How should I remove users from Administrators group without Active Directory?

Context: I am a new junior sysadmin and I have inherited a small office workgroup of about 12 Windows machines, production and backup fileservers, and a SQL Server. All user accounts on the fileserver are members of the Administrators group. I realize this creates a vulnerability. Additionally the brass would like to have certain directories on the fileserver off limits to the general users.

How can I remove my users from Administrators group, and get them into two tiers of regular accounts and avoid inconvenience, production downtime, etc.?

I'm all for automation if feasible, so I'm not scared of scripting in .bat files or PowerShell, although my PowerShell is rusty and my .bat scripting is hacky.


You should set up a domain.

  • Seriously. I wouldn't want to manage 3 Windows computers without a domain (Active Directory), let alone twelve.
  • If the brass wants to limit the access levels on certain directories, the only way to do so in a manageable fashion is with Active Directory, even for "only 12" machines/users.
  • Best option for you, personally, as well. "Managed a bunch of workgroup computers" is a pretty crap line in the resume. "Created, configured and managed a new Windows Active directory domain for [company]" is a pretty good item on the resume, by contrast.

Assuming you can't set up a domain (and Server 2003), my preference would be for psexec, which is part of the SysInternals Suite to make the remote connections, and then the NET USER and NET GROUP commands to do the actual adding. This will allow you to make the changes without knocking people off their computers, like below.

  1. Download the SysInternals suite.
  2. Open up a command line (cmd.exe)
  3. Connect to the computer you want to make the changes on
    • psexec \\thecomputeryouwanttomakechangeson cmd
  4. Execute the NET USER or NET GROUP command desired.
    • NET LOCALGROUP Administrators someuser /ADD
    • NET LOCALGROUP Administrators someotheruser /DEL
    • The link provided has better examples and complete syntax, just keep in mind you're using LOCALGROUP and LOCALUSER in this case.

You can get the list of what users are currently in the Administrators group with:

net localgroup administrators > userlist.txt

You can then split the users from that output into tier1 and tier2 lists and loop through the lists.

# One local username per line in each file (the paths are placeholders)
$tier1file="c:\path\to\tier1users.txt"
$tier2file="c:\path\to\tier2users.txt"

# Tier 1: drop each listed user from Administrators, then add them to the tier1 local group
foreach ($user in get-content $tier1file)
{
    net localgroup administrators $user /del
    net localgroup tier1 $user /add
}

# Tier 2: same, into the tier2 local group
foreach ($user in get-content $tier2file)
{
    net localgroup administrators $user /del
    net localgroup tier2 $user /add
}

Or something like that.

If all machines are set up identically you could probably get fancier than that, but machines without AD are frequently not identical.
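A fuller version of that loop, as an added example and not code from the answer above: it parses the current Administrators membership out of net localgroup output, creates the tier groups if they are missing, leaves a keep-list alone (the built-in Administrator plus a placeholder "sysadmin" standing in for your own account), supports -WhatIf for a dry run, and at the end reports any administrator that neither tier file covered. The file paths and the group names tier1/tier2 are assumptions.

```powershell
# Added example, not from the original answer. Run on each fileserver
# (e.g. psexec \\server powershell -File Demote-LocalAdmins.ps1). Assumes one
# local username per line in the tier files; "sysadmin" is a placeholder.
param(
    [string]$Tier1File = "C:\path\to\tier1users.txt",
    [string]$Tier2File = "C:\path\to\tier2users.txt",
    [string[]]$KeepAdmins = @("Administrator", "sysadmin"),
    [switch]$WhatIf
)

# Member names sit between the dashed separator and the final status line
# of "net localgroup administrators"; everything else is header text.
function Get-LocalAdminMembers {
    $inMembers = $false
    foreach ($line in (net localgroup administrators)) {
        if ($line -match '^-{5,}$') { $inMembers = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inMembers -and $line.Trim()) { $line.Trim() }
    }
}

# Run one net command, honouring -WhatIf and surfacing non-zero exit codes.
function Invoke-Net([string[]]$NetArgs) {
    if ($WhatIf) { Write-Host "WHATIF: net $($NetArgs -join ' ')"; return }
    & net @NetArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "net $($NetArgs -join ' ') failed ($LASTEXITCODE)" }
}

# Create the tier groups if they are missing ("net localgroup <name>" fails otherwise).
foreach ($group in "tier1", "tier2") {
    $null = cmd /c "net localgroup $group >nul 2>&1"
    if ($LASTEXITCODE -ne 0) { Invoke-Net @("localgroup", $group, "/add") }
}
$admins = @(Get-LocalAdminMembers)
$tiers = @{ tier1 = Get-Content $Tier1File; tier2 = Get-Content $Tier2File }

foreach ($tier in $tiers.Keys) {
    foreach ($user in @($tiers[$tier] | Where-Object { $_.Trim() })) {
        $user = $user.Trim()
        if ($KeepAdmins -contains $user) { Write-Host "Keeping $user in Administrators"; continue }
        Invoke-Net @("localgroup", $tier, $user, "/add")   # grant the new tier first...
        if ($admins -contains $user) {                       # ...then demote, only if actually an admin
            Invoke-Net @("localgroup", "administrators", $user, "/del")
        }
    }
}
# Anything left in Administrators that is not on the keep list was missed by the tier files.
Get-LocalAdminMembers | Where-Object { $KeepAdmins -notcontains $_ } |
    ForEach-Object { Write-Warning "Still an administrator, not in any tier file: $_" }
```

Run it once with -WhatIf per machine and read the planned net commands before the real pass, since a user removed from Administrators before the tier group grants the directory permissions they need is the production downtime the question wants to avoid.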