Script to remove Admin right on MAC.

Swapdevs
New Contributor II

Hello team, kindly help me with a script to remove admin rights on some of our Macs managed by JAMF.

1 ACCEPTED SOLUTION

DBrowning
Valued Contributor II

Replace USERNAME with the username of the user you'd like to remove from Admin.

dseditgroup -o edit -d USERNAME -t user admin

deep
New Contributor

Hey, I get the error "username and password must be provided".

Swapdevs
New Contributor II

Thank you, boss, for this; however, I need this script to remove admin rights from all our Mac users.

DBrowning
Valued Contributor II

If you only have one user per machine, you can use this:

#!/bin/bash

# Resolve the console user; empty at the login window or when nobody is logged in.
LoggedInUser=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }')

# Nothing to demote if no user is logged in.
[ -n "$LoggedInUser" ] || exit 0

dseditgroup -o edit -d "$LoggedInUser" -t user admin

Swapdevs
New Contributor II

Thank you very much, I really appreciate this.

mhasman
Valued Contributor

@DBrowning Thank you, Dennis!

What would be a command to change Standard user to Admin, please?

DBrowning
Valued Contributor II

Change the -d to -a

dseditgroup -o edit -a $LoggedInUser -t user admin

mhasman
Valued Contributor

Thank you sir!

daniel_ross
Contributor III

You could also use something like this to account for service accounts and also monitor if a user elevates rights on another account while promoted as an admin.

#!/bin/bash
# For Self Service: escalate the current user to admin for 30 minutes.
currentUser=$(who | awk '/console/{print $1}')
# Notify the user
osascript -e 'display dialog "You now have administrative rights for 30 minutes." buttons {"Ok"} default button 1'
# If the LaunchDaemon already exists, unload it to "reset" the timer;
# if it does not exist, create it.
if test -f /Library/LaunchDaemons/removeAdmin.plist; then
    launchctl unload /Library/LaunchDaemons/removeAdmin.plist
else
    sudo defaults write /Library/LaunchDaemons/removeAdmin.plist Label -string "removeAdmin"
    sudo defaults write /Library/LaunchDaemons/removeAdmin.plist ProgramArguments -array -string /bin/bash -string "/Library/Application Support/JAMF/removeAdminRights.sh"
    sudo defaults write /Library/LaunchDaemons/removeAdmin.plist StartInterval -integer 1800
    sudo defaults write /Library/LaunchDaemons/removeAdmin.plist RunAtLoad -boolean yes
    sudo chown root:wheel /Library/LaunchDaemons/removeAdmin.plist
    sudo chmod 644 /Library/LaunchDaemons/removeAdmin.plist
fi
# Load the daemon again (or for the first time)
launchctl load /Library/LaunchDaemons/removeAdmin.plist
# Just in case the Mac is slow
sleep 10
# Give the user admin rights
/usr/sbin/dseditgroup -o edit -a "$currentUser" -t user admin
# Create the removal script that the daemon runs every 30 minutes (1800 secs).
# The quoted 'EOF' keeps $variables from expanding while the file is written.
cat << 'EOF' > "/Library/Application Support/JAMF/removeAdminRights.sh"
#!/bin/bash
# Build the list of local admins; skip the service and management accounts
# (replace yourserviceadmin / jamfmanagementaccount with your own) so they are never demoted.
admins=()
for username in $(dscl . list /Users UniqueID | grep -vw yourserviceadmin | grep -vw jamfmanagementaccount | awk '$2 > 500 { print $1 }'); do
    if [[ $(dsmemberutil checkmembership -U "${username}" -G admin) != *not* ]]; then
        admins+=("${username}")
    fi
done
# Remove all admins
for admin in "${admins[@]}"; do
    /usr/sbin/dseditgroup -o edit -d "$admin" -t user admin
done
EOF
exit 0

A few other admins and I combined this together. Note you don't want to accidentally demote your management account, so account for that and TEST, TEST, TEST before pushing out to everyone. We have a group of users called test pilots, and our change process looks like this: Apple Endpoint Team Test Devices -> IT Team -> Security/TechOps -> Test Pilots (a mix of every dept in case the previous teams miss something) -> GA release. Usually we do them in weekly intervals, but sometimes have combined a few when they are less impactful apps/changes.
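The fleet-wide demotion asked for earlier in the thread, with the management account protected as the last reply advises, as an added example that is not code from the thread. It assumes it runs as root (e.g. from a Jamf policy, which is also why a plain `dseditgroup` run as a normal user asks for credentials); the variable KEEP_ADMINS, the placeholder account names and the function names are my own, and DRY_RUN defaults to on so the allowlist can be validated on a test device first.

```shell
#!/bin/bash
# Added example (not from the thread): demote every local admin except an allowlist.
# Run as root (e.g. from a Jamf policy); otherwise dseditgroup asks for credentials.

# Accounts that must keep admin rights: the Jamf management account plus any
# service or break-glass admins. The names below are placeholders for your fleet.
KEEP_ADMINS="${KEEP_ADMINS:-jamfmanagement localadmin}"

# Reads the output of `dscl . list /Users UniqueID` on stdin and prints one
# candidate per line: UID above 500 (real users) and not in the allowlist.
select_candidates() {
    awk -v keep="$1" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) skip[k[i]] = 1 }
        $2 > 500 && !($1 in skip) { print $1 }'
}

# Interprets `dsmemberutil checkmembership -U <user> -G admin` output:
# returns 0 when the user is a member of admin, 1 otherwise.
is_admin_output() {
    case "$1" in
        *" is a member "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Walks the candidates and demotes those that are currently admins.
# DRY_RUN=1 (the default) only logs what would change, which is how to validate
# the allowlist on a test device before the policy reaches the fleet.
demote_admins() {
    dscl . list /Users UniqueID | select_candidates "$KEEP_ADMINS" | while read -r user; do
        if is_admin_output "$(dsmemberutil checkmembership -U "$user" -G admin)"; then
            if [ "${DRY_RUN:-1}" = "1" ]; then
                echo "DRY RUN: would demote $user"
            else
                /usr/sbin/dseditgroup -o edit -d "$user" -t user admin
                logger -t removeAdmin "demoted $user from the admin group"
            fi
        fi
    done
}

# Act only where the macOS directory tools exist; elsewhere just define the helpers.
if command -v dscl >/dev/null 2>&1 && command -v dsmemberutil >/dev/null 2>&1; then
    demote_admins
fi
```

Run it once with the default DRY_RUN=1 on a test Mac and check the log lines list exactly the users you expect; only then set DRY_RUN=0 in the policy.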