Skip to main content
Question

Remove users from local admin

  • March 29, 2018
  • 3 replies
  • 16 views
T
Forum|alt.badge.img+1

Hello there. I just started using Jamf and I love it. Historically we have made all users a local admin on their machine. Now that we have Jamf in place, we want to remove those rights. But there are some dev users who will still need local admins so we set up a second log in for those users.

On the windows side of things, I created a GPO that checks an OU for a security group "computername_Admin" with a single user in that group which grants local admin rights on that one machine. Is there a way to do that same thing with Jamf?

Since all users are created as mobile users, the other idea was to create a script (which I am horrible at), that revokes admin rights from all mobile accounts, unless the account name has a ".la" at the end of it.

3 replies

T
Forum|alt.badge.img+5
  • tsossong
  • Contributor
  • March 29, 2018

In case you will bind the computers to AD via PreStage Enrollment or the Bind Policy you can set up the AD users as Non-Admins. But in this case you have export and migrate the existing userfolders. Maybe a slow transistion works for you. Let the users be local admins as long as you dont reinstall their machines. Tell the users in advance that with the next Systemrollout will loose their higher privilleges but with Jamf Pro everything will be easier for them. I did such transistions this way...if I have a problem with a client I will reinstall it (including Backup via CCC), perfom a new enrollment to Jamf Pro and with this a new bind to AD. Clean install, new versions of the software and mostly a happy user. On bigger Software updates like OS 11.3 I would setup appointments with groups of users to force the reinstallment a little bit. But that depends a little bit on the size of the company and the number of IT personell. For the developers you can create a hidden user with Jamf Pro (local). I would set it up as create on login and delete on log off - that makes sure no one else can login with this hidden account.

dsavageED
Forum|alt.badge.img+8
  • dsavageED
  • New Contributor
  • March 29, 2018

I have a script for granting admin rights based on AD group, this isn't the full code, but it should get you close to what you are looking for. One of the catches is that the user needs to have a kerberos ticket in order for a search against the AD, to aid in ensuring this is the case we configure and deploy NoMAD (https://nomad.menu). You could do an initial loop to revoke admin rights for all users and then use something like this code to add the admin rights for the chosen user based on the AD group membership.
.

User_Name=`ls -l /dev/console | awk '{print $3}'`

Computer_Name=`/usr/sbin/scutil --get ComputerName | tr '[:upper:]' '[:lower:]'`

User_UID=`id -u $User_Name`

# Change Auth_User to use python to call the klist command (launchctl asuser $User_UID klist -s) wasn't working natively in the shell.
Auth_User=$(python - <<EOF
import subprocess
import os
try:
    subprocess.check_call(['launchctl', 'asuser', str($User_UID), 'klist', '-s'])
    print "$User_Name@ED.AC.UK
"
except subprocess.CalledProcessError:
    print "False
"
EOF
)

if [ "$Auth_User" == "False" ];
then
    exit 255; # No Kerberos ticket.
fi

Admin_Users=( `launchctl asuser $User_UID ldapsearch -b"ou=Auth,ou=UoE,dc=ed,dc=ac,dc=uk" -H "ldap://${Domain_Controller}.ed.ac.uk" "(cn=${Computer_Name}_Admin)" member | grep "member:" | awk -F "CN=" '{print $2}' | awk -F "," '{print $1}' `)

Who_is_Admin=`dscl . -read /Groups/admin GroupMembership`

# Apply admin rights
for AD_User in ${Admin_Users[@]}
do
    # Is there a local account with the uun name
    UUN_Present=`dscl . -list /Users | grep $AD_User`
    # check the local username matches the UUN or that the UUN is present in the local node.
    if  [ "${User_Name}@ED.AC.UK" == "$Auth_User" ] || [ "$AD_User" == "$UUN_Present" ];
    then
        echo checking if admin rights need added
        Admin_Exists=`echo $Who_is_Admin | tr " " "
" | grep $AD_User` 
        if ! [ "$Admin_Exists" == "$AD_User" ];
        then
            /usr/sbin/dseditgroup -o edit -a $AD_User -t user admin
            echo adding admin rights for $AD_User 
        fi
    fi
done
V
Forum|alt.badge.img
  • vijil
  • New Contributor
  • December 5, 2024

I have a script for granting admin rights based on AD group, this isn't the full code, but it should get you close to what you are looking for. One of the catches is that the user needs to have a kerberos ticket in order for a search against the AD, to aid in ensuring this is the case we configure and deploy NoMAD (https://nomad.menu). You could do an initial loop to revoke admin rights for all users and then use something like this code to add the admin rights for the chosen user based on the AD group membership.
.

User_Name=`ls -l /dev/console | awk '{print $3}'`

Computer_Name=`/usr/sbin/scutil --get ComputerName | tr '[:upper:]' '[:lower:]'`

User_UID=`id -u $User_Name`

# Change Auth_User to use python to call the klist command (launchctl asuser $User_UID klist -s) wasn't working natively in the shell.
Auth_User=$(python - <<EOF
import subprocess
import os
try:
    subprocess.check_call(['launchctl', 'asuser', str($User_UID), 'klist', '-s'])
    print "$User_Name@ED.AC.UK
"
except subprocess.CalledProcessError:
    print "False
"
EOF
)

if [ "$Auth_User" == "False" ];
then
    exit 255; # No Kerberos ticket.
fi

Admin_Users=( `launchctl asuser $User_UID ldapsearch -b"ou=Auth,ou=UoE,dc=ed,dc=ac,dc=uk" -H "ldap://${Domain_Controller}.ed.ac.uk" "(cn=${Computer_Name}_Admin)" member | grep "member:" | awk -F "CN=" '{print $2}' | awk -F "," '{print $1}' `)

Who_is_Admin=`dscl . -read /Groups/admin GroupMembership`

# Apply admin rights
for AD_User in ${Admin_Users[@]}
do
    # Is there a local account with the uun name
    UUN_Present=`dscl . -list /Users | grep $AD_User`
    # check the local username matches the UUN or that the UUN is present in the local node.
    if  [ "${User_Name}@ED.AC.UK" == "$Auth_User" ] || [ "$AD_User" == "$UUN_Present" ];
    then
        echo checking if admin rights need added
        Admin_Exists=`echo $Who_is_Admin | tr " " "
" | grep $AD_User` 
        if ! [ "$Admin_Exists" == "$AD_User" ];
        then
            /usr/sbin/dseditgroup -o edit -a $AD_User -t user admin
            echo adding admin rights for $AD_User 
        fi
    fi
done

Could you please the steps to do test

Terms & ConditionsCookie settingsAccessibility statement