Posted on 05-12-2022 08:59 AM
My current environment is currently set up so the end users are local admins and the Administrator account is hidden. I am testing our Jamf Connect deployment and demoting my users to standard. I have come across an issue: if I am working on a standard user's machine, I can't run sudo commands in Terminal. Is there a workaround for this?
05-12-2022 09:39 AM - edited 05-12-2022 10:33 AM
When you demote a user from admin to standard it removes their sudo privileges. This is a good thing since you don't want a non-admin account to still have admin abilities. What I do in situations when I'm working while logged in as a standard account is run this command in terminal: su adminusername
"adminusername" is the short name of your admin account. You will be prompted to fill in this user's password. Once you do that, Terminal switches to running commands as this admin account. You will then have full sudo privileges. When you're done, type exit and then return to exit the admin user's Terminal session.
If you later want to promote someone's account to admin, you can use this script to do it. You need to add the user to the sudoers group after they become an admin.
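#!/bin/bash
## Get the current user who is logged into this Mac.
currentuser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
echo "$currentuser"
## Stop if nobody is logged in (the console is then owned by root); an empty name would write an invalid sudoers line.
if [ -z "$currentuser" ] || [ "$currentuser" = "root" ]; then
    echo "No console user found" >&2
    exit 1
fi
## Promote the current user to admin
dscl . -append /groups/admin GroupMembership "$currentuser"
## Add the current user to the sudoers group (skipped if the line is already there)
/usr/bin/grep -qxF "$currentuser ALL=(ALL) ALL" /etc/sudoers || echo "$currentuser ALL=(ALL) ALL" >> /etc/sudoers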
Posted on 05-12-2022 10:12 AM
Completely forgot about the su - AdminUserName command. I did this to solve my issue.
Posted on 05-12-2022 10:16 AM
This would not work 100% in my environment. Jamf Connect uses Azure AD. If a user gets promoted with a script it will revert back to what they are set up to be in Azure AD and that is a standard user. We will have a list of developers and such that will retain local admin rights.
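Added example, not part of any post in this thread: the script above appends a per-user line to /etc/sudoers, and that line does not depend on admin group membership, so it stays behind when an account goes back to standard. This sketch lists such leftover entries; the function names and sample data are constructed, and it only recognises plain user names in the first field of a rule.

```bash
#!/bin/bash
# Added example (not from the thread). Function names are hypothetical.

# Print user names that have their own rule in sudoers text (files given as
# arguments, or stdin). Comments, Defaults, aliases, %group and +netgroup
# entries, root and ALL are ignored.
explicit_sudo_users() {
    awk '
        /^[ \t]*(#|$)/                     { next }
        $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }
        NF >= 2 && index($0, "=") {
            n = split($1, u, ",")
            for (i = 1; i <= n; i++)
                if (u[i] !~ /^[%+]/ && u[i] != "root" && u[i] != "ALL")
                    print u[i]
        }
    ' "$@" | sort -u
}

# stale_sudo_users "ADMIN MEMBERS" [FILE...]
# Print users that have an explicit rule but are not in the space-separated
# list of admin group members.
stale_sudo_users() {
    _admins=" $1 "
    shift
    explicit_sudo_users "$@" | while read -r _user; do
        case "$_admins" in
            *" $_user "*) ;;
            *) echo "$_user" ;;
        esac
    done
}

# Constructed sample input, modelled on a macOS sudoers file.
sample_sudoers() {
    cat <<'EOF'
# sudoers (constructed sample)
Defaults env_reset
root ALL = (ALL) ALL
%admin ALL = (ALL) ALL
jdoe ALL=(ALL) ALL
asmith ALL=(ALL) ALL
EOF
}

# asmith is still an admin; jdoe has been returned to standard.
sample_sudoers | stale_sudo_users "root asmith"

# On a Mac, run as root against the real data:
#   admins=$(dscl . -read /Groups/admin GroupMembership | cut -d' ' -f2-)
#   stale_sudo_users "$admins" /etc/sudoers
```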
Posted on 05-12-2022 10:28 AM
I'm happy I was able to help!