Hey Abdul, I've come into a similar situation myself and was recently working on the very same thing. What I've done is make use of Jamf's Management Account as our hidden admin account (Resetting the password, enabling FileVault, etc.) and then removing the currently logged-in user from the Administrators group using the below:
# The console owner is the currently logged-in user
loggedOnUser=$(ls -l /dev/console | awk '{ print $3 }')
echo "Making sure $loggedOnUser is not in the local admin group."
# Remove only that one user record from the admin group
dseditgroup -o edit -d "$loggedOnUser" -t user admin
Be aware that you MUST be wary of removing users from the Administrators group and should be very specific when doing so (i.e., pointing to the currently logged-in user), as it's very possible to screw up permissions by removing Apple system accounts.
We're using this to make sure only the allowed admins are in the admin group:
# Members of the admin group, with the "GroupMembership:" label stripped
adminUsers=$(dscl . -read /Groups/admin GroupMembership | sed 's/^GroupMembership: //')
for user in $adminUsers
do
    if [ "$user" != "root" ] && [ "$user" != "localadmin1" ] && [ "$user" != "localadmin2" ]
    then
        # dseditgroup exits non-zero if the removal fails, so log both outcomes
        if dseditgroup -o edit -d "$user" -t user admin; then
            log "Removed user $user from admin group"
        else
            log "Failed to remove user $user from admin group"
        fi
    else
        log "Admin user $user left alone"
    fi
done
You can either change the 'log' to 'echo' or keep it in for future auditing purposes. The log function looks like this, and goes near the top of your script:
logfile=/var/log/ORG_nameOfScript.log
# Echo the message to stdout (visible in the Jamf policy log) and append a timestamped copy to the log file
log () {
    echo "$1"
    echo "$(date "+%Y-%m-%d %H:%M:%S"): $1" >> "$logfile"
}
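As an added example (not code from merps' post), the same allowlist enforcement with the membership parsing and the decision logic split out from the commands that actually modify the group, so the decision can be tested with constructed input and Apple's "_"-prefixed service accounts and root are never candidates for removal. The allowlist names localadmin1 and localadmin2 are placeholders; enforce_admin_group is the only function that calls dscl/dseditgroup.

```sh
#!/bin/sh
# Added example, not from the thread. Only enforce_admin_group touches
# Directory Services; the other functions are pure and run anywhere.

ALLOWED_ADMINS="root localadmin1 localadmin2"   # assumed allowlist (placeholders)

# parse_group_members: read "dscl . -read /Groups/admin GroupMembership"
# output on stdin and print one member per line. Keyed on the label rather
# than a fixed column offset, so a changed label yields nothing instead of garbage.
parse_group_members() {
    sed -n 's/^GroupMembership:[[:space:]]*//p' | tr ' ' '\n' | sed '/^$/d'
}

# is_allowed NAME: true if NAME is on the allowlist.
is_allowed() {
    for a in $ALLOWED_ADMINS; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# is_system_account NAME: root and Apple's "_"-prefixed service accounts
# are never removed, per the warning in the thread.
is_system_account() {
    case "$1" in
        root|_*) return 0 ;;
        *) return 1 ;;
    esac
}

# admins_to_remove: stdin = dscl GroupMembership output; prints one member
# per line that should be dropped from the admin group.
admins_to_remove() {
    parse_group_members | while IFS= read -r u; do
        if is_system_account "$u" || is_allowed "$u"; then
            continue
        fi
        printf '%s\n' "$u"
    done
}

# enforce_admin_group: the only function that modifies the system.
enforce_admin_group() {
    dscl . -read /Groups/admin GroupMembership | admins_to_remove | while IFS= read -r u; do
        if dseditgroup -o edit -d "$u" -t user admin; then
            echo "Removed $u from admin group"
        else
            echo "Failed to remove $u from admin group" >&2
        fi
    done
}

# Only modify the group when explicitly asked; sourcing or a plain run is a no-op.
if [ "${1:-}" = "--apply" ]; then
    enforce_admin_group
fi
```

Run it as `sudo sh enforce_admins.sh --apply` from a Jamf policy; to preview the decision on a machine without running it, pipe `dscl . -read /Groups/admin GroupMembership` into `admins_to_remove` after sourcing the file.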
@merps and @ACurnow_LU Thank you so much
merps,
I guess localadmin1 and localadmin2 are the accounts you created that you want to leave as they are?
Have you guys ever created a script to create a hidden admin account? I know how to do it with the Jamf agent/CLI but I am still figuring out how to create it via bash script.
@akhan.admin In order to create a hidden account, the UID needs to be below 500 (Like the Jamf Management Account has a UID of 80 when created).
You could create the user account with a Jamf Policy and then immediately run a script to change the UID if it's above 500. A basic version of this would be:
#!/bin/sh
# "dscl -read" prints "UniqueID: 501", so keep only the value
accountUID=$(dscl . -read /Users/LocalAdmin UniqueID | awk '{ print $2 }')
if [ "$accountUID" -ge 500 ]; then
    echo "Hiding Local Admin account..."
    # dscl -change takes the attribute name, the old value and the new value
    dscl . -change /Users/LocalAdmin UniqueID "$accountUID" 85
    # Re-own the home folder, or files created under the old UID are left orphaned
    homeDir=$(dscl . -read /Users/LocalAdmin NFSHomeDirectory | awk '{ print $2 }')
    chown -R 85 "$homeDir"
else
    echo "Local Admin account is already hidden."
fi
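As an added example (not code from ACurnow_LU's post) for the bash-only route asked about above: create the hidden admin directly with dscl, choosing an unused UID below 500 from the machine's own user listing instead of hardcoding one that may already be taken. The account name hiddenadmin, the 400-499 range, the /var home location and the password argument are all assumptions; create_hidden_admin is the only function that modifies the system.

```sh
#!/bin/sh
# Added example, not from the thread. Creates a hidden local admin in one
# pass. Only create_hidden_admin calls dscl/dseditgroup; pick_free_uid and
# is_hidden_uid are pure so they can be tested with constructed listings.

ACCOUNT="hiddenadmin"          # assumed account name
HOME_DIR="/var/$ACCOUNT"       # assumed home, kept out of /Users
UID_MIN=400                    # assumed search range
UID_MAX=499

# pick_free_uid: stdin = output of "dscl . -list /Users UniqueID"
# (lines of "name uid"). Prints the highest unused UID in [UID_MIN, UID_MAX];
# returns 1 if the range is exhausted. Scanning from the top stays clear of
# the low UIDs Apple reserves for its own service accounts.
pick_free_uid() {
    used=$(awk '{ print $2 }')
    uid=$UID_MAX
    while [ "$uid" -ge "$UID_MIN" ]; do
        taken=0
        for u in $used; do
            [ "$u" = "$uid" ] && { taken=1; break; }
        done
        if [ "$taken" -eq 0 ]; then
            printf '%s\n' "$uid"
            return 0
        fi
        uid=$((uid - 1))
    done
    return 1
}

# is_hidden_uid UID: the login window hides accounts with a UID below 500.
is_hidden_uid() { [ "$1" -lt 500 ]; }

# create_hidden_admin PASSWORD: creates the record, sets the password,
# adds it to the admin group and owns the home folder.
create_hidden_admin() {
    pw=$1
    if dscl . -read "/Users/$ACCOUNT" >/dev/null 2>&1; then
        echo "$ACCOUNT already exists" >&2
        return 1
    fi
    uid=$(dscl . -list /Users UniqueID | pick_free_uid) || {
        echo "no free UID between $UID_MIN and $UID_MAX" >&2
        return 1
    }
    dscl . -create "/Users/$ACCOUNT"
    dscl . -create "/Users/$ACCOUNT" UserShell /bin/bash
    dscl . -create "/Users/$ACCOUNT" RealName "Hidden Admin"
    dscl . -create "/Users/$ACCOUNT" UniqueID "$uid"
    dscl . -create "/Users/$ACCOUNT" PrimaryGroupID 20       # staff
    dscl . -create "/Users/$ACCOUNT" NFSHomeDirectory "$HOME_DIR"
    dscl . -passwd "/Users/$ACCOUNT" "$pw"
    dseditgroup -o edit -a "$ACCOUNT" -t user admin
    mkdir -p "$HOME_DIR" && chown -R "$uid:20" "$HOME_DIR"
    echo "created $ACCOUNT with UID $uid"
}

# Only create the account when a password is supplied; a bare run is a no-op.
if [ "$#" -eq 1 ]; then
    create_hidden_admin "$1"
fi
```

In a Jamf policy, pass the password as a script parameter (it arrives as $4, so call `create_hidden_admin "$4"` there) rather than typing it on a command line, where it would be visible in the process list.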
Thanks. Will try it and let you know.