Greg's Technical Blog

15 Apr/10

Using the NET command to change group membership

Have you ever needed to change local administrator group membership on PCs in a Windows Server 2003 Active Directory domain? I have come across a need to do this lately with a client who has about 60 workstations on a domain. I needed to remove the end users from the local administrators group because always running your PC as an administrator is a large security risk and I was tired of dealing with the consequences. Since there were so many PCs, I didn't want to physically touch each one. The solution was to create a script utilizing the NET command in DOS.

I did a little research on what the NET command can do by opening a DOS prompt and typing 'net /?' and pressing Enter.  This showed me all the options available for the NET command such as NET USE for mapping resources and NET TIME for setting a computer's time.  The syntax I used is as follows:

net localgroup administrators %username% /delete

Using 'net localgroup' tells the computer I am going to reference items found in local groups on the local computer, meaning the computer on which the command is being executed. Adding 'administrators' to that string means I am looking specifically in the local administrators group. I used the variable %username% to insert the currently logged-in user into the string and then used the /delete switch to delete that user. Final result? The currently logged-in user is deleted from the local administrators group. This can be verified by using 'net localgroup administrators' to print out a list of users in the local administrators group.

Since I didn't want each user to have to execute this command personally I created a batch file called removeadmin.bat which contained the command as seen above: net localgroup administrators %username% /delete.  I then added this as a logon script in a Group Policy that was applied to the OU containing the users.  In this way I was able to make the script run after login and remove the current user from the administrators group with relative ease.
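A guarded variant of the same logon script, shown as an added example that is not the script from this post: it skips an exempt account, quotes the account name, logs the outcome and re-checks the group afterwards. The exempt account name and the log path are assumptions to adjust for your environment.

```batch
@echo off
rem Added example: guarded variant of removeadmin.bat (not the author's script).
rem Assumed values: EXEMPT account name and LOG path are placeholders.
setlocal
set "GROUP=Administrators"
set "EXEMPT=Administrator"
set "LOG=%TEMP%\removeadmin.log"
set "WHO=%USERDOMAIN%\%USERNAME%"

rem Leave the designated support account alone so the PC stays manageable.
if /i "%USERNAME%"=="%EXEMPT%" goto done

rem Quoting handles account names that contain spaces.
rem /delete only removes a direct member. It fails if the account is absent
rem or is an administrator only through membership in a nested group.
net localgroup "%GROUP%" "%WHO%" /delete >nul 2>&1
if errorlevel 1 goto notremoved

echo %DATE% %TIME% %COMPUTERNAME% removed %WHO% from %GROUP%>>"%LOG%"
goto verify

:notremoved
echo %DATE% %TIME% %COMPUTERNAME% no change for %WHO% (not a direct member, or no rights)>>"%LOG%"

:verify
rem Substring match on the member list, so "bob" also matches "bobby".
rem That is acceptable here: the goal is to flag a PC for a manual look.
net localgroup "%GROUP%" | findstr /i /l /c:"%USERNAME%" >nul
if not errorlevel 1 echo %DATE% %TIME% %COMPUTERNAME% WARNING %USERNAME% still listed in %GROUP%>>"%LOG%"

:done
endlocal
```

The change takes effect at the next logon, because the session that ran the script keeps the access token it was given when the user logged on.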

See http://support.microsoft.com/kb/556003 to learn more about the NET command.
