
We have a policy to restrict access to "Users & Groups" under System Preferences, but we do allow the user to be a local admin. I used to be able to use the following script so users can give themselves local admin rights from Self Service, but it stopped working.
We are using macOS 10.12.x (x=3,4,5,6) and 10.11.x (x=5 and 6)
and JSS 9.96



Does anyone have a different way of creating a Self Service policy so the users can make themselves local admins?



thank you in advance for your help.



#!/bin/sh
# Jamf passes the logged-in username as $3; fall back to the console user if it is empty
if [ -z "$3" ]; then
    currentUser=$(stat -f '%Su' /dev/console)
else
    currentUser="$3"
fi

# Add the current user to the local admin group on the Mac

dseditgroup -o edit -a "$currentUser" -t user admin

if [ "$?" -eq 0 ]; then
    echo "Successfully added $currentUser to admin group"
else
    echo "ERROR: Unable to add $currentUser to admin group"
    exit 1
fi

exit 0

From Jamf professional services, worth a look... @Andrina links to it on her GitHub page:



https://github.com/jamfprofessionalservices/MakeMeAdminPy


Interesting, thank you @donmontalvo



But I'm trying to find something simple and easy.


@osxadmin There isn't really anything wrong with the script from what I can see. As far as I know, dseditgroup should still work on Sierra to add accounts to the admin group.
The script is only running through a Self Service policy correct? Anything relevant in the policy log to indicate the issue?
The only recommendation I can make is to include the dseditgroup full path, for example /usr/sbin/dseditgroup. Maybe it's not resolving to the binary for some reason.


My version of the above works on 10.11 - 10.12.x, but I remember having some unexpected behavior if the username field in the machine's JSS record was blank or incorrect; was never enough of an issue for me to really dive into it but perhaps worth a look.



One other thing, using this promote-to-admin was challenging for me to instruct my users on what it did and didn't do; adding jamfHelper to further communicate the policy's actions was a big improvement.



#!/bin/bash

# define jamfhelper location

jhelp="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"

# Jamf passes the logged-in username as $3; bail out if it is empty
if [[ -z "$3" ]]; then
    /bin/echo "ERROR: no username passed in \$3"
    exit 1
fi

# dseditgroup to promote the currently logged in user to admin rights
# grep -w matches the whole username only, so e.g. "al" does not match "alice"

if [[ $(/usr/bin/dscl . read /Groups/admin GroupMembership | /usr/bin/grep -cw -- "$3") == 1 ]]
then /bin/echo "$3 is in the admin group, exiting"
exit 0
else /bin/echo "$3 is not an admin, promoting.."
fi

/usr/sbin/dseditgroup -o edit -a "$3" -t user admin

"$jhelp" -windowType utility -title "Admin rights" -description "You've been granted admin rights, please proceed with your installation." -button1 "OK"

@pete_c I forgot I posted this question, and when I remembered I used your script and that worked for me... thanks!


Hi Pete,

I understand most of this except the $3 == 1 part. I know the $3 is the user account, but I don't get how the 1 determines if the user is an admin or not. If it was pulling from the group members, wouldn't it also have to be $1?

Any explanation would be greatly appreciated!



So we're taking the entries from the admin group, using `grep` to only look for the username ($3), and using that true/false to determine the echo and exit - the username passed from $3 was already in the admin group, so we bail out, or the username from $3 wasn't, so let's proceed and Do Stuff™️.  The 1 here is just a 'true,' not a variable.



Thanks for the response and clearing that up 👍



This script is not working on macOS 11 and above. What needs to be updated for it to work on macOS 11 and above?



What errors are generated? How was the account created?



Hi, I am new to Jamf Pro and new to scripts. Thanks for your reply. There is no error; accounts are manually created. The script is successfully executed from Self Service, however when I checked in Users & Groups the currently logged in user is still standard only, it was not changed, hence it's not working.



@sachinkpshindep If you have the Users & Groups panel open when changing a user's account level externally, e.g. by a script running from Self Service, the change will not be reflected in the Users & Groups UI until you close and re-open that panel.



Thanks, @sdagley, it's my bad; after closing & reopening System Preferences the changes took effect.


Sorry for reposting. So the above script is for giving permanent admin access, right? If not, help me to understand how long the admin access will last for the standard user. Or kindly help to modify the script to allow a standard user to be an admin for 5 mins or so? Thanks for understanding.


Yes, that script is only to check whether the current user is not an admin and add them to the admin group if so.

To demote the current user:

#!/bin/sh

# dseditgroup to demote the currently logged in user to standard account
# ($3 is the logged-in username passed by Jamf)

/usr/sbin/dseditgroup -o edit -d "$3" -t user admin

While there's probably a much more elegant way to create a LaunchDaemon to handle the promote/demote, I'd just keep it simple and create two Jamf scripts, set the promotion to Before and the demote to After, and add a `sleep` statement to the promotion script with the number of seconds you'd like admin rights to be active.

 

The advantage of having two scripts is that you can use them in other scenarios, such as checking for admin rights as part of a recurring policy and demoting admin users when found - doesn't just have to be ad hoc user support.
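As an added example (not pete_c's script or anything else from this thread), one way to fold the sleep-based promotion and demotion into a single Self Service script, so the user is demoted again even if the policy is interrupted. It assumes Jamf passes the username as $3 and a duration in seconds as script parameter $4, and it uses a word-bounded grep so a short username (e.g. "al") is not reported as an admin because a longer one ("alice") is in the GroupMembership line.

```shell
#!/bin/sh
# Added example: timed promote/demote in one Jamf script (assumption: macOS with
# /usr/sbin/dseditgroup and /usr/bin/dscl; username in $3, seconds in $4).

ADMIN_SECONDS="${4:-300}"   # script parameter 4, default 5 minutes (assumed)

# Word-bounded membership check on a dscl "GroupMembership: ..." line.
# A plain `grep -c $user` also matches "alice" when checking "al";
# -w only matches the whole word, -F treats dots in names literally.
user_in_membership_line() {
    line="$1"; user="$2"
    [ -n "$user" ] || return 1
    printf '%s\n' "$line" | grep -qwF -- "$user"
}

is_admin() {
    user_in_membership_line "$(/usr/bin/dscl . read /Groups/admin GroupMembership)" "$1"
}

promote() { /usr/sbin/dseditgroup -o edit -a "$1" -t user admin; }
demote()  { /usr/sbin/dseditgroup -o edit -d "$1" -t user admin; }

main() {
    user="$1"
    if [ -z "$user" ]; then echo "ERROR: no username passed in \$3"; exit 1; fi
    if is_admin "$user"; then echo "$user is already an admin, nothing to do"; exit 0; fi
    promote "$user" || { echo "ERROR: could not promote $user"; exit 1; }
    echo "$user promoted for $ADMIN_SECONDS seconds"
    # Demote on any exit; a cancelled policy (INT/TERM) exits and so also demotes.
    trap 'demote "$user"; echo "$user demoted"' EXIT
    trap 'exit 1' INT TERM
    sleep "$ADMIN_SECONDS"
}

# Jamf passes mount point, computer name and username as $1 $2 $3
if [ "$#" -ge 3 ]; then main "$3"; fi
```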

