@quip_MDavison
We have been using this script for years.
it worked on last years OS, High sierra. We have not tried it this year's Mojave though.
!/bin/bash
localAccts=$(dscl . list /Users UniqueID | awk '$2>500{print $1}' | grep -v localadmin)
while read account; do
echo "Making sure $account is not in the local admin group"
dseditgroup -o edit -d $account admin
done < <(echo "$localAccts")
exit 0
Try it and see if it works. It does, however, demote all device accounts on the machine, so if you have a hidden Admin account it will also be demoted. But if something needs admin attention you could just add it to the exclusions list temporarily.
Thanks @rhooper this still works like a charm! Tested on Catalina 10.15.4.
Just reformatted the script.
Replace "yourlocaladmin" with desired local admin account.
#!/bin/bash
#Description: Script to demote local admin accounts except yourlocaladmin.
#
localAccts=$(dscl . list /Users UniqueID | awk '$2>500{print $1}' | grep -v yourlocaladmin)
while read account; do
echo "Making sure $account is not in the local admin group"
dseditgroup -o edit -d $account admin
done < <(echo "$localAccts")
exit 0
This is what I use:
loggedInUser=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name 
&& ! /loginwindow/ {print $3}')
/usr/sbin/dseditgroup -o edit -d "$loggedInUser" -t user admin
for more info visit: https://www.jamf.com/jamf-nation/discussions/35096/remove-local-administrator-level-access-for-currently-logged-in-user
This is what I use:
loggedInUser=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name && ! /loginwindow/ {print $3}')
/usr/sbin/dseditgroup -o edit -d "$loggedInUser" -t user admin
for more info visit: https://www.jamf.com/jamf-nation/discussions/35096/remove-local-administrator-level-access-for-currently-logged-in-user
what did you have to replace the frown face with?
: / are the two characters without a space. If I type them together then 😕😕
😕😕
