Removing a SID from the local Administrators group

Good morning, I have recently built a tool which removes domain users from the local Administrators group using a text file for input of the machine name and user name. Yesterday, I was asked to remove a dead account that only shows up as a SID in the local Administrators group of ~1400 machines. I tried using my program with a couple of minor modifications (my current tool uses SCCM to run net localgroup ... /delete), but I noticed none of the 15 test machines I used to create my initial collection had the account removed.

Some caveats: I cannot use PsExec; it's frowned upon in our network environment.

My VB and PowerShell skills are minimal (we use Wise scripting for almost everything).

Please help

Thanks, Rick 

September 2nd, 2015 8:10am

Hi Rick,

Prewritten scripts can be found in the repository here:

http://gallery.technet.microsoft.com/scriptcenter

There are many that handle local group membership.

September 2nd, 2015 8:16am

This is an SCCM issue so you need to post in the SCCM forum.

September 2nd, 2015 10:40am

Since this is on a domain, can you just use Group Policy and Restricted Groups? You provide a specific list of group members, and GP should enforce it by ensuring no other users or groups are in that group.

Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups

September 2nd, 2015 3:38pm

$group = [ADSI]"WinNT://./Administrators,group"   # bind to the local Administrators group via the WinNT provider
$group.Remove("WinNT://S-1-5-21-35135249072896")  # remove the member by its SID path, no name resolution needed

You can always specify the object by its full string SID.

September 2nd, 2015 3:43pm
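The SID-path removal from the last reply, scaled up to the original poster's scenario (a text file of machine names, one orphaned SID to remove from each local Administrators group). This is an added example, not code from the thread or from any participant; the file path, the placeholder SID and the parameter names are assumptions. It checks membership by SID before changing anything, supports a dry run, and logs per-machine failures instead of aborting, which is what you want when a batch of 1400 hosts includes offline or access-denied machines.

```powershell
# Added example: remove one orphaned SID from the local Administrators group on
# every computer listed in a text file, using the ADSI WinNT provider.
# Assumptions (not from the thread): $ComputerListPath, the placeholder SID in
# $TargetSid, and that the caller is a local administrator on each target.
param(
    [string]$ComputerListPath = 'C:\temp\computers.txt',   # assumed: one hostname per line
    [string]$TargetSid        = 'S-1-5-21-0000000000-0000000000-0000000000-1234',  # placeholder SID
    [switch]$DryRun                                        # report only, change nothing
)

# Validate the SID syntax before touching any machine.
try   { $null = [System.Security.Principal.SecurityIdentifier]$TargetSid }
catch { throw "'$TargetSid' is not a well-formed SID." }

$computers = Get-Content -Path $ComputerListPath | Where-Object { $_.Trim() -ne '' }

foreach ($computer in $computers) {
    $computer = $computer.Trim()
    try {
        # Bind to the remote machine's local Administrators group (WinNT provider).
        $group = [ADSI]"WinNT://$computer/Administrators,group"

        # Enumerate members and compare by SID. An orphaned member (deleted domain
        # account) has no resolvable name, so the SID is the only reliable key.
        $present = $false
        foreach ($m in @($group.psbase.Invoke('Members'))) {
            $sidBytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
            $sid = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
            if ($sid -eq $TargetSid) { $present = $true; break }
        }

        if (-not $present) {
            Write-Output "$computer : $TargetSid is not a member, nothing to do"
            continue
        }

        if ($DryRun) {
            Write-Output "$computer : would remove $TargetSid (dry run)"
        } else {
            # The WinNT provider accepts a SID path, which is what makes an
            # unresolvable entry removable at all.
            $group.Remove("WinNT://$TargetSid")
            Write-Output "$computer : removed $TargetSid"
        }
    } catch {
        # Offline host, RPC blocked, access denied: record it and keep going.
        Write-Warning "$computer : $($_.Exception.Message)"
    }
}
```

Run it once with -DryRun and keep the output; the "is not a member" lines tell you which machines the earlier SCCM-based attempt already handled, and the warnings give you the list of hosts to revisit.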

