How should I remove users from Administrators group without Active Directory?
Context: I am a new junior sysadmin and I have inherited a small office workgroup of about 12 windows machines, production and backup fileservers, and a sql server. All user accounts on the fileserver are members of the Administrators group. I realize this creates a vulnerability. Additionally the brass would like to have certain directories on the fileserver off limits to the general users.
How can I remove my users from Administrators group, and get them into two tiers of regular accounts and avoid inconvenience, production downtime, etc.?
I'm all for automation if feasible, so I'm not scared of scripting in .bat files or powershell, although my powershell is rusty and my .bat scripting is hacky.
You should set up a domain.
- Seriously. I wouldn't want to manage 3 Windows computers without a domain (Active Directory), let alone twelve.
- If the brass wants to limit the access levels on certain directories, the only way to do so in a manageable fashion is with Active Directory, even for "only 12" machines/users.
- Best option for you, personally, as well. "Managed a bunch of workgroup computers" is a pretty crap line in the resume. "Created, configured and managed a new Windows Active directory domain for [company]" is a pretty good item on the resume, by contrast.
Assuming you can't set up a domain (and Server 2003), my preference would be for psexec, which is part of the SysInternals Suite to make the remote connections, and then the NET USER and NET GROUP commands to do the actual adding. This will allow you to make the changes without knocking people off their computers, like below.
- Download the SysInternals suite.
- Open up a command line (cmd.exe)
- Connect to the computer you want to make the changes on
psexec \\thecomputeryouwanttomakechangeson\ cmd
- Execute the NET USER or NET GROUP command desired.
NET LOCALGROUP Administrators someuser /ADD
NET LOCALGROUP Administrators someotheruser /DEL
-
The link provided has better examples and complete syntax, just keep in mind you're using
LOCALGROUP
andLOCALUSER
in this case..
You can get the list of what users are currently in the Administrators group with:
net localgroup administrators > userlist.txt
You can then split the users from that output into tier1 and tier2 lists and loop through the lists.
$tier1file="c:\path\to\tier1users.txt"
$tier2file="c:\path\to\tier2users.txt"
foreach ($user in get-content $tier1file)
{
net localgroup administrators $user /del
net localgroup tier1 $user /add
}
foreach ($user in get-content $tier2file)
{
net localgroup administrators $user /del
net localgroup tier2 $user /add
}
Or something like that.
If all machines are set up identically you could probably get fancier than that, but machines without AD are frequently not identical.