Posted on 10-27-2011 06:34 AM
Want to write a login script that will remove any admin accounts and demote them to a standard user.
I started but knowing this list someone already here probably has written one.
We are deploying a 1:1 to 100 kids, and what I wanted to do is have the kids create their account via the Welcome Assistant and, once that is complete, demote that new user to just a standard user. I have the deployment all working; I just need to get that script working.
Thanks
Posted on 10-27-2011 06:44 AM
You are correct. Attached.
j
Posted on 10-27-2011 06:51 AM
I should note that this will get you in the ballpark, not do exactly what you're looking for. Feel free to modify and re-post to the list.
j
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
Posted on 10-27-2011 06:55 AM
What is your model of design? PHD, local accounts, do you have local admin accounts for IT use?
-Tom
Posted on 10-27-2011 07:01 AM
At the moment we are using OD. Unfortunately Apple doesn't really do enterprise support anymore (10.7 Server), and next summer we are migrating to AD (hopefully).
So the logic is: I set up the laptops, software, Casper and localadmin account, get it all sorted, then delete the .AppleSetupDone file and hand it to the student. Then, with the ICT coordinator, they set up their account with their name etc.
So really we want to give them a laptop but not bind it to a directory, and also manage it with Casper. Does that logic sound right? I am open to suggestions.
Thanks
Posted on 10-27-2011 08:12 AM
Well, there are a lot of factors when doing this. For example, are your IT admin accounts hidden? Do you use any sort of UID schema for your users? Another example is that all local non-hidden accounts will have a UID greater than 500, and all network/PHD accounts have a UID greater than 1000. Are all your users' home folders in /Users?
There are several ways to approach this, and this is my preferred method. It relies on the design that all my local IT-based accounts are hidden, with a UID under 500, and their home folders are stashed away in /private/var. That way I know all local accounts that are for users have a UID of 501 - 999, and all OD accounts have a UID of 1001 to some really high number. This allows me to assume several things. I have also noticed that with AD, typically all UIDs are greater than 1000 as well, in the limited testing I have done with people over the Internet that run AD.
So, here is an example script of how I would demote/promote local users to admin or take away admin:
```bash
#!/bin/bash
# generate a user list of all users with UID greater than 500
userList=$(/usr/bin/dscl . list /Users UniqueID | /usr/bin/awk '$2 > 500 { print $1 }')
# now loop and remove admin rights
for u in ${userList} ; do
    /usr/bin/dscl . delete /Groups/admin GroupMembership ${u}
done
exit 0
```
Please test before using.
-Tom
Posted on 11-03-2011 02:21 AM
Hey guys, I have a problem... a weird one, and the best people to ask are the community brain! :-)
Ran your script, Thomas, on this user, newcomp, as a test, and that user still has admin privileges and is not in the admin group.
Script:
```bash
#!/bin/bash
# generate a user list of all users with UID greater than 500
userList=$(/usr/bin/dscl . list /Users UniqueID | /usr/bin/awk '$2 > 500 { print $1 }')
# now loop and remove admin rights
for u in ${userList} ; do
    /usr/bin/dscl . delete /Groups/admin GroupMembership ${u}
done
exit 0
```
I am now testing... busy with just inventorying and getting the hardware ready!
I check via:
```
dseditgroup -o read admin
```
Output:
```
dsAttrTypeStandard:GroupMembership - root ladmin
```
Not an admin, but still that user can do admin things...
Anything that I am missing?
Is there some other place that admin privileges live? I thought it was just a group?
Thanks guys
Posted on 11-03-2011 05:27 AM
I fixed it.
I had to use dseditgroup rather than dscl and it worked; maybe it's a Lion thing? Anyway, it works now as expected.
With dscl it would remove the user from the admin group, but the system would not reflect the changes and the user would still have admin privileges.
Not sure why.
```bash
#!/bin/bash
# generate a user list of all users with UID greater than 500
userList=$(/usr/bin/dscl . list /Users UniqueID | /usr/bin/awk '$2 > 500 { print $1 }')
# now loop and remove admin rights
for u in ${userList} ; do
    # updated with dseditgroup
    /usr/sbin/dseditgroup -o edit -d ${u} -t user admin
done
exit 0
```
Posted on 11-03-2011 06:19 AM
Rob,
dseditgroup is probably the safer route to go anyway. I am just more comfortable with dscl because I learned with it way before I ever even touched dseditgroup.
I can test on a Lion machine and find out why it doesn't work, but regardless I am glad you got it working.
-Tom
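An added example, not code from the thread, that combines Tom's UID-range selection above with the dseditgroup removal Rob ended up needing. It assumes a keep list of `ladmin` and `itadmin` and uses a constructed sample of `dscl . list /Users UniqueID` output so it can be run off a Mac; dseditgroup updates both the GroupMembership (names) and GroupMembers (GUIDs) attributes of the admin group, which is why deleting only GroupMembership with dscl left the test user with admin rights.

```bash
#!/bin/bash
# Added example, not from the thread. Selects local user accounts in the
# UID range 501-999 (Tom's local-user range) for demotion, skips an explicit
# keep list, and demotes with dseditgroup as the thread settled on.
# SAMPLE_USERS is a constructed stand-in for `dscl . list /Users UniqueID`.

SAMPLE_USERS='_mbsetupuser 248
root 0
ladmin 499
student1 501
student2 502
itadmin 503
netuser 1025'

# Accounts that keep admin whatever their UID (assumed names).
KEEP='ladmin itadmin'

# Source of "name UID" lines. On a real Mac replace the printf with:
#   /usr/bin/dscl . list /Users UniqueID
list_users() {
  printf '%s\n' "$SAMPLE_USERS"
}

# Prints one short name per line for accounts with UID 501..999 that are
# not listed in KEEP.
demotion_candidates() {
  list_users | awk -v keep="$KEEP" '
    BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) skip[k[i]] = 1 }
    $2 >= 501 && $2 <= 999 && !($1 in skip) { print $1 }'
}

# Removes one user from the admin group. dseditgroup updates both the
# GroupMembership (names) and GroupMembers (GUIDs) attributes, which the
# plain dscl delete in the thread did not. With DRY_RUN set it only reports.
demote_user() {
  u=$1
  if [ -n "${DRY_RUN:-}" ]; then
    echo "would run: dseditgroup -o edit -d $u -t user admin"
    return 0
  fi
  /usr/sbin/dseditgroup -o edit -d "$u" -t user admin
}

# Changes are made only when invoked as: ./demote.sh --apply
case "${1:-}" in
  --apply) for u in $(demotion_candidates); do demote_user "$u"; done ;;
esac
```

Run with `DRY_RUN=1 ./demote.sh --apply` first to see which accounts would be touched. To confirm the result afterwards, `dseditgroup -o checkmember -m <user> admin` reports effective membership, which is the check to use rather than reading GroupMembership alone.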
Posted on 06-08-2015 06:27 AM
Can I get some help with this script in getting it to run in Yosemite? It keeps bailing out on me.
Posted on 06-08-2015 07:41 AM
@cohawkeye Given how old this thread is and that none of the posted scripts are using the script formatting tags, you may want to post the one you're using so we can see it. Please highlight it and click the script formatting button (looks like >_) so it gets wrapped in the correct tags, if possible.
Posted on 06-08-2015 08:06 AM
Thanks @mm2270. I am really just trying to do Apple's Zero Touch DEP. I have most of it working, minus when my users log in, they are admins on the computer. This script seems to be my answer, minus I can't get it to work. I'm a scripting hack... I don't know if I'm even in the right shell.
```bash
#!/bin/bash
# list all users with a UID greater than 500
userList=$(/usr/bin/dscl . list /Users UniqueID | /usr/bin/awk '$2 > 500 { print $1 }')
# remove each one from the admin group
for u in ${userList} ; do
    /usr/bin/dscl . delete /Groups/admin GroupMembership ${u}
done
exit 0
```
Posted on 06-08-2015 08:24 AM
@cohawkeye You really should just look through some of the existing threads for example scripts that do this already. Try these to start:
https://jamfnation.jamfsoftware.com/discussion.html?id=14709
https://jamfnation.jamfsoftware.com/discussion.html?id=11437
Posted on 06-08-2015 09:37 AM
Great @mm2270 ! I got one to work. Thanks!
Posted on 10-04-2016 12:08 PM
We have over 900 1:1 devices and are running into issues with the laptops being able to add updates, add printers, Wi-Fi locations, etc. So we are looking to take the "Standard Account" users and promote them to Admin Accounts. I was wondering if there is a script out there to do that?