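<#
.SYNOPSIS
    Enforce an allow-list of members for the local Administrators group.

.DESCRIPTION
    Every member of the local Administrators group that is not on the allow-list
    is removed, every allow-listed account that is missing is added, and the
    resulting membership is verified. On success a marker key is written under
    HKLM so the deployment tool (the original targets SCCM) can detect
    completion; on any remaining mismatch the script exits with status 1 so the
    deployment is reported as failed rather than as a silent success.

    Membership changes go through the WinNT ADSI provider for both removal and
    addition, so account names longer than the limit of the `net localgroup`
    command are handled the same way as short ones. Each change is written to
    stdout so the action is auditable in the deployment log; removals are the
    destructive step, so a wrong allow-list entry means an account is dropped
    from Administrators.

    Must run elevated.
#>

# ---- Configuration ---------------------------------------------------------

$Computer   = $env:COMPUTERNAME
$AdminGroup = 'Administrators'

# Accounts that may remain in Administrators. Domain accounts are written as
# DOMAIN\Name; an entry without a backslash is treated as a local account on
# this computer. Comparison is case-insensitive.
# NOTE(review): the DOMAIN\Name separators below were reconstructed from a
# listing in which the backslashes had been lost -- confirm every entry
# against the intended policy before deployment, because anything not listed
# here is removed from the group.
$AllowedMembers = @(
    'AAC\A-SCCMClientAdmin',
    'AAC\Domain Admins',
    'AAC\USG-AAC-LocalAdmins',
    'Administrator'
)

# Registry key created on success (the deployment tool's detection marker).
# NOTE(review): path separators reconstructed the same way -- confirm the key
# matches the detection rule configured on the deployment side.
$MarkerKey = 'HKLM:\Software\SCCM_Deploy\RemoveUntrustedAdmin'

# ---- Helpers -----------------------------------------------------------------

#######################################
# Converts DOMAIN\Name into the WinNT ADsPath form WinNT://DOMAIN/Name.
# The pattern '\\' is a regex escape for one literal backslash; a bare '\' is
# not a valid .NET regex and makes -replace throw.
#######################################
function ConvertTo-AdsPath {
    param([string]$Account)
    return 'WinNT://' + ($Account -replace '\\', '/')
}

#######################################
# Returns the current members of an ADSI group as DOMAIN\Name strings.
# Local accounts are returned as COMPUTER\Name so they compare equal to the
# normalised allow-list.
# NOTE(review): the WinNT ADsPath of a local account may carry an extra leading
# domain/workgroup segment (WinNT://DOMAIN/COMPUTER/Name) while a domain account
# has two segments (WinNT://DOMAIN/Name); the last two segments are used so both
# shapes normalise the same way -- confirm on the target OS. A member with a
# single-segment path (e.g. an orphaned SID) is reported as COMPUTER\<segment>.
#######################################
function Get-GroupMemberNames {
    param(
        $Group,
        [string]$ComputerName
    )
    $members = @($Group.psbase.Invoke('Members'))
    foreach ($member in $members) {
        $adsPath = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        [string[]]$parts = ($adsPath -replace '^WinNT://', '') -split '/'
        if ($parts.Length -ge 2) {
            '{0}\{1}' -f $parts[-2], $parts[-1]
        } else {
            '{0}\{1}' -f $ComputerName, $parts[-1]
        }
    }
}

# ---- Main --------------------------------------------------------------------

$ADSI      = [ADSI]"WinNT://$Computer"
$ADSIGroup = $ADSI.Children.Find($AdminGroup, 'Group')

# Normalise the allow-list to DOMAIN\Name so it compares directly with the
# member names returned by Get-GroupMemberNames.
$Wanted = @(foreach ($entry in $AllowedMembers) {
    if ($entry -like '*\*') { $entry } else { "$Computer\$entry" }
})

# Pass 1: remove members that are not allow-listed.
$Current  = @(Get-GroupMemberNames -Group $ADSIGroup -ComputerName $Computer)
$ToRemove = @($Current | Where-Object { $Wanted -notcontains $_ })
foreach ($account in $ToRemove) {
    Write-Output "Removing '$account' from $AdminGroup"
    try {
        $ADSIGroup.Remove((ConvertTo-AdsPath -Account $account))
    } catch {
        # Keep going; the final verification below reports anything still wrong.
        Write-Warning "Failed to remove '$account': $($_.Exception.Message)"
    }
}

# Pass 2: add allow-listed accounts that are missing (re-read so the list
# reflects the state after pass 1).
$Current = @(Get-GroupMemberNames -Group $ADSIGroup -ComputerName $Computer)
$ToAdd   = @($Wanted | Where-Object { $Current -notcontains $_ })
foreach ($account in $ToAdd) {
    Write-Output "Adding '$account' to $AdminGroup"
    try {
        $ADSIGroup.Add((ConvertTo-AdsPath -Account $account))
    } catch {
        Write-Warning "Failed to add '$account': $($_.Exception.Message)"
    }
}

# Verification: membership must now equal the allow-list exactly.
$Final   = @(Get-GroupMemberNames -Group $ADSIGroup -ComputerName $Computer)
$Extra   = @($Final  | Where-Object { $Wanted -notcontains $_ })
$Missing = @($Wanted | Where-Object { $Final  -notcontains $_ })

if ($Extra.Count -eq 0 -and $Missing.Count -eq 0) {
    # -Force creates any missing parent keys; Set-ItemProperty on '(default)'
    # keeps re-runs idempotent where New-Item would fail on an existing key.
    if (-not (Test-Path -LiteralPath $MarkerKey)) {
        New-Item -Path $MarkerKey -Force | Out-Null
    }
    Set-ItemProperty -LiteralPath $MarkerKey -Name '(default)' -Value 'Success'
    Write-Output "$AdminGroup membership matches the allow-list."
    exit 0
} else {
    if ($Extra.Count   -gt 0) { Write-Warning ("Still present but not allowed: " + ($Extra   -join ', ')) }
    if ($Missing.Count -gt 0) { Write-Warning ("Allowed but still missing: "     + ($Missing -join ', ')) }
    # Non-zero so the deployment tool records a failure instead of a success.
    exit 1
}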