# Batch file to remove admin rights from domain computers (Windows 7)



## night-fury (Nov 27, 2014)

Hey guys,

I need to create a batch file that can *add/remove* admin rights from remote computers in my network. So far, I have been able to put together two files... the first accepts the input, which is the hostname OR IP address, and then calls the second batch file to do the job... to remove admin rights. But I am facing a couple of issues which I was hoping you can help me with.

I am looking for a file which can

- probably combine the below two into a single one (if possible)
- delete all domain users from the 'Administrators' group without removing the 'Domain Admins' group

Can you look at the code and help me tweak it?

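Batch file to remove admin rights:

```bat
@echo off
cd C:\pstools
set /p input= (enter hostname or IP address of the system to connect to): 
rem -p passes the local administrator password in clear text on the command line
rem 1.bat branches on its first argument (add or del), so pass del to remove rights
psexec.exe \\%input% -u .\administrator -p password123# "C:\batch\1.bat" del
pause
```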

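The file *(1.bat)* that is called by the above file to add/remove admin users:

```bat
@echo off
rem The first argument selects the action: add or del
set /p "input=(domain username): "

if /i "%~1"=="add" goto :add1
if /i "%~1"=="del" goto :del
goto :EOF

rem First removes the named domain user, then loops over the output of
rem net localgroup and tries to delete the first word of every line,
rem header lines and the Domain Admins entry included
:del
(
c:\windows\system32\net localgroup administrators "domain\%input%" /delete
for /F %%i in ('net localgroup administrators') do net localgroup administrators %%i /delete
)
goto :EOF

rem Adds the named domain user to the local Administrators group
:add1
(
c:\windows\system32\net localgroup administrators "domain\%input%" /add
)
goto :EOF
pause
```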
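
One way to meet the second requirement in the post above (remove every account of the domain from the local Administrators group but keep Domain Admins), as an added example that is not part of the original thread. The script name `prune-admins.bat`, the `/commit` switch and the domain argument are assumptions made for this example; it is meant to run elevated on the target machine itself and assumes `net localgroup` prints domain members as `DOMAIN\name`.

```batch
@echo off
rem Added example, not code from the thread.
rem Usage: prune-admins.bat NETBIOS_DOMAIN [/commit]
rem Without /commit nothing is changed; the script only reports (dry run).
setlocal DisableDelayedExpansion

set "DOMAIN=%~1"
set "MODE=%~2"
rem The one domain group that must stay in the local Administrators group
set "KEEP=Domain Admins"

if not defined DOMAIN (
    echo Usage: %~nx0 NETBIOS_DOMAIN [/commit]
    exit /b 2
)

set /a removed=0, failed=0

rem Splitting each line on "\" leaves %%B empty for header lines and for
rem local accounts, so only DOMAIN\name entries reach the inner checks.
for /f "tokens=1* delims=\" %%A in ('net localgroup Administrators') do (
    if not "%%B"=="" if /i "%%A"=="%DOMAIN%" (
        if /i "%%B"=="%KEEP%" (
            echo KEEP         %%A\%%B
        ) else if /i "%MODE%"=="/commit" (
            net localgroup Administrators "%%A\%%B" /delete >nul 2>&1
            if errorlevel 1 (
                echo FAILED       %%A\%%B
                set /a failed+=1
            ) else (
                echo REMOVED      %%A\%%B
                set /a removed+=1
            )
        ) else (
            echo WOULD REMOVE %%A\%%B
        )
    )
)

echo Done: %removed% removed, %failed% failed.
if %failed% gtr 0 exit /b 1
exit /b 0
```

Run it once without `/commit` and review the `WOULD REMOVE` lines before making changes; members of other domains and local accounts are left untouched.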


----------



## lochlomonder (Jul 24, 2015)

If you have a domain structure, why not look at doing it through a GPO? That way, you can add users to security groups, have local admin rights assigned to the group, and you can manage them on that basis.


----------



## night-fury (Nov 27, 2014)

lochlomonder said:


> If you have a domain structure, why not look at doing it through a GPO? That way, you can add users to security groups, have local admin rights assigned to the group, and you can manage them on that basis.


You are right. This has already been proposed, but due to some policies and procedures it will take time to get implemented. Meanwhile, I wanted this script to work so that it can ease the work a bit till then.

Any help on this will be much appreciated.


----------



## lochlomonder (Jul 24, 2015)

> This has already been proposed but due to some policies and procedures it will take time to get implemented.


I don't know the inner workings of your business, nor is it any of my concern in the first place, but going the GPO route takes literally minutes to implement. When I was doing it in my workplace, I would create security groups for assigning admin rights to the workstations, add the users getting the rights, set up the GPOs, and then assign them to the requisite OUs.


----------



## night-fury (Nov 27, 2014)

lochlomonder said:


> I don't know the inner workings of your business, nor is it any of my concern in the first place, but going the GPO route takes literally minutes to implement. When I was doing it in my workplace, I would create security groups for assigning admin rights to the workstations, add the users getting the rights, set up the GPOs, and then assign them to the requisite OUs.


I was not talking about the process to configure this... we need to have the change implementation processed and approved before making a change to the AD/OU structure. Hope this clears things up.

Anyone who can help me with the batch file... please do give some pointers.


----------

