Can't convert Admin users to Standard users

Lier_bag
New Contributor II

I'm trying to convert a large number of admin accounts to standard accounts. On Jamf Nation, multiple people have been sharing the script below, but when I run it, it does not change any users from Admin to Standard. Below is what I ran:
with ###### being the local admin account on every device.

#!/bin/sh
adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)

for user in $adminUsers
do
    if [ "$user" != "root" ]  && [ "$user" != "######" ]
    then 
        dseditgroup -o edit -d $user -t user admin
        if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi
    else
        echo "Admin user $user left alone"
    fi
done

When it finishes, the logs show 0, but nothing changes. I can change each laptop individually with

#!/bin/sh
sudo dseditgroup -o edit -d $username -t user admin

but that isn't ideal. Am I doing something wrong? And I have seen the other posts about this topic and almost all share this same script with users saying it worked for them.


mm2270
Legendary Contributor II

Are you getting any output in the policy log that has the line echo "Removed user $user from admin group"? If so, then the command preceding that using dseditgroup would seem to be working. If you aren't seeing that in the policy log, then you'll need to deconstruct this to see why that command isn't removing the user from the local admin group.

I find when troubleshooting scripts like this, it's often best to have some verbose output, either by including echo statements in various places so I can see what the script is seeing, or using -x after the shebang of the script to get line by line feedback of what the script is doing when it's run.
Doing either of those should help you track down what's going on.

AdamCraig
Contributor III

I have a smart group for users who have an admin on their computer that is not one of the local admins (multiple so we can have the one we are rotating from and the one we are rotating to when we rotate admin accounts)

And then this script runs, I believe, once a day on those computers.

#!/bin/sh

adminUser1="${4}"
adminUser2="${5}"

if [[ -z "$adminUser1" ]] || [[ -z "$adminUser2" ]] ; then
    echo "admin username variables missing."
    exit 1
fi

## this will demote the current user if they are not one of the local admin accounts
loggedInUser=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

if [[ -z "$loggedInUser" ]] || [[  "$loggedInUser" == 'root' ]] || [[ "$loggedInUser" == "loginwindow" ]] ; then
    echo "Failed to gather loggedInUser correctly"
    exit 1
else
    echo "loggedInUser is $loggedInUser"
fi

if [[ "$loggedInUser" != "$adminUser1" ]] && [[ "$loggedInUser" != "$adminUser2" ]] ; then
    # -w matches the gid 80 as a whole word, so gids such as 180 or 800 do not count
    IsUserAdmin=$(id -G "$loggedInUser" | grep -w 80)
    if [ -n "$IsUserAdmin" ]; then
        /usr/sbin/dseditgroup -o edit -n /Local/Default -d "$loggedInUser" -t "user" "admin"
      exit 0
    else
        echo "$loggedInUser is not a local admin"
    fi
fi
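As an added example (not a script from this thread or from Jamf), here is a version of the "demote everyone except an allowlist" approach that avoids the two fragile points in the scripts above: `cut -c 18-` assumes the exact column where the member list starts, and `grep 80` also matches gids like 180. The parsing and matching helpers are plain shell and take their input as arguments, so they can be checked without a Mac; only `demote_admins` calls `dscl` and `dseditgroup`. The allowlist passed via Jamf parameter 4 is an assumption.

```shell
#!/bin/sh
# Added example, not from the original thread.

# Strip the "GroupMembership:" label instead of relying on cut -c 18-.
# Usage: admin_members "<output of: dscl . -read /Groups/admin GroupMembership>"
admin_members() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership:[[:space:]]*//p'
}

# Exact match of a user against a space-separated allowlist.
# Usage: is_exempt "<user>" "<allowlist>"
is_exempt() {
    for keep in $2; do
        [ "$1" = "$keep" ] && return 0
    done
    return 1
}

# Exact gid test over the word list printed by `id -G`; unlike `grep 80`,
# "180" or "800" do not count as membership in gid 80 (the admin group).
# Usage: has_gid "<gid>" "<output of: id -G user>"
has_gid() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# Demote every admin group member not on the allowlist (root is always kept).
# Set DRY_RUN=1 to only print the plan. Must run as root to actually edit the group.
demote_admins() {
    allow="root $1"
    members=$(admin_members "$(dscl . -read /Groups/admin GroupMembership)")
    for user in $members; do
        if is_exempt "$user" "$allow"; then
            echo "Admin user $user left alone"
        elif [ -n "$DRY_RUN" ]; then
            echo "Would remove $user from admin group"
        elif /usr/sbin/dseditgroup -o edit -n /Local/Default -d "$user" -t user admin; then
            echo "Removed user $user from admin group"
        else
            echo "Failed to remove $user from admin group" >&2
        fi
    done
}

# Entry point when run by Jamf on macOS: parameter 4 holds the allowlist (assumed).
if [ "$(uname)" = "Darwin" ]; then demote_admins "${4:-}"; fi
```

Run it once with `DRY_RUN=1` from a policy and read the log before letting it edit the group, since the printed plan shows exactly which accounts would be demoted.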

Lier_bag
New Contributor II

@mm2270 When I viewed the logs, it showed 0. It didn't display any of the echos. It's as if the adminUsers variable is empty. But I found a script that will demote the logged in user; it has the same desired effect.

Lier_bag
New Contributor II

@strayer Thanks for sharing this. I was planning on having a static group of users who would be exempt from the policy and scope everyone else. Then have this one run once a day. I found a script similar to yours that demotes the logged in user, which has the same desired effect I'm looking for:

#!/bin/sh
loggedInUser=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ {print $3}')

/usr/sbin/dseditgroup -o edit -d "$loggedInUser" -t user admin

rhooper
Contributor III

@Lier_bag We have used this script with pretty good luck:

#!/bin/sh

adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)

for user in $adminUsers
do
    if [ "$user" != "root" ] && [ "$user" != "<Your Root admin account>" ] && [ "$user" != "jamfadmin" ] && [ "$user" != "packagemaker" ]
    then
        dseditgroup -o edit -d "$user" -t user admin
        if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi
    else
        echo "Admin user $user left alone"
    fi
done

We have another that works great, except it changes all Admin accounts to Standard accounts, including the hidden accounts. We also need to set the device to restart immediately. If you want the other script we use let me know.