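<#
.SYNOPSIS
    Disables all local admins if joined to domain or AzureAD

.DESCRIPTION
    Checks to see if computer is either joined to an AD domain or Azure AD. If it is, it disables all local admin accounts. If not joined to domain/AzureAD, leaves local admin accounts in place

.OUTPUTS
    Results are printed to the console.
    A warning is written if any local account is still enabled after the disable step.

.NOTES
    Change Log
    5/12/2021 V1.0 Initial release

    Contributed by: https://github.com/dinger1986

    NOTE(review): the pipeline below acts on every enabled account returned by
    Get-LocalUser, not only on members of the local Administrators group, so
    any locally managed recovery or break-glass account is disabled as well.
    Confirm that a domain/Azure AD administrative sign-in path works before
    deploying this broadly.

    Disable-LocalUser needs an elevated session. Errors are suppressed by
    $ErrorActionPreference, so the script re-reads the account list afterwards
    and warns about accounts that are still enabled instead of failing silently.
#>

# Best-effort run: a failing cmdlet (or a missing dsregcmd) must not abort the script.
$ErrorActionPreference = 'SilentlyContinue'

# @() forces an array so .Count is reliable for zero or one result.
$enabledUsers = @(Get-LocalUser | Where-Object Enabled)

if ($enabledUsers.Count -gt 0) {
    # Read the join state once and test both flags against the same output.
    # If dsregcmd produces nothing, the machine is treated as not joined and
    # the local accounts are left alone.
    $joinState = dsregcmd /status
    $isJoined = [bool]($joinState | Where-Object { $_ -match '(DomainJoined|AzureAdJoined) : YES' })

    if ($isJoined) {
        Write-Output "Removing Local Admins"
        $enabledUsers | Disable-LocalUser

        # Report the resulting state from a fresh query, not from the cached list.
        $usersAfter = @(Get-LocalUser)
        $usersAfter | Select-Object Name, Enabled

        # Suppressed errors (for example a non-elevated session) would otherwise
        # leave accounts enabled with no indication in the output.
        $stillEnabled = @($usersAfter | Where-Object Enabled)
        if ($stillEnabled.Count -gt 0) {
            Write-Warning ("Local accounts still enabled after Disable-LocalUser: " + ($stillEnabled.Name -join ', '))
        }
    }
    else {
        Write-Output "Machine not on Domain so leaving local admins"
        Get-LocalUser | Select-Object Name, Enabled
    }
}
else {
    Write-Output "No local Users"
}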