Not certain if this still works, but this is how we would do it before the PreStage gave you the option to make the setup assistant user a standard user:
/usr/sbin/dseditgroup -o edit -d [UserName] -t user admin
Getting the username might be the trick. You could pass the value from Jamf as a variable, or find the username of the 501 user, or the username of the user currently logged in:
loggedInUser=$(stat -f %Su /dev/console)
This may help you out, @asuneson. jcarr is correct with the basics of what to use here if you wanted to make it yourself, though.
CLI is best and pretty straightforward. Though, you really want to have your temp admin process in place BEFORE yanking admin access. If you don't, be ready for the tickets where users need you to pass admin access for them.
Something like this should work. You can just use JAMF's $3 to define the user. However, I don't like for scripts to be dependent on JAMF, so I manually define who the user is in the script.
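#!/bin/bash
# Owner of /dev/console is the user logged in at the GUI; tr upper-cases the short name
ActiveUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }' | tr "[a-z]" "[A-Z]")
# Remove that user from the local admin group
/usr/sbin/dseditgroup -o edit -d "$ActiveUser" -t user admin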
If you want to target not logged in users, it gets a bit more complicated. You will need to read the admin group, and use command substitution to run the command above for each person in the admin group, and make sure to exclude your local admin.
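The loop described in the post above for users who are not logged in, as an added example that is not part of the original thread. The account name `localadmin`, the `DRY_RUN` switch and the function names are assumptions made for illustration; it only reports what it would do unless run with `DRY_RUN=0`.

```shell
#!/bin/bash
# Added example: remove every member of the local admin group except a keep-list.
# KEEP is an assumption: replace "localadmin" with your own management account.
KEEP="root localadmin"

# Print each member of a "GroupMembership: a b c" line that is not in the keep-list.
# Matching is on whole names, so keeping "bob" does not protect "bobby".
users_to_demote() {
    local membership="$1" keep="$2" user
    for user in ${membership#GroupMembership:}; do
        case " $keep " in
            *" $user "*) ;;                  # protected account, skip it
            *) printf '%s\n' "$user" ;;
        esac
    done
}

# Read the admin group from the local directory and demote the remaining members.
demote_admins() {
    local membership user
    membership=$(/usr/bin/dscl . -read /Groups/admin GroupMembership) || return 1
    for user in $(users_to_demote "$membership" "$KEEP"); do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "would remove $user from admin"
        else
            /usr/sbin/dseditgroup -o edit -d "$user" -t user admin
        fi
    done
}

# dscl and dseditgroup only exist on macOS, so do nothing elsewhere.
if [ "$(uname)" = "Darwin" ]; then
    demote_admins
fi
```

Run it once with the default dry run and check that the list contains no service or management account before setting `DRY_RUN=0`.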
This works on Sonoma. Thank you so much.