Skip to main content
Question

Best way to demote user from local admin to standard on enrollment?

  • November 6, 2019
  • 6 replies
  • 81 views
Q
Forum|alt.badge.img+6

Did a lot of searching and found a bunch of various contradictory scripts based on older versions of OSX and jamf, so I'm not sure what the best approach is.

Currently we're using jamf Connect, which during user driven enrollment has flags to demote the local user from Admin to Standard as well as add a predetermined Admin user to the workstation. We're debating whether or not to cut jamf Connect out of the picture (long story, we're not happy with it) but can't find an easy way to demote existing users to standard users and create that IT controlled local admin account on device enrollment with just Jamf Pro alone. You'd think this would be a pretty simple feature that could easily be done with policies but it doesn't look like it is.

Any assistance is apprecited.

    6 replies

    R
    Forum|alt.badge.img+10
    • rhooper
    • Valued Contributor
    • November 6, 2019

    @quip_MDavison We have been using this script for years.
    it worked on last years OS, High sierra. We have not tried it this year's Mojave though.

    !/bin/bash

    localAccts=$(dscl . list /Users UniqueID | awk '$2>500{print $1}' | grep -v localadmin)

    while read account; do echo "Making sure $account is not in the local admin group" dseditgroup -o edit -d $account admin
    done < <(echo "$localAccts")

    exit 0

    Try it and see if it works. It does, however, demote all device accounts on the machine, so if you have a hidden Admin account it will also be demoted. But if something needs admin attention you could just add it to the exclusions list temporarily.

    Surajit
    Surajit
    Forum|alt.badge.img+7
    • Surajit
    • Contributor
    • March 30, 2020

    Thanks @rhooper this still works like a charm! Tested on Catalina 10.15.4.
    Just reformatted the script.
    Replace "yourlocaladmin" with desired local admin account.

    #!/bin/bash
#Description: Script to demote local admin accounts except yourlocaladmin.
#
localAccts=$(dscl . list /Users UniqueID | awk '$2>500{print $1}' | grep -v yourlocaladmin)
while read account; do
echo "Making sure $account is not in the local admin group"
dseditgroup -o edit -d $account admin
done < <(echo "$localAccts")
exit 0
    atomczynski11
    Forum|alt.badge.img+18

    This is what I use:

    loggedInUser=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ {print $3}')

/usr/sbin/dseditgroup -o edit -d "$loggedInUser" -t user admin

    for more info visit: https://www.jamf.com/jamf-nation/discussions/35096/remove-local-administrator-level-access-for-currently-logged-in-user

    U
    Forum|alt.badge.img+1

    This is what I use:

    loggedInUser=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ {print $3}')

/usr/sbin/dseditgroup -o edit -d "$loggedInUser" -t user admin

    for more info visit: https://www.jamf.com/jamf-nation/discussions/35096/remove-local-administrator-level-access-for-currently-logged-in-user


    what did you have to replace the frown face with?

    atomczynski11
    Forum|alt.badge.img+18

    It's the following:

     

    :

    /

     

    without a space

    atomczynski11
    Forum|alt.badge.img+18

    : / are the two characters without a space. If I type them together then 😕😕

    😕😕
    Terms & ConditionsCookie settingsAccessibility statement