
Remove Users From Local Group

Remove unauthorized users from local Windows groups to enforce privilege restrictions

Worklet Details

What the local group user removal Worklet does

This Automox Worklet™ removes user accounts from local Windows security groups based on an exclusion list you define. The Worklet targets a specified local group (such as Administrators, Remote Desktop Users, or custom security groups) and automatically removes any accounts that are not on the approved exclusion list.

The Worklet uses the net localgroup command to enumerate group members and the net localgroup /delete command to remove non-compliant accounts. Because only accounts missing from the exclusion list are removed, you keep fine-grained control over group membership and avoid accidentally removing critical service accounts that you have listed.

Why manage local group memberships

Unauthorized users in privileged groups like Administrators pose significant security risks. Former employees, contractor accounts, and test accounts often remain in local groups long after they should be removed, granting unintended access to sensitive system functions.

Automating group membership cleanup reduces manual overhead for IT operations teams and maintains consistent enforcement of your access control policies. Regular enforcement of group membership helps you maintain compliance with security frameworks like CIS Benchmarks and NIST 800-53 controls that require least-privilege access.

The Worklet supports both workstations and servers, making it suitable for comprehensive endpoint access management across your infrastructure.

How local group user removal works

  1. Evaluation phase: The Worklet executes the net localgroup command to retrieve all members of the target group. It then filters the output to extract individual account names, excluding header lines and system formatting. The Worklet counts any members that are not on the exclusion list you specified. If non-compliant members exist, the Worklet reports the endpoint as non-compliant and proceeds to remediation.

  2. Remediation phase: The Worklet iterates through the group members again and removes each account that is not in the exclusion list using the net localgroup "[GroupName]" /delete [UserName] command. After removal, the Worklet re-enumerates the group to verify that all unauthorized accounts have been successfully deleted. The Worklet exits with status 0 (compliant) only after confirming that all non-excluded members have been removed.
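
The two phases above, sketched as one PowerShell script. This is an added example, not the Worklet's own source: it combines evaluation and remediation in one file, and $groupName, the function names and the sample $excludeUsers values are assumptions made for illustration.

```powershell
# Added illustration, not the Worklet's own source. $groupName and the function
# names are hypothetical; the $excludeUsers values are constructed samples.
$groupName    = 'Administrators'
$excludeUsers = 'Administrator', 'CONTOSO\Domain Admins', 'svc-backup'

# An empty exclusion list would remove every member of the group.
if (-not $excludeUsers) { Write-Output 'Exclusion list is empty; aborting.'; exit 1 }

function Get-MembersFromNetOutput {
    param([string[]]$Lines)
    # Member names sit between the dashed separator and the trailing status line.
    $sep = -1
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match '^-{5,}\s*$') { $sep = $i; break }
    }
    if ($sep -lt 0) { throw "Unrecognized 'net localgroup' output." }
    $body = @($Lines | Select-Object -Skip ($sep + 1) |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
    # The last non-empty line is the completion message; its wording is
    # locale-dependent, so drop it by position rather than by text.
    if ($body.Count -le 1) { return @() }
    return $body[0..($body.Count - 2)]
}

function Get-UnauthorizedMembers {
    $out = net localgroup $groupName 2>$null
    if ($LASTEXITCODE -ne 0) { throw "Cannot enumerate group '$groupName'." }
    # Names must match as printed: local accounts bare, domain ones DOMAIN\name.
    # -notcontains compares case-insensitively.
    @(Get-MembersFromNetOutput -Lines $out) | Where-Object { $excludeUsers -notcontains $_ }
}

# Evaluation: compliant when no member falls outside the exclusion list.
$offenders = @(Get-UnauthorizedMembers)
if ($offenders.Count -eq 0) { Write-Output "Compliant: '$groupName'"; exit 0 }

# Remediation: remove each non-excluded member.
foreach ($user in $offenders) {
    net localgroup $groupName /delete $user | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Output "Could not remove '$user'" }
}

# Verification: re-enumerate and report 0 only if nothing unauthorized remains.
$remaining = @(Get-UnauthorizedMembers)
if ($remaining.Count -gt 0) {
    Write-Output "Still present: $($remaining -join ', ')"
    exit 1
}
Write-Output "Removed from '$groupName': $($offenders -join ', ')"
exit 0
```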

Local group membership cleanup requirements

  • Windows 7 or later (Server 2008 R2 or later for Windows Server)

  • Administrator or system-level permissions to modify group memberships

  • PowerShell execution policy must allow script execution

  • Clear definition of the target local group name (e.g., "Administrators", "Remote Desktop Users", "Backup Operators")

  • Exclusion list of accounts that must remain in the group (service accounts, support accounts, administrative accounts)

  • Account names formatted with proper quoting and comma separation in the $excludeUsers parameter

Expected endpoint group membership state

After remediation completes successfully, the target local group contains only approved accounts from your exclusion list. All unauthorized users, former employee accounts, and test accounts have been removed and cannot access resources or functions associated with that group.

You can verify compliance by reviewing the group membership on individual endpoints or by monitoring the Automox console for compliance status. Subsequent Worklet runs will confirm the group maintains the correct membership, verifying your endpoints remain compliant with your access control policies.

How to validate Remove Users From Local Group changes

  1. Run this Worklet on a pilot Windows endpoint and review the evaluation output of the Remove Users From Local Group Worklet.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify the endpoint state with checks that mirror the evaluation script logic, which relies on cmdlets such as Where-Object and Write-Output.

  4. Validate the effects of the remediation script operations, such as Where-Object and Write-Output, then rerun the evaluation to confirm compliance.



What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
