How Can I Remove a Group from the Local Administrators Group?


Hey, Scripting Guy! Question

Hey, Scripting Guy! How can I remove a group from the local Administrators group?

-- SB

Hey, Scripting Guy! Answer

Hey, SB. One of the Scripting Guys has very vague memories of an old TV show called Branded, in which the hero (played by Chuck Connors) was accused of cowardice and then dishonorably discharged from the US Cavalry. About all the Scripting Guy remembers from the show is the opening, where they tear the insignias off the guy’s uniform, break his sword in half, and then make him march out of the fort in shame.

Why do we bring that up? No real reason; we just thought it would be cool if similar ceremonies were held any time a user or group was removed from the local Administrators group. Until such time, however, you can remove a group (in this case, an Active Directory group) from the local Administrators group by using a script similar to this one:

' Computer whose local Administrators group is being edited
strComputer = "atl-fs-01"

' Bind to the local Administrators group, then to the domain group to remove
Set objAdmins = GetObject("WinNT://" & strComputer & "/Administrators")
Set objGroup = GetObject("WinNT://fabrikam/finance")

' Remove the domain group from local Administrators, identified by its ADsPath
objAdmins.Remove(objGroup.ADsPath)

Yes, it’s very simple, isn’t it? The script begins by assigning the name of the computer (in this case, atl-fs-01) to a variable named strComputer. We then use this line of code to bind to the local Administrators group on that computer:

Set objAdmins = GetObject("WinNT://" & strComputer & "/Administrators")

Once we have an object reference to the Administrators group, our next task is to create a second object reference, this one to the group to be removed. That’s what we do here:

Set objGroup = GetObject("WinNT://fabrikam/finance")

Notice that we’re using the old-fashioned, Windows NT-style naming convention when referencing the group account: fabrikam/finance. Why? That’s easy: to work with local users and groups, we have to use the WinNT provider. The WinNT provider doesn’t understand Active Directory lingo; it can’t make heads-or-tails out of an object path like this:

cn=Finance Users, ou=Finance, dc=fabrikam, dc=com

Therefore, we have to fall back to the old school account name: domain name/logon name. But that’s OK: fortunately, Active Directory understands this naming convention, too. When we request the account fabrikam/finance, Active Directory knows exactly what we’re talking about.

Note. This question has come up before, but it’s worth repeating: yes, you can access objects in Active Directory using the WinNT provider. And, yes, it’s true that the object path is much simpler. But don’t be tempted: use the WinNT provider only when you absolutely have to. Why? Well, for example, when it comes to user accounts the LDAP provider typically used when working with Active Directory supports over 200 properties; the WinNT provider supports only about 20 or so. The LDAP provider is much more powerful and much more useful.

Once we have an object reference to the group all we have to do is call the Remove method to remove that group from the local Administrators group:

objAdmins.Remove(objGroup.ADsPath)

We still think it’d be cooler to tear someone’s pocket protector off their shirt and then break their stapler over our knee, but this will work.

Of course, the group you want to remove might not be an Active Directory group, it might be a local group. Is that going to be a problem? No; in fact, it’s a tiny bit easier. Just bind directly to the group account on the local machine and have at it:

' Computer whose local Administrators group is being edited
strComputer = "atl-fs-01"

' Bind to the local Administrators group, then to the local group to remove.
' A local group must be qualified with the computer name (and, to avoid ambiguity
' with a local user of the same name, the ",group" class hint); a bare
' "WinNT://finance" would be treated as a domain or computer named finance.
Set objAdmins = GetObject("WinNT://" & strComputer & "/Administrators")
Set objGroup = GetObject("WinNT://" & strComputer & "/finance,group")

' Remove the local group from local Administrators, identified by its ADsPath
objAdmins.Remove(objGroup.ADsPath)

Incidentally, the process used to remove a group from another group is the exact same process used to remove a user from a group: you bind to the target group (in this case, the local Administrators group), you bind to the object to be removed (either a group or a user, it doesn’t matter), and then you call the Remove method, passing as the sole parameter the ADsPath of the account to be removed.
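The same bind-bind-Remove procedure carried out from PowerShell, as an added example that is not part of the original column. It uses the same ADSI WinNT provider the script above uses, but checks the current membership first so the script is safe to re-run, and re-reads the membership afterwards so a deployment job can tell whether the change actually took effect. The computer name, domain and group names are the placeholders from the post; the function name Get-AdminMemberPath is an assumption of this example.

```powershell
# Added example (not from the original post): remove a domain or local group from
# the local Administrators group through the ADSI WinNT provider, then verify it.
# Placeholders: atl-fs-01, fabrikam, finance (same as the post).
param(
    [string]$ComputerName = 'atl-fs-01',
    # Domain group to remove; for a local group use "WinNT://$ComputerName/finance,group"
    [string]$MemberPath   = 'WinNT://fabrikam/finance'
)

# Bind to the target group: the local Administrators group on $ComputerName.
$admins = [ADSI]"WinNT://$ComputerName/Administrators,group"

function Get-AdminMemberPath {
    # Enumerate current members via IADsGroup::Members and return each ADsPath.
    # (Members() is a COM call, hence psbase.Invoke rather than a plain method call.)
    $admins.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

# Check before acting: -notcontains compares strings case-insensitively, which
# matters because the provider may report the domain part in upper case.
$before = @(Get-AdminMemberPath)
if ($before -notcontains $MemberPath) {
    Write-Output "$MemberPath is not a member of Administrators on $ComputerName; nothing to do."
    return
}

# Same call as the VBScript: IADsGroup::Remove takes the ADsPath of the member.
$admins.psbase.Invoke('Remove', $MemberPath)

# Re-read the membership so a non-zero exit reaches whatever pushed this script out.
$after = @(Get-AdminMemberPath)
if ($after -contains $MemberPath) {
    throw "Removal of $MemberPath from Administrators on $ComputerName did not take effect."
}

Write-Output "Removed $MemberPath from Administrators on $ComputerName. Remaining members:"
$after
```

Run it elevated on the machine itself (or against a remote computer name, as the WinNT provider allows); the post-removal check is what turns a fire-and-forget deployment into something you can audit. On Windows 10 / Server 2016 and later the built-in Get-LocalGroupMember and Remove-LocalGroupMember cmdlets do the same job without touching ADSI directly, but the verify-after-change pattern applies equally to them.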

  • Say I make this script for a company that has about 600+ PCs and I alter it a bit so it removes an Active Directory group from Local Admins and then adds a different group. I make a job in, let's say, "Altiris" or something along those lines that pushes it out to all my PCs at once. Is there a way to validate that all the PCs ran the script correctly?

  • thank you