I have been trying to figure out a way to remove local admin rights from users on domain joined devices with an Automox worklet but haven't made any progress.
The closest I got was with a worklet that would check to see if the current signed in user is a member of the local administrator's group, and if so, add them to the local Users group and delete them from the local administrator's group, but it always tries to move the NT AUTHORITY\SYSTEM account.
I need to do this on a large scale, so having to specify the account to move isn't viable. Has anyone tried to do something like this before? Any hints or suggestions?
The only domain account that should be in the local administrator's group would be “[Domain]\Domain Admins”.
This is what I tried:
# Get the identity of the account running this script
$currentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$userName = $currentUser.Name

# Define the local groups
$usersGroup = "Users"
$adminGroup = "Administrators"

# Check if the user is already in the Users group
$isInUsersGroup = (Get-LocalGroupMember -Group $usersGroup | Where-Object { $_.Name -eq $userName })

# Check if the user is in the Administrators group
$isInAdminGroup = (Get-LocalGroupMember -Group $adminGroup | Where-Object { $_.Name -eq $userName })

# Add the user to the Users group if not already a member
if (-not $isInUsersGroup) {
    try {
        Add-LocalGroupMember -Group $usersGroup -Member $userName
        Write-Host "$userName has been added to the $usersGroup group."
    } catch {
        Write-Host "Failed to add $userName to the $usersGroup group. Error: $_"
    }
} else {
    Write-Host "$userName is already a member of the $usersGroup group."
}

# Remove the user from the Administrators group if they are a member
if ($isInAdminGroup) {
    try {
        Remove-LocalGroupMember -Group $adminGroup -Member $userName
        Write-Host "$userName has been removed from the $adminGroup group."
        Exit 0
    } catch {
        Write-Host "Failed to remove $userName from the $adminGroup group. Error: $_"
        Exit 1
    }
} else {
    Write-Host "$userName is not a member of the $adminGroup group."
    Exit 0
}
This was the result:
Failed to add NT AUTHORITY\SYSTEM to the Users group. Error: The term 'Add-LocalGroupMember' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
NT AUTHORITY\SYSTEM is not a member of the Administrators group.
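The output above shows two things a worklet author needs to design around: the script runs as NT AUTHORITY\SYSTEM, so "the current user" resolved via WindowsIdentity is never the interactive user, and the LocalAccounts cmdlets were not available in the host that ran it. The script below is an added example, not the original poster's code and not anything shipped by Automox. It takes the opposite approach to the post: instead of finding a user to demote, it enumerates the local Administrators group and removes every member that is not on an allow-list (the built-in Administrator, RID 500, and Domain Admins, RID 512), moving the removed accounts into Users first. It uses the ADSI WinNT provider rather than Add/Remove-LocalGroupMember so it does not depend on that module being loadable; the assumption that a 32-bit host is why the cmdlet was missing is mine. The `-DryRun` switch, the `$keepSids` list and the function name are illustrative choices.

```powershell
# Added example (not from the original post). Reconciles the local Administrators
# group against an allow-list instead of looking at the "current user", because a
# worklet runs as SYSTEM. Uses ADSI/WinNT so it works without the LocalAccounts
# module (assumption: the 32-bit host is why Add-LocalGroupMember was not found).
param(
    [switch]$DryRun   # report what would change without changing anything
)

$computer = $env:COMPUTERNAME
$admins   = [ADSI]"WinNT://$computer/Administrators,group"
$users    = [ADSI]"WinNT://$computer/Users,group"

# Well-known RIDs that must stay: built-in Administrator (500) and Domain Admins (512).
# Local accounts created later start at RID 1000, so these do not collide with them.
$keepRids = @(500, 512)
# Additional principals to keep, by SID string (placeholder: populate for your domain).
$keepSids = @()

# Pull name, ADsPath and SID out of a WinNT member COM object.
function Get-MemberInfo {
    param($member)
    $name     = $member.GetType().InvokeMember('Name',      'GetProperty', $null, $member, $null)
    $adsPath  = $member.GetType().InvokeMember('AdsPath',   'GetProperty', $null, $member, $null)
    $sidBytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    [pscustomobject]@{ Name = $name; AdsPath = $adsPath; Sid = $sid }
}

$exitCode = 0
foreach ($m in @($admins.Invoke('Members'))) {
    try {
        $info = Get-MemberInfo $m
    } catch {
        Write-Host "Skipping a member that could not be resolved: $_"
        continue
    }
    $rid = [int]($info.Sid.Value.Split('-')[-1])

    if ($keepRids -contains $rid -or $keepSids -contains $info.Sid.Value) {
        Write-Host "Keeping $($info.Name) ($($info.Sid.Value))"
        continue
    }
    if ($DryRun) {
        Write-Host "Would remove $($info.Name) ($($info.Sid.Value)) from Administrators"
        continue
    }

    # Add to Users first so the account is never left without a local group.
    try {
        $users.Add($info.AdsPath)
        Write-Host "Added $($info.Name) to Users"
    } catch {
        Write-Host "Did not add $($info.Name) to Users (probably already a member): $_"
    }
    try {
        $admins.Remove($info.AdsPath)
        Write-Host "Removed $($info.Name) from Administrators"
    } catch {
        Write-Host "Failed to remove $($info.Name) from Administrators: $_"
        $exitCode = 1
    }
}
exit $exitCode
```

Run it once with `-DryRun` on a pilot group and read the "Keeping"/"Would remove" lines before rolling it out: the output is the audit of what is actually sitting in Administrators on each device, which is the information the per-user approach never produced. Matching on SID rather than display name means renamed accounts and a domain whose NetBIOS name differs from its DNS name are still handled correctly, and the non-zero exit code lets the worklet report devices where a removal failed.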