This tutorial explains how you can use a scope action to control the members of the local Administrators group on your machines.
Have Goverlan review the members of the local Administrator's group on all machines and remove all members which are not 'Administrator', 'Domain Admins' or 'John Doe'.
You will notice that the Scope Action feature has a computer execute Action which allows you to remove one or more members for a specified local group (Execute Computer Action > Local Account Database > Remove Local Group Member).
This method allows you to insert wildcards in the Member UNC Name value. If you wanted to remove all members of the Administrators group except for any account which has the word Admin in it (like Administrator and Domain Admins), you could configure this parameters to be: !*admin*
However, this method falls short since we cannot specify that we do not want the John Doe account to be removed as well.
Create a new scope action, define its name and click on Next.
Under Scope, select the Computers object type and define the list of machines to process (see: Defining the Scope). Click on Next.
Note: When creating a scope action which performs irreversible actions (such as deleting objects), we highly recommend to do the first run on a pilot scope (a small set of non-critical machines). Once the results are validated, the scope can be changed to include the final set of objects.
Under Actions, double click on Add New to start the Action Module property window.
Under Execute the following Action(s), click on Add/Remove > Execute Computer Action > Local Account Database > Local Groups > Members > Delete Object
If we were to complete and run this scope action as is, the results would be disastrous. Goverlan would go to all of your machines and delete all members of every group in the local account database. We need to tell Goverlan to only focus on the Administrators group and to only remove specifics members. We do this by adding conditions.
Under Only if the following is true, click on Add/Remove > Set Computer Condition > Local Account Database > Local Groups > NT Account Name
Set the Condition to = (equal) and set the desired value to Administrators.
Under Only if the following is true, click on Add/Remove > Set Computer Condition > Local Account Database > Local Groups > Members > NT Account Name and set the Condition to NOT = and set the desired value to Administrator .
Repeat this operation twice to exclude Domain Admins and John Doe from the members which will be removed.
Note: Extra care should be taken when filtering out users since an Active Directory user name is usually different than its NT Account Name. If John Does is an AD Domain user, you need to use the following condition instead:
Local Account Database > Local Groups > Members > AD Account Name
Your Action Module should look like this:
Complete your scope action and run it.
Once the scope action has been executed, you should check which machines were processed successfully and which machines failed.
Right-click on the scope action object and select View Last Run's Failed Nodes.
Review the Scope Action Log for failed computers and the reason why they couldn't be processed.
If one or more machines failed to be processed in this run because they were temporarily unavailable, you can select to re-run the scope action only for these failed computers at a later time. To do so, select the scope action, right-click on the mouse and select Re-Run on Failed Objects.
You can also schedule the scope action to re-run periodically using the execution mode: Failed Objects Only - Merge Output Data (see: Scheduling a Scope Action). This method of execution only processes the machines which failed during the previous run.