you use the WinNT provider with local objects. To add and/or remove
users (or groups) from a local group use code similar to below. With the
steps that check for direct membership (does not reveal membership due to
group nesting), you may not need to enumerate membership:
=========
' Specify NetBIOS name of computer.
strComputer = "Test001"

' Specify NetBIOS name of domain.
strDomain = "MyDomain"

' Bind to local Administrators group on remote computer.
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")

' Add a local user to the group.
' Check first if they are already a direct member.
Set objLocalUser = GetObject("WinNT://" & strComputer & "/JimSmith,user")
If (objGroup.IsMember(objLocalUser.AdsPath) = False) Then
    objGroup.Add objLocalUser.AdsPath
End If

' Add a domain user to the group.
' Check first if they are already a direct member.
Set objDomainUser = GetObject("WinNT://" & strDomain & "/JimSmith,user")
If (objGroup.IsMember(objDomainUser.AdsPath) = False) Then
    objGroup.Add objDomainUser.AdsPath
End If

' Remove local user from group.
' Check first that they are a direct member.
Set objLocalUser = GetObject("WinNT://" & strComputer & "/RogerJones,user")
If (objGroup.IsMember(objLocalUser.AdsPath) = True) Then
    objGroup.Remove objLocalUser.AdsPath
End If

' Remove domain user from group.
Set objDomainUser = GetObject("WinNT://" & strDomain & "/RogerJones,user")
' Check first that they are a direct member.
If (objGroup.IsMember(objDomainUser.AdsPath) = True) Then
    objGroup.Remove objDomainUser.AdsPath
End If
==========
All of this can be done remotely, as long as your account is a member of the
local Administrators group. By default the group Domain Admins is a member
of the local Administrators group when the computer is joined to the domain.

You can read NetBIOS computer names from a text file and run code similar to
above in a loop. In brief:
=========
Const ForReading = 1
' Specify text file of NetBIOS names of computers.
strFile = "c:\Scripts\Computers.txt"

' Open file for read access.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(strFile, ForReading)

' Read names from file.
Do Until objFile.AtEndOfStream
    strComputer = Trim(objFile.ReadLine)
    ' Skip blank lines.
    If (strComputer <> "") Then
        ' Process this computer.
        ' ...
    End If
Loop

' Clean up.
objFile.Close
==========

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
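
Added example, not part of the original thread and not Richard Mueller's own code: one way to fill in the "Process this computer" step so that it covers items 1 and 5 of the question, writing the direct members of each machine's local Administrators group to a CSV report. The report path c:\Scripts\LocalAdmins.csv and the column layout are assumptions; membership through nested groups is not expanded, and a machine that cannot be reached is logged rather than stopping the run.

```vbscript
Option Explicit
Const ForReading = 1
Const ForWriting = 2

Dim objFSO, objIn, objOut, objGroup, objMember
Dim strComputer, strScope, strReportFile

' Report path is an assumption for this example; the input path is the one used above.
strReportFile = "c:\Scripts\LocalAdmins.csv"

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objIn = objFSO.OpenTextFile("c:\Scripts\Computers.txt", ForReading)
Set objOut = objFSO.OpenTextFile(strReportFile, ForWriting, True)
objOut.WriteLine "Computer,Member,Class,Scope"

Do Until objIn.AtEndOfStream
    strComputer = Trim(objIn.ReadLine)
    If (strComputer <> "") Then
        ' Trap the bind error (machine offline, access denied) so that
        ' one bad host is recorded in the report instead of ending the run.
        On Error Resume Next
        Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
        If (Err.Number <> 0) Then
            objOut.WriteLine strComputer & ",BIND FAILED 0x" & Hex(Err.Number) & ",,"
            Err.Clear
            On Error GoTo 0
        Else
            On Error GoTo 0
            For Each objMember In objGroup.Members
                ' A local account carries the computer name in its ADsPath
                ' (WinNT://MyDomain/Test001/JimSmith); a domain account does
                ' not (WinNT://MyDomain/JimSmith). Built-in principals also
                ' fall into the second bucket.
                If (InStr(1, objMember.AdsPath, "/" & strComputer & "/", vbTextCompare) > 0) Then
                    strScope = "Local"
                Else
                    strScope = "Domain or other"
                End If
                objOut.WriteLine strComputer & "," & objMember.Name & "," & _
                    objMember.Class & "," & strScope
            Next
        End If
    End If
Loop

objIn.Close
objOut.Close
```

Run it with cscript.exe under an account that is a member of the local Administrators group on the target machines; comparing successive reports shows which accounts were added or removed between runs.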


 
Nick
10-10-2008
Pegasus,

Thank you very much for your quick reply. I am new at this so can you give
me a short example of the command to use on remote machine with psexec.exe?
So if I understand I keep the PSEXEC.EXE on my machine and create a .bat file
and copy it to the remote machines and execute with PSEXEC.EXE.

Thanks,
Nick

"Pegasus (MVP)" wrote:

>
> "Nick" <> wrote in message
> news:0E9F1D7C-E802-4E55-9935-...
> > Hi,
> >
> > I am looking to manage all desktops on our network with regard to the
> > local
> > administrators group. There are several things I am looking to
> > accomplish:
> >
> > 1. list all users (domain and local) in local administrators group on
> > multiple remote computers
> > 2. remove user from local administrators group on remote computer
> > 3. add domain user account to local administrators group on remote
> > computer
> > 4. remove local user account from remote computer
> > 5. Report on current members of the local administrators group.
> >
> > Any assistance you can provide would be greatly appreciated.
> > We have .Net software if that would be the best way to tackle this but I
> > am
> > not sure which way to go.
> >
> > Thanks!
> > Nick

>
> You could do the whole lot with the inbuilt net.exe command:
> 1. net localgroup administrators
> 2. net localgroup administrators nick /delete
> 3. net localgroup administrators Domainname\nick /add
> 4. net user %ComputerName%\nick /delete
> 5. Same as 1. above.
>
> To run the commands on a remote computer, put them into a batch file, then
> invoke the batch file with psexec.exe (www.sysinternals.com) under your
> domain admin account.
>
>
>

 
Pegasus (MVP)
10-10-2008
Have a look at the output from "psexec.exe /?". It tells you everything you
need to know! Here is a simple example, taken straight from that screen. It
relies on you keeping your batch file in a central location, which is much
simpler than copying it to all machines.

psexec.exe \\SomePC -u DomainName\Nick -p NicksPassword \\YourServer\SomeShare\SomeFolder\YourBatchfile.bat

If you want psexec.exe to deal with several machines then you should have a
look at the "@file" parameter of psexec.exe.


"Nick" <> wrote in message
news:AF88B727-7B15-4C26-8A2E-...
> Pegasus,
>
> Thank you very much for your quick reply. I am new at this so can you
> give
> me a short example of the command to use on remote machine with
> psexec.exe?
> So if I understand I keep the PSEXEC.EXE on my machine and create a .bat
> file
> and copy it to the remote machines and execute with PSEXEC.EXE.
>
> Thanks,
> Nick
>
> "Pegasus (MVP)" wrote:
>
>>
>> "Nick" <> wrote in message
>> news:0E9F1D7C-E802-4E55-9935-...
>> > Hi,
>> >
>> > I am looking to manage all desktops on our network with regard to the
>> > local
>> > administrators group. There are several things I am looking to
>> > accomplish:
>> >
>> > 1. list all users (domain and local) in local administrators group on
>> > multiple remote computers
>> > 2. remove user from local administrators group on remote computer
>> > 3. add domain user account to local administrators group on remote
>> > computer
>> > 4. remove local user account from remote computer
>> > 5. Report on current members of the local administrators group.
>> >
>> > Any assistance you can provide would be greatly appreciated.
>> > We have .Net software if that would be the best way to tackle this but
>> > I
>> > am
>> > not sure which way to go.
>> >
>> > Thanks!
>> > Nick

>>
>> You could do the whole lot with the inbuilt net.exe command:
>> 1. net localgroup administrators
>> 2. net localgroup administrators nick /delete
>> 3. net localgroup administrators Domainname\nick /add
>> 4. net user %ComputerName%\nick /delete
>> 5. Same as 1. above.
>>
>> To run the commands on a remote computer, put them into a batch file,
>> then
>> invoke the batch file with psexec.exe (www.sysinternals.com) under your
>> domain admin account.
>>
>>
>>



 
Nick
10-10-2008
Thanks!!! That's great. I appreciate your help.

"Pegasus (MVP)" wrote:

> Have a look at the output from "psexec.exe /?". It tells you everything you
> need to know! Here is a simple example, taken straight from that screen. It
> relies on you keeping your batch file in a central location, which is much
> simpler than copying it to all machines.
>
> psexec.exe \\SomePC -u DomainName\Nick -p NicksPassword \\YourServer\SomeShare\SomeFolder\YourBatchfile.bat
>
> If you want psexec.exe to deal with several machines then you should have a
> look at the "@file" parameter of psexec.exe.
>
>
> "Nick" <> wrote in message
> news:AF88B727-7B15-4C26-8A2E-...
> > Pegasus,
> >
> > Thank you very much for your quick reply. I am new at this so can you
> > give
> > me a short example of the command to use on remote machine with
> > psexec.exe?
> > So if I understand I keep the PSEXEC.EXE on my machine and create a .bat
> > file
> > and copy it to the remote machines and execute with PSEXEC.EXE.
> >
> > Thanks,
> > Nick
> >
> > "Pegasus (MVP)" wrote:
> >
> >>
> >> "Nick" <> wrote in message
> >> news:0E9F1D7C-E802-4E55-9935-...
> >> > Hi,
> >> >
> >> > I am looking to manage all desktops on our network with regard to the
> >> > local
> >> > administrators group. There are several things I am looking to
> >> > accomplish:
> >> >
> >> > 1. list all users (domain and local) in local administrators group on
> >> > multiple remote computers
> >> > 2. remove user from local administrators group on remote computer
> >> > 3. add domain user account to local administrators group on remote
> >> > computer
> >> > 4. remove local user account from remote computer
> >> > 5. Report on current members of the local administrators group.
> >> >
> >> > Any assistance you can provide would be greatly appreciated.
> >> > We have .Net software if that would be the best way to tackle this but
> >> > I
> >> > am
> >> > not sure which way to go.
> >> >
> >> > Thanks!
> >> > Nick
> >>
> >> You could do the whole lot with the inbuilt net.exe command:
> >> 1. net localgroup administrators
> >> 2. net localgroup administrators nick /delete
> >> 3. net localgroup administrators Domainname\nick /add
> >> 4. net user %ComputerName%\nick /delete
> >> 5. Same as 1. above.
> >>
> >> To run the commands on a remote computer, put them into a batch file,
> >> then
> >> invoke the batch file with psexec.exe (www.sysinternals.com) under your
> >> domain admin account.
> >>
> >>
> >>

>
>
>

 