Demote active user from Admin to Standard

johnlp
New Contributor II

So we have MacBooks with dual accounts: 501 is "company admin" and 502 is "assigned user", currently with admin rights that need to be changed to standard. I used this script and it worked like a champ:

#!/bin/bash

# Remove admin group membership from every local account with UID 502 or higher
while read -r useraccount; do
    /usr/sbin/dseditgroup -o edit -d "$useraccount" -t user admin
done < <(dscl . list /Users UniqueID | awk '$2 >= 502 {print $1}')

exit 0

Problem is that in some cases the UID is flipped and 502 is the "company admin", and as a result I (the admin) locked myself out of a few Macs.

What would be the best way to script this so that it changes the active user logged in at the time without regard to the UID? I've tried several variations and come up with nothing productive.



Chuey
Contributor III

How familiar are you with Perl? I use Perl to do this and check against the name of the account. This could help in your scenario where the account UIDs are flipped... if you were checking against the account name it should be 100% every time.

ShaunRMiller83
Contributor III

The first script will look for any users with a UID equal to or above 501, except for "Company Admin", and below a UID of 1000, so local users only.

I have that set in an array called localusers, then have a for loop go through the remaining users and remove the access.

#!/bin/bash

# Collect every local account (UID 501-999) except the company admin account;
# "company admin" is a placeholder for that account's short name
IFS=$'\n'
declare -a localusers=($(dscl . list /Users UniqueID | grep -v "company admin" | awk '$2 >= 501 && $2 < 1000 {print $1}'))
unset IFS

# Remove each remaining account from the local admin group
for i in "${localusers[@]}"; do
    /usr/sbin/dseditgroup -o edit -d "$i" -t user admin
done

The second will target the specific user on the system. I have added an if statement within the for loop looking just for that username.

#!/bin/bash

# Collect every local account (UID 501-999) except the company admin account;
# "company admin" is a placeholder for that account's short name
IFS=$'\n'
declare -a localusers=($(dscl . list /Users UniqueID | grep -v "company admin" | awk '$2 >= 501 && $2 < 1000 {print $1}'))
unset IFS

# Only demote the one named account; "assigned user" is a placeholder for its short name
for i in "${localusers[@]}"; do
    if [ "$i" = "assigned user" ]; then
        /usr/sbin/dseditgroup -o edit -d "$i" -t user admin
    else
        echo "Not the droids we were looking for"
    fi
done

Update: I reread your original post and what you are looking for. I think this additional script hits closer to your goal.

#!/bin/sh

# The owner of /dev/console is the user currently logged in at the GUI
currentUser=$(ls -l /dev/console | awk '{ print $3 }')

# Only demote the one named account; "assigned user" is a placeholder for its short name
if [ "$currentUser" = "assigned user" ]; then
    /usr/sbin/dseditgroup -o edit -d "$currentUser" -t user admin
    exit 0
else
    echo "Not the droids we were looking for"
    exit 1
fi

I'm by no means a scripting expert, but I have used these or similar scripts with good success. I'm sure there are other ways to handle that task.

Last thing (Insert the TEST, TEST, TEST, TEST and TEST dialog here)

Hope these help, Shaun

johnlp
New Contributor II

THAT looks exactly like what I am looking for. I will try it and let you know the results, but yes, I want the script to target the user logged in at the time ("current-user") but never target the "admin-user" account when it logs in. There are only two accounts per machine. :)

----------UPDATE-------------
I'm finding machines with other accounts as well, so, to save time, all I want to do is make any and all users other than "SIFI" (that's the only admin account that there needs to be) standard accounts only.

johnlp
New Contributor II

Using @ShaunRMiller83's script... This is what I am trying right now. The expected result would be that any user currently logged in to a MacBook other than user sifi is demoted to standard.

#!/bin/sh

currentUser=$(ls -l /dev/console | awk '{ print $3 }')

if [ $currentUser != "sifi" ]; then
    /usr/sbin/dseditgroup -o edit -d $currentUser -t user admin
    exit 0
else
    echo "Not the droids we were looking for"
    exit 1
fi

I get no errors however it does not demote any users.

ShaunRMiller83
Contributor III

Give this a try; it seems the syntax was off slightly.

This will make the currently logged-in user go from admin to standard.

#!/bin/sh

# The owner of /dev/console is the user currently logged in at the GUI
currentUser=$(ls -l /dev/console | awk '{ print $3 }')

if [ "$currentUser" != "sifi" ]; then
    # Test admin membership by group name; matching "80" as a substring
    # would also match unrelated GIDs such as 180 or 801
    IsUserAdmin=$(id -Gn "$currentUser" | tr ' ' '\n' | grep -x admin)
    if [ -n "$IsUserAdmin" ]; then
        /usr/sbin/dseditgroup -o edit -n /Local/Default -d "$currentUser" -t "user" "admin"
        exit 0
    else
        echo "$currentUser is not a local admin"
    fi
fi
exit 0

Update: This will make all users except for Sifi go from admin to standard

#!/bin/bash

# Collect every local account (UID 500-999) except sifi; matching the name
# exactly in awk avoids grep -v also excluding names that merely contain "sifi"
IFS=$'\n'
declare -a localusers=($(dscl . list /Users UniqueID | awk '$1 != "sifi" && $2 >= 500 && $2 < 1000 {print $1}'))
unset IFS

# Remove each remaining account from the local admin group
for i in "${localusers[@]}"; do
    /usr/sbin/dseditgroup -o edit -n /Local/Default -d "$i" -t "user" "admin"
done
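As an added example (not Shaun's script or anything else from the thread), the same demotion written with the guard the original UID-based script lacked: it refuses to demote anyone unless the protected admin account is verifiably still an admin, which is the check that would have prevented the lockout in the opening post, and it tests admin membership by group name rather than grepping for "80". The name "sifi" and the 500-999 UID window come from the thread; the function names and the sample account list in the test are constructed.

```sh
#!/bin/sh
# Demote every local account except one designated admin, but refuse to touch
# anything unless that admin is verifiably still in the local admin group.
# "sifi" and the 500-999 UID window come from the thread; the function names
# are constructed for this example.

PROTECTED_ADMIN="${PROTECTED_ADMIN:-sifi}"

# Print the short names of local accounts other than the protected admin.
# Reads "name uid" lines on stdin, the shape `dscl . list /Users UniqueID`
# produces, so the filter can be exercised on any system.
candidates() {
    awk -v keep="$1" '$1 != keep && $2 >= 500 && $2 < 1000 { print $1 }'
}

# True only if the account exists and "admin" is one of its group names.
# Matching the whole name avoids the `grep 80` pitfall, where an unrelated
# GID such as 180 or 801 would also look like admin membership.
admin_is_safe() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx admin
}

# Remove one account from the local admin group (macOS only).
demote() {
    /usr/sbin/dseditgroup -o edit -n /Local/Default -d "$1" -t user admin
}

main() {
    # The guard that the original UID-based script lacked: never demote
    # anyone while the protected admin is missing or already non-admin.
    if ! admin_is_safe "$PROTECTED_ADMIN"; then
        echo "refusing to run: $PROTECTED_ADMIN is missing or not an admin" >&2
        return 2
    fi
    dscl . list /Users UniqueID | candidates "$PROTECTED_ADMIN" | while read -r u; do
        if admin_is_safe "$u"; then
            demote "$u" && echo "demoted $u"
        else
            echo "$u is already a standard user"
        fi
    done
}

# Only run the live path where the macOS directory tools exist.
if [ -x /usr/sbin/dseditgroup ]; then
    main
fi
```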

johnlp
New Contributor II

WORKS LIKE A CHAMP! THANK YOU FOR THE ASSIST! :)

John