Help

change user accounts from administrator level to standard

asuneson
New Contributor

Posted on ‎01-10-2023 01:01 PM

hi,

at my organization, we are wanting to downgrade all user accounts from administrator level to standard level per our new security policies. eventually, we will add MakeMeAnAdmin in order for users to temporarily gain access to admin level privileges. what is the best way to downgrade users on a large scale via jamf pro rather than visiting each computer one by one to change them to standard accounts?

thanks!

0 Kudos
4 REPLIES 4

jcarr
Release Candidate Programs Tester

Posted on ‎01-10-2023 01:11 PM

Not certain if this still works, but this is how we would do it before the PreStage gave you the option to make the setup assistant user a standard user:

/usr/sbin/dseditgroup -o edit -d [UserName] -t user admin

 

Getting the username might be the trick.  You could pass the value from Jamf as a variable, or find the username of the 501 user, or the username of the user currently logged in:

loggedInUser=$(stat -f %Su /dev/console)

 

TheAngryYeti
Contributor
Contributor

Posted on ‎01-10-2023 01:59 PM

this may help you out @asuneson jcarr is correct with the basics to what to use here if you wanted to make it yourself though.

AJPinto
Honored Contributor II

Posted on ‎01-11-2023 08:28 AM

CLI is best and pretty straight forward. Though, you really want to have your temp admin process in place BEFORE yanking admin access. If you don't be ready for the tickets where users need you to pass admin access for them. 

 

 

Something like this should work. You can just use JAMFs $3 to define the user. However I don't like for scripts to be dependent on JAMF so I manually define who the user is in the script. 

#!/bin/bash

ActiveUser=`/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }' | tr "[a-z]" "[A-Z]"`

/usr/sbin/dseditgroup -o edit -d $ActiveUser -t user admin

 

 

If you want to target not logged in users, it gets a bit more complicated. You will need to read the admin group, and use command substitution to run the command above for each person in the admin group, and make sure to exclude your local admin. 

jamfnc
New Contributor III
In response to AJPinto

Posted on ‎02-27-2024 04:08 PM

This works on Sonoma. Thank you so much.

0 Kudos