ninja-one/remove-local-admins.ps1
|
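# Removes every local *user* account from the local Administrators group except
# the names listed in $GoodAdmins, and disables the built-in Administrator
# account. Members of any other class are reported and left untouched.
#
# Exit codes: 0 = all changes applied, 1 = enumeration or at least one removal
# failed, or PowerShell 7 could not be installed/started.
#
# NOTE(review): nothing here checks that an account from $GoodAdmins actually
# exists and is enabled. If none does, the host may be left without a usable
# local administrator - confirm before a fleet-wide rollout.

begin {
    # The script needs PowerShell 7+ ($PSStyle is used below). On older hosts,
    # install PowerShell 7 if it is missing and re-run this script under pwsh.
    if (!($PSVersionTable.PSVersion.Major -ge 7)) {
        # Assume failure until the relaunched pwsh process reports its own exit
        # code. The earlier form exited with $LASTEXITCODE unconditionally, which
        # is not set when the install itself fails, so a failed bootstrap could
        # be reported as success.
        $exitCode = 1
        try {
            # Install PowerShell 7 if missing
            if (!(Test-Path "$env:SystemDrive\Program Files\PowerShell\7")) {
                Write-Output 'Installing PowerShell version 7...'
                # SECURITY NOTE(review): this downloads a script at run time and
                # executes it with the privileges of this session, without any
                # integrity check (no pinned version, hash or signature check).
                # A safer rollout is to deploy a pinned, hash-verified PowerShell 7
                # MSI through the management tool and drop this step. Left as is
                # on purpose; not silently replaced.
                Invoke-Expression "& { $( Invoke-RestMethod https://aka.ms/install-powershell.ps1 ) } -UseMSI -Quiet"
            }

            # Refresh PATH so a freshly installed pwsh can be found
            $env:Path = [System.Environment]::GetEnvironmentVariable('Path', 'Machine') + ';' + [System.Environment]::GetEnvironmentVariable('Path', 'User')

            # Restart script in PowerShell 7 and propagate its result
            pwsh -File "`"$PSCommandPath`"" @PSBoundParameters
            $exitCode = $LASTEXITCODE
        }
        catch {
            # Double quotes so that $_ (the caught error) is expanded in the message
            Write-Output "PowerShell 7 was not installed. Update PowerShell and try again: $_"
        }
        finally {
            exit $exitCode
        }
    }
    else {
        $PSStyle.OutputRendering = 'PlainText'
    }
}

process {
    # NOTE(review): the group is addressed by its English name; on localized
    # Windows installs the name differs (well-known SID S-1-5-32-544) - confirm.
    $GroupName = "Administrators"

    # Accounts that are allowed to stay in the local Administrators group
    $GoodAdmins = @("IT")

    # Number of members that should have been removed but could not be
    $failedRemovals = 0

    # Get local admins group using ADSI
    try {
        $group = [ADSI]"WinNT://./$GroupName"
        $members = @($group.Invoke("Members"))

        foreach ($member in $members) {
            $name = $member.GetType().InvokeMember("Name", 'GetProperty', $null, $member, $null)
            $class = $member.GetType().InvokeMember("Class", 'GetProperty', $null, $member, $null)

            # Only members of class 'User' are evaluated. Everything else keeps
            # its membership; log it so the run leaves an audit trail of who
            # still holds admin rights.
            if ($class -ne 'User') {
                Write-Host "Skipping non-user member ($class): $name"
                continue
            }

            if ($name -eq "Administrator") {
                # NOTE(review): matched by name only; a renamed built-in account
                # (RID 500) would not be recognised by this comparison.
                Write-Host "Disabling built-in Administrator account..."
                try {
                    $adminUser = [ADSI]"WinNT://./Administrator"
                    $adminUser.UserFlags.Value = $adminUser.UserFlags.Value -bor 0x2  # Set disabled flag (ADS_UF_ACCOUNTDISABLE)
                    $adminUser.SetInfo()
                    Write-Host "Successfully disabled Administrator account"
                }
                catch {
                    Write-Warning "Failed to disable Administrator account: $_"
                }
            }
            elseif ($GoodAdmins -contains $name) {
                # NOTE(review): $name is the bare account name read from the
                # member object, with no machine or domain qualifier. An account
                # from another authority that carries an allowlisted name would
                # presumably be kept as well; comparing SIDs would be unambiguous.
                Write-Host "Keeping admin: $name"
            }
            else {
                Write-Host "Removing admin: $name"
                try {
                    # -ErrorAction Stop turns a failed removal into a catchable
                    # error, so it is counted instead of being reported as success
                    Remove-LocalGroupMember -Group $GroupName -Member $name -ErrorAction Stop
                }
                catch {
                    Write-Warning "Failed to remove admin ${name}: $_"
                    $failedRemovals++
                }
            }
        }

        # Keep processing all members first, then fail the run as a whole
        if ($failedRemovals -gt 0) {
            throw "$failedRemovals member(s) could not be removed"
        }

        exit 0
    }
    catch {
        Write-Error "Failed to process administrators group: $_"
        exit 1
    }
}

end {
}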