Not sure if this is possible. We are rolling out MacBooks to students and are making their account a standard user by default. If a student manages to make their account an administrator, is there a way to check that and change it back? Say they figure out what the JAMF admin account password is. I have one computer I know of where the student has changed their account type, and created a second admin account. Any options here aside from re-imaging?
Solved
Policy to Change Account Type?
+12Best answer by mm2270
Sure.
Use dseditgroup to make any accounts on the Mac outside of known local admin accounts your using into standard users.
See this snippet from something I worked on a while ago-
#!/bin/sh
## Demote admin users to standard
## Get list of users for demotion
/bin/echo "Building list of local user accounts for demotion"
userList=$( /usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 >= 501 { print $1; }' | /usr/bin/grep -ve "admin|otheradmin|anotheradmin" )
## Remove admin privs from each user and add them into the _lpadmin group
for i in $userList; do
if [[ `/usr/sbin/dseditgroup -o checkmember -m $i admin | /usr/bin/awk '{ print $1 }'` = "yes" ]]; then
/bin/echo "User $i is currently an admin. Converting into Standard User"
/usr/sbin/dseditgroup -o edit -d $i -t user admin
/bin/echo "Adding $i into _lpadmin group"
/usr/sbin/dseditgroup -o edit -a $i -t user _lpadmin
else
echo "User $i is currently a Standard User. Leaving as is."
fi
doneIn the above, you need to replace the reverse grep (grep -ve) with your local admin accounts between the quote marks. Place a pipe betwen each name if you have multiple ones. if you only have one, no need for "-ve", just use grep -v "youradminname"
Note that this only sees accounts above UID 500, so it safely ignores all the System level accounts.
+9I would re-image it because there's no telling what else the kid did with local admin access. Do you use firmware passwords in your environment? If you don't, I would recommend enabling firmware passwords to prevent booting the computer in single-user mode.
+24Sure.
Use dseditgroup to make any accounts on the Mac outside of known local admin accounts your using into standard users.
See this snippet from something I worked on a while ago-
#!/bin/sh
## Demote admin users to standard
## Get list of users for demotion
/bin/echo "Building list of local user accounts for demotion"
userList=$( /usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 >= 501 { print $1; }' | /usr/bin/grep -ve "admin|otheradmin|anotheradmin" )
## Remove admin privs from each user and add them into the _lpadmin group
for i in $userList; do
if [[ `/usr/sbin/dseditgroup -o checkmember -m $i admin | /usr/bin/awk '{ print $1 }'` = "yes" ]]; then
/bin/echo "User $i is currently an admin. Converting into Standard User"
/usr/sbin/dseditgroup -o edit -d $i -t user admin
/bin/echo "Adding $i into _lpadmin group"
/usr/sbin/dseditgroup -o edit -a $i -t user _lpadmin
else
echo "User $i is currently a Standard User. Leaving as is."
fi
doneIn the above, you need to replace the reverse grep (grep -ve) with your local admin accounts between the quote marks. Place a pipe betwen each name if you have multiple ones. if you only have one, no need for "-ve", just use grep -v "youradminname"
Note that this only sees accounts above UID 500, so it safely ignores all the System level accounts.
+24Just to chime in again. bajones does make a good point. While the above will work to bring unauthorized admins back down to standard, its going to be hard to tell what other changes may have been made while the student had admin access
Secondly, if you even suspect that someone found out or guessed your Casper service account password, I would flip that to something else immediately with a policy. Might even be a good idea to flip it once a month or so just in case.
If you want to go really nuts, you can tell Casper to flip the password to something randomized on every Mac as frequently as you want. Even you won't know what the password is, but the JSS will keep track of it.
+12Yeah, we'll be looking at reimaging, but with the inventory logs we can look a little at what might have been installed. I've modded this script and it is working great. Of course, we'll also be changing the admin password. :)
+24I'm assuming there is a way to enable firmware passwords using Casper, but I'm not finding it.
+10Firmware passwords are essential if you want to make sure the user stays a non admin. They're not hacking the JSS password, it's just as simple as going into Single User Mode and then deleting /var/db/.AppleSetupDone to force the computer to make a fresh admin account.
+7Hi,
Thank you for your script @mm2270 ! Works very when lauched manually, though, I'm having trouble executing it through jamf.
The log says it completed, but show, no user where modified and there's no line returned, like the fisrt echo is not even appearing, it feels like the script simply ignores every commands. And I tried triggering it at login/logout/startup/selfservice. Always the same.
Does anyone have a hint ?
Edit : Nevermind, I just didn't put the script in my policy...........
+7Bumping this.
I tried using the script by @mm2270 provided (thank you), however even putting the admin users I want to preserve as admins in
grep -ve "admin|otheradmin" )
Has anyone else run into this?
+24Bumping this.
I tried using the script by @mm2270 provided (thank you), however even putting the admin users I want to preserve as admins in
grep -ve "admin|otheradmin" )
Has anyone else run into this?
@jlombardo Try changing it to:
/usr/bin/egrep -v "admin|otheradmin"I don't think grep -ve is well supported anymore. I've seen issues with it myself and have had to change out some of my scripts to use egrep as well. The script I posted above is from 2013.
+7@jlombardo Try changing it to:
/usr/bin/egrep -v "admin|otheradmin"I don't think grep -ve is well supported anymore. I've seen issues with it myself and have had to change out some of my scripts to use egrep as well. The script I posted above is from 2013.
Yea I know, a man can dream that it was still going to work right?
+7@jlombardo Try changing it to:
/usr/bin/egrep -v "admin|otheradmin"I don't think grep -ve is well supported anymore. I've seen issues with it myself and have had to change out some of my scripts to use egrep as well. The script I posted above is from 2013.
That worked like a charm, thanks for your efforts
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.