Removing local admin rights from logged in user in a batch file from KACE
I'm helping out a new KACE admin work on something while our usual KACE admin is out on paternity leave.
We need to remove local admin rights from all the currently logged-in users.
We are using this command in a KACE script:
net localgroup Administrators %username% /DELETE
I've noticed that if I run that command from the desktop in a standard command window it fails. If I run that command in an elevated command window (Run As Administrator), the command works.
When running that script in KACE, it does nothing. I have a feeling it's because KACE is not running the batch file as administrator.
How do I get KACE to run a batch file as administrator? Please keep in mind that we are both pretty new to KACE and may need guidance.
Thanks in advance.
-
Can you try to select the option "Run as all logged in users"? After the command, there should be a message informing the user to sign out so the admin rights are removed. You can put the logoff command after a window timeout to enforce the sign-out. - flip1001 1 year ago
Answers (2)
You need to be sure the KACE script is set to run as the User, not the System account. And the command should have "CMD.exe /C" first:
Directory: $(KACE_SYS_DIR)
File: cmd.exe
Parameters: /c net localgroup administrators %USERDOMAIN%\%USERNAME% /delete
If the user is in the local Administrators group AND they happen to have local admin access, they will be removed. It will fail if they do not have access.
However, this is only if they are in there by name. If they are part of a group that is nested, that will not pull them out.
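
A PowerShell version of the answer's removal step that also covers its nested-group caveat, as an added example that is not part of the original thread or of KACE. It uses the built-in Get-LocalGroupMember and Remove-LocalGroupMember cmdlets (Windows PowerShell 5.1); the -Account parameter and the messages are assumptions of this example.

```powershell
# Added example: remove one account from BUILTIN\Administrators and report
# what still grants admin rights. Save as a .ps1 and run it elevated.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: defaults to the caller, like %USERDOMAIN%\%USERNAME% above.
    # Under the SYSTEM account these variables do not name the interactive
    # user, so pass -Account 'DOMAIN\user' explicitly in that case.
    [string]$Account = "$env:USERDOMAIN\$env:USERNAME"
)

$adminSid = 'S-1-5-32-544'   # well-known SID of the local Administrators group

# Group changes need an elevated token; stop early instead of failing quietly.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error "Not elevated: cannot modify the Administrators group."
    exit 1
}

$members = @(Get-LocalGroupMember -SID $adminSid -ErrorAction Stop)
$direct  = $members | Where-Object { $_.Name -eq $Account }

if ($direct) {
    if ($PSCmdlet.ShouldProcess($Account, 'Remove from local Administrators')) {
        Remove-LocalGroupMember -SID $adminSid -Member $Account -ErrorAction Stop
        Write-Output "Removed $Account (takes effect at next sign-in)."
    }
} else {
    Write-Output "$Account is not listed by name in Administrators."
}

# Entries that remain. Any group listed here still makes its members
# administrators, which removal by name does not change.
$members | Where-Object { $_.Name -ne $Account } |
    Select-Object Name, ObjectClass, PrincipalSource
```

Running it with -WhatIf shows the removal that would happen without changing the group, which is useful for a first pass across machines.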