I wrote a script to remove a global group (DomainName\Domain Admins) from the local Administrators group on many servers. When I run this script, I receive the error message "The Group Name could not be found." However, the global group's name is correct and the group is in the local Administrators group. Listing 3, page 10, shows the part of the script in which the error is occurring. What am I doing wrong?
The code in Listing 3 isn't trying to remove the global group from the local Administrators group—the code is trying to delete the global group altogether. Furthermore, the code is trying to perform this delete operation on a built-in group and possibly on a machine on which the group doesn't exist.
To remove one group from another group, you can use Microsoft Active Directory Service Interfaces (ADSI). Follow these steps:
- Bind to the group that contains the group you want to remove (in this case, the local Administrators group).
- Call the Remove method of the IADsGroup interface, and pass it the ADsPath of the group you want to remove (in this case, the global group).
Listing 4 contains sample code that performs these steps. This code works on machines running Windows 2000 Professional or Windows NT Server 4.0 that aren't domain controllers (DCs).
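The two steps above, written out as an added VBScript example (this is not the article's Listing 4). The choice of VBScript, the domain name CONTOSO, the server names SRV01 and SRV02, and the function name RemoveFromLocalGroup are assumptions made for illustration.

```vbscript
' Added example, not the article's Listing 4.
' CONTOSO, SRV01 and SRV02 are constructed placeholder names.
Option Explicit

Const DOMAIN_NAME = "CONTOSO"
Const GLOBAL_GROUP = "Domain Admins"
Const LOCAL_GROUP = "Administrators"

Dim server
For Each server In Array("SRV01", "SRV02")
    WScript.Echo server & ": " & RemoveFromLocalGroup(server)
Next

Function RemoveFromLocalGroup(computerName)
    Dim localGroup, memberPath, present

    ' ADsPath of the member to take out (the global group), not of the container.
    memberPath = "WinNT://" & DOMAIN_NAME & "/" & GLOBAL_GROUP

    On Error Resume Next

    ' Step 1: bind to the local group on the target machine.
    Set localGroup = GetObject("WinNT://" & computerName & "/" & LOCAL_GROUP & ",group")
    If Err.Number <> 0 Then
        RemoveFromLocalGroup = "bind failed, 0x" & Hex(Err.Number)
        Exit Function
    End If

    ' Check membership first so a machine without the member is reported, not failed.
    present = localGroup.IsMember(memberPath)
    If Err.Number <> 0 Then
        RemoveFromLocalGroup = "membership check failed, 0x" & Hex(Err.Number)
        Exit Function
    End If
    If Not present Then
        RemoveFromLocalGroup = "not a member, nothing to remove"
        Exit Function
    End If

    ' Step 2: IADsGroup.Remove changes membership only; the global group is untouched.
    localGroup.Remove memberPath
    If Err.Number <> 0 Then
        RemoveFromLocalGroup = "remove failed, 0x" & Hex(Err.Number)
    Else
        RemoveFromLocalGroup = "removed"
    End If
End Function
```

The per-server result string gives a record of which machines were changed, which already lacked the member, and which could not be reached.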