Category filter
Script to change admin user to non-admin user in Windows
Administrator privilege grants complete and unrestricted access to a device, allowing the implementation of system-wide changes. These privileges cannot be granted to users without proper discretion. Removing a user from the Administrators group and adding them to the Users group in a Windows device, remotely, will revoke their admin privileges, making them a standard non-admin user. In this article, both Batch and PowerShell scripts are provided to change an admin user to a non-admin user. These scripts can be executed using the Execute Custom Script remote action from Hexnode UEM.
The script is supported for execution on the following Windows versions:
- Windows 10 v1803+
- Windows 10 v1703 to Windows 10 v1709 (if .NET Framework v4.7.1+ is installed on the device)
- Windows 11 (Pro, Enterprise, Education)
The sample scripts provided below are adapted from third-party open-source sites.
In both the scripts below, replace “Username” with the actual username of the admin user who must be made a standard user.
Batch file script to change an admin user to a non-admin user
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
@ECHO OFF REM --- User Demotion Commands (Silent Execution) --- NET LOCALGROUP Users "Username" /ADD >nul 2>&1 NET LOCALGROUP Administrators "Username" /DELETE >nul 2>&1 REM --- Output: List the current status of groups --- ECHO. ECHO --- Administrators Group Members (Post-Change) --- NET LOCALGROUP Administrators ECHO. ECHO --- Users Group Members (Post-Change) --- NET LOCALGROUP Users ECHO. ECHO Demotion process completed for Username. |
PowerShell script to change an admin user to a non-admin user
|
1 2 3 4 5 6 7 8 9 |
#Step 1: Add the user to the Users group Add-LocalGroupMember -Group “Users” -Member “Username” #Step 2: Remove the user from the Administrators group: Remove-LocalGroupMember -Group “Administrators” -Member “Username” #Step 3: (Optional) Verify the change Get-LocalGroupMember -Group “Administrators” Get-LocalGroupMember -Group “Users” |
After executing the .ps1 file from Hexnode, if you come across an output such as “command is not recognized” in the Action History, add this to the beginning of the file, followed by steps 1 and 2.
|
1 2 3 4 5 6 7 8 |
if (($pshome -like “*syswow64*” - and ((Get-WmiObject Win32_OperatingSystem).OSArchitecture -like “64*”)) { write-warning “Restarting script under 64 bit powershell” #relaunch this script under 64 bit shell & (join-path ($pshome -replace “syswow64”, “sysnative”)\powershell.exe) -file $myinvocation.mycommand.Definition @args #This will exit the original PowerShell process. This will only be done in case of an x86 process on a x64 OS. exit } |
This PowerShell script checks if the script is running in a 32-bit PowerShell process on a 64-bit operating system. If the condition is met, it displays a warning message “Restarting script under 64-bit PowerShell”, restarts the script under a 64-bit PowerShell process using the sysnative path, and then exits the original 32-bit PowerShell process. This is done to ensure the script runs in a 64-bit environment when necessary.
- Executing commands that modify user groups and permissions can have significant consequences, so it’s important to use such scripts with caution, especially systems where user roles and permissions are critical.
- It is recommended to manually validate the script execution on a system before executing the action in bulk.
- Hexnode will not be responsible for any damage/loss to the system on the behavior of the script.
