Adding a hidden admin account and leaving others out of the admin group

akhan_admin
New Contributor II

Hello All,

I am solely administrating macOS in my organization and the one before me didn't care much about managing the shop. I am planning to take away admin rights from everyone per our security protocols, but there are so many accounts with different names.

I am planning to take away admin rights from all the user accounts and create one hidden admin account for myself.

I guess I will need to take everyone out of the admin group after creating my own account and prompt users to restart the PC, while providing some time and also giving them a restart warning.

Any suggestions or script would be helpful :)

Thank you,
Abdul Khan


ACurnow_LU
New Contributor II

Hey Abdul, I've come into a similar situation myself and was recently working on the very same thing. What I've done is make use of Jamf's Management Account as our hidden admin account (Resetting the password, enabling FileVault, etc.) and then removing the currently logged-in user from the Administrators group using the below:

loggedOnUser=$(ls -l /dev/console | awk '{ print $3 }')   # owner of the console = the GUI user

# At the login window the console is owned by root; never touch that account
[ "$loggedOnUser" = "root" ] && exit 0

echo "Making sure $loggedOnUser is not in the local admin group."
dseditgroup -o edit -d "$loggedOnUser" -t user admin

Be aware that you MUST be wary of removing users from the Administrators group and should be very specific when doing so (i.e., pointing to the currently logged-in user), as it's very possible to screw up permissions by removing Apple system accounts.

merps
Contributor III

We're using this to make sure only the allowed admins are in the admin group:

# dscl prints "GroupMembership: root user1 user2 ..."; cut strips the 17-character prefix
adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)

for user in $adminUsers
do
    if [ "$user" != "root" ] && [ "$user" != "localadmin1" ] && [ "$user" != "localadmin2" ]
    then
        if dseditgroup -o edit -d "$user" -t user admin; then
            log "Removed user $user from admin group"
        else
            log "Failed to remove user $user from admin group"
        fi
    else
        log "Admin user $user left alone"
    fi
done

You can either change the 'log' to 'echo' or keep it in for future auditing purposes. The log function looks like this, and goes near the top of your script:

logfile=/var/log/ORG_nameOfScript.log

# Print the message and append a timestamped copy to the log file
log () {
    echo "$1"
    echo "$(date "+%Y-%m-%d %H:%M:%S"): $1" >> "$logfile"
}

akhan_admin
New Contributor II

@merps and @ACurnow_LU Thank you so much

merps, I guess localadmin1 and localadmin2 are the accounts created by you that you want to leave as they are?

Have you guys ever created a script to create a hidden admin account? I know how to do it with the Jamf agent/CLI, but I am still figuring out how to create it via a bash script.

ACurnow_LU
New Contributor II

@akhan.admin In order to create a hidden account, the UID needs to be below 500 (Like the Jamf Management Account has a UID of 80 when created).

You could create the user account with a Jamf Policy and then immediately run a script to change the UID if it's above 500. A basic version of this would be:

#!/bin/sh

# dscl prints "UniqueID: 501"; keep only the number
accountUID=$(dscl . -read /Users/LocalAdmin UniqueID | awk '{ print $2 }')

if [ "$accountUID" -ge 500 ]; then
    echo "Hiding Local Admin account..."
    # -change takes the attribute name, the old value and the new value
    dscl . -change /Users/LocalAdmin UniqueID "$accountUID" 85
    # files in the home folder still carry the old UID, so re-own them
    chown -R 85 /Users/LocalAdmin
else
    echo "Local Admin account is already hidden."
fi
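Pulling the two answers together into one script (an added example, not code from this thread or from Jamf): it creates the hidden admin with sysadminctl, then strips every admin-group member that is not on an allowlist. Assumed names: account `localadmin`, UID 450 (checked for collisions before use), password passed in as Jamf script parameter `$4`; the membership filtering is a separate function so it can be exercised without macOS.

```shell
#!/bin/sh
# Added example: one hidden local admin, nobody else in the admin group.
# Assumptions: name "localadmin", UID 450 (below 500, hidden from the
# login window), password in Jamf parameter $4. Run as root on macOS.

HIDDEN_ADMIN="localadmin"
HIDDEN_UID=450
ALLOWED_ADMINS="root $HIDDEN_ADMIN"   # members that must stay in admin

# Input: raw output of `dscl . -read Groups/admin GroupMembership`
# ("GroupMembership: root bob alice"). Output: members not on the
# allowlist, one per line.
admins_to_remove() {
    members="${1#GroupMembership: }"
    for m in $members; do
        keep=no
        for a in $ALLOWED_ADMINS; do
            if [ "$m" = "$a" ]; then keep=yes; fi
        done
        if [ "$keep" = no ]; then echo "$m"; fi
    done
    return 0
}

create_hidden_admin() {   # macOS only, needs root
    if [ -n "$(dscl . -search /Users UniqueID "$HIDDEN_UID")" ]; then
        echo "UID $HIDDEN_UID already in use, pick another"; exit 1
    fi
    sysadminctl -addUser "$HIDDEN_ADMIN" -fullName "$HIDDEN_ADMIN" \
        -UID "$HIDDEN_UID" -password "$1" -admin
    # Newer macOS also honours the IsHidden attribute; set it as well.
    dscl . -create "/Users/$HIDDEN_ADMIN" IsHidden 1
}

if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    if ! dscl . -read "/Users/$HIDDEN_ADMIN" >/dev/null 2>&1; then
        create_hidden_admin "$4"
    fi
    # Re-read membership now that the new account exists.
    raw=$(dscl . -read Groups/admin GroupMembership)
    admins_to_remove "$raw" | while read -r u; do
        echo "Removing $u from admin group"
        dseditgroup -o edit -d "$u" -t user admin
    done
fi
```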

akhan_admin
New Contributor II

Thanks. Will try it and let you know.