iksrv.work - RemoveLocalAdm

Details: Written by: po3dno; Category: C#; Created: 20 October 2021; Hits: 813
using System;
using System.Management;
using System.Text.RegularExpressions;
using System.DirectoryServices;

namespace RemoveLocalAdm_PC
{
    class Program
    {
        static void Main(string[] args)
        {
            string PC = System.Environment.MachineName;
            string groupName = "local_administrator_" + PC;
            string sid = "544";

            ManagementObjectSearcher searchGroup = new ManagementObjectSearcher(@"SELECT name FROM Win32_Group where LocalAccount = true and sid = 'S-1-5-32-544'");
            ManagementObjectCollection adminGroup = searchGroup.Get();
            string gr = null;

            /*
            foreach (ManagementObject group in adminGroup)
            {
                gr = group["Name"].ToString();
                //Console.WriteLine(group["Name"].ToString());
                continue;
            }
            */

            if (gr != null)
            {
                ManagementObjectSearcher search = new ManagementObjectSearcher("SELECT * FROM Win32_GroupUser where (groupcomponent='win32_group.name=\"" + gr + "\",domain=\"" + PC + "\"')");
                ManagementObjectCollection userList = search.Get();

                foreach (ManagementObject user in userList)
                {
                    string pattern = ".+cimv2:win32_(.+).Domain=\"(.+)\",Name=\"(.+)\"";
                    Regex rgx = new Regex(pattern, RegexOptions.IgnoreCase);

                    Match m = Regex.Match(user["PartComponent"].ToString(), pattern, RegexOptions.IgnoreCase);

                    /*
                    if (m.Success)
                    {
                        //Console.WriteLine(m.Groups[1].Value + ' ' + m.Groups[2].Value + ' ' + m.Groups[3].Value);
                    }
                    */

                    DirectoryEntry localGroup = new DirectoryEntry(String.Format("WinNT://{0}/{1},group", Environment.MachineName, gr));
                    DirectoryEntry removeobj = new DirectoryEntry(String.Format("WinNT://{0}/{1}", m.Groups[2].Value, m.Groups[3].Value));

                    Console.WriteLine(String.Format("WinNT://{0}/{1}", m.Groups[2].Value, m.Groups[3].Value));

                    if (m.Groups[2].Value == PC && (m.Groups[3].Value == "Администратор" || m.Groups[3].Value == "Administrator")) { continue; }
                    if (m.Groups[2].Value == "DOMAIN" && m.Groups[3].Value == "Workstation_admins") { continue; }
                    if (m.Groups[2].Value == "DOMAIN" && m.Groups[3].Value == groupName) { continue; }

                    try
                    {
                        localGroup.Invoke("Remove", new object[] { removeobj.Path });
                        localGroup.CommitChanges();
                    }
                    catch (Exception e)
                    {
                        Console.WriteLine("Try remove from group from: {0} group or user: {1}..." + Environment.NewLine + e.ToString(), gr, m.Groups[2].Value + @"\" + m.Groups[3].Value);
                    }

                }
            }


            //Console.ReadLine();
        }
    }
}
RemoveLocalAdm_PC

Login Form
