Skip to main content

Hi Nation members-



I'm having a bit of a problem trying to conceptualize this, and maybe one of you can help me. It was decried from on high that we will not be granting local admin privileges unless you are a member of a specific AD group.
I am using a small dseditgroup script to apply admin privileges on the machines, that part works.



The issue I am facing is I have some people who had the local administrator rights from the get-go being in violation of that policy, so I will need to make a script to check if they are a member of said group, then remove their admin privileges until they fill the proper forms and get added to the group.



I have a good idea of what I want to do, but I can't figure it out :(



Thanks

Can you post the existing dseditgroup script you have now? We can probably use it as a basis and help you tweak it to determine if the logged in user is part of that group and take the appropriate action(s).

It's a simple 1 liner,



dseditgroup -o edit -a macadmins -t group admin

Hey @rbingham917



We had to remove admin rights as well. This is the script I used:



adminUsers=$(dscl . read /Groups/admin GroupMembership | sed 's|GroupMembership:||;s|root||;s|ITadmin||;s|ITadmin||;s|ITadmin||' | tr -s " ")



for i in $adminUsers

    do

        dseditgroup -o edit -d "$i" -t user admin

        echo "$i demoted"

    done


The ITAdmins names you will want to replace with admin accounts you want to keep.



Hope that helps out



Shawn

Reply


Terms & ConditionsCookie settings