Article

(View Disclaimer)

With ZENworks Configuration Management scripting actions you can specify a vbs, python, perl or bat script to be dynamically created and run. Using this feature you can leverage scripts from any systems management community and leverage ZENworks Configuration Management as the delivery and enforcement method.

To configure a script bundle (see documentation for more details) Simply configure a directive bundle with a run script action in the Launch section. In order for the script to run a scripting engine needs to be defined, for this bundle I have chosen the windows scripting host wscript.exe, however any scripting engine can be used. In addition scripts can be either defined on the workstation, uploaded from the administration workstation or created from withing the ZENworks Control Center, for this bundle I have chosen to create the script in ZCC (see pic below).

Within the Script Content section enter the following script. After creating the script bundle associate it to launch on refresh, this will consistently enforce that the local administrators only have accounts specified in the Permited Administrators List Array (see below)

'** Define Variables
    Dim PermittedAdmins' As Array
    
'** Define Permited Administrators List
    PermittedAdmins = Array("Administrator", "tempadmin", "Domain Admins") '<--- Add to this Array any additional permited admins

'** Get Local Administrator Group
    Set AdminGroup = GetObject("WinNT://./Administrators, Group")

'** Search for Invalid Members & Remove Them
    For Each GroupMember in AdminGroup.Members
    
        Debug.WriteLine GroupMember.Name, GroupMember.Class, IsPermitedAdmin(GroupMember.Name)
    
        If Not IsPermitedAdmin(GroupMember.Name) Then
            AdminGroup.Remove GroupMember.ADsPath
        End If
    Next

'** Functions *****************************************************************
    Function IsPermitedAdmin(MemberName)' As Boolean
        Dim i' As Long
        
        For i = LBound(PermittedAdmins) To UBound(PermittedAdmins)
            If UCase(MemberName) = UCase(PermittedAdmins(i)) Then
                IsPermitedAdmin = True
                Exit Function
            End If
        Next
        
        IsPermitedAdmin = False
    End Function

I have included the bundle in an exported xml format. To import this bundle simply copy the xml file to the server and run the import command (ex. zman bc "Restrict Local Admin" restrictlocaladmin.xml /Buncles/Security)

Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).

It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.