Posted on 06-07-2021 01:19 PM
I'm trying to convert a large number of admin accounts to standard accounts. On Jamf Nation, multiple people have been sharing the script below, but when I run it, it does not change any users from admin to standard. Below is what I ran,
with ###### being the local admin account on every device.
#!/bin/sh
# Members of the local admin group; "GroupMembership: " is 17 characters, so cut from column 18
adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)
for user in $adminUsers
do
    # leave root and the managed local admin (######) alone
    if [ "$user" != "root" ] && [ "$user" != "######" ]
    then
        dseditgroup -o edit -d "$user" -t user admin
        if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi
    else
        echo "Admin user $user left alone"
    fi
done
When it finishes, the logs show 0, but nothing changes. I can change each laptop individually with
#!/bin/sh
# remove a single named user from the local admin group
sudo dseditgroup -o edit -d "$username" -t user admin
but that isn't ideal. Am I doing something wrong? And I have seen the other posts about this topic and almost all share this same script with users saying it worked for them.
Posted on 06-07-2021 01:55 PM
Are you getting any output in the policy log that has the line echo "Removed user $user from admin group"? If so, then the command preceding that using dseditgroup would seem to be working. If you aren't seeing that in the policy log, then you'll need to deconstruct this to see why that command isn't removing the user from the local admin group.
I find when troubleshooting scripts like this, it's often best to have some verbose output, either by including echo statements in various places so I can see what the script is seeing, or using -x after the shebang of the script to get line-by-line feedback of what the script is doing when it's run.
Doing either of those should help you track down what's going on.
Posted on 06-07-2021 02:07 PM
I have a smart group for users who have an admin on their computer that is not one of the local admins (multiple, so we can have the one we are rotating from and the one we are rotating to when we rotate admin accounts).
And then this script runs, I believe, once a day on those computers.
#!/bin/bash
# uses [[ ]], so run under bash
# Jamf passes the two exempt local admin names as script parameters 4 and 5
adminUser1="${4}"
adminUser2="${5}"
if [[ -z "$adminUser1" ]] || [[ -z "$adminUser2" ]] ; then
    echo "admin username variables missing."
    exit 1
fi
## this will demote the current user if it is not either of the local admin accounts
loggedInUser=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
if [[ -z "$loggedInUser" ]] || [[ "$loggedInUser" == 'root' ]] || [[ "$loggedInUser" == "loginwindow" ]] ; then
    echo "Failed to gather loggedInUser correctly"
    exit 1
else
    echo "loggedInUser is $loggedInUser"
fi
if [[ "$loggedInUser" != "$adminUser1" ]] && [[ "$loggedInUser" != "$adminUser2" ]] ; then
    # GID 80 is the local admin group; -w matches the whole number, so 180 or 800 do not count
    IsUserAdmin=$(id -G "$loggedInUser" | grep -w 80)
    if [ -n "$IsUserAdmin" ]; then
        /usr/sbin/dseditgroup -o edit -n /Local/Default -d "$loggedInUser" -t "user" "admin"
        exit 0
    else
        echo "$loggedInUser is not a local admin"
    fi
fi
Posted on 06-08-2021 09:18 AM
@mm2270 When I viewed the logs, it showed 0. It didn't display any of the echos. It's as if the adminUsers variable is empty. But I found a script that will demote the logged-in user; it has the same desired effect.
Posted on 06-08-2021 09:24 AM
@strayer Thanks for sharing this. I was planning on having a static group of users who would be exempt from the policy and scoping everyone else. Then have this one run once a day. I found a script similar to yours that demotes the logged-in user, which has the same desired effect I'm looking for:
#!/bin/bash
# the <<< here-string needs bash
# console user from SystemConfiguration; ignore the loginwindow placeholder
loggedInUser=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ {print $3}')
/usr/sbin/dseditgroup -o edit -d "$loggedInUser" -t user admin
Posted on 06-08-2021 09:58 AM
@Lier_bag We have used this script with pretty good luck:
#!/bin/sh
# Members of the local admin group; "GroupMembership: " is 17 characters, so cut from column 18
adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)
for user in $adminUsers
do
    # leave root and the management accounts alone
    if [ "$user" != "root" ] && [ "$user" != "<Your Root admin account>" ] && [ "$user" != "jamfadmin" ] && [ "$user" != "packagemaker" ]
    then
        dseditgroup -o edit -d "$user" -t user admin
        if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi
    else
        echo "Admin user $user left alone"
    fi
done
We have another that works great, except it changes all Admin accounts to Standard accounts, including the hidden accounts. We also need to set the device to restart immediately. If you want the other script we use let me know.
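As an added example (not code from any post in this thread), here is a version of the enumerate-and-demote loop from the original post and the reply above that avoids the fixed-column `cut -c 18-` (the likely reason `adminUsers` came back empty), keeps an allowlist, confirms each demotion with `dseditgroup -o checkmember`, and tests for GID 80 exactly, since a bare `grep 80` on `id -G` output also matches 180 or 800. The `EXEMPT_ADMINS` names and the `--dry-run`/`--apply` flags are assumptions for illustration, and the `dscl`/`dseditgroup` calls only do anything on macOS.

```shell
#!/bin/bash
# Added example, not from the thread. Enumerates local admin group members,
# demotes everyone not on an allowlist, and verifies each change.
# EXEMPT_ADMINS values and the --dry-run/--apply flags are assumptions.

# Local admins that must keep their membership (constructed example values).
EXEMPT_ADMINS="root jamfadmin"

# Reads `dscl . -read /Groups/admin GroupMembership` output on stdin and
# prints one member per line. Keys on the field label rather than a fixed
# column offset, so it survives label or spacing changes and an empty list.
parse_admin_members() {
    awk '/^GroupMembership:/ { for (i = 2; i <= NF; i++) print $i }'
}

# Reads `id -G user` output on stdin; true when GID 80 (local admin) is present.
# Whole-line match, so 180 or 800 do not count as admin.
has_admin_gid() {
    tr ' ' '\n' | grep -qx 80
}

# True when the user is on the allowlist.
is_exempt() {
    local user="$1" exempt
    for exempt in $EXEMPT_ADMINS; do
        [ "$user" = "$exempt" ] && return 0
    done
    return 1
}

# Reads member names on stdin, prints those that should be demoted.
select_demotions() {
    local user
    while IFS= read -r user; do
        [ -n "$user" ] || continue
        is_exempt "$user" || printf '%s\n' "$user"
    done
}

# macOS only: enumerate, demote, and confirm with checkmember.
# Runs as root under a Jamf policy, so no sudo is needed.
demote_admins() {
    local mode="$1" user
    dscl . -read /Groups/admin GroupMembership 2>/dev/null \
        | parse_admin_members | select_demotions \
        | while IFS= read -r user; do
            if [ "$mode" = "dry-run" ]; then
                echo "DRY RUN: would remove $user from admin"
                continue
            fi
            /usr/sbin/dseditgroup -o edit -d "$user" -t user admin
            # checkmember exits 0 only while the user is still a member
            if /usr/sbin/dseditgroup -o checkmember -m "$user" admin >/dev/null 2>&1; then
                echo "ERROR: $user is still a member of admin" >&2
            else
                echo "Removed $user from admin group"
            fi
        done
}

case "${1:-}" in
    --dry-run) demote_admins dry-run ;;
    --apply)   demote_admins apply ;;
esac
```

Run it once with `--dry-run` from a policy and read the log before switching to `--apply`; the dry run prints exactly the names the real run would demote, which is the quickest way to spot an allowlist typo before it locks an account out of admin.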
Posted on 06-14-2022 03:02 AM
I found the dseditgroup command is not working in Monterey 12.4. Anyone had a solution?
Posted on 06-14-2022 03:46 AM
@PerPer We use this script that changes only the Student account but allows the Hidden Account to remain an admin.
Just tested on a new 12.4 OS install and it worked great.
#!/bin/bash
# Earlier per-user loop, kept here commented out for reference
#adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)
#for user in $adminUsers
#do
#    if [ "$user" != "root" ] && [ "$user" != "Hidden User" ] && [ "$user" != "jamfadmin" ] && [ "$user" != "Your Package creator machine name" ]
#    then
#        dseditgroup -o edit -d "$user" -t user admin
#        if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi
#    else
#        echo "Admin user $user left alone"
#    fi
#done
# Active part: demote whoever is logged in at the console (the hidden admin is never the console user)
loggedInUser=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ {print $3}')
/usr/sbin/dseditgroup -o edit -d "$loggedInUser" -t user admin
Posted on 06-14-2022 07:20 AM
@rhooper Actually, my script is to convert a user to admin using: /usr/sbin/dseditgroup -o edit -a "$loggedInUser" -t user admin
Unfortunately, it did not work at all. Even when I typed the same command in Terminal, it still could not make the change.
Posted on 06-14-2022 07:25 AM
I got it to work with the below script. Just tested that it works on Monterey as well.
#!/bin/bash
# console user from SystemConfiguration; ignore the loginwindow placeholder
loggedInUser=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ {print $3}')
/usr/sbin/dseditgroup -o edit -d "$loggedInUser" -t user admin
Posted on 08-12-2022 02:13 PM
@Lier_bag, did you just upload this to Scripts and then add it to a policy, or add it directly to a policy under "Files and Processes" as an executable command? I just tried running it in Terminal on my personal local admin account and it failed.
Posted on 08-12-2022 02:25 PM
Posted on 07-03-2024 08:58 AM
Would I need to make changes to deploy this sh
Posted on 06-14-2022 07:30 AM
@Lier_bag Did you try to "add" on Monterey version 12.4?
/usr/sbin/dseditgroup -o edit -a "$loggedInUser" -t user admin
Posted on 06-14-2022 08:58 PM
My bad, /usr/sbin/dseditgroup is working now.