| | #1 (permalink) |
Remove user from administrators group

I have this script

```powershell
$compName = hostname
$computer = [ADSI]("WinNT://" + $compName + ",computer")

$Group = $computer.psbase.children.find("administrators")


$members = $Group.psbase.invoke("Members") | %{$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}
foreach ($username in $members)
{
    if(!(($username -match "Administrator") -or ($username -match "Domain Admins") -or ($username -match "vadmin") -or ($username -match "LocAdmin")))
    {
        $Group.Remove("WinNT://" + "domainName" + "/" + $username)
    }
}
```

That should remove any user that isn't "administrator", "domain admins", "vadmin" or "LocAdmin" from the administrators group on a vista machine.

If I add user1 to the administrators group and run the script as "vadmin" it runs fine and removes the user from the group. However if I add user1 to the administrators group and run it as user1 I get:

```
Exception calling "Remove" with "1" argument(s): "General access denied error
"
At C:\Temp\logoutScript.PS1:12 char:17
+ $Group.Remove( <<<< "WinNT://" + "domainName" + "/" + $username)
```

In both cases the script runs as an admin user but one of them doesn't seem to be able to execute it. Presumably due to UAC. Anyone got any ideas how I get round it?
| | #2 (permalink) |
Re: Remove user from administrators group

Since 'user1' isn't on your 'keep list' for acceptable admins, my guess would be that your script is attempting to delete user1, while running the script as that self-same user - hence the error. The script is essentially biting the hand that feeds it.

This line defines your list of acceptable admins ....

```powershell
if(!(($username -match "Administrator") -or ($username -match "Domain Admins") -or ($username -match "vadmin") -or ($username -match "LocAdmin")))
```

--
Jon

"malckelly" <malckelly@xxxxxx> wrote in message news:6C7D5772-6EB9-40B3-9E49-E2674B08F608@xxxxxx
> I have this script
>
> #################################
> $compName = hostname
> $computer = [ADSI]("WinNT://" + $compName + ",computer")
>
> $Group = $computer.psbase.children.find("administrators")
>
>
> $members = $Group.psbase.invoke("Members") | %{$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}
> foreach ($username in $members)
> {
>     if(!(($username -match "Administrator") -or ($username -match "Domain Admins") -or ($username -match "vadmin") -or ($username -match "LocAdmin")))
>     {
>         $Group.Remove("WinNT://" + "domainName" + "/" + $username)
>     }
> }
> ###################################
>
> That should remove any user that isn't "administrator", "domain admins", "vadmin" or "LocAdmin" from the administrators group on a vista machine.
>
> If I add user1 to the administrators group and run the script as "vadmin" it runs fine and removes the user from the group. However if I add user1 to the administrators group and run it as user1 I get:
>
> #############################
> Exception calling "Remove" with "1" argument(s): "General access denied error
> "
> At C:\Temp\logoutScript.PS1:12 char:17
> + $Group.Remove( <<<< "WinNT://" + "domainName" + "/" + $username)
> ###########################
>
> In both cases the script runs as an admin user but one of them doesn't seem to be able to execute it. Presumably due to UAC. Anyone got any ideas how I get round it?
| | #3 (permalink) |
Re: Remove user from administrators group

Hmm, I see what you mean.

The problem is that I would like that script to run as a logoff script when the user logs out. However, since the script runs with the user's credentials it doesn't work. Any ideas how I can get around that? Obviously I can't elevate the privileges of the script as it's impossible+unethical to hardcode a password.

Any ideas?

"Jon" wrote:
> Since 'user1' isn't on your 'keep list' for acceptable admins, my guess would be that your script is attempting to delete user1, while running the script as that self-same user - hence the error. The script is essentially biting the hand that feeds it.
>
> This line defines your list of acceptable admins ....
>
> if(!(($username -match "Administrator") -or ($username -match "Domain Admins") -or ($username -match "vadmin") -or ($username -match "LocAdmin")))
>
> --
> Jon
>
> "malckelly" <malckelly@xxxxxx> wrote in message news:6C7D5772-6EB9-40B3-9E49-E2674B08F608@xxxxxx
> > I have this script
> >
> > #################################
> > $compName = hostname
> > $computer = [ADSI]("WinNT://" + $compName + ",computer")
> >
> > $Group = $computer.psbase.children.find("administrators")
> >
> >
> > $members = $Group.psbase.invoke("Members") | %{$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}
> > foreach ($username in $members)
> > {
> >     if(!(($username -match "Administrator") -or ($username -match "Domain Admins") -or ($username -match "vadmin") -or ($username -match "LocAdmin")))
> >     {
> >         $Group.Remove("WinNT://" + "domainName" + "/" + $username)
> >     }
> > }
> > ###################################
> >
> > That should remove any user that isn't "administrator", "domain admins", "vadmin" or "LocAdmin" from the administrators group on a vista machine.
> >
> > If I add user1 to the administrators group and run the script as "vadmin" it runs fine and removes the user from the group. However if I add user1 to the administrators group and run it as user1 I get:
> >
> > #############################
> > Exception calling "Remove" with "1" argument(s): "General access denied error
> > "
> > At C:\Temp\logoutScript.PS1:12 char:17
> > + $Group.Remove( <<<< "WinNT://" + "domainName" + "/" + $username)
> > ###########################
> >
> > In both cases the script runs as an admin user but one of them doesn't seem to be able to execute it. Presumably due to UAC. Anyone got any ideas how I get round it?
| | #4 (permalink) |
Re: Remove user from administrators group

"malckelly" <malckelly@xxxxxx> wrote in message news:732E9A76-4ED0-4AC9-803C-871D8A71660D@xxxxxx
> Hmm, I see what you mean.
>
> The problem is that I would like that script to run as a logoff script when the user logs out. However, since the script runs with the user's credentials it doesn't work. Any ideas how I can get around that? Obviously I can't elevate the privileges of the script as it's impossible+unethical to hardcode a password.
>
> Any ideas?

You could perhaps have something along the lines of

(1) Modified logoff script that deletes all *other* admin users not on the accepted list, other than itself. It could also check to see if it's one of your accepted users, and if not it adds its username to a particular delete file, e.g. DeleteFile.txt

(2) A separate system startup scheduled task that deletes all users added to DeleteFile.txt.

Others may well have better suggestions.

--
Jon
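
One way to implement the two-stage approach suggested in #4, as an added example that is not code posted in the thread. It goes slightly further than the suggestion: the keep list is compared with exact matches, and the startup side treats the user-writable file only as a hint and re-checks every name before removing it. The file path, the function names and the English group name `Administrators` are assumptions.

```powershell
# Added example, not code from the thread. Path and function names are hypothetical.
$KeepList  = 'Administrator', 'Domain Admins', 'vadmin', 'LocAdmin'   # keep list from the thread
# Assumed location; the folder must already exist and let users append to the file.
$QueueFile = 'C:\ProgramData\AdminCleanup\DeleteFile.txt'

# Exact, case-insensitive comparison. The thread's -match is a regex substring
# test, so an account named "vadmin2" would also count as an accepted admin.
function Test-Keep([string]$Name) { $KeepList -contains $Name }

# Stage 1 (logoff script, runs as the user): record the name, remove nothing.
function Add-RemovalRequest {
    $me = [Environment]::UserName
    if (-not (Test-Keep $me)) { Add-Content -Path $QueueFile -Value $me }
}

# Stage 2 (startup scheduled task, runs as SYSTEM): process the queue.
function Invoke-PendingRemovals {
    if (-not (Test-Path $QueueFile)) { return }
    $requested = @(Get-Content $QueueFile | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $name = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # Anyone can write to the queue, so re-check the keep list here and act
        # only on names that really are members of the group right now.
        if (($requested -contains $name) -and -not (Test-Keep $name)) {
            $group.Remove($path)      # the member's own ADsPath, no hard-coded domain
            Write-Output "Removed $path from Administrators"
        }
    }
    Clear-Content $QueueFile
}
```

The logoff script calls `Add-RemovalRequest`; the startup task calls `Invoke-PendingRemovals`, so no password is stored anywhere and the removal does not depend on the logged-on user's token.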