We use AD in our enviornment, but we have many local users with admin rights. Now that our use of Casper has become more robust. We want to take the local admin users and turn them into standard users. Any suggestions as to the best way to do this?
Solved
Changing local admin accounts to standard admin accounts
+3Best answer by mm2270
Sorry for not explaining that. It has to be either run as root, or you need to provide an admin account name and password in the command. Type 'man dseditgroup' in Terminal to see some of the parameters. Specifically these:
-u username authenticate with admin username
-P password authentication password
I would suggest not putting a plain admin user account name/password into any scripts and instead use sudo while testing. So in your case, try:
sudo /usr/sbin/dseditgroup -o edit -d Test admin
and enter your admin account on the Mac when prompted.
Since you'll likely be running this via Casper, the root access will be taken care of by the service account the Mac is managed with when its executed, i.e, no need to use sudo or enter an admin name/password in your script.
+24Straight from Greg's Neagle's blog, this should work-
/usr/sbin/dseditgroup -o edit -d username -t user admin
See here for the full info:
http://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/
It can also be done with dscl, but apparently the preferred method is now to use dseditgroup.
Beyond the technical aspect, which isn't very hard once you know the commands, your biggest problem may be education as to why you're taking admin rights away from users who have become accustomed to having it. We're embarking on a similar project where I am currently, but we're looking to make changes to /etc/auhorization and ACL's to allow users to still do some administrative stuff, within limits. Also moving as much as possible into Self Service will soften the blow.
+35Mike,
I'm doing the same. I've a script that edits /etc/authorization to allow non-admins access to a variety of things.
Only thing I can't figure, is how to give non-admins iCloud rights.
+24Ben,
iCloud is disabled (via MCX) in our environment, so I haven't needed to look into that. I've examined the entire /etc/authorization file in Lion from top to bottom and don't recall seeing anything related to iCloud in there, so I'm not sure where that would be stored. I would think it should be in a system.preferences <key> but sadly not all of them have settings that can be controlled in the /etc/auth file.
+3Working out the details about how to "manage" the change with our users with a combination of better Self Service Management and ACL's.
On the another note. I ran the script on a test account and it and it tell me "Username and password must be provided". What I am doing wrong? Still a novice using terminal, but I've been burying myself in it to get better. Any advice?
This is what I put in with a Test account called "Test"
/usr/sbin/dseditgroup -o edit -d Test admin
+24Sorry for not explaining that. It has to be either run as root, or you need to provide an admin account name and password in the command. Type 'man dseditgroup' in Terminal to see some of the parameters. Specifically these:
-u username authenticate with admin username
-P password authentication password
I would suggest not putting a plain admin user account name/password into any scripts and instead use sudo while testing. So in your case, try:
sudo /usr/sbin/dseditgroup -o edit -d Test admin
and enter your admin account on the Mac when prompted.
Since you'll likely be running this via Casper, the root access will be taken care of by the service account the Mac is managed with when its executed, i.e, no need to use sudo or enter an admin name/password in your script.
+24Actually just noticed something wrong in your command. It should be:
sudo /usr/sbin/dseditgroup -o edit -d test -t user admin
The "username" needs to be the short name as it shows up on the home folder, so no caps. The "user" in the command tells it is -t(ype) user and "admin" is the group you are removing it from.
I was able to get this script to work for me via a Policy:
#!/bin/sh
loggedInUser=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
/usr/sbin/dseditgroup -q -u [enter admin account password already on mac] -P [enter password of admin account] -o edit -n /Local/Default -a $loggedInUser -t "user" "admin"
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.