Solved

Is there a policy that prevents admins from removing admin accounts from a Mac?

  • May 11, 2016


Basically, we have had a couple of users remove admin rights from our admin account on deployed Macs, obviously causing issues. Is there a way I can prevent a user from going to user accounts on the Mac and removing admin rights from another admin account?


davidacland
  • Valued Contributor
  • Answer
  • May 11, 2016

You can restrict access to the system preference pane using a profile.

Alternatively, hide the admin account so they can't see it at all in system preferences.

If you keep the local admin account separate from the management account used by Casper, you can use Casper to give the local admin the rights back.


  • Author
  • Contributor
  • May 11, 2016

Thank you for this. We do have a separate local admin account; this was the account I was actually referring to. How can I use Casper to give the local admin account's rights back?


davidacland
  • Valued Contributor
  • May 11, 2016

You can run the command:

/usr/sbin/dseditgroup -o edit -a localadminname -t user admin

If you create a policy, in the Files and Processes payload, add it to the "Execute Command" section at the bottom.


davidacland
  • Valued Contributor
  • May 11, 2016

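You could go a step further and create an extension attribute that picks up whether the user is an admin or not:

#!/bin/sh

# Ask Directory Services whether localadminname is in the admin group
adminCheck=$(/usr/sbin/dseditgroup -o checkmember -m localadminname admin)

# Report the answer to Casper as the extension attribute value
echo "<result>$adminCheck</result>"

exit 0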

Then create a smart group that checks for "yes localadminname is a member of admin", targeting the policy to the group on an ongoing basis.
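
The check and the fix from the replies above combined into one policy script, as an added example that is not part of the original thread: it re-adds the account only when it is missing from admin and reports what happened. `localadminname` is the thread's placeholder; the `LOCAL_ADMIN` and `DSEDITGROUP` overrides and the state names are assumptions of this example.

```sh
#!/bin/sh
# Added example, not the thread author's script.
# Assumptions: localadminname is a placeholder account name; DSEDITGROUP
# can be overridden so the logic can be exercised away from a Mac.
LOCAL_ADMIN="${LOCAL_ADMIN:-localadminname}"
DSEDITGROUP="${DSEDITGROUP:-/usr/sbin/dseditgroup}"

# Print "member", "not-member" or "unknown" for account $1.
# checkmember answers with a line starting "yes" (quoted in the thread) or
# "no" (assumed counterpart). Anything else, such as a missing account or a
# tool error, is reported as unknown rather than treated as a pass.
admin_state() {
    out=$("$DSEDITGROUP" -o checkmember -m "$1" admin 2>/dev/null) || true
    case "$out" in
        yes\ *) echo "member" ;;
        no\ *)  echo "not-member" ;;
        *)      echo "unknown" ;;
    esac
}

# Re-add account $1 to admin only when it is missing, then check again so
# the reported state reflects what actually happened on the machine.
restore_admin() {
    state=$(admin_state "$1")
    if [ "$state" = "not-member" ]; then
        "$DSEDITGROUP" -o edit -a "$1" -t user admin >/dev/null 2>&1 || true
        if [ "$(admin_state "$1")" = "member" ]; then
            state="restored"
        else
            state="restore-failed"
        fi
    fi
    echo "$state"
}

# The line below ends up in the policy log. "restored" means the rights had
# been removed since the last run, which is worth following up on.
echo "admin rights for $LOCAL_ADMIN: $(restore_admin "$LOCAL_ADMIN")"
```
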


  • Contributor
  • May 11, 2016

How about just hiding the local admin account from Users & Groups? You can also move the hidden admin's home directory to a place not visible from Finder. I've created a policy and am running it to hide the admin account, and it's working like a charm.

The only time the user will know an admin account is on there is at the login window.

You can go here to get the commands to hide the admin account, and create a script from it.


  • Author
  • Contributor
  • May 11, 2016

Thanks everyone. I should be good with your suggestions!