Managing the members of the Administrators group on computers is a common IT security task. You can use Group Policy to control the membership of a computer's Administrators group by creating a Restricted Groups policy or configuring Group Policy Preferences (GPP) for Local Users and Groups. However, computers that aren't members of an Active Directory (AD) domain can't take advantage of these features. Alternatively, some IT system administrators might not have control over Group Policy Objects (GPOs) or the organizational unit (OU) structure where the computer accounts are located.
The most common way of adding accounts to or removing accounts from the Administrators group is the Net Localgroup command. You can list the group's members, add members (with the /Add parameter), and remove members (with the /Delete parameter). However, Net Localgroup has some limitations. First, you must refer to the Administrators group by name, which is a problem if the group has been renamed or the computer runs with different language settings. Second, Net Localgroup has no way to remove every account from a group except a given set of accounts; you have to name each account you want removed. Finally, Net Localgroup can't change the membership of the Administrators group on a remote computer. It works only on the computer where you run it.
A Better Solution: EnforceLocalAdmin.vbs
To overcome these limitations, I wrote a VBScript script, EnforceLocalAdmin.vbs, that lets you enforce the membership of the Administrators group on one or more computers. I decided to write the script using VBScript rather than PowerShell to maximize performance.
The command-line syntax of the script is as follows:
EnforceLocalAdmin.vbs "account[,...]" [/computer:"name[,...]"] [/domain] [/v]
The script's only required parameter is a comma-delimited list of one or more account names that are allowed to be members of the Administrators group. Domain accounts are written in the format domain\name; a local account needs only its name. You must enclose the entire list of account names in quotes (").
When you run the script, it will remove all the accounts from the Administrators group, except for the list of accounts listed on the command line. After the script removes the disallowed accounts, it adds the listed accounts to the Administrators group if they're not already members.
The script can also enforce Administrators group membership on remote computers. To do this, you use the /computer parameter and specify a comma-delimited list of computer names, enclosed in quotes.
If the computer is a member of an AD domain, the script ignores domain accounts when removing disallowed accounts. If you want to include domain accounts for removal, you need to specify the /domain parameter on the script's command line.
The script runs silently by default (i.e., it produces no output). Specify the /v (verbose) parameter if you want to see the results of the script's actions; this is mainly useful when testing. The output appears in the console window if you run the script with cscript.exe, or in a message box if you run it with wscript.exe.
EnforceLocalAdmin.vbs identifies the Administrators group by its well-known SID (S-1-5-32-544), not by the English name "Administrators". This matters if you're running a non-English version of Windows or if someone has renamed the group. In addition, the script skips the built-in Administrator account (the local account with RID 500) when removing accounts, because Windows won't let you remove it from the group. (Attempting to do so returns error 1371: "Cannot perform this operation on built-in accounts.")
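The following PowerShell function is an added example, not the article's VBScript (which is not reproduced here). It implements the behaviour described above through the ADSI WinNT provider: the group is located by its SID, the built-in Administrator (RID 500) is left alone, non-local accounts are ignored unless asked for, and one or more remote computers can be targeted. The function and parameter names (Set-AdministratorsMembership, -AllowedAccount, -ComputerName, -IncludeDomainAccounts) are my own assumptions that mirror the script's command line, /domain and /computer parameters; -Verbose stands in for /v.

```powershell
# Added example (PowerShell), not the article's EnforceLocalAdmin.vbs. Names of the
# function and its parameters are assumptions that mirror the script's switches.

function Get-Win32ErrorCode {
    # ADSI failures surface as a COMException carrying an HRESULT such as 0x8007055B;
    # its low 16 bits are the Win32 code that 'net helpmsg <code>' explains (1371 here).
    param($ErrorRecord)
    $e = $ErrorRecord.Exception
    while ($e.InnerException) { $e = $e.InnerException }
    if ($e -is [System.Runtime.InteropServices.COMException]) { return $e.ErrorCode -band 0xFFFF }
    return $null
}

function Get-EntrySid {
    # SDDL form of a WinNT entry's SID, or $null for an orphaned member whose account is gone.
    param([System.DirectoryServices.DirectoryEntry] $Entry)
    try { (New-Object Security.Principal.SecurityIdentifier($Entry.Properties['objectSid'].Value, 0)).Value }
    catch { $null }
}

function Set-AdministratorsMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Accounts allowed to remain: 'name' for a local account, 'DOMAIN\name' for a domain account.
        [Parameter(Mandatory = $true)] [string[]] $AllowedAccount,
        [string[]] $ComputerName = $env:COMPUTERNAME,   # the script's /computer
        [switch] $IncludeDomainAccounts                 # the script's /domain
    )

    # Membership changes go through the SAM and need an elevated token.
    $me = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Run as administrator) PowerShell session.'
    }

    foreach ($computer in $ComputerName) {
        $shortName = ($computer -split '\.')[0]
        $machine = [ADSI]"WinNT://$computer,computer"

        # Find Administrators by its well-known SID, not by a renameable, localised name.
        $group = $machine.Children | Where-Object {
            $_.SchemaClassName -eq 'Group' -and (Get-EntrySid $_) -eq 'S-1-5-32-544'
        }
        if (-not $group) { Write-Warning "${computer}: Administrators group not found"; continue }

        # Normalise the allow list to AUTHORITY\name; a bare name means a local account.
        $allowed = @{}
        foreach ($account in $AllowedAccount) {
            $full = if ($account -like '*\*') { $account } else { "$shortName\$account" }
            $allowed[$full.ToUpperInvariant()] = $full
        }

        # Pass 1: remove members that are not on the list.
        $present = @{}
        foreach ($member in @($group.Invoke('Members'))) {
            $entry = New-Object System.DirectoryServices.DirectoryEntry($member)
            # Paths look like WinNT://COMPUTER1/Admin or WinNT://FABRIKAM/Domain Admins
            $authority, $name = ($entry.Path -replace '^WinNT://', '') -split '/', 2
            $label = "$authority\$name"
            $sid = Get-EntrySid $entry

            if ($allowed.ContainsKey($label.ToUpperInvariant())) {
                $present[$label.ToUpperInvariant()] = $true
                Write-Verbose "${computer}: keeping $label"; continue
            }
            if ($sid -like 'S-1-5-21-*-500') {
                Write-Verbose "${computer}: built-in Administrator $label cannot be removed (error 1371)"; continue
            }
            if ($authority -ine $shortName -and -not $IncludeDomainAccounts) {
                Write-Verbose "${computer}: ignoring non-local account $label (use -IncludeDomainAccounts)"; continue
            }
            if ($PSCmdlet.ShouldProcess("$computer : $label", 'Remove from Administrators')) {
                try { $group.Invoke('Remove', $entry.Path); Write-Verbose "${computer}: removed $label" }
                catch { Write-Warning "${computer}: removing $label failed, Win32 error $(Get-Win32ErrorCode $_)" }
            }
        }

        # Pass 2: add listed accounts that are not members yet.
        foreach ($key in $allowed.Keys) {
            if ($present.ContainsKey($key)) { continue }
            $authority, $name = $allowed[$key] -split '\\', 2
            if ($PSCmdlet.ShouldProcess("$computer : $($allowed[$key])", 'Add to Administrators')) {
                try { $group.Invoke('Add', "WinNT://$authority/$name"); Write-Verbose "${computer}: added $($allowed[$key])" }
                catch { Write-Warning "${computer}: adding $($allowed[$key]) failed, Win32 error $(Get-Win32ErrorCode $_)" }
            }
        }
    }
}

# Same intent as: EnforceLocalAdmin.vbs "Admin,fabrikam\Domain Admins" /computer:"computer1,computer2" /domain /v
# Drop -WhatIf to apply the changes.
Set-AdministratorsMembership -AllowedAccount 'Admin', 'fabrikam\Domain Admins' `
    -ComputerName 'computer1', 'computer2' -IncludeDomainAccounts -Verbose -WhatIf
```

Run it with -WhatIf first: because the allow list is enforced, a typo in an account name removes every other administrator before the add step then fails on the misspelled name. When a remove or add fails, the warning carries the Win32 code, which you can feed to Net Helpmsg in the same way as the script's own error output.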
Table 1 shows a list of sample script commands.

| Command* | Result |
|---|---|
| EnforceLocalAdmin.vbs "Admin,DesktopSupport" | Only the local Admin and DesktopSupport accounts will be members of the Administrators group on the current computer. Other local accounts will be removed from the group. |
| EnforceLocalAdmin.vbs "Admin,DesktopSupport" /computer:"computer1,computer2" | Only the local Admin and DesktopSupport accounts will be members of the Administrators group on computer1 and computer2. Other local accounts will be removed from the group. |
| EnforceLocalAdmin.vbs "Admin,fabrikam\Domain Admins" /domain | Only the local Admin account and the Domain Admins group from the fabrikam domain will be members of the Administrators group on the current computer. Other local and domain accounts will be removed from the group. |
| EnforceLocalAdmin.vbs "Admin,fabrikam\Domain Admins" /computer:"computer1,computer2" /domain | Only the local Admin account and the Domain Admins group from the fabrikam domain will be members of the Administrators group on computer1 and computer2. Other local and domain accounts will be removed from the group. |

* Line breaks are for readability only. Commands must be on a single line.
Figure 1 shows an example of the script's output when running the script using cscript.exe and the /v parameter.
You can download the EnforceLocalAdmin.vbs script by clicking the Download the Code button near the top of the page. When using this script, keep in mind the following considerations:
- You must run the script with elevated permissions, because it modifies the membership of the local Administrators group. Use the Run as administrator option when opening the Command Prompt window from which you run the script. Figure 2 shows this option on a Windows 7 system. If you don't run the script elevated, it can't update the membership of the Administrators group, as shown in Figure 3.
- You should know how to interpret error codes. When you run the script with the /v parameter, you might see error codes in the output, like those shown in Figure 3. You can look up the description of any error code with the Net Helpmsg command followed by the code (for example, Net Helpmsg 1371), as shown in Figure 4.
- You must use the correct settings in Task Scheduler. If you run the script from the Task Scheduler service, run it under an administrator account or the SYSTEM account, and select both the Run whether user is logged on or not option and the Run with highest privileges option, as shown in Figure 5. Without the highest-privileges setting the task runs with a filtered (non-elevated) token and fails in the same way as an unelevated Command Prompt.
- You need to be aware of the limitations of remote Administrators group management. The script connects to remote computers with the credentials of the account running it, so if your computers are in a workgroup and you use the /computer parameter, the same administrative user name and password must exist on every target computer.
- You need to be aware of environment-specific limitations. The remote connection uses the same SMB path as file and printer sharing, so if you have disabled File and Printer Sharing for Microsoft Networks in your network adapters' settings, the script can't connect to those computers. Likewise, if you're using the Windows firewall or a third-party firewall, you need to configure it to allow the connections.
- You shouldn't use the script if management GPOs are already in place for the Administrators group. If the computer is a member of an AD domain and there's a GPO in place that uses a Restricted Groups policy or Local Users and Groups GPP to manage the Administrators group, this will conflict with the use of the EnforceLocalAdmin.vbs script. You can use the GPO settings or the script, but you shouldn't use both.
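The Task Scheduler settings called for above, expressed as an added PowerShell example (not part of the article) using the ScheduledTasks module cmdlets. The task name, script location and daily schedule are assumptions; the principal and run level are the settings the article specifies.

```powershell
# Added example, not from the article: register EnforceLocalAdmin.vbs as a scheduled
# task that runs as SYSTEM with highest privileges. Path, name and schedule are assumed.
$scriptPath = 'C:\Scripts\EnforceLocalAdmin.vbs'   # assumed location of the downloaded script

$action = New-ScheduledTaskAction -Execute 'cscript.exe' `
    -Argument ('//nologo "{0}" "Admin,DesktopSupport"' -f $scriptPath)
$trigger = New-ScheduledTaskTrigger -Daily -At 2am

# SYSTEM with LogonType ServiceAccount is the "Run whether user is logged on or not" case
# (no stored password); RunLevel Highest is the "Run with highest privileges" check box.
# For a named administrator instead, use -LogonType Password and pass -User/-Password
# to Register-ScheduledTask.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

Register-ScheduledTask -TaskName 'EnforceLocalAdmin' -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings | Out-Null

# Verify what was registered: UserId should be SYSTEM and RunLevel Highest.
(Get-ScheduledTask -TaskName 'EnforceLocalAdmin').Principal | Format-List UserId, LogonType, RunLevel

# Windows 7 has no ScheduledTasks module; schtasks.exe takes the same settings:
# schtasks /Create /TN EnforceLocalAdmin /SC DAILY /ST 02:00 /RU SYSTEM /RL HIGHEST
#   /TR "cscript.exe //nologo C:\Scripts\EnforceLocalAdmin.vbs \"Admin,DesktopSupport\""
```

If the task history shows the script exiting without changing the group, check the principal first: a task created with the default RunLevel of Limited runs under the account's filtered token even when the account is an administrator.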
Manage Your Administrators Groups
If you don't have a domain or you don't have control over Group Policy or your OU structure, you are no longer without a solution for managing the members of the Administrators group on one or more computers. You can use the EnforceLocalAdmin.vbs script instead and ensure that only allowed accounts are members of the Administrators group.