Standard user in computer - group-policy

I have 100 computers that connect to the domain. On every computer the domain users are defined as administrators on the local computer.
I want all users on computers that are assigned to the domain to be standard users, not administrators.
How can I do it in group policy? Is there another way?

rem Enumerate local account names (skip the "Name" header line of the wmic output)
for /f "skip=1" %%a in ('wmic UserAccount get Name') do (
    if not "%%a"=="" (
        rem Make sure the account is a standard user, then drop its local admin rights
        net localgroup Users "%%a" /add
        net localgroup Administrators "%%a" /delete
    )
)

Related

Robocopy script that takes ownership and gives it back

I am currently migrating from a Unix FS to a Windows FS and I need to copy user folders.
I have created a robocopy script that is very simple with a few kinks here and there.
My script:
@echo off
set /p username=Enter Username to start copying files:
echo %username%
rem Take ownership as the migrating admin so every file can be read
takeown /f \\UNIXFS\users$\%username%\* /r /D N
timeout /t 3
robocopy \\UNIXFS\users$\%username% \\WINDOWSFS\Production$\%username% /S /E /B /Z /ZB /MT:64 /V /TEE /ETA /TS /R:5 /W:1 /BYTES /X /DEBUG /LOG:C:\Robocopy\%username%.log
timeout /t 3
rem Give the user full control of the migrated tree
icacls \\WINDOWSFS\Production$\%username%\* /grant:r domain\%username%:(OI)(CI)F /T
pause
I have an input section asking me which user I would like to start copying files from and to.
I take ownership from the user as the current domain admin, copy the files and give the user full permissions on the folder.
But the ownership is still the domain admin's and not the user chosen in the input.
Therefore I have created a separate single-command-line bat file that takes ownership of the folder when I log in to the user's account.
Take ownership script to run for the migrated user:
takeown /F \\WindowsFS\Production$\%username%\* /r /D Y
Is there a way I can combine these two scripts into one and just run it as a single script?
I have tried to just combine them both, but the last takeown command just gives ownership to the user that runs the script; when you have to do this for a lot of users you don't want to manually input or run the takeown script one by one on all machines.
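Added example (not the poster's script): a PowerShell loop that migrates a list of user folders and then hands ownership to each user with icacls /setowner from the admin session, so no logon as the user and no second takeown run are needed. The share paths, the DOMAIN name, the users.txt list and the C:\Robocopy log folder are placeholders.

```powershell
$src    = '\\UNIXFS\users$'
$dst    = '\\WINDOWSFS\Production$'
$domain = 'DOMAIN'

foreach ($user in Get-Content -Path '.\users.txt') {
    $user = $user.Trim()
    if (-not $user) { continue }

    # Take ownership as the migrating admin so every source file can be read
    # (robocopy /B uses backup privilege for the same reason).
    takeown /F "$src\$user" /R /D N | Out-Null
    robocopy "$src\$user" "$dst\$user" /E /B /ZB /MT:64 /R:5 /W:1 "/LOG:C:\Robocopy\$user.log" | Out-Null
    # robocopy exit codes of 8 and above mean at least one failure
    if ($LASTEXITCODE -ge 8) {
        Write-Warning "robocopy failed for $user (exit code $LASTEXITCODE)"
        continue
    }

    # Grant the user full control, then make the user the owner of the whole tree.
    icacls "$dst\$user" /grant:r "$domain\${user}:(OI)(CI)F" /T /C | Out-Null
    icacls "$dst\$user" /setowner "$domain\$user" /T /C | Out-Null
}
```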

How can I delete the contents of the spool\PRINTERS directory remotely via PowerShell without WinRM

I need to be able to pass credentials through; I have local administrator credentials for the remote machine.
I only need to target one machine at a time, which will be manually specified in a function, and the IP will be assigned as a $Global:var.
I can use WMI-GetObject and stop/start the printer spool service, but cannot figure out a way to delete the remote files while passing credentials without using invoke, which doesn't work as WinRM is not enabled (and cannot be by policy).
Thank you for any help you can offer.
I have a test setup I can test on as much as needed.
Also let me know if this would suit SuperUser more than StackOverflow.
In the end I could not find a solution in PowerShell itself, so I defaulted to a co-located batch file to handle the Windows file operations and called the batch file from PowerShell with
start-process -Wait "cmd.exe" "/c c:\powershell\clearspool.bat"
The batch file is below:
@ECHO off
rem Set up the remote server ip
set User=administrator
set /p Server=Enter Server IP:
set /p Password=Enter Admin Password:
rem Mount the remote path
net use \\%Server%\c$\Windows\System32\spool %Password% /USER:%User%
rem Delete the spooled files (/Q suppresses the "Are you sure?" prompt for a directory target)
del /S /F /Q \\%Server%\c$\Windows\System32\spool\PRINTERS
rem Unmount the remote path
net use \\%Server%\c$\Windows\System32\spool /delete
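Added example (not the poster's code): the same cleanup done entirely in PowerShell over SMB and DCOM/WMI, with no WinRM and without the password appearing on a command line. It assumes $Global:Server holds the target IP, as described in the question, and that the admin share is reachable.

```powershell
$Server = $Global:Server
$cred   = Get-Credential -Message "Local administrator on $Server"

# Stop the spooler through WMI (DCOM), which accepts explicit credentials.
$spooler = Get-WmiObject -Class Win32_Service -ComputerName $Server `
    -Credential $cred -Filter "Name='Spooler'"
$null = $spooler.StopService()
Start-Sleep -Seconds 3

# Map the admin share with the same credential object; unlike "net use"
# with %Password%, the secret is never part of a process command line.
New-PSDrive -Name Spool -PSProvider FileSystem -Credential $cred `
    -Root "\\$Server\c$\Windows\System32\spool\PRINTERS" | Out-Null
try {
    Get-ChildItem -Path 'Spool:\' -File -Force | Remove-Item -Force
} finally {
    # Always unmap and restart the spooler, even if a delete failed.
    Remove-PSDrive -Name Spool
    $null = $spooler.StartService()
}
```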

Rename/unjoin a computer from a domain, that isn't on the domain

Working on a script that will be run on a clone of a VM. When cloned out, the IP settings switch from static to DHCP and the name/domain remain the same as the source. Parts of my script require that the VM be on the domain to run, however, I can't just set an open IP on the NIC, since it will then update DNS with the new IP, disable the computer object in AD and break the trust relationship.
Normally, through windows, I join a workgroup [remove from domain] and the OS is happy, just wants a reboot. I can then set the IP on the NIC, change the name and set it to join back to the domain before another reboot. I then have 2 of the same machine, different names and IP addresses without any conflicts.
I am at an impasse at getting this accomplished with PowerShell though. I can't rename or join a workgroup unless I am on the domain. I thought workflows would be the answer, but after reading a little bit on it, I am not so sure anymore.
So this is more of a workflow Q than actual code and any feedback is appreciated.
The WMI command line works and gives me a starting point.
@echo off
start /B /W wmic.exe /interactive:off ComputerSystem Where "Name='%computername%'" Call UnJoinDomainOrWorkgroup FUnjoinOptions=0
start /B /W wmic.exe /interactive:off ComputerSystem Where "Name='%computername%'" Call JoinDomainOrWorkgroup name="WORKGROUP"
start /B /W wmic.exe /interactive:off ComputerSystem Where "Name='%computername%'" Call Rename name="standaloneComputer"
shutdown.exe /r /t 0 /f
I use the following procedure when dealing with cloned Windows VMs:
Start the clone with disconnected network interface(s).
Remove non-present network adapters.
Assign new IP address(es) to the remaining network adapter(s).
$wmi = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled='true'"
$wmi.EnableStatic('192.168.23.42', '255.255.255.0')
$wmi.SetGateways('192.168.23.1', 1)
$wmi.SetDNSServerSearchOrder(('192.168.23.13', '192.168.23.14'))
Rename the computer and remove it from the domain.
Reboot.
Reconnect the interface(s).
Join the renamed computer back to the domain.
Note: Make sure the clone has a local admin account that you can log in with while the domain is not accessible.

for /f is not working in .bat file but it works with command prompt in windows 2003

for /f "tokens=1-7 delims=,: " %a in ('query user ^| find /i "disc"') do logoff %b
The above code is used to log off remote desktop users whose state is "Disconnected" in Windows 2003. It works perfectly when I run it at the command prompt, but it will not run when I put it in a .bat or .cmd file in Windows 2003. So may I know where I am going wrong?
Inside batch files the percent signs used in the for replaceable parameters need to be escaped:
for /f "tokens=1-7 delims=,: " %%a in ('query user ^| find /i "disc"') do logoff %%b
User585,
Yes, in order to implement the for loop inside a bat/cmd session, you need to write the variable as
%%a
like this:
for /f %%a in (.\hosts) do quser /server:\\%%a

Automatically logon user when another user logs out using PowerShell

I am building a Windows embedded kiosk application that automatically logs in a default user on boot and launches the kiosk application. Once this occurs, the user cannot interact with any windows features, only the kiosk application.
However, when an admin comes to work on the system, he can log out of the default windows user account and log into a windows admin account. When the admin manually logs out, I want to automatically log the default user back in, and launch the kiosk application.
I have been searching for a couple of hours on how to accomplish this with no luck. I am thinking of a PowerShell logoff script or something similar, but have no idea how to implement it (I have no PowerShell experience). Does anyone have an idea on how to accomplish this?
Note: I already know how to automatically log in the default user and launch the kiosk app on computer startup (using group policy editor). I am only asking how to do the same thing when the admin logs off.
Create a logoff script with the following registry keys. It doesn't have to be PowerShell; this code would work for a normal command line batch script. The username is "user" and the password is "user":
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUsername /t REG_SZ /d user /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d user /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v ForceAutoLogon /t REG_SZ /d 1 /f
If you have a "welcome message", you will still have to click OK to fully log in, though.
Here is how you create a logoff script: http://technet.microsoft.com/en-us/magazine/dd630947.aspx
You can put a PS script in the Local Group Policy Editor (logoff script). You have to:
Make a script that checks which user is logged in.
And if it is the admin you can use shutdown -s so it will restart the PC and auto-login the user.
Then it's what you want, only with an unnecessary reboot.
Be careful: if your script is wrong about the user check (= admin), you cannot log off the user and you can't get to the admin anymore!