<#
.SYNOPSIS
This script removes local administrators from the "Administrators" group on a specified computer via PowerShell remoting (PS-Remote).
.DESCRIPTION
- Prompts the user to input a computer name.
- Establishes a remote PowerShell session to the specified computer using the provided credentials.
- Retrieves all members of the "Administrators" group on the target computer.
- Removes all administrators except those explicitly listed in the `$ignoredAdministrators` variable.
- Skips built-in accounts like "Administrator" for safety.
.PARAMETER ignoredAdministrators
- Script-level list of account or group names that are never removed from the group; names are compared after any DOMAIN\ or COMPUTER\ prefix is stripped.
- In this version the list is hard-coded inside the scriptblock that runs on the target computer, so it must be edited there.
.PARAMETER CREDENTIAL_USERNAME
- Username used to authenticate the remote session; only the username is kept in the script, the password is prompted for when the session is opened.
- The account must hold local administrator rights on the target computer.
.NOTES
- Ensure PowerShell remoting (WinRM) is configured and enabled on the target machine, and that the firewall allows the WinRM listener port (TCP 5985/5986 by default).
- This script requires sufficient permissions to modify group membership on the target machine.
- The removal is destructive and is not undone by this script: record the current membership (Get-LocalGroupMember -Group Administrators) before running it.
- The account used for the session is not protected automatically; if it is a local administrator and is not covered by the ignore list, the script strips its own rights on the target.
.EXAMPLE
# Run the script
Start-RemovalProcess
# Enter the computer name when prompted to initiate the admin removal process.
# The `$ignoredAdministrators` array determines which accounts/groups are excluded from removal.
# Ensure `$CREDENTIAL_USERNAME` is set to a user with local administrator privileges on the target machine.
#>
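# Username for the remote session. Leave empty to be prompted for the whole
# credential; otherwise only the password is prompted for. Never put a
# password in this file - the script only ever stores the username.
$CREDENTIAL_USERNAME = ""
# Members of the target's local Administrators group that are never removed.
# Referenced by Start-RemovalProcess; previously used there without ever being
# assigned. Matched on the bare name (DOMAIN\ prefix stripped). Note the remote
# scriptblock in Invoke-LocalAdminRemoval also carries its own copy of this list.
$IGNORED_ADMINISTRATORS = @("Domain Admins", "Administrator")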
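Function Read-ComputerName {
    <#
    .SYNOPSIS
    Prompts for the remoting target and returns it, or $null when nothing usable was typed.
    .OUTPUTS
    [string] the trimmed computer name, or $null for empty / whitespace-only input.
    #>
    $typed = Read-Host -Prompt "Please enter the computer name for ps-remote"
    if ([string]::IsNullOrWhiteSpace($typed)) {
        return $null
    }
    # Surrounding whitespace would otherwise be handed to New-PSSession as part of the host name.
    return $typed.Trim()
}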
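Function Invoke-PSSession {
    <#
    .SYNOPSIS
    Opens a PowerShell remoting session to $computerName and returns it, or $null on failure.
    .PARAMETER computerName
    Target host name. An empty or whitespace name returns $null without touching the network.
    .PARAMETER credential
    Credential for the session. A PSCredential is used as-is; a plain username
    string is also accepted, in which case the Credential() transformation
    prompts for the password instead of passing an untyped value through.
    .OUTPUTS
    The opened PSSession, or $null if the session could not be created or did not reach the 'Opened' state.
    #>
    param(
        [string]$computerName,
        [System.Management.Automation.Credential()]
        [System.Management.Automation.PSCredential]$credential
    )
    if ([string]::IsNullOrWhiteSpace($computerName)) {
        Write-Host "No computer name given; not opening a PS-Remote session." -ForegroundColor Red
        return $null
    }
    $session = $null
    try {
        # -ErrorAction Stop turns a connect failure into an exception so the
        # reason is reported instead of silently ending up with $null.
        $session = New-PSSession -ComputerName $computerName -Credential $credential -ErrorAction Stop
    }
    catch {
        Write-Host "Failed to open PS-Remote session to $($computerName): $($_.Exception.Message)" -ForegroundColor Red
        return $null
    }
    if ($session -and $session.State -eq 'Opened') {
        return $session
    }
    # Created but not usable: dispose it rather than leaking a half-open session.
    if ($session) {
        Remove-PSSession -Session $session -ErrorAction SilentlyContinue
    }
    return $null
}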
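Function Invoke-LocalAdminRemoval {
    <#
    .SYNOPSIS
    Removes every member of the target's local Administrators group that is not
    protected, over an already opened PSSession.
    .PARAMETER session
    An opened PSSession (see Invoke-PSSession). $null is reported and nothing is done.
    .PARAMETER ignoredAdmins
    Account or group names (compared without their DOMAIN\ prefix) that must stay
    in the group. When $null or empty, the default list of "Domain Admins" and
    "Administrator" is used. The list is now actually forwarded across the
    remoting hop; previously the parameter was accepted but never used.
    .NOTES
    Destructive and not reversible by this script. In addition to the name
    check, the built-in Administrator (RID 500) and Domain Admins (RID 512) are
    protected by SID, so a renamed built-in account is never removed. The
    account that owns the session is NOT protected automatically: put it in
    $ignoredAdmins or it loses its own rights on the target.
    #>
    param(
        [PSCustomObject]$session,
        [Array]$ignoredAdmins
    )
    if ($null -eq $session) {
        # The previous message interpolated $session.ComputerName, which is always empty here.
        Write-Host "Could not start PS-Remote session: no open session was supplied." -ForegroundColor Red
        return
    }
    if (-not $ignoredAdmins -or $ignoredAdmins.Count -eq 0) {
        $ignoredAdmins = @("Domain Admins", "Administrator")
    }
    Write-Host "Invoking Command Script Block..."
    Invoke-Command -Session $session -ScriptBlock {
        # $using: carries the caller's list across the remoting hop; the
        # scriptblock runs on the target and cannot see the caller's variables.
        $ignoredAdministrators = @($using:ignoredAdmins)
        $members = @(Get-LocalGroupMember -Group "Administrators")
        if ($members.Count -le 0) {
            Write-Host "There are no objects under the Administrators group for this computer: $env:ComputerName" -ForegroundColor Yellow
            return
        }
        foreach ($member in $members) {
            $fullName = $member.Name
            # Strip the DOMAIN\ or COMPUTER\ prefix so the ignore list can hold bare names.
            $adminName = $fullName -replace '^.*\\', ''
            # Well-known RIDs: 500 = built-in Administrator, 512 = Domain Admins.
            # Matching the SID protects these even when they have been renamed.
            $isWellKnown = "$($member.SID)" -match '-(500|512)$'
            if ($ignoredAdministrators -contains $adminName) {
                Write-Host "Ignoring Group: $($adminName)" -ForegroundColor Yellow
                continue
            }
            if ($adminName -eq 'Administrator' -or $isWellKnown) {
                Write-Host "Skipping built-in account: $($fullName)" -ForegroundColor Yellow
                continue
            }
            Write-Host "Removing Group: $($fullName)" -ForegroundColor Red
            # Passing the principal object (not the display name) avoids a second name
            # lookup. A failed removal is reported by the cmdlet and the loop continues.
            Remove-LocalGroupMember -Group "Administrators" -Member $member
        }
    }
}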
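Function Start-RemovalProcess {
    <#
    .SYNOPSIS
    Entry point: prompt for a target, open a session, strip unprotected local
    administrators, then close the session.
    .NOTES
    Aborts before touching the network when no computer name is entered or the
    credential prompt is cancelled. The credential is collected with
    Get-Credential so a real PSCredential - not a bare username string - is
    handed to Invoke-PSSession; $CREDENTIAL_USERNAME, when set, only pre-fills
    the username. $IGNORED_ADMINISTRATORS is forwarded as the protected list.
    The session is removed in a finally block so it is not leaked when the
    removal step throws.
    #>
    Write-Host "Reading Input Computer Name..."
    $computerName = Read-ComputerName
    if ($null -eq $computerName) {
        Write-Host "No computer name entered; nothing to do." -ForegroundColor Red
        return
    }
    $credentialPrompt = "Account with local administrator rights on $computerName"
    if ([string]::IsNullOrWhiteSpace($CREDENTIAL_USERNAME)) {
        $credential = Get-Credential -Message $credentialPrompt
    }
    else {
        $credential = Get-Credential -UserName $CREDENTIAL_USERNAME -Message $credentialPrompt
    }
    if ($null -eq $credential) {
        Write-Host "No credential supplied; aborting." -ForegroundColor Red
        return
    }
    Write-Host "Attempting to establish PS-Remote session.."
    $session = Invoke-PSSession -computerName $computerName -credential $credential
    try {
        Write-Host "Invoking Local Admin Removal Process..."
        Invoke-LocalAdminRemoval -session $session -ignoredAdmins $IGNORED_ADMINISTRATORS
    }
    finally {
        # Always tear the session down, even if the removal step threw.
        if ($session -and $session.State -eq 'Opened') {
            Write-Host "Exiting and removing PS-Session." -ForegroundColor Yellow
            Remove-PSSession -Session $session
        }
    }
}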
# Script entry point: the interactive removal runs as soon as the file is executed.
Start-RemovalProcess