This removes every member of a machine’s local Administrators group, except the built-in Administrator account and, if the machine is on a domain, the “Domain Admins” group.
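# Remove every member of the local Administrators group except the machine's
# built-in Administrator account and the "Domain Admins" group.
#
# Principals are matched by SID instead of by display name, because name
# matching is fragile in three ways:
#   * $env:USERDOMAIN is the logon domain of the *current account*. When the
#     script runs under a local account on a domain-joined machine it holds the
#     computer name, so "<computer>\Domain Admins" never matches and the real
#     Domain Admins entry would be removed.
#   * The built-in Administrator account is often renamed as a hardening step,
#     so "<computer>\Administrator" may not exist under that name.
#   * The group is only called "Administrators" on English-language Windows.
#
# Operational notes:
#   * Run elevated. Any principal not on the keep-list loses local admin
#     rights, which can include the account running the script.
#   * Append -WhatIf to the Remove-LocalGroupMember call to preview the
#     removals without making changes.
#   * NOTE(review): Get-LocalGroupMember is reported to fail when the group
#     contains unresolvable (orphaned) SIDs; in that case nothing is piped and
#     nothing is removed. Confirm on the target OS build.

# Well-known SID of BUILTIN\Administrators (language independent).
$AdministratorsGroupSid = 'S-1-5-32-544'

# Well-known relative IDs: 500 = built-in Administrator, 512 = Domain Admins.
$BuiltinAdminPattern = 'S-1-5-21-*-500'
$DomainAdminsPattern = 'S-1-5-21-*-512'

# Get-LocalUser lists local accounts only, so the RID 500 match here is the
# machine's own built-in Administrator and not a domain's Administrator account.
$BuiltinAdminSid = Get-LocalUser |
    Where-Object { $_.SID.Value -like $BuiltinAdminPattern } |
    ForEach-Object { $_.SID.Value } |
    Select-Object -First 1

# Fail closed: without this SID the loop below would treat the built-in
# Administrator like any other member and try to remove it.
if (-not $BuiltinAdminSid) {
    throw 'Could not identify the built-in Administrator account (RID 500); no group members were changed.'
}

Get-LocalGroupMember -SID $AdministratorsGroupSid | ForEach-Object {
    $Member    = $_
    $UserName  = $Member.Name
    $MemberSid = $Member.SID.Value
    "Found: $UserName"

    $IsBuiltinAdmin = $MemberSid -eq $BuiltinAdminSid
    # Matches Domain Admins of any domain, including trusted ones; compare
    # against one specific domain SID if only that domain should be kept.
    $IsDomainAdmins = $MemberSid -like $DomainAdminsPattern

    if (-not ($IsBuiltinAdmin -or $IsDomainAdmins)) {
        "Removing $UserName from local Administrators group."
        # Pass the principal object so removal does not depend on name resolution.
        Remove-LocalGroupMember -SID $AdministratorsGroupSid -Member $Member
    }
    ""
}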