Remove All Except Specified from Admin Group

Does anyone have a great way they are restricting who is in the local admin group on non-domain clients? We have one with AzureAD and I wanted to set up a script to remove all "AzureAD\*" accounts from the local admins group, but I've not found a great way to script this to deploy via Automate.

We have a script we put together for this. We built the core of it in powershell and then just use the "Script Execute" command in a CW Automate script to run our powershell.

Here's what we're using:

# Get list of accounts in local administrators group that are NOT allowed (this filters the allowed accounts)
# We have to leave 'administrator' as it's a built-in account. But we disable the account via ThirdWall.
# 'select -skip 6' drops the header lines that 'net localgroup' prints before the member list;
# the 'successfully' alternative drops the trailing "The command completed successfully." line.
# Note: '^administrator' and '^msp.localadmin' are not end-anchored, so any member whose name
# starts with those strings is also kept.
$remove = net localgroup administrators | select -skip 6 | ? {$_ -and $_ -notmatch 'successfully|^administrator|^msp.localadmin|^xyz.devadmin$'}
# remove the accounts
foreach ($user in $remove) {
   net localgroup administrators $user /delete
}

We then just have this script scheduled to run against all machines at this client periodically (every 3-4 days I think).

Edited by tlphipps
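An added example (not code from either post) that applies the same allowlist idea with the built-in LocalAccounts cmdlets instead of parsing `net localgroup` output, so member names are matched exactly and the built-in Administrator is recognised by its SID rather than by name. The allowlist names are placeholders taken from the post's regex; it assumes Windows 10 / Server 2016 or later, an elevated session, and a first run with `-WhatIf`.

```powershell
# Added example: allowlist-based cleanup of the local Administrators group.
# Assumptions: placeholder allowlist names; run elevated; try with -WhatIf first.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Members that must stay (short name, without the 'AzureAD\' or 'PC01\' prefix).
    [string[]]$AllowedNames = @('msp.localadmin', 'xyz.devadmin'),
    # Set to $false to leave AzureAD-joined accounts alone and only remove other extras.
    [bool]$RemoveAzureAD = $true
)

$group   = 'Administrators'
$members = Get-LocalGroupMember -Group $group

foreach ($m in $members) {
    $name  = $m.Name                 # e.g. 'AzureAD\jane.doe', 'PC01\bob', 'PC01\Administrator'
    $short = $name.Split('\')[-1]    # strip the authority prefix before comparing to the allowlist
    $sid   = $m.SID.Value

    # Built-in Administrator is RID 500 on the machine SID; keep it even if it was renamed.
    if ($sid -like 'S-1-5-21-*-500') { Write-Verbose "keep built-in admin: $name"; continue }

    # -contains is case-insensitive for strings, matching how Windows treats account names.
    if ($AllowedNames -contains $short) { Write-Verbose "keep allowed: $name"; continue }

    if ($name -like 'AzureAD\*' -and -not $RemoveAzureAD) {
        Write-Verbose "keep AzureAD account (RemoveAzureAD is off): $name"; continue
    }

    # ShouldProcess gives us -WhatIf / -Confirm for free when run from Automate or by hand.
    if ($PSCmdlet.ShouldProcess($name, "Remove from $group")) {
        Remove-LocalGroupMember -Group $group -Member $m -ErrorAction Stop
        Write-Output "removed $name ($sid)"
    }
}
```

Some Windows builds have a known bug where Get-LocalGroupMember throws when the group contains AzureAD members whose SIDs cannot be resolved; if that happens on a client, the net-based script above is the fallback.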
