Are you getting any output in the policy log that has the line echo "Removed user $user from admin group"? If so, then the command preceding that using dseditgroup would seem to be working. If you aren't seeing that in the policy log, then you'll need to deconstruct this to see why that command isn't removing the user from the local admin group.

I find when troubleshooting scripts like this, it's often best to have some verbose output, either by including echo statements in various places so I can see what the script is seeing, or using -x after the shebang of the script to get line by line feedback of what the script is doing when it's run.
Doing either of those should help you track down what's going on.

I have a smart group for users who have an admin on their computer that is not one of the local admins (multiple so we can have the one we are rotating from and the one we are rotating to when we rotate admin accounts)

And then this script runs, I believe, once a day on those computers.

#!/bin/sh

adminUser1="${4}"
adminUser2="${5}"

if [[ -z "$adminUser1" ]] || [[ -z "$adminUser2" ]] ; then
    echo "admin username variables missing."
    exit 1
fi

## this will demote the current user if they it is not either of the local admin accounts
loggedInUser=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

if [[ -z "$loggedInUser" ]] || [[  "$loggedInUser" == 'root' ]] || [[ "$loggedInUser" == "loginwindow" ]] ; then
    echo "Failed to gather loggedInUser correctly"
    exit 1
else
    echo "loggedInUser is $loggedInUser"
fi

if [[ "$loggedInUser" != "$adminUser1" ]] && [[ "$loggedInUser" != "$adminUser2" ]] ; then
IsUserAdmin=$(id -G "$loggedInUser" | grep 80)
    if [ -n "$IsUserAdmin" ]; then
      /usr/sbin/dseditgroup -o edit -n /Local/Default -d $loggedInUser -t "user" "admin"
      exit 0
    else
        echo "$loggedInUser is not a local admin"
    fi
fi

@mm2270 When i viewed the logs, it showed 0. It didn't display any of the echos. Its as if the adminUsers variable is empty. But I found a script that will demote the logged in user, it has the same desired effect.

@strayer Thanks for sharing this. I was planning on having a static group of users who would be exempt from the policy and scope everyone one else. Then have this one run once a day. I found a script similiar to yours that demotes the logged in user, which has the same desired effect im looking for:

#!/bin/sh
loggedInUser=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ {print $3}')

/usr/sbin/dseditgroup -o edit -d "$loggedInUser" -t user admin

@Lier_bag We have used this script with pretty good luck:

!/bin/sh

adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)

for user in $adminUsers
do if [ "$user" != "root" ] && [ "$user" != "<Your Root admin account>" ] && [ "$user" != "jamfadmin" ] && [ "$user" != "packagemaker" ] then dseditgroup -o edit -d $user -t user admin if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi else echo "Admin user $user left alone" fi
done

We have another that works great, except it changes all Admin accounts to Standard accounts, including the hidden accounts. We also need to set the device to restart immediately. If you want the other script we use let me know.

I found dseditgroup command is not working in Monterey 12.4 version. Anyone had a solution ?

@PerPer We use this script that changes only the Student account but allows the Hidden Account to remain an admin.
Just tested on a new 12.4 OS install and it worked great.

#!/bin/sh

#adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)

#for user in $adminUsers
#do
# if [ "$user" != "root" ] && [ "$user" != "Hidden User" ] && [ "$user" != "jamfadmin" ] && [ "$user" != "Your Pacakge creator machine name" ]
# then
# dseditgroup -o edit -d $user -t user admin
# if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi
# else
# echo "Admin user $user left alone"
# fi
#done

#!/bin/bash
loggedInUser=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ {print $3}')

/usr/sbin/dseditgroup -o edit -d "$loggedInUser" -t user admin

@rhooper Actually, my script is to convert  user as admin using : /usr/sbin/dseditgroup -o edit -a "$loggedInUser" -t user admin

Unfortunately, it did not work at all. Even I typed the same command in terminal , it still could not change.

I got it to work with the below script. Just tested that it works on Monteray as well.

#!/bin/bash

loggedInUser=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ {print $3}')

/usr/sbin/dseditgroup -o edit -d "$loggedInUser" -t user admin

@Lier_bag Did you try to "add" on Monterey version 12.4 ?

/usr/sbin/dseditgroup -o edit -a "$loggedInUser" -t user admin

My bad, /usr/sbin/dseditgroup is working. now

@Lier_bag, did you just upload this to scripts and then add it to a policy, or add it directly to a policy under "Files and Processes" as an executable command? I just tried running it in Terminal on my personal local admin account and it failed

Would i need to make changes to deploy this sh