Last active
January 31, 2023 22:43
-
-
Save Smalls1652/88a5f1bf835fa5e8437687f3171b33c4 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <#PSScriptInfo | |
| .VERSION | |
| 2023.01.00 | |
| .GUID | |
| af323a90-27a4-4e19-ad07-8cdb3a574364 | |
| .AUTHOR | |
| Tim Small | |
| .COMPANYNAME | |
| Smalls.Online | |
| .COPYRIGHT | |
| 2023 | |
| #> | |
| <# | |
| .SYNOPSIS | |
| Removes users from the local admins group. | |
| .DESCRIPTION | |
| Removes any user who is not a "local user" (Eg. A domain user) from the local "Administrators" group. | |
| .PARAMETER ExcludeExecutingUser | |
| Excludes the user who is excuting the script from being removed. | |
| .NOTES | |
| Any user who was already logged into the machine while the script is running, will not have their change in rights reflected until they log off the device. | |
| #> | |
| [CmdletBinding(SupportsShouldProcess)] | |
| param( | |
| [Parameter(Position = 0)] | |
| [switch]$ExcludeExecutingUser | |
| ) | |
| class UserItem { | |
| [System.Security.Principal.NTAccount]$NTAccount | |
| [string]$DomainName | |
| [string]$UserName | |
| [System.Security.Principal.SecurityIdentifier]$SID | |
| UserItem ([Microsoft.Management.Infrastructure.CimInstance]$inputItem) { | |
| # If the internal CimClassName is not "Win32_GroupUser", throw an error. | |
| if ($inputItem.CimClass.CimClassName -ne "Win32_GroupUser") { | |
| throw [System.Exception]::new("Invalid CimClass for input item.") | |
| } | |
| $this.DomainName = $inputItem.PartComponent.Domain | |
| $this.UserName = $inputItem.PartComponent.Name | |
| $this.NTAccount = [System.Security.Principal.NTAccount]::new($this.DomainName, $this.UserName) | |
| $this.SID = $this.NTAccount.Translate([System.Security.Principal.SecurityIdentifier]) | |
| } | |
| } | |
| # Get users in the local "Administrators" group. | |
| # We have to use the CIM class because of a known issue with 'Get-LocalGroupMember'. | |
| Write-Verbose "Getting users in the local 'Administrators' group." | |
| $localAdminsGroup = Get-LocalGroup -Name "Administrators" | |
| $localAdminsGroupMembers = Get-CimInstance -Namespace "root/cimv2" -Query "SELECT * FROM Win32_GroupUser WHERE GroupComponent = `"Win32_Group.Name='$($localAdminsGroup.Name)',Domain='$($env:COMPUTERNAME)'`"" -Verbose:$false | |
| # Filter out local users. | |
| Write-Verbose "Filtering out local users." | |
| $nonLocalUserAdmins = switch ($ExcludeExecutingUser) { | |
| $true { | |
| # If '-ExcludeExecutingUser' was provided, | |
| # then don't include the user executing the script. | |
| $localAdminsGroupMembers | Where-Object { $PSItem.PartComponent.Domain -ne $env:COMPUTERNAME -and $PSItem.PartComponent.Name -ne $env:USERNAME } | ForEach-Object { [UserItem]::new($PSItem) } | |
| break | |
| } | |
| Default { | |
| # If '-ExcludeExecutingUser' was not provided, | |
| # then include the user executing the script. | |
| $localAdminsGroupMembers | Where-Object { $PSItem.PartComponent.Domain -ne $env:COMPUTERNAME } | ForEach-Object { [UserItem]::new($PSItem) } | |
| break | |
| } | |
| } | |
| # Remove each found user from the local "Administrators" group. | |
| foreach ($userItem in $nonLocalUserAdmins) { | |
| if ($PSCmdlet.ShouldProcess($userItem.NTAccount.Value, "Remove from local 'Administrators' group")) { | |
| Remove-LocalGroupMember -Group $localAdminsGroup -Member $userItem.SID.Value | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment