demote admin user back to standard user...

rob_potvin
Contributor III

Want to write a login script that will remove any admin accounts and demote them to a standard user.

I started but knowing this list someone already here probably has written one.

We are deploying a 1to1 to 100 kids and what I wanted to do is have the kids create their account via the welcome assistant and once that is complete demote that new user to just a standard user. I have the deployment all working just need to get that script working.

Thanks


jarednichols
Honored Contributor

You are correct. Attached.

j

jarednichols
Honored Contributor

I should note that this will get you in the ballpark, not do exactly what you're looking for. Feel free to modify and re-post to the list.

j
---
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

tlarkin
Honored Contributor

What is your model of design? PHD, local accounts, do you have local admin accounts for IT use?

-Tom

rob_potvin
Contributor III

At the moment we are using OD. Unfortunately Apple doesn't really do enterprise support anymore (10.7 server), and next summer we are migrating to AD (hopefully).

So the logic is, I set up the laptops, software, Casper, localadmin account, get it all sorted, then delete the .AppleSetupDone file and hand it to the student. Then with the ICT coordinator they set up their account with their name etc.

So really we want to give them a laptop but not bind it to a directory and also manage it with casper, does that logic sound right? I am open to suggestions

Thanks

tlarkin
Honored Contributor

Well there are a lot of factors when doing this. For example, are your IT admin accounts hidden? Do you use any sort of UID schema for your users? Another example is that all local non-hidden accounts will have a UID of greater than 500, and all network/PHD accounts have a UID of greater than 1000. Are all your users' home folders in /Users?

There are several ways to approach this, and this is my preferred method. It depends on the design that all my local IT-based accounts are hidden, with a UID of under 500, and their home folders are stashed away in /private/var. That way I know all local accounts that are for users have a UID of 501 - 999 and all OD accounts have a UID of 1001 to some really high number. This allows me to assume several things. I have also noticed that with AD typically all UIDs are greater than 1000 as well, in the limited testing I have done with people over the Internet that run AD.

So, here is an example script of how I would demote/promote local users to admin or take away admin

```bash
#!/bin/bash

# generate a user list of all users with UID greater than 500
userList=$(/usr/bin/dscl . list /Users UniqueID | /usr/bin/awk '$2 > 500 { print $1 }')

# now loop and remove admin rights
for u in ${userList} ; do
    /usr/bin/dscl . delete /Groups/admin GroupMembership ${u}
done
exit 0
```

Please test before using

-Tom

rob_potvin
Contributor III

Hey guys, I have a problem... a weird one; the best people to ask are the community brain! :-)

Ran your script, Thomas, on this user, newcomp, as a test, and that user still has admin privileges and is not in the admin group.

Script:

```bash
#!/bin/bash

# generate a user list of all users with UID greater than 500
userList=$(/usr/bin/dscl . list /Users UniqueID | /usr/bin/awk '$2 > 500 { print $1 }')

# now loop and remove admin rights
for u in ${userList} ; do
    /usr/bin/dscl . delete /Groups/admin GroupMembership ${u}
done
exit 0
```

I am now testing... busy with just inventorying and getting the hardware ready!

I check via:

```bash
dseditgroup -o read admin
```

Output:

```
dsAttrTypeStandard:GroupMembership - root ladmin
```

Not an admin but still that user can do admin things..

Anything that I am missing?

Is there some other place that admin privileges live? I thought it was just a group?

Thanks guys


rob_potvin
Contributor III

I fixed it

I had to use dseditgroup rather than dscl and it worked; maybe it's a Lion thing? Anyway it works now as expected.

With dscl it would remove the user from the admin group but the system would not reflect the changes and the user would still have admin privileges.

Not sure why

```bash
#!/bin/bash

# generate a user list of all users with UID greater than 500
userList=$(/usr/bin/dscl . list /Users UniqueID | /usr/bin/awk '$2 > 500 { print $1 }')

# now loop and remove admin rights
for u in ${userList} ; do
    # updated with dseditgroup
    /usr/sbin/dseditgroup -o edit -d ${u} -t user admin
done

exit 0
```
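Putting Tom's UID-based selection and Rob's dseditgroup fix together, here is an added example (my own script, not Tom's or Rob's) that demotes local users, keeps a named IT account, and verifies each change with `dseditgroup -o checkmember`. dseditgroup updates both the admin group's name list (GroupMembership) and its GUID list (GroupMembers), which is usually why deleting only GroupMembership with dscl leaves the user able to do admin things. The account name `ladmin` comes from Rob's output above; the `KEEP_USERS` variable and the function names are my own.

```bash
#!/bin/bash
# Added example: demote every local user with UID > 500 to a standard user.
# Must run as root (dseditgroup edits the local directory node).

# Accounts that must never be demoted (space-separated). "ladmin" is the IT
# account name from Rob's dseditgroup output; adjust to your own schema.
KEEP_USERS="ladmin"

# select_candidates: reads "name UID" lines (the format printed by
# `dscl . list /Users UniqueID`) on stdin and prints the names with UID > 500
# that are not listed in KEEP_USERS. Pure text filtering, so it can be
# exercised with constructed input on any machine.
select_candidates() {
    awk -v keep="$KEEP_USERS" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) skip[k[i]] = 1 }
        $2 > 500 && !($1 in skip) { print $1 }'
}

# demote_user: remove one account from the admin group (both the name and
# GUID membership lists) and confirm it is really gone.
# Returns 0 when the user is no longer an admin, 1 otherwise.
# (To promote instead, replace "-d" with "-a".)
demote_user() {
    local u="$1"
    /usr/sbin/dseditgroup -o edit -d "$u" -t user admin
    if /usr/sbin/dseditgroup -o checkmember -m "$u" admin >/dev/null 2>&1; then
        echo "WARNING: $u is still a member of admin" >&2
        return 1
    fi
    echo "demoted $u"
    return 0
}

main() {
    local rc=0
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    for u in $(/usr/bin/dscl . list /Users UniqueID | select_candidates); do
        demote_user "$u" || rc=1
    done
    return $rc
}

# Only perform the demotion on a Mac that actually has dseditgroup.
if [ -x /usr/sbin/dseditgroup ]; then main; fi
```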

tlarkin
Honored Contributor

Rob,

dseditgroup is probably the safer route to go anyway. I am just more comfortable with dscl because I learned with it way before I ever even touched dseditgroup.

I can test on a Lion machine and find out why it doesn't work, but regardless I am glad you got it working.

-Tom

cohawkeye
New Contributor

Can I get some help with this script in getting it to run in Yosemite? It keeps bailing out on me.

mm2270
Legendary Contributor III

@cohawkeye Given how old this thread is and that any existing posted scripts aren't using the script formatting tags, you may want to post the one you're using so we can see it. Please highlight it and click the script formatting button ( looks like >_ ) so it gets wrapped in the correct tags if possible.

cohawkeye
New Contributor

Thanks @mm2270 I am really just trying to do Apple's Zero Touch DEP. I have most of it working, minus when my users log in, they are admins on the computer. This script seems to be my answer, minus I can't get it to work. I'm a scripting hack...I don't know if I'm even in the right shell.

```bash
#!/bin/bash

# generate a user list of all users with UID greater than 500
userList=$(/usr/bin/dscl . list /Users UniqueID | /usr/bin/awk '$2 > 500 { print $1 }')

# now loop and remove admin rights
for u in ${userList} ; do
    /usr/bin/dscl . delete /Groups/admin GroupMembership ${u}
done
exit 0
```

mm2270
Legendary Contributor III

@cohawkeye You really should just look through some of the existing threads for example scripts that do this already. Try these to start:
https://jamfnation.jamfsoftware.com/discussion.html?id=14709
https://jamfnation.jamfsoftware.com/discussion.html?id=11437

cohawkeye
New Contributor

Great @mm2270 ! I got one to work. Thanks!

rhooper
Contributor III

We have over 900 1:1 devices and are running into issues with the laptops being able to add updates, add printers, WiFi locations, etc. So we are looking to take the "Standard Account" and promote them to Admin Accounts. I was wondering if there is a script out there to do that?