Can't convert Admin users to Standard users

Lier_bag
New Contributor II

I'm trying to convert a large number of admin accounts to standard accounts. On Jamf Nation, multiple people have been sharing the script below, but when I run it, it does not change any users from Admin to Standard. Below is what I ran:
with ###### being the local admin account on every device.

#!/bin/sh
adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)

for user in $adminUsers
do
    if [ "$user" != "root" ]  && [ "$user" != "######" ]
    then 
        dseditgroup -o edit -d $user -t user admin
        if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi
    else
        echo "Admin user $user left alone"
    fi
done

When it finishes, the logs show 0, but nothing changes. I can change each laptop individually with

#!/bin/sh
sudo dseditgroup -o edit -d $username -t user admin

but that isn't ideal. Am I doing something wrong? And I have seen the other posts about this topic and almost all share this same script with users saying it worked for them.


mm2270
Legendary Contributor III

Are you getting any output in the policy log that has the line echo "Removed user $user from admin group"? If so, then the command preceding that using dseditgroup would seem to be working. If you aren't seeing that in the policy log, then you'll need to deconstruct this to see why that command isn't removing the user from the local admin group.

I find when troubleshooting scripts like this, it's often best to have some verbose output, either by including echo statements in various places so I can see what the script is seeing, or using -x after the shebang of the script to get line by line feedback of what the script is doing when it's run.
Doing either of those should help you track down what's going on.

AdamCraig
Contributor III

I have a smart group for users who have an admin on their computer that is not one of the local admins (multiple so we can have the one we are rotating from and the one we are rotating to when we rotate admin accounts)

And then this script runs, I believe, once a day on those computers.

#!/bin/bash

adminUser1="${4}"
adminUser2="${5}"

if [[ -z "$adminUser1" ]] || [[ -z "$adminUser2" ]] ; then
    echo "admin username variables missing."
    exit 1
fi

## this will demote the current user if it is not either of the local admin accounts
loggedInUser=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

if [[ -z "$loggedInUser" ]] || [[ "$loggedInUser" == 'root' ]] || [[ "$loggedInUser" == "loginwindow" ]] ; then
    echo "Failed to gather loggedInUser correctly"
    exit 1
else
    echo "loggedInUser is $loggedInUser"
fi

if [[ "$loggedInUser" != "$adminUser1" ]] && [[ "$loggedInUser" != "$adminUser2" ]] ; then
    # gid 80 is the local admin group; -w keeps e.g. gid 180 or 801 from matching
    IsUserAdmin=$(id -G "$loggedInUser" | grep -w 80)
    if [ -n "$IsUserAdmin" ]; then
        /usr/sbin/dseditgroup -o edit -n /Local/Default -d "$loggedInUser" -t "user" "admin"
        exit 0
    else
        echo "$loggedInUser is not a local admin"
    fi
fi

Lier_bag
New Contributor II

@mm2270 When I viewed the logs, it showed 0. It didn't display any of the echos. It's as if the adminUsers variable is empty. But I found a script that will demote the logged-in user, and it has the same desired effect.

Lier_bag
New Contributor II

@strayer Thanks for sharing this. I was planning on having a static group of users who would be exempt from the policy and scoping everyone else. Then have this one run once a day. I found a script similar to yours that demotes the logged-in user, which has the same desired effect I'm looking for:

#!/bin/sh
loggedInUser=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ {print $3}')

/usr/sbin/dseditgroup -o edit -d "$loggedInUser" -t user admin

rhooper
Contributor III

@Lier_bag We have used this script with pretty good luck:

#!/bin/sh

adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)

for user in $adminUsers
do
    if [ "$user" != "root" ] && [ "$user" != "<Your Root admin account>" ] && [ "$user" != "jamfadmin" ] && [ "$user" != "packagemaker" ]
    then
        dseditgroup -o edit -d "$user" -t user admin
        if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi
    else
        echo "Admin user $user left alone"
    fi
done

We have another that works great, except it changes all Admin accounts to Standard accounts, including the hidden accounts. We also need to set the device to restart immediately. If you want the other script we use let me know.
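The group-membership scripts in this thread parse `dscl` output with a fixed `cut -c 18-` offset and give no feedback when the member list comes back empty, which is exactly the silent "logs show 0" symptom above. The following is an added example (not code from this thread or from Jamf) that keeps the exempt-list approach of the script above, strips the `GroupMembership:` label by field instead of by character offset, keeps the membership parsing in testable functions, and adds the verbose logging mm2270 recommends. It assumes the Jamf parameter `$4` carries a space-separated exempt list (e.g. "jamfadmin packagemaker") and that `DRY_RUN=1` is used for a first pass.

```sh
#!/bin/sh
# Added example: demote every local admin except an exempt list, with logging.

# Print one group member per line. Matching on the label instead of cutting a
# fixed number of characters means an unexpected prefix yields nothing rather
# than a list of mangled usernames.
parse_members() {
    printf '%s\n' "$1" | awk '$1 == "GroupMembership:" { for (i = 2; i <= NF; i++) print $i }'
}

# Return 0 if user $1 is root or appears in the space-separated exempt list $2.
is_exempt() {
    for _e in root $2; do
        [ "$1" = "$_e" ] && return 0
    done
    return 1
}

# Print the users that would be demoted, given the raw dscl line and the
# exempt list. Pure function, so it can be checked off-box.
plan_demotions() {
    parse_members "$1" | while IFS= read -r _m; do
        is_exempt "$_m" "$2" || printf '%s\n' "$_m"
    done
}

# Read the real admin group and demote non-exempt members, logging each step
# so the policy log explains what happened even when nothing was changed.
demote_admins() {
    line=$(/usr/bin/dscl . -read /Groups/admin GroupMembership) || { echo "dscl read failed"; return 1; }
    plan=$(plan_demotions "$line" "${1:-}")
    [ -n "$plan" ] || { echo "No non-exempt admins found in: $line"; return 0; }
    for user in $plan; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "DRY RUN: would remove $user from admin"
        elif /usr/sbin/dseditgroup -o edit -d "$user" -t user admin; then
            echo "Removed user $user from admin group"
        else
            echo "dseditgroup failed for $user"
        fi
    done
}

# Only act on a Mac and when explicitly asked; otherwise just define functions.
if [ -x /usr/sbin/dseditgroup ] && [ "${1:-}" = "--apply" ]; then
    demote_admins "${2:-}"
fi
```

Run it as `DRY_RUN=1 sh demote.sh --apply "jamfadmin packagemaker"` first and read the policy log before dropping `DRY_RUN`.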

PerPer
New Contributor

I found the dseditgroup command is not working on Monterey 12.4. Has anyone found a solution?

rhooper
Contributor III

@PerPer We use this script that changes only the Student account but allows the Hidden Account to remain an admin.
Just tested on a new 12.4 OS install and it worked great.

#!/bin/sh

# Previous per-member version, kept for reference but disabled:
#adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)

#for user in $adminUsers
#do
#    if [ "$user" != "root" ] && [ "$user" != "Hidden User" ] && [ "$user" != "jamfadmin" ] && [ "$user" != "Your Package creator machine name" ]
#    then
#        dseditgroup -o edit -d $user -t user admin
#        if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi
#    else
#        echo "Admin user $user left alone"
#    fi
#done

# Active part: demote whoever is currently logged in at the console
loggedInUser=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ {print $3}')

/usr/sbin/dseditgroup -o edit -d "$loggedInUser" -t user admin

PerPer
New Contributor

@rhooper Actually, my script is to convert a user to admin using: /usr/sbin/dseditgroup -o edit -a "$loggedInUser" -t user admin

Unfortunately, it did not work at all. Even when I typed the same command in Terminal, it still could not change it.

Lier_bag
New Contributor II

I got it to work with the below script. Just tested that it works on Monterey as well.

#!/bin/bash

loggedInUser=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ {print $3}')

/usr/sbin/dseditgroup -o edit -d "$loggedInUser" -t user admin

@Lier_bag, did you just upload this to Scripts and then add it to a policy, or add it directly to a policy under "Files and Processes" as an executable command? I just tried running it in Terminal on my personal local admin account and it failed.

It is in a script and then applied to a policy. --
Randy Hooper
Technology Support Specialist
KIDS RSU2
email: rhooper@kidsrsu.org
(W) 207.622.6211 x 256

*“Life is either a daring adventure or nothing..."*
― Helen Keller

PerPer
New Contributor

@Lier_bag Did you try to "add" on Monterey version 12.4?

/usr/sbin/dseditgroup -o edit -a "$loggedInUser" -t user admin

PerPer
New Contributor

My bad, /usr/sbin/dseditgroup is working now.