Sudo with hidden administrator account

Tonydig11
New Contributor III

My environment is currently set up so the end users are local admins and the Administrator account is hidden. I am testing our Jamf Connect deployment and demoting my users to standard. I have come across an issue where, if I am working on a standard user's machine, I can't run sudo commands in Terminal. Is there a workaround for this?

2 ACCEPTED SOLUTIONS

howie_isaacks
Valued Contributor II

When you demote a user from admin to standard, it removes their sudo privileges. This is a good thing since you don't want a non-admin account to still have admin abilities. What I do in situations when I'm working while logged in as a standard account is run this command in Terminal: su adminusername

"adminusername" is the short name of your admin account. You will be prompted to fill in this user's password. Once you do that, Terminal switches to running commands as this admin account. You will then have full sudo privileges. When you're done, type exit and then return to exit the admin user's Terminal session.

If you later want to promote someone's account to admin, you can use this script to do it. You need to add the user to the sudoers group after they become an admin.

 

 

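#!/bin/bash

## Get the current user who is logged into this Mac.
currentuser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
echo "$currentuser"

## Stop if nobody is logged in (root owns /dev/console at the login window).
if [ -z "$currentuser" ] || [ "$currentuser" = "root" ]; then
    echo "No console user is logged in; nothing to do." >&2
    exit 1
fi

## Promote the current user to admin
/usr/bin/dscl . -append /groups/admin GroupMembership "$currentuser"

## Add the current user to the sudoers file, skipping it if an entry already exists
if ! /usr/bin/grep -q "^$currentuser[[:space:]]" /etc/sudoers; then
    echo "$currentuser	ALL=(ALL) ALL" >> /etc/sudoers
fi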

 

 


Tonydig11
New Contributor III

Completely forgot about the su - AdminUserName command. I did this to solve my issue.


4 REPLIES

This would not work 100% in my environment. Jamf Connect uses Azure AD. If a user gets promoted with a script it will revert back to what they are set up to be in Azure AD and that is a standard user. We will have a list of developers and such that will retain local admin rights.

howie_isaacks
Valued Contributor II

I'm happy I was able to help!
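An added example, not part of the thread or of Jamf's tooling: the promotion script in the accepted solution appends a rule straight to /etc/sudoers, where a malformed line stops sudo from working at all, so the functions below write the same rule to a drop-in file and syntax-check it before installing it. The function names are hypothetical, and the example assumes the Mac's /etc/sudoers includes the /etc/sudoers.d directory.

```shell
#!/bin/bash
# Added example (not from the thread). Function names are hypothetical.
# Usage, as root:  write_sudoers_dropin "$currentuser"

# Accept only plain short names. Refuse empty values and root (the owner of
# /dev/console at the login window) so nothing unexpected reaches sudoers.
valid_short_name() {
    case "$1" in
        ''|root) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
        [A-Za-z_]*) return 0 ;;
        *) return 1 ;;
    esac
}

# sudo skips drop-in files whose name contains '.' or ends in '~', so a
# short name such as john.doe needs a sanitized file name.
dropin_name() {
    printf 'grant_%s\n' "$1" | tr '.' '_'
}

# Write "<user> ALL=(ALL) ALL" to <dir>/<file>, validating before install.
# dir defaults to /etc/sudoers.d (assumption: /etc/sudoers includes it).
write_sudoers_dropin() {
    user=$1 dir=${2:-/etc/sudoers.d}
    valid_short_name "$user" || { echo "refusing user name: '$user'" >&2; return 1; }
    # The temporary name contains '.', so sudo ignores it until it is renamed.
    tmp=$(mktemp "$dir/.tmp.XXXXXX") || return 1
    printf '%s\tALL=(ALL) ALL\n' "$user" > "$tmp"
    chmod 0440 "$tmp"
    # Syntax-check the candidate file; a broken rule must never be installed.
    if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$dir/$(dropin_name "$user")"
}
```

Removing the grant later is a matter of deleting the one drop-in file, which leaves /etc/sudoers itself untouched.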