correct way to remove admin rights

jarednichols
Honored Contributor

Hi-

I need a way to script the removal of a local account's admin rights. The way that came to mind is to use

dscl . -delete /Groups/admin GroupMembership <<username>>

  1. Does this look correct?
  2. Is there a better/more correct way?

Thanks

j
---
Jared F. Nichols
Desktop Engineer, Infrastructure & Operations
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436


jarednichols
Honored Contributor

After some poking around, I found that it looks like this is the right way to do it. Here's the reason I asked...

We're going to be using Random Password Manager (RPM) to spin the root account passwords. I also want to remove all visible administrative users from the machine. So the deployment of a machine with no admin privs looks like this:

  1. Fire up machine out of box, setup with account user will use.
  2. Install our core services package (contains security settings, virusscan, Casper client, Self Service, etc.)
  3. Reset root password, thus enabling it (through policy or interactively, not sure yet)
  4. Finish setting up machine
  5. Deprecate to Standard user using dscl. Even logged in as root through the GUI, OS X won't allow you to deprecate the only >500 UID admin account from Admin to Standard user. That's the reason I asked the question.
  6. Enable RPM to spin the root account password.

I'm probably going to make a script for our deploy techs to handle the dscl command. Seeing how they'll be logged in as root (briefly), I don't want them messing anything up, especially with dscl. If anyone's interested, I'll post it to the list.

j
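The following is an added example of the kind of wrapper script the reply talks about; it is not the poster's script or anything from the thread. It performs the `dscl . -delete /Groups/admin GroupMembership` edit from the question, but surrounds it with the checks a deploy tech working as root should have: the name is validated, root itself can never be demoted, the account must actually be in the admin group, at least one admin member must remain afterwards (root, in the workflow above), and the result is verified with `dsmemberutil` rather than trusted. The helper functions that parse the `dscl -read` output and decide whether the demotion is safe are pure shell and run on any system; only `demote_user` needs the macOS tools. The sample group output used in the comments is constructed.

```shell
#!/bin/sh
# Added example (not the original poster's script): demote a local macOS account
# from admin to standard by removing it from the "admin" group with dscl, with
# safety checks so a tech running as root cannot lock the machine out of
# administration. Assumes dscl and dsmemberutil as shipped with OS X / macOS.

# Accept only plain short names; refuse root so the enabled root account that
# the deployment workflow relies on can never be demoted by mistake.
valid_username() {
    case "$1" in
        ""|root) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Extract the member list from the output of
#   dscl . -read /Groups/admin GroupMembership
# which looks like "GroupMembership: root admin jsmith" (constructed sample).
admin_members_from_output() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership:[[:space:]]*//p'
}

# Return 0 if $2 is one of the whitespace-separated names in $1, else 1.
list_contains() {
    for _m in $1; do
        [ "$_m" = "$2" ] && return 0
    done
    return 1
}

# Number of names in a whitespace-separated list.
count_members() {
    set -- $1
    echo "$#"
}

# Decide whether removing $2 from member list $1 is safe: the user must be in
# the list and at least one admin member must remain after the removal.
check_demotion() {
    if ! list_contains "$1" "$2"; then
        echo "$2 is not in the admin group; nothing to do" >&2
        return 1
    fi
    if [ "$(count_members "$1")" -lt 2 ]; then
        echo "$2 is the only admin member; refusing to leave the machine with none" >&2
        return 1
    fi
    return 0
}

# Perform the demotion on a real system. Return codes: 2 bad or protected name,
# 3 dscl unavailable or group unreadable, 4 safety check failed, 5 delete
# failed, 6 the user still resolves as an admin member afterwards.
demote_user() {
    valid_username "$1" || { echo "refusing invalid or protected name '$1'" >&2; return 2; }
    command -v dscl >/dev/null 2>&1 || { echo "dscl not found" >&2; return 3; }
    _out=$(dscl . -read /Groups/admin GroupMembership) || return 3
    check_demotion "$(admin_members_from_output "$_out")" "$1" || return 4
    dscl . -delete /Groups/admin GroupMembership "$1" || return 5
    # Verify through the membership resolver rather than trusting the edit.
    dsmemberutil checkmembership -U "$1" -G admin 2>/dev/null | grep -q 'is not a member' \
        || { echo "$1 still resolves as an admin member" >&2; return 6; }
    echo "$1 demoted to standard user"
}

# Usage: sudo ./demote.sh <shortname>
if [ "$#" -gt 0 ]; then
    demote_user "$1"
fi
```

Two points worth knowing beyond the thread: `dseditgroup -o edit -d <shortname> -t user admin` performs the same group edit as the `dscl -delete` line and is the tool Apple documents for group changes, and on later macOS releases the "Allow user to administer this computer" checkbox also adds the account to the `_appserveradm` and `_appserverusr` groups, so a complete demotion there removes the user from those groups as well.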