Q:
Hello, script expert! How do I delete a group from the local Administrators Group?
-- SB
A:
Hello, SB. A script expert vaguely remembers a TV program from years ago named Branded. The protagonist (played by Chuck Connors) was accused of being a coward and dismissed from the U.S. Cavalry in disgrace. About all the script expert remembers is the opening of the show: the cavalry tore the epaulets off the soldier's uniform and broke his sword. Then he walked out of the fort in shame.
Why bring up this scene? No real reason. We just think it would be cool to hold a similar ceremony whenever a user or group is removed from the local Administrators group. Until such a ceremony can be implemented, however, you can use a script similar to the following to remove a group (in this example, an Active Directory group) from the local Administrators group:
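' Computer whose local Administrators group is being changed
strComputer = "atl-fs-01"
' Bind to the local Administrators group through the WinNT provider
Set objAdmins = GetObject("WinNT://" & strComputer & "/Administrators")
' Bind to the domain group that should be removed
Set objGroup = GetObject("WinNT://fabrikam/finance")
objAdmins.Remove(objGroup.ADsPath)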
Yes, it's very simple, isn't it? The script first assigns the name of the computer (in this example, atl-fs-01) to the variable named strComputer. The following line of code then binds to the local Administrators group on that computer:
Set objAdmins = GetObject("WinNT://" & strComputer & "/Administrators")
After obtaining an object reference to the Administrators group, our next task is to create another object reference, which is a reference to the group to be deleted. The following code is used to complete the task:
Set objGroup = GetObject("WinNT://fabrikam/finance")
Note that the old Windows NT naming convention, fabrikam/finance, is used to reference the group account. Why? Simple: to work with local users and groups we have to use the WinNT provider. The WinNT provider does not understand Active Directory naming and gets confused by object paths like this one:
CN=Finance Users,OU=Finance,DC=fabrikam,DC=com
Therefore, we have to fall back to the old account name format: domain name/login name. But that does not matter: fortunately, Active Directory also understands this naming convention. When we request the account fabrikam/finance, Active Directory knows exactly what we mean.
Note: this point has been raised before, but it is worth mentioning again: yes, you can use the WinNT provider to access objects in Active Directory. And yes, the object path is much simpler. But don't be tempted: use the WinNT provider only if absolutely necessary. Why? Well, for user accounts, for example, the LDAP provider normally used with Active Directory supports more than 200 attributes, while the WinNT provider supports only about 20. The LDAP provider is much more powerful and useful.
After obtaining the object reference to the group, all we need to do is call the Remove method to remove the group from the local Administrators group:
objAdmins.Remove(objGroup.ADsPath)
We still think it would be cool to tear the pocket protector off someone's shirt and break his stapler over our knee, but this will do.
Of course, the group you want to remove may not be an Active Directory group; it may be a local group. Will this be a problem? No. It's actually a little simpler. You only need to bind to the group account on the local computer and then remove it:
strComputer = "atl-fs-01"
Set objAdmins = GetObject("WinNT://" & strComputer & "/Administrators")
' A local group lives on the computer itself, so its path starts with the computer name
Set objGroup = GetObject("WinNT://" & strComputer & "/finance")
objAdmins.Remove(objGroup.ADsPath)
By the way, removing a group from a group works exactly the same way as removing a user from a group: bind to the target group (in this example, the local Administrators group), bind to the object to be removed (whether it is a group or a user), and then call the Remove method, passing the ADsPath of the account to be removed as the sole parameter.
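
An added example, not part of the original column: a more defensive version of the script above that lists the current members of the local Administrators group, removes the group only if it is actually a member, and re-binds afterwards to confirm the removal. The computer and group names are the article's sample values; the exit codes and the ",group" class hint in the path are choices made for this example.

```vbscript
Option Explicit

' Sample values from the article; change them for your environment.
Const COMPUTER = "atl-fs-01"
Const TARGET   = "WinNT://fabrikam/finance"   ' ADsPath of the group to remove

Dim objAdmins, objMember

' ",group" tells the WinNT provider which object class to bind to.
Set objAdmins = GetObject("WinNT://" & COMPUTER & "/Administrators,group")

' Record who holds local administrator rights before changing anything.
WScript.Echo "Members of Administrators on " & COMPUTER & " before the change:"
For Each objMember In objAdmins.Members
    WScript.Echo "  " & objMember.Class & vbTab & objMember.ADsPath
Next

' IsMember and Remove both take the ADsPath string of the account.
If Not objAdmins.IsMember(TARGET) Then
    WScript.Echo TARGET & " is not a member; nothing to remove."
    WScript.Quit 0
End If

' Trap the error instead of letting the script stop with an
' unhandled run-time error (for example, access denied).
On Error Resume Next
objAdmins.Remove TARGET
If Err.Number <> 0 Then
    WScript.Echo "Remove failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

' Re-bind and check again so the result reflects the computer's
' current state rather than the object we already hold.
Set objAdmins = GetObject("WinNT://" & COMPUTER & "/Administrators,group")
If objAdmins.IsMember(TARGET) Then
    WScript.Echo "Verification failed: " & TARGET & " is still a member."
    WScript.Quit 2
End If

WScript.Echo "Removed " & TARGET & " from Administrators on " & COMPUTER & "."
```

Run it with cscript.exe from an account that has administrative rights on the target computer, and keep the "before" listing as a record of the change.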