Another way to remove an ID or group from a local group.
I monitor the local administrators group on specific systems using a task
triggered on EventID=4732, which is modification of a group.
The script I run checks the local administrators group for specific types of
IDs using a pattern and removes the IDs if found. I like to log all the
results, so a script rather than just a command. It all happens in a couple of
seconds.
Command line to search a local group for a specific ID or group and then delete
said group. You must escape the backslash with a backslash.
for /f "tokens=1" %a in ('net localgroup administrators^|findstr /i DOMAIN\\NameToDelete') do net localgroup Administrators %a /Delete
Peter Boyles
BIS Engineering Analyst
PepsiCo Inc. | Global End User Services | GEUS Deploy
SM: Issues: GEUS DEVICE L2 SUPPORT
Requests: MIGRATION AND DISTRIBUTION
Office: (972) 963-6578 | E-Mail: [email protected]
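
A PowerShell version of the check-remove-and-log approach described in this message, added here as an example and not the poster's own script. The pattern, the log path and the report-only default are assumptions, and it relies on the Microsoft.PowerShell.LocalAccounts cmdlets shipped with Windows PowerShell 5.1.

```powershell
#Requires -RunAsAdministrator
# Added example: audit the local Administrators group, remove members whose
# name matches a pattern, and log every decision. Intended to be started by a
# scheduled task such as the one described in the message above.
param(
    # Well-known SID of the built-in Administrators group (locale independent).
    [string]$GroupSid = 'S-1-5-32-544',
    # Regex, so the backslash is escaped. Placeholder name taken from the message.
    [string]$Pattern  = '^DOMAIN\\NameToDelete$',
    # Hypothetical log location (assumption, not from the message).
    [string]$LogPath  = "$env:ProgramData\AdminGroupAudit\audit.log",
    # Without -Remove the script only reports matches (assumed safe default).
    [switch]$Remove
)

function Write-AuditLog([string]$Message) {
    # ISO 8601 timestamp plus host name, so lines from many machines can be merged.
    $line = '{0:o} {1} {2}' -f (Get-Date), $env:COMPUTERNAME, $Message
    Add-Content -LiteralPath $LogPath -Value $line
}

New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null

try {
    $members = Get-LocalGroupMember -SID $GroupSid -ErrorAction Stop
} catch {
    # Enumeration can fail, for example when the group holds an unresolvable SID.
    Write-AuditLog "ERROR enumerating group: $($_.Exception.Message)"
    exit 1
}

foreach ($m in $members) {
    # -notmatch is case-insensitive, like findstr /i in the one-liner above.
    if ($m.Name -notmatch $Pattern) {
        Write-AuditLog "KEEP    $($m.Name) [$($m.ObjectClass)]"
        continue
    }
    if (-not $Remove) {
        Write-AuditLog "MATCH   $($m.Name) sid=$($m.SID) (report only)"
        continue
    }
    try {
        Remove-LocalGroupMember -SID $GroupSid -Member $m -ErrorAction Stop
        Write-AuditLog "REMOVED $($m.Name) sid=$($m.SID)"
    } catch {
        Write-AuditLog "ERROR removing $($m.Name): $($_.Exception.Message)"
    }
}
```

Logging the kept members as well as the removed ones gives a record of the group's full membership at each trigger, which helps when reconstructing who added what.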
-----Original Message-----
From: [email protected] On Behalf Of Michael Leone
Sent: Tuesday, June 30, 2015 11:07 AM
To: [email protected]
Subject: Re: [NTSysADM] Removing a Restricted Group via GPO
On Tue, Jun 30, 2015 at 11:23 AM, Charles F Sullivan <[email protected]> wrote:
> Unless I'm misunderstanding, this is the answer:
>
> You said the servers OU is blocking inheritance, so already the Restricted
> Group setting won't apply, which I'm sure you already know, but....
Right ...
> I assume you're referring to the issue where Restricted Groups are
> tattooed onto the Registry, so when you move a server into the Servers OU,
> it still has the group as a member of Administrators.
Yep, exactly.
> To resolve that, set a Group Policy Preference Local Users and Groups
> setting....
>
> Action: Update
> Group Name: Administrators (built-in)
> Members section:
> Name: <domain>\<groupyouwanttoremove>
> Action: REMOVE
Hmm! I will look into that, sounds like what I want ....
Thanks