Posted on 08-15-2016 09:01 AM
We have student Macs that are using AD accounts. These accounts are being created as admins and they need to be demoted to standard accounts. We also have a hidden admin account that needs to keep admin rights. I am not "fluent" in scripting. Would appreciate any help with putting together a script that can be pushed out via JSS. Macs are running El Capitan 10.11.5
Thank you
Posted on 08-15-2016 09:17 AM
You may need to check the groups they're being added to in AD. If they're in one with admin rights in the AD bind section in your JSS config, it will give them admin rights by default. If you create a "Student" group for them and verify that it's not in the admins, you should be all set. I don't think there's a need to script something for AD groups.
Posted on 08-15-2016 09:18 AM
Here's code I used; you can substitute the XXXXX with the admin account you want to use. It basically looks at all accounts above 500 and removes them if they had admin access.
#!/bin/bash
####################################################################################################
#
# ABOUT THIS SCRIPT
#
# NAME
# DemoteAdmin.sh -- Runs check on admin accounts and demotes users with admin
#
# SYNOPSIS
# sudo DemoteAdmin.sh
#
# DESCRIPTION
# Runs check on admin accounts between and demotes users with admin
#
# AUTHOR
# Roie Gat
####################################################################################################
echo ""
echo "Starting DemoteAdmin.sh"
echo ""
# get list of admins (members of the local admin group)
admins=$(dscl . -read /Groups/admin GroupMembership | sed 's/GroupMembership: //')
# for each username in admins, look up its UniqueID; if it is greater than 500 (i.e. not a
# built-in account) and it is not the protected admin, remove it from the admin group.
for user in $admins; do
    userID=$(dscl . -read "/Users/$user" UniqueID 2> /dev/null | sed 's/UniqueID: //')
    echo "ADMIN: $user UserID: $userID"
    if [[ ! -z "$userID" ]]; then
        if [[ $userID -gt 500 ]]; then
            # remove the user from the admin group via dscl (the account itself is kept)
            if [[ ! $user == "XXXXXX" ]]; then
                echo "Found Extra account: $user"
                echo "Demoting: $user"
                sudo dscl . -delete /Groups/admin GroupMembership "$user"
            fi
        fi
    else
        # no local UniqueID could be read (account not resolvable locally): demote it as well
        echo "Found Out account: $user"
        echo "Demoting: $user"
        sudo dscl . -delete /Groups/admin GroupMembership "$user"
    fi
done
echo ""
echo "Ending DemoteAdmin.sh"
echo ""
Posted on 08-16-2016 08:29 AM
I strongly discourage use of "dscl . -delete" to add/remove a user from a group, as this may create inconsistencies in the Directory Service database, and other side effects with AD accounts (and no, it does not work better if you also add the user's GeneratedUID to the GroupMembers key in the admin group).
Prefer to use the officially supported Apple way: "dseditgroup -o edit -d yourUserID -t user admin" to delete a user from the admin group.
If I am not wrong, the jamf utility makes the same mistake when creating the Adobe firstrun user and adding it to the local admin group, but as the user is deleted afterwards, it does not create any problems.
Posted on 08-16-2016 08:41 AM
@Olivier I did use that method initially, but it didn't seem to take effect immediately. It seemed like the computer had to be rebooted for it to kick in. Since most users don't reboot that often, we either would have to force the reboot, or find a solution that worked while they were logged in. Hence the method in the code.
This was used on 10.10 so things could have changed in 10.11.
Posted on 08-16-2016 08:54 AM
Not just that, but there's no upper limit on the UIDs you are checking. This may affect AD-bound machines where they get admin rights automatically from group membership.
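Putting the two points above together (Olivier's dseditgroup method and franton's missing UID upper bound), here is an added example script that is not from any post in this thread and not Jamf's own code. The protected hidden-admin name and the UID bounds are placeholders you would set for your own environment; the "who gets demoted" decision is kept in a separate function so it can be checked without touching Directory Services, and, unlike the earlier script, an account whose local UniqueID cannot be read is left alone rather than demoted. Membership is verified afterwards with dseditgroup -o checkmember.

```bash
#!/bin/bash
# Added example (not from the thread): demote local admins with dseditgroup,
# protecting one hidden admin account and bounding the UID range so that
# directory (AD) accounts, which get much larger UIDs, are left untouched.
# Assumptions: PROTECTED_ADMIN, MIN_UID and MAX_UID are placeholders for your site.

PROTECTED_ADMIN="hiddenadmin"   # placeholder: your hidden local admin account
MIN_UID=501                     # local user accounts start at 501 on macOS
MAX_UID=1000                    # assumed upper bound for locally created accounts

# should_demote USER UID -> returns 0 if USER should lose admin rights.
# Pure decision logic: no dscl/dseditgroup calls, so it is testable anywhere.
should_demote() {
    local user="$1" uid="$2"
    # never touch the protected hidden admin
    [ "$user" = "$PROTECTED_ADMIN" ] && return 1
    # empty or non-numeric UID (account not resolvable locally): leave it alone
    case "$uid" in ''|*[!0-9]*) return 1 ;; esac
    # demote only accounts inside the local UID window
    [ "$uid" -ge "$MIN_UID" ] && [ "$uid" -le "$MAX_UID" ]
}

# is_admin USER -> 0 if USER is currently a member of the admin group (macOS only)
is_admin() {
    dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1
}

# Walk the local admin group and demote according to should_demote (macOS only).
demote_admins() {
    local user uid
    for user in $(dscl . -read /Groups/admin GroupMembership | sed 's/^GroupMembership: //'); do
        uid=$(dscl . -read "/Users/$user" UniqueID 2>/dev/null | sed 's/^UniqueID: //')
        if should_demote "$user" "$uid"; then
            echo "Demoting $user (UID $uid)"
            # supported Apple way to remove a user from a group, as recommended above
            dseditgroup -o edit -d "$user" -t user admin
            # verify the change actually took
            if is_admin "$user"; then
                echo "WARNING: $user is still a member of admin" >&2
            fi
        else
            echo "Keeping $user (UID ${uid:-unknown})"
        fi
    done
}

# Only act when run on macOS with an explicit --run flag; the functions above
# can be sourced and exercised on their own otherwise.
if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "--run" ]; then
    demote_admins
fi
```

Run it from a Jamf policy as root with `--run`; policies already execute as root, so no `sudo` is needed inside the script. If your hidden admin is a directory account rather than a local one, add it to the protected check rather than relying on the UID window alone.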
Posted on 08-16-2016 09:33 AM
@franton Very true. We only ran this once on machines. This was before we had admin rights set in AD membership. We actually have a bit more complex admin permissions that I can't really discuss. But the point is, when the script was used, we wanted to remove admin from anyone who had it.