Removing local admin rights
Most of the users in our enterprise are currently local admins on their machines. The time has come to change that. A simple "net localgroup Administrators /delete %USERNAME%" command in a batch file would seem to work, but I haven't been able to figure out how to deploy it with elevated privileges. Anyone have any ideas or sample scripts on how to remove a user's local admin rights using Kace?
Answers (4)
I'd use group policy if possible. It's made for tasks like that. You can enforce local group memberships.
Comments:
-
I agree
http://social.technet.microsoft.com/Forums/eu/winserverGP/thread/79615098-ef17-4bcb-9d1b-7c3040a0cb96 - SMal.tmcc 11 years ago -
I would use GPO for it as well. My solution is simply for running something with elevated rights. - paul.theelen 11 years ago
The easiest way I found was using Windows Key + R to open Run.
I used autoit in this case to run it.
Then it will run with elevated rights.
Comments:
-
Great solution - I love AutoIT. Mind sharing your script code to save others time?
John - jverbosk 11 years ago-
Here you go
Func RunCMDElevatedRights()
    ;Run cmd with elevated rights.
    ; Press Win+R to open the Run dialog.
    Send("{LWINDOWN}")
    Send("r")
    Send("{LWINUP}")
    Sleep(1000)
    ; Type the command into the Run dialog, then press Enter to launch it.
    Send('cmd.exe /k "C:\Program Files (x86)\Test.bat"')
    Sleep(1000)
    Send("{ENTER}")
EndFunc
- paul.theelen 11 years ago
-
It would need to be an online kscript that uses the "run as" option to supply a user with admin rights. From there, you can have it deploy your batch script once you have it working outside of the K1000.
This custom inventory rule would show what local admins are on the systems: http://www.itninja.com/blog/view/howto-create-a-custom-inventory-rule-to-show-all-local-administrators
Edited to add: I agree with those above, group policy would be a much better option. That said, the K1000 can distribute that as well if necessary.
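
An added example, not part of the thread and not a KACE-supplied script: a PowerShell sketch of the cleanup a deployed script could perform, removing every member of the local Administrators group that is not on an allowlist instead of only the logged-on user. It assumes Windows PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts cmdlets, and `EXAMPLE\Workstation-Admins` is a placeholder group name.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): prune local Administrators to an allowlist.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Placeholder allowlist entry (assumption); use your own DOMAIN\name values.
    [string[]]$AllowedNames = @('EXAMPLE\Workstation-Admins'),
    # Well-known RIDs that are always kept: 500 = Administrator, 512 = Domain Admins.
    [long[]]$AllowedRids = @(500, 512)
)

# Address the group by its well-known SID so localized group names still work.
$adminGroupSid = 'S-1-5-32-544'

try {
    $members = Get-LocalGroupMember -SID $adminGroupSid -ErrorAction Stop
} catch {
    # Enumeration can fail when the group holds members that no longer resolve.
    # Stop and report instead of acting on a partial list.
    Write-Error "Could not enumerate local Administrators: $_"
    exit 1
}

foreach ($m in $members) {
    # The RID is the last sub-authority of the member's SID.
    $rid  = [long](($m.SID.Value -split '-')[-1])
    $keep = ($AllowedRids -contains $rid) -or ($AllowedNames -contains $m.Name)

    $action = 'Kept'
    if (-not $keep) {
        $action = 'Skipped'   # stays 'Skipped' under -WhatIf or a declined -Confirm
        if ($PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators')) {
            try {
                Remove-LocalGroupMember -SID $adminGroupSid -Member $m -ErrorAction Stop
                $action = 'Removed'
            } catch {
                $action = "Failed: $($_.Exception.Message)"
            }
        }
    }

    # Emit one record per member so the deployment tool's log doubles as an audit trail.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Member   = $m.Name
        Sid      = $m.SID.Value
        Action   = $action
    }
}
```

Run it with `-WhatIf` first to see which accounts would be removed on a machine, and only from an elevated context such as the "run as" kscript described above.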