Posted on 11-06-2019 08:39 AM
Did a lot of searching and found a bunch of various contradictory scripts based on older versions of OSX and jamf, so I'm not sure what the best approach is.
Currently we're using jamf Connect, which during user driven enrollment has flags to demote the local user from Admin to Standard as well as add a predetermined Admin user to the workstation. We're debating whether or not to cut jamf Connect out of the picture (long story, we're not happy with it) but can't find an easy way to demote existing users to standard users and create that IT controlled local admin account on device enrollment with just Jamf Pro alone. You'd think this would be a pretty simple feature that could easily be done with policies but it doesn't look like it is.
Any assistance is appreciated.
Posted on 11-06-2019 10:41 AM
@quip_MDavison
We have been using this script for years.
It worked on last year's OS, High Sierra. We have not tried it on this year's Mojave, though.
#!/bin/bash
# Collect local accounts with UID > 500, excluding the exact account name "localadmin"
localAccts=$(dscl . list /Users UniqueID | awk '$2>500{print $1}' | grep -vx localadmin)
# Remove each remaining account from the local admin group
while read -r account; do
    echo "Making sure $account is not in the local admin group"
    dseditgroup -o edit -d "$account" -t user admin
done < <(echo "$localAccts")
exit 0
Try it and see if it works. It does, however, demote all device accounts on the machine, so if you have a hidden Admin account it will also be demoted. But if something needs admin attention you could just add it to the exclusions list temporarily.
Posted on 03-30-2020 03:19 AM
Thanks @rhooper this still works like a charm! Tested on Catalina 10.15.4.
Just reformatted the script.
Replace "yourlocaladmin" with desired local admin account.
#!/bin/bash
#Description: Script to demote local admin accounts except yourlocaladmin.
#
# Collect local accounts with UID > 500, excluding the exact account name "yourlocaladmin"
localAccts=$(dscl . list /Users UniqueID | awk '$2>500{print $1}' | grep -vx yourlocaladmin)
# Remove each remaining account from the local admin group
while read -r account; do
    echo "Making sure $account is not in the local admin group"
    dseditgroup -o edit -d "$account" -t user admin
done < <(echo "$localAccts")
exit 0
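The demotion loop posted by @rhooper and reformatted above, reworked here as an added example (this is not code from either post). It assumes the macOS dscl(1) and dseditgroup(8) tools and runs as root from a Jamf policy; the allow-list names and the sample dscl output are made-up placeholders. Unlike a plain grep -v, the filter matches account names exactly, so an account whose name merely contains the admin name is still demoted, and it checks current group membership first so the policy can be re-run safely.

```shell
#!/bin/bash
# Added example (not from the thread): remove admin rights from every local account
# with UID > 500 except an exact allow-list of IT-controlled admin accounts.
# Assumes macOS dscl(1) and dseditgroup(8); meant to run as root from a Jamf policy.

# Names that keep admin rights. Assumed placeholders: replace with your own account(s).
KEEP_ADMINS="localadmin jamfadmin"

# accounts_to_demote: reads "name uid" lines (the format of `dscl . list /Users UniqueID`)
# on stdin and prints the names with UID > 500 that are not in KEEP_ADMINS.
# Matching is exact, so a `grep -v localadmin` style substring check cannot
# accidentally spare an account such as "localadmin2".
accounts_to_demote() {
    local name uid admin keep
    while read -r name uid; do
        [ -n "$name" ] || continue
        [ "$uid" -gt 500 ] 2>/dev/null || continue   # skips system accounts and non-numeric ids
        keep=0
        for admin in $KEEP_ADMINS; do
            if [ "$name" = "$admin" ]; then keep=1; break; fi
        done
        [ "$keep" -eq 0 ] && printf '%s\n' "$name"
    done
    return 0
}

# demote_all: query Directory Services and strip admin membership from each candidate.
# Accounts that are already standard users are reported and skipped.
# Set DRY_RUN=1 to print the planned changes without touching any account.
demote_all() {
    local account
    dscl . list /Users UniqueID | accounts_to_demote | while read -r account; do
        if ! dseditgroup -o checkmember -m "$account" admin >/dev/null 2>&1; then
            echo "$account is already a standard user"
            continue
        fi
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "would demote $account"
        else
            echo "Removing $account from the local admin group"
            dseditgroup -o edit -d "$account" -t user admin
        fi
    done
}

# Constructed sample of `dscl . list /Users UniqueID` output, used to exercise the
# filter offline (made-up names, not real accounts).
SAMPLE_DSCL='_mbsetupuser 248
localadmin 501
jsmith 502
localadmin2 503
nobody -2'

# Only act when the macOS Directory Services tools are present.
if command -v dscl >/dev/null 2>&1; then
    demote_all
fi
```

Run it once with DRY_RUN=1 from a test policy to see which accounts it would demote, then deploy it without the variable. On the constructed sample, only jsmith and localadmin2 are selected: localadmin is on the allow-list, and the two low or negative UIDs are system accounts.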
Posted on 03-30-2020 06:26 AM
This is what I use:
#!/bin/bash
# Find the user currently at the console (ignoring the login window)
loggedInUser=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ {print $3}')
# Remove that user from the local admin group
/usr/sbin/dseditgroup -o edit -d "$loggedInUser" -t user admin
For more info, visit: https://www.jamf.com/jamf-nation/discussions/35096/remove-local-administrator-level-access-for-currently-logged-in-user
Posted on 07-28-2021 12:03 PM
What did you have to replace the frown face with?
Posted on 08-18-2021 08:30 AM
It's the following:
:
/
without a space
Posted on 08-18-2021 08:45 AM
: / are the two characters without a space. If I type them together then 😕