Script to remove admin rights pt2
It's been a while since I had a play with this script, but what I have discovered is that the software I used to find out who has admin rights also seems to detect power users as Administrators, which I guess is actually a good thing; however, I did not expect to get quite as many hits as I did for power users.
I'll link all my old posts on the subject below so you can compare notes, but the script that I have created now needs to include:
net localgroup "power users" %username% /delete > "%userprofile%\pwrusr.txt"
and
Y:\BLAT\BLAT "%userprofile%\pwrusr.txt" -to email@address.com -server <smtp server IP> -f mail@address.com
Of course, if you don't want to be notified when these scripts run then you won't need the blat portion of the script, and if you really don't care about knowing whether the initial check script has run then I guess you could just push out a script along the lines of:
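@echo off
c:
cd "%userprofile%"
rem delusr1.txt doubles as a marker: if it exists, the script has already run for this profile
If exist delusr1.txt (exit) else goto :Script
:Script
rem for removing admin Privileges
rem output paths are quoted because %userprofile% can contain spaces
net localgroup administrators %username% /delete > "%userprofile%\delusr1.txt"
net localgroup "power users" %username% /delete > "%userprofile%\pwrusr.txt"
exit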
This would then run regardless and attempt to remove the locally logged-in user from the Power Users and Administrators groups. It should only be assigned to standard users, though, as you do not want to assign the script to administrators in your directory (be it AD, ED or maybe OpenLDAP).
Again, this script is just the way I have chosen to do it; I am no expert in script writing (I really do need to figure out VBScript), so I'm sure there are better ways of doing this.
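
The scoping caveat above (keep the script away from administrators) can also be enforced inside the script. The following is an added example, not the original author's script: it skips accounts on an allowlist, runs once per profile, and records per group whether the removal succeeded. The allowlisted account names are hypothetical placeholders, and the logging assumes net localgroup returns a non-zero exit code when the removal fails.

```bat
@echo off
rem Added example, not the original author's script.
setlocal
set "LOG=%userprofile%\delusr1.txt"

rem Run once per profile: the log file doubles as the marker, as in the post.
if exist "%LOG%" goto :eof

rem Hypothetical allowlist: accounts that must keep their rights even if
rem the script is assigned to them by mistake. Replace with your own names.
for %%A in ("Administrator" "helpdesk") do if /i "%%~A"=="%username%" goto :eof

call :RemoveFrom "administrators"
call :RemoveFrom "power users"
goto :eof

:RemoveFrom
rem %1 is the quoted group name, %~1 the same name without quotes.
>>"%LOG%" echo %date% %time% removing %username% from %~1
net localgroup %1 "%username%" /delete >>"%LOG%" 2>&1
rem Assumption: non-zero exit code means not a member or access denied.
if errorlevel 1 (
    >>"%LOG%" echo result: NOT removed from %~1
) else (
    >>"%LOG%" echo result: removed from %~1
)
goto :eof
```

Because both results go to one file, a single blat call on delusr1.txt reports the outcome for both groups.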