
Scenario:
When Mac laptops are imaged and joined to the domain in our corporate environment the desktop support teams have the option of giving the domain user local admin rights on their Mac device. Unfortunately, more often than not, they do so.



The Mac image comes with a generic local admin account that all devices have and needs to be kept in place. These rights need to be preserved.



New policy has come from the top, all local admin rights for domain users are to be removed from all domain devices.



I have been recently given the role of Casper Admin with zero experience in Casper or OSX after an engineer left.



Questions:
How do we remove these rights from each device centrally through Casper JSS? Is there a way to do so? If this has to be some sort of script, what exactly should it be and how would it be distributed to devices as they come online and continue to check the devices to ensure that there are no new local rights given?



Any help is definitely appreciated and certainly required...

Hello @MTurnerFMRCO This seems like one of those topics that pops up quite often around here. Before I go into anything, have you already done some searches here on 'remove admin privileges' or something like that? If not, I encourage you to do that as I'm pretty certain you will get a lot of hits on the topic.



Now, as to what you've been tasked to do, let me make sure I understand. You have a standard local administrator account on all Macs that needs to be in place, but in some cases regular user accounts are being created (accidentally) as admins, not regular users. And you need to find a way to remove these rights from any accounts except the one local admin one, correct?
If so, you would likely need to use a scripted process to loop over all local accounts on the Mac, excluding the one local admin account you know should be there, and then use something like dseditgroup to remove the administrative rights from the accounts.
If this all sounds good, something like the below should be a start. I know I'm duplicating what's already been posted like 100 times on other threads, but...



#!/bin/bash

# Name of the standard local admin account that must keep its rights
keepAdmin="localadmin"

# All local accounts with a UID above 500, excluding the account to keep (exact match)
localAccts=$(dscl . list /Users UniqueID | awk '$2>500{print $1}' | grep -vx "$keepAdmin")

while read -r account; do
    [ -z "$account" ] && continue
    echo "Making sure $account is not in the local admin group"
    dseditgroup -o edit -d "$account" -t user admin
done < <(echo "$localAccts")

exit 0


You would need to edit the above by changing the "localadmin" to whatever local administrator name you know should be left as an admin. This will locate only accounts with UIDs higher than 500, so basically everything from UID 501 and up. If an account on the Mac happens to have a lower UID, this script will not locate it, so just keep that in mind. Should go without saying, but obviously test this thoroughly, or any other script anyone posts, before implementing it to be sure it's not damaging anything.



As for the second issue of detecting unauthorized admin accounts, take a look at this thread.
https://jamfnation.jamfsoftware.com/featureRequest.html?id=2065
There are many possible solutions to this, but on that thread you'll see a few Extension Attributes you can put in your JSS to capture the status of accounts, as in admin or standard, domain or local, etc.
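As an added example that is not part of this thread or any Jamf-supplied code, the following Extension Attribute script covers the detection side of the question: it reads the local admin group and reports every member that is not on an allow-list, so a smart group in the JSS can pick up Macs where a domain user was made admin again after the cleanup script ran. It assumes the image's standard admin account is named "localadmin" (a placeholder, change it to match yours), that root is always permitted, and that Jamf runs the script as root; the account names in the fallback sample line are constructed, not real.

```shell
#!/bin/bash
# Added example, not code from the thread: a Jamf Extension Attribute that
# reports members of the local "admin" group that are not on an allow-list,
# so the JSS can flag Macs where admin rights were handed out again.
# Assumptions: the image's standard admin account is named "localadmin"
# (placeholder, change to match yours) and root is always permitted.

ALLOWED_ADMINS="root localadmin"

# unauthorized_admins: $1 is the whitespace-separated membership list as
# dscl prints it; prints every member not on ALLOWED_ADMINS, one per line.
unauthorized_admins() {
    for member in $1; do
        case " $ALLOWED_ADMINS " in
            *" $member "*) ;;                 # permitted, skip it
            *) printf '%s\n' "$member" ;;     # unexpected admin, report it
        esac
    done
}

# ea_result: wraps the offender list in the <result> tags Jamf reads from
# an Extension Attribute; "None" when only permitted accounts are admins.
ea_result() {
    offenders=$(unauthorized_admins "$1" | tr '\n' ' ')
    offenders=${offenders% }
    if [ -n "$offenders" ]; then
        printf '<result>%s</result>\n' "$offenders"
    else
        printf '<result>None</result>\n'
    fi
}

# On a Mac, read the live admin group (Jamf runs EAs as root). Elsewhere,
# fall back to a constructed sample line so the script can be exercised.
if command -v dscl >/dev/null 2>&1; then
    raw=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)
else
    raw="GroupMembership: root localadmin jsmith svc_deploy"   # constructed sample
fi

ea_result "${raw#GroupMembership: }"
```

Add this as a script-type Extension Attribute with a String data type, then build a smart group on the attribute not being "None"; scoping the remediation script above to that smart group, with the policy triggered on check-in, gives the "keep checking as devices come online" behaviour asked for in the question.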



Thanks for this, the script works great. However, the linked article is now 404 (probably because the forum software has changed).

Is this what you meant: https://community.jamf.com/t5/jamf-pro/find-unauthorized-admins/td-p/100151 ?