
JSI Tip 10050. How can I remove all invalid members of all local Administrators groups in my domain?

Using standard commands, I have scripted RemoveInvalidLocalAdmins.bat to remove members of the local Administrators group that cannot be resolved. Each removed member is displayed on the console, showing:

"Computer Name","SID"

NOTE: RemoveInvalidLocalAdmins.bat uses Win32_PingStatus, so it must be run on Windows XP, Windows Server 2003, or a later operating system.

RemoveInvalidLocalAdmins.bat contains:


@echo off
setlocal ENABLEDELAYEDEXPANSION
if exist "%TEMP%\RemoveInvalidLocalAdmins.VBS" goto doit
@echo.Dim WshShell, colGroup, oDomain, strComputer, Item>"%TEMP%\RemoveInvalidLocalAdmins.VBS"
@echo.Set WshShell = CreateObject("WScript.Shell")>>"%TEMP%\RemoveInvalidLocalAdmins.VBS"
@echo.strDomain=WshShell.ExpandEnvironmentStrings("%USERDOMAIN%")>>"%TEMP%\RemoveInvalidLocalAdmins.VBS"
@echo.Set oDomain = GetObject("WinNT://" ^& strDomain)>>"%TEMP%\RemoveInvalidLocalAdmins.VBS"
@echo.oDomain.Filter = Array("Computer")>>"%TEMP%\RemoveInvalidLocalAdmins.VBS"
@echo.Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}^!\\.\root\cimv2")>>"%TEMP%\RemoveInvalidLocalAdmins.VBS"
@echo.for each strComputer in oDomain>>"%TEMP%\RemoveInvalidLocalAdmins.VBS"
@echo.Set computers = objWMIService.ExecQuery ("Select * from Win32_PingStatus Where Address = '" ^& strComputer.Name ^& "'")>>"%TEMP%\RemoveInvalidLocalAdmins.VBS"
@echo.For Each objComputer in computers>>"%TEMP%\RemoveInvalidLocalAdmins.VBS"
@echo.     If objComputer.StatusCode = 0 Then>>"%TEMP%\RemoveInvalidLocalAdmins.VBS"
@echo.         Set colGroup = GetObject("WinNT://" ^& strComputer.Name ^& "/Administrators,group")>>"%TEMP%\RemoveInvalidLocalAdmins.VBS"
@echo.         For Each item In ColGroup.Members>>"%TEMP%\RemoveInvalidLocalAdmins.VBS"
@echo.               If Mid(item.Name,1,4) = "S-1-" then>>"%TEMP%\RemoveInvalidLocalAdmins.VBS"
@echo.                Wscript.Echo strComputer.Name ^& " " ^& item.ADsPath>>"%TEMP%\RemoveInvalidLocalAdmins.VBS"
@echo.                colGroup.Remove item.ADsPath>>"%TEMP%\RemoveInvalidLocalAdmins.VBS"
@echo.            End If>>"%TEMP%\RemoveInvalidLocalAdmins.VBS"
@echo.         Next>>"%TEMP%\RemoveInvalidLocalAdmins.VBS"
@echo.     Else>>"%TEMP%\RemoveInvalidLocalAdmins.VBS"
@echo.         Wscript.Echo strComputer.Name ^& " NOT available.">>"%TEMP%\RemoveInvalidLocalAdmins.VBS"
@echo.    End If>>"%TEMP%\RemoveInvalidLocalAdmins.VBS"
@echo.Next>>"%TEMP%\RemoveInvalidLocalAdmins.VBS"
@echo.Next>>"%TEMP%\RemoveInvalidLocalAdmins.VBS"
:doit
for /f "Tokens=1*" %%a in ('cscript //nologo "%TEMP%\RemoveInvalidLocalAdmins.VBS"') do (
 set comp=%%a
 set wrk1=%%b
 set wrk2=!wrk1:~8!
 for /f "Tokens=1,2* Delims=/" %%x in ('@echo !wrk2!') do (
  set p1=%%x
  set p2=%%y
  set p3=%%z
 )
 if "!p3!" NEQ "" set p1=!p2!&set p2=!p3!
 @echo "!comp!","!p1!\!p2!"
)
endlocal
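
An audit-first PowerShell variant of the same check, added here as an example and not part of the original tip: it reports unresolved members first and removes them only when asked. The function name, its parameters and the computer names in the usage comments are assumptions.

```powershell
# Added example: report-first variant of the tip's loop, for an explicit list of computers.
# Find-OrphanedLocalAdmin, -ComputerName and -Remove are illustrative names.
function Find-OrphanedLocalAdmin {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [switch]$Remove   # without -Remove the function only reports
    )
    foreach ($computer in $ComputerName) {
        # Same reachability gate as the tip: skip hosts that do not answer a ping.
        if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
            Write-Warning "$computer NOT available."
            continue
        }
        $group = [ADSI]"WinNT://$computer/Administrators,group"
        foreach ($member in @($group.psbase.Invoke('Members'))) {
            $type = $member.GetType()
            $name = $type.InvokeMember('Name', 'GetProperty', $null, $member, $null)
            $path = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
            # Same test as the tip: an unresolved member's name is its SID string.
            if ($name -notlike 'S-1-*') { continue }
            $removed = $false
            if ($Remove -and $PSCmdlet.ShouldProcess("$computer\Administrators", "Remove $name")) {
                $group.psbase.Invoke('Remove', $path)
                $removed = $true
            }
            # One record per unresolved member: the "Computer Name","SID" pair plus the action taken.
            [pscustomobject]@{ Computer = $computer; SID = $name; Removed = $removed }
        }
    }
}

# Report only, and keep the list as a record (computer names are placeholders):
#   Find-OrphanedLocalAdmin -ComputerName 'PC01','PC02' |
#       Export-Csv .\orphaned-admins.csv -NoTypeInformation
# Remove after reviewing the report; each removal asks for confirmation:
#   Find-OrphanedLocalAdmin -ComputerName 'PC01','PC02' -Remove
```

Reviewing the report before removal matters because a member can also display as a SID when its domain cannot be contacted at that moment, not only when the account no longer exists.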


