You can't remove admin rights while a user is logged in using a script. I use a script that will remove admin rights on all users, unless I exclude them, but I can only run the script on logout.
#!/bin/sh
# Members of the local admin group; "GroupMembership: " is 17 characters, so cut from column 18
adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)
for user in $adminUsers
do
    if [ "$user" != "root" ] && [ "$user" != "Administrator" ] && [ "$user" != "administrator" ] && [ "$user" != "jss_mgmt" ]
    then
        # Remove the account from the admin group; report only on success
        if dseditgroup -o edit -d "$user" -t user admin; then
            echo "Removed user $user from admin group"
        fi
    else
        echo "Admin user $user left alone"
    fi
done
@scubastove I use the script below to demote all users from admin to standard except the Jamf mgmt account. Our Jamf mgmt account is admin. Hence the script will demote all users except "admin".
#!/bin/bash
# Parameters
mgmtAccount="admin" # Required; Example: so_and_so_admin
# Variables
userList=$(/usr/bin/dscl . read /Groups/admin GroupMembership | /usr/bin/cut -d " " -f 2-)
# Exit out if we don't have our parameters set
[[ -z "$mgmtAccount" ]] && echo "No management account specified to ignore; exiting." && exit 1
# Loop through each user and demote them, skipping root and the Jamf Pro management account specified
for userName in $userList; do
    if [[ "$userName" != "root" ]] && [[ "$userName" != "$mgmtAccount" ]]; then
        /usr/sbin/dseditgroup -o edit -d "$userName" admin
        echo "Account $userName had admin privileges removed."
    fi
done
exit 0
Correct me if I am wrong, if I change -d to -a, it should change user from standard to admin, right?
But it doesn't work.
Any suggestions?
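As an added example (not code from this thread), the script below separates the decision of who loses admin from the dseditgroup call, so the member list can be checked against a constructed membership line before anything runs on a real Mac, and it shows both the -d (delete) and -a (add) forms of dseditgroup asked about above. SAMPLE_LINE, users_to_demote, set_admin and demote_all are names made up for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. It splits the decision (who loses
# admin) from the privileged dseditgroup call so the decision can be checked
# against a constructed membership line before anything runs on a real Mac.

# Constructed sample of the line `dscl . -read /Groups/admin GroupMembership` prints.
SAMPLE_LINE="GroupMembership: root admin jdoe jsmith"

# users_to_demote "<GroupMembership line>" "<space-separated allow-list>"
# Prints every member not on the allow-list, one per line. Stripping the
# "GroupMembership: " label by name avoids the fixed-column cut (cut -c 18-)
# that silently misreads the first name if the label ever changes width.
users_to_demote() {
    line=$1
    keep=" $2 "
    members=${line#GroupMembership: }
    for m in $members; do
        case "$keep" in
            *" $m "*) ;;                 # allow-listed (root, management account)
            *) printf '%s\n' "$m" ;;
        esac
    done
}

# set_admin <name> add|remove [dry]
# dseditgroup uses -a to add a member and -d to delete one; the same -t user
# qualifier applies to both. With a third argument "dry" nothing is changed.
set_admin() {
    case "$2" in
        add)    op=-a ;;
        remove) op=-d ;;
        *) echo "set_admin: action must be add or remove" >&2; return 2 ;;
    esac
    if [ "$3" = "dry" ]; then
        echo "would run: dseditgroup -o edit $op $1 -t user admin"
        return 0
    fi
    /usr/sbin/dseditgroup -o edit "$op" "$1" -t user admin
}

# demote_all "<membership line>" "<allow-list>" [dry]: demote everyone not kept.
demote_all() {
    for u in $(users_to_demote "$1" "$2"); do
        set_admin "$u" remove "$3"
    done
}
```

On a real machine, feed demote_all the live dscl output instead of SAMPLE_LINE and drop the "dry" argument once the dry run lists exactly the accounts you expect.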
I am using this script and it only removes the admin rights for the logged-in user while he is logged in. The hidden PreStage user account is untouched by this script and is always admin.
#!/bin/sh
# Name of the user currently at the console (empty at the login window)
LoggedInUser=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }')
# Remove that user from the local admin group
dseditgroup -o edit -d "$LoggedInUser" -t user admin
Source: Solved: Re: Script to remove Admin right on MAC. - Jamf Nation Community - 260457
and Kudos to DBrowning for this script
Until now I also do not see any impact on the mgmt account from UIE.