List users in local administrators group on remote machine

Discussion in 'Scripting' started by Nick, Oct 10, 2008.

  1. Nick

    Nick Guest


    I am looking to manage all desktops on our network with regard to the local
    administrators group. There are several things I am looking to accomplish:

    1. list all users (domain and local) in local administrators group on
    multiple remote computers
    2. remove user from local administrators group on remote computer
    3. add domain user account to local administrators group on remote
    4. remove local user account from remote computer
    5. Report on current members of the local administrators group.

    Any assistance you can provide would be greatly appreciated.
    We have .Net software if that would be the best way to tackle this but I am
    not sure which way to go.

    Nick, Oct 10, 2008
    1. Advertisements

  2. You could do the whole lot with the inbuilt net.exe command:
    1. net localgroup administrators
    2. net localgroup administrators nick /delete
    3. net localgroup administrators Domainname\nick /add
    4. net user %ComputerName%\nick /delete
    5. Same as 1. above.

    To run the commands on a remote computer, put them into a batch file, then
    invoke the batch file with psexec.exe ( under your
    domain admin account.
    Pegasus \(MVP\), Oct 10, 2008
    1. Advertisements

  3. I have an example VBScript program that enumerates all members of local
    Administrators group linked here: Local Group.htm

    The program handles membership due to nested local and domain groups. In
    VBScript you use the WinNT provider with local objects. To add and/or remove
    users (or groups) from a local group use code similar to below. With the
    steps that check for direct membership (does not reveal membership due to
    group nesting), you may not need to enumerate membership:
    ' Specify NetBIOS name of computer.
    strComputer = "Test001"

    ' Specify NetBIOS name of domain.
    strDomain = "MyDomain"

    ' Bind to local Administrators group on remove computer.
    Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")

    ' Add a local user to the group.
    ' Check first if they are already a direct member.
    Set objLocalUser = GetObject("WinNT://" & strComputer" & "/JimSmith,user")
    If (objGroup.IsMember(objLocalUser.AdsPath) = False) Then
    objGroup.Add objLocalUser.AdsPath
    End If

    ' Add a domain user to the group.
    ' Check first if they are already a direct member.
    Set objDomainUser = GetObject("WinNT://" & strDomain & "/JimSmith,user")
    If objGroup.IsMember(objDomainUser.AdsPath) = False) Then
    objGroup.Add objDomainUser.AdsPath
    End If

    ' Remove local user from group.
    ' Check first that they are a direct member.
    Set objLocalUser = GetObject("WinNT://" & strComputer" & "/RogerJones,user")
    If (objGroup.IsMember(objLocalUser.AdsPath) = True) Then
    objGroup.Remove objLocalUser.AdsPath
    End If

    ' Remove domain user from group.
    Set objDomainUser = GetObject("WinNT://" & strDomain & "/RogerJones,user")
    ' Check first that they are a direct member.
    If objGroup.IsMember(objDomainUser.AdsPath) = True) Then
    objGroup.Remove objDomainUser.AdsPath
    End If
    All of this can be one remotely, as long as your account is a member of the
    local Administrators group. By default the group Domain Admins is a member
    of the local Adminstrators group when the computer is joined to the domain.

    You can read NetBIOS computer names from a text file and code similar to
    above in a loop. In brief:
    Const ForReading = 1
    ' Specify text file of NetBIOS names of computers.
    strFile = "c:\Scripts\Computers.txt"

    ' Open file for read access.
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objFile = objFSO.OpenTextFile(strFile, ForReading)

    ' Read names from file.
    Do Until objFile.AtEndOfStream
    strComputer = Trim(objFile.ReadLine)
    ' Skip blank lines.
    If (strComputer <> "") Then
    ' Process this computer.
    ' ...
    End If

    ' Clean up.
    Richard Mueller [MVP], Oct 10, 2008
  4. Nick

    Nick Guest


    Thank you very much for your quick reply. I am new at this so can you give
    me a short example of the command to use on remote machine with psexec.exe?
    So if I understand I keep the PSEXEC.EXE on my machine and create a .bat file
    and copy it to the remote machines and execute with PSEXEC.EXE.

    Nick, Oct 10, 2008
  5. Have a look at the ouput from "psexec.exe /?". It tells you everything you
    need to know! Here is a simple example, taken straight from that screen. It
    relies on you keeping your batch file in a central location, which is much
    simpler than copying it to all machines.

    psexe.exe \\SomePC -u DomainName\Nick -p NicksPassword

    If you want psexec.exe to deal with several machines then you should have a
    look at the "@file" parameter of psexec.exe.
    Pegasus \(MVP\), Oct 10, 2008
  6. Nick

    Nick Guest

    Thanks!!! That's great. I appreciate your help.
    Nick, Oct 10, 2008
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.