Ask:
Hello, Scripting Guy! How do I remove a group from a local Administrators group?
--SB
For:
Hello, SB. One of the Scripting Guys vaguely remembers the early days of a television show called Branded, in which the protagonist (played by Chack Connas) was accused of being a coward and dismissed from the American cavalry in disgrace. Almost all the Scripting Guys remember its beginning: The cavalry tore the badge off the soldier's uniform and broke its sword by 10 percent, then trotted out of the fort in disgrace.
Why do we have to remember this scene? There's no real reason, we just think it would be cool to hold a similar ritual whenever a user or group is removed from a local Administrators group. However, before this ideal implementation, you can use a script similar to the following to remove a group (in this case, an Active Directory group) from the local Administrators group:
Copy Code code as follows:
StrComputer = "atl-fs-01"
Set objadmins = GetObject ("winnt://" & StrComputer & "/administrators")
Set Objgroup = GetObject ("Winnt://fabrikam/finance")
Objadmins.remove (Objgroup.adspath)
Yes, it's very simple, isn't it? This script first assigns the computer's name (in this case, atl-fs-01) to a variable named StrComputer. We can then use this line of code to bind to the local Administrators group on that computer:
Set objadmins = GetObject ("winnt://" & StrComputer & "/administrators")
After getting an object reference to the Administrators group, our next task is to create another object reference, which is a reference to the group that will be deleted. The following line of code is used to complete the task:
Set Objgroup = GetObject ("Winnt://fabrikam/finance")
Note that we use the old-fashioned Windows NT naming convention when referencing group accounts: Fabrikam/finance. Why would that be? Simple: to operate on local users and groups, we have to use the WinNT provider. The WinNT provider does not understand Active Directory terminology and is confused with object paths similar to the following:
Cn=finance Users, Ou=finance, Dc=fabrikam, dc=com
Therefore, we have to step back with the old account name: Domain name/login name. But it doesn't matter: Fortunately, Active Directory also understands this naming convention. When we request an account fabrikam/finance, Active Directory knows all about our words.
Note: This question has been raised before, but it is worth proposing again: Yes, you can use the WinNT provider to access objects in Active Directory. Also, the object path is much simpler, which is true. But do not take the risk: Use the WinNT provider only when absolutely necessary. Why do you say that? Well, for example, for a user account, the LDAP provider typically used to collaborate with Active Directory supports more than 200 properties, while the WinNT provider supports only about 20 properties. LDAP providers are much more powerful and useful.
When we get an object reference to a group, all we have to do is call the Remove method and remove the group from the local Administrators group:
Objadmins.remove (Objgroup.adspath)
We still think it would be cool to rip off the pocket protection bag on the man's shirt and then break his book with his knee, but that's a goal.
Of course, the group you want to delete may not be an Active Directory group, but may be a local group. Is this going to be a problem? No, actually it's a little bit simpler. Simply bind to the group account on the local machine and then delete it:
StrComputer = "atl-fs-01"
Set objadmins = GetObject ("winnt://" & StrComputer & "/administrators")
Set Objgroup = GetObject ("Winnt://finance")
Objadmins.remove (Objgroup.adspath)
By the way, the process of removing another group from one group is exactly the same as deleting a user from a group: binding to the target group (in this case, the local Administrators group), binding to the object to be deleted, whether it is a group or a user, and then calling the Remove method, The ADsPath that will delete the account is passed as a unique parameter.
