Jump to content

Remove All Except Specified from Admin Group

Recommended Posts

Does anyone have a great way they are restricting who is in the local admin group on non-domain clients? We have one with AzureAD and I wanted to setup a script to remove all "AzureAD\*" accounts from the local admins group but I've not found a great way to script this to deploy via Automate.

Share this post

Link to post
Share on other sites

We have a script we put together for this. We built the core of it in powershell and then just use the "Script Execute" command in a CW Automate script to run our powershell.

Here's what we're using:

# Get list of accounts in local administrators group that are NOT allowed (this filters the allowed accounts)
# We have to leave 'administrator' as it's a built-in account. But we disable the account via ThirdWall.
$remove = net localgroup administrators | select -skip 6 | ? {$_ -and $_ -notmatch 'successfully|^administrator|^msp.localadmin|^xyz.devadmin$'}
# remove the accounts
foreach ($user in $remove) {
   net localgroup administrators $user /delete 

We then just have this script scheduled to run against all machines at this client periodically (every 3-4 days I think).

Edited by tlphipps

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now