Best way to demote user from local admin to standard on enrollment?

New Contributor III

Did a lot of searching and found a bunch of various contradictory scripts based on older versions of OSX and jamf, so I'm not sure what the best approach is.

Currently we're using jamf Connect, which during user driven enrollment has flags to demote the local user from Admin to Standard as well as add a predetermined Admin user to the workstation. We're debating whether or not to cut jamf Connect out of the picture (long story, we're not happy with it) but can't find an easy way to demote existing users to standard users and create that IT controlled local admin account on device enrollment with just Jamf Pro alone. You'd think this would be a pretty simple feature that could easily be done with policies but it doesn't look like it is.

Any assistance is apprecited.


Contributor III

@quip_MDavison We have been using this script for years.
it worked on last years OS, High sierra. We have not tried it this year's Mojave though.


localAccts=$(dscl . list /Users UniqueID | awk '$2>500{print $1}' | grep -v localadmin)

while read account; do echo "Making sure $account is not in the local admin group" dseditgroup -o edit -d $account admin
done < <(echo "$localAccts")

exit 0

Try it and see if it works. It does, however, demote all device accounts on the machine, so if you have a hidden Admin account it will also be demoted. But if something needs admin attention you could just add it to the exclusions list temporarily.

New Contributor III

Thanks @rhooper this still works like a charm! Tested on Catalina 10.15.4.
Just reformatted the script.
Replace "yourlocaladmin" with desired local admin account.

#Description: Script to demote local admin accounts except yourlocaladmin.
localAccts=$(dscl . list /Users UniqueID | awk '$2>500{print $1}' | grep -v yourlocaladmin)
while read account; do
echo "Making sure $account is not in the local admin group"
dseditgroup -o edit -d $account admin
done < <(echo "$localAccts")
exit 0

Valued Contributor

This is what I use:

loggedInUser=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ {print $3}')

/usr/sbin/dseditgroup -o edit -d "$loggedInUser" -t user admin

for more info visit:

what did you have to replace the frown face with?

Valued Contributor

It's the following:





without a space

Valued Contributor

: / are the two characters without a space. If I type them together then 😕