Delete multiple members from the local "Administrators" group

(imported topic written by RubenB.)

Hi,

We are in the middle of an audit and have been asked to remove unauthorized local administrators. I have been able to remove individual accounts by running the following:

Relevance - exists members whose (it as string as lowercase = "domain name\account name") of local group "Administrators"

Action - RunDetached {pathname of system folder}\net.exe localgroup "Administrators" "domain name\account name" /delete

My question is how do I go about removing multiple accounts at the same time? I am new to writing fixlets but can see the tremendous potential.

Is there a way to create a “whitelist” of approved local accounts and remove everything else that does not belong to it? How about using a compliance document?

Thanks in advance for your help.

Sincerely,

Ruben

(imported comment written by SystemAdmin)

Once you get used to the if’s of’s and item’s you will get a lot more flexibility. I am by far not the most efficient relevance writer but it should work:

You should be able to just add items separated by a semicolon as below and it will report “true” if there is a user in there that is not included in your hardcoded list.

Relevance:

q: exists (if (item 0 of it = item 1 of it) then (true) else (nothing)) of ((members of local group "Administrators" as string),("WIN-SMD2P7N3F49\Administrator";"WIN-SMD2P7N3F49\user1";"WIN-SMD2P7N3F49\user2"))

A: True

T: 4.390 ms

I: singular boolean

Action:

Your best bet will probably be to build a batch file and execute that using “createfile”. I didn’t see that you could feed net.exe multiple account names in a single line.

The action will look something like this:

createfile until __EOF
@echo off
{relevance_to_create_a_batch_file_with_one_net.exe_command_per_line__see_below_for_example}
__EOF
move __createfile mybaatch.bat
rundettached cmd.exe /C mybatch.bat

Here is the relevance I would use to build my relevance substitution in the action script:

q: ( (pathname of system folder) & "\net.exe localgroup Administrators " & it & " /delete") of (members whose (it as string != "WIN-SMD2P7N3F49\Administrator" and it as string != "WIN-SMD2P7N3F49\user1" and it as string != "WIN-SMD2P7N3F49\user2") of local group "Administrators" as string)

A: C:\Windows\system32\net.exe localgroup Administrators WIN-SMD2P7N3F49\jjones /delete

A: C:\Windows\system32\net.exe localgroup Administrators WIN-SMD2P7N3F49\bigfix /delete

T: 4.205 ms

I: plural string

// if you need to have the double quotes around the account name and group you will have to use %22

q: ( (pathname of system folder) & "\net.exe localgroup %22Administrators%22 %22" & it & "%22 /delete") of (members whose (it as string != "WIN-SMD2P7N3F49\Administrator" and it as string != "WIN-SMD2P7N3F49\user1" and it as string != "WIN-SMD2P7N3F49\user2") of local group "Administrators" as string)

A: C:\Windows\system32\net.exe localgroup "Administrators" "WIN-SMD2P7N3F49\jjones" /delete

A: C:\Windows\system32\net.exe localgroup "Administrators" "WIN-SMD2P7N3F49\bigfix" /delete

T: 4.676 ms

I: plural string

So your action might look something like this:

createfile until __EOF
@echo off
{( (pathname of system folder) & "\net.exe localgroup %22Administrators%22 %22" & it & "%22 /delete") of (members whose (it as string != "WIN-SMD2P7N3F49\Administrator" and it as string != "WIN-SMD2P7N3F49\user1" and it as string != "WIN-SMD2P7N3F49\user2") of local group "Administrators" as string)}
__EOF
move __createfile mybaatch.bat
rundettached cmd.exe /C mybatch.bat

WARNING: I have not actually tested the execution of this. Just creating the relevance.

NOTE: A good way to help troubleshoot if it fails is:

  1. Add a line that copies your "mybatch.bat" locally so you can see what is being written into it (run it manually and see what happens).

  2. Add 2&> "some_log.txt" at the end of the cmd.exe line to capture possible errors.

GOOD LUCK!

I tried the above action script
( (pathname of system folder) & "\net.exe localgroup Administrators " & it & " /delete") of (members whose (it as string != "WIN-SMD2P7N3F49\Administrator" and it as string != "WIN-SMD2P7N3F49\user1" and it as string != "WIN-SMD2P7N3F49\user2") of local group "Administrators" as string)

It didn’t work for me. Anyone tried? Please reply.

I suspect it is because of the hard coded computer name in the original. Try ends with instead.

createfile until __EOF
@echo off
{( (pathname of system folder) & "\net.exe localgroup %22Administrators%22 %22" & it & "%22 /delete") of (members whose (it as string does not end with  "\Administrator" and it as string does not end with  "\user1" and it as string does not end with "\user2") of local group "Administrators" as string)}
__EOF
move __createfile mybaatch.bat
rundettached cmd.exe /C mybatch.bat

I’m going to be in calls a while and can’t fix this now, but we’ll need some newlines in there for multiple results to put each command on its own line

Thanks @brolly33 I tried your script. It didn’t work. I will try again after making some changes.
@JasonWalker thank you for your response. Share your idea please when you get a chance. I want to remove all the accounts from local administrators group except the whitelisted.

@JasonWalker , Good call. There is also a typo mybaatch.bat vs mybatch.bat Also at least one case sensitivity issue.

@shakoor Try:

createfile until __EOF
@echo off
{concatenation "%0a%0d" of ( (pathname of system folder) & "\net.exe localgroup %22Administrators%22 %22" & it & "%22 /delete") of (members whose (it as string as lowercase does not end with "\administrator" and it as string as lowercase does not end with "\iamallowed" and it as string as lowercase does not end with "\user2") of local group "Administrators" as string)}
__EOF
move __createfile mybatch.bat
wait cmd.exe /C mybatch.bat

Tested on my BigFix 10 on Windows 2016 endpoint.


Thank you so much @brolly33, the script worked but there is just one issue. I added 3 users as whitelisted; the script ran successfully but it keeps only the Administrator user in the group and removes all others. I changed the sequence of users and also tried with 2 users but it only keeps Administrator. Any idea please?

@brolly33 I checked the batch file created by bigfix, here it is.
@echo off
C:\Windows\system32\net.exe localgroup "Administrators" "Administrator" /delete
C:\Windows\system32\net.exe localgroup "Administrators" "user1" /delete
C:\Windows\system32\net.exe localgroup "Administrators" "user2" /delete

Actually the operator "not equal to" or "does not end with" doesn't work. It adds all the users in the group and deletes them. Because we can't delete the default Administrator user from the group, I can see only Administrator in the group.

Can you post the current version of the ActionScript you are trying now? It looks like a mistake in your whose() clause but hard to be sure.

@JasonWalker The Bigfix version is 9.5.11.191. I used the same script as @brolly33 sent earlier.

createfile until __EOF
@echo off
{( (pathname of system folder) & "\net.exe localgroup %22Administrators%22 %22" & it & "%22 /delete") of (members whose (it as string does not end with "\Administrator" and it as string does not end with "\user1" and it as string does not end with "\user2") of local group "Administrators" as string)}
__EOF
move __createfile mybaatch.bat
rundettached cmd.exe /C mybatch.bat

That actionscript won’t create that batch file. Are you sure you’re using the latest one?

That’s the older version of the actionscript, that would have put all the batch commands on a single line.

Try brolly33’s later version, and be sure when you add your exceptions you’re entering the names in all-lowercase as he is casting the actual members with ‘as string as lowercase’ in the comparison.
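The allow-list comparison that brolly33's and JasonWalker's posts settle on (lower-cased "does not end with" checks, one quoted net.exe line per member), as an added Python example that is not the thread's relevance or any BigFix code: it builds the same batch body from a constructed member list so the matching rules can be checked before a fixlet is deployed, and additionally treats an allow-list entry that carries a host or domain prefix as an exact match rather than a suffix match. SYSTEM_FOLDER, the member and allow-list values and the helper names are assumptions.

```python
SYSTEM_FOLDER = r"C:\Windows\system32"  # stands in for {pathname of system folder}

def split_account(member):
    """'HOST\\Name' -> ('host', 'name'); bare 'Name' -> (None, 'name').
    Lower-cased, like the thread's 'as string as lowercase' cast."""
    domain, _, name = member.strip().lower().rpartition("\\")
    return (domain or None), name

def is_allowed(member, allowlist):
    """Bare entries ('user2' or '\\user2') keep that name from any host or
    domain, like 'does not end with'.  Prefixed entries ('CORP\\user1') keep
    only that exact account, so a same-named account from another domain is
    still removed (a stricter rule added here, not from the thread)."""
    dom, name = split_account(member)
    for entry in allowlist:
        edom, ename = split_account(entry)
        if ename == name and (edom is None or dom is None or edom == dom):
            return True
    return False

def members_to_remove(members, allowlist):
    """Members not covered by the allow-list, in reported order.  The built-in
    Administrator is skipped: the thread notes it cannot be removed from the
    group, so a delete for it only produces a net.exe error."""
    return [m for m in members
            if split_account(m)[1] != "administrator" and not is_allowed(m, allowlist)]

def build_batch(members, allowlist, system_folder=SYSTEM_FOLDER):
    """Body of the batch file the ActionScript writes with createfile: one
    quoted net.exe ... /delete per line, CRLF-terminated."""
    lines = ["@echo off"]
    for m in members_to_remove(members, allowlist):
        lines.append(f'"{system_folder}\\net.exe" localgroup "Administrators" "{m}" /delete')
    return "\r\n".join(lines) + "\r\n"

# Constructed sample of what 'members of local group "Administrators" as string' returns.
MEMBERS = ["WIN-SMD2P7N3F49\\Administrator", "WIN-SMD2P7N3F49\\user1",
           "CORP\\jjones", "WIN-SMD2P7N3F49\\bigfix", "user2", "CORP\\user1"]
ALLOWLIST = ["WIN-SMD2P7N3F49\\user1", "\\user2"]

if __name__ == "__main__":
    print(build_batch(MEMBERS, ALLOWLIST), end="")
```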

Thank you so much @JasonWalker and @brolly33. The script worked for me. Appreciated.


@JasonWalker I found one more issue. Here is the script that worked for me.

createfile until __EOF
@echo off
{concatenation "%0a%0d" of ( (pathname of system folder) & "\net.exe localgroup %22Administrators%22 %22" & it & "%22 /delete") of (members whose (it as string as lowercase does not end with "\administrator" and it as string as lowercase does not end with "\user1" ) of local group "Administrators" as string)}
__EOF
move __createfile mybatch.bat
wait cmd.exe /C mybatch.bat

If I run it the first time on a computer, it works fine. If I run it a second time on the same computer it fails until I remove the __createfile and mybatch.bat from C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\actionsite.

Here is the error I get in logs.
Command failed (Move of 'C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\actionsite\__createfile' to 'C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\actionsite\mybatch.bat' failed (0 - File error "class FileFoundError" on "C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\actionsite\mybatch.bat")) move __createfile mybatch.bat

Please, advise.

See https://developer.bigfix.com/action-script/reference/file/copy.html.
The second sentence of the first paragraph explains your issue.

Thank you. I added the delete commands at the end of script.