Demoting local admins

mdbrown
New Contributor II

We have student Macs that are using AD accounts. These accounts are being created as admins & they need to be demoted to standard accounts. We also have a hidden admin account that needs to keep admin rights. I am not "fluent" in scripting. Would appreciate any help with putting together a script that can be pushed out via JSS. Macs are running El Capitan 10.11.5

Thank you


PhillyPhoto
Valued Contributor

You may need to check the groups they're being added to in AD. If they're in one with admin rights in the AD bind section in your JSS config, it will give them admin rights by default. If you create a "Student" group for them and verify that it's not in the admins, you should be all set. I don't think there's a need to script something for AD groups.

roiegat
Contributor III

Here's code I used, you can substitute the XXXXX with the admin account you want to use. It basically looks at all accounts above 500 and removes them if they had admin access.

#!/bin/bash
####################################################################################################
#
# ABOUT THIS SCRIPT
#
# NAME
#   DemoteAdmin.sh -- Runs a check on admin accounts and demotes users with admin
#
# SYNOPSIS
#   sudo DemoteAdmin.sh
#
# DESCRIPTION
#   Reads the local admin group and removes every member whose UniqueID is
#   greater than 500 (or who has no local UniqueID at all), except the account
#   named in KEEP_ADMIN. Accounts are only removed from the group, never deleted.
#
# AUTHOR
# Roie Gat
####################################################################################################

# Account that must keep admin rights (replace XXXXXX with your hidden admin)
KEEP_ADMIN="XXXXXX"

echo ""
echo "Starting DemoteAdmin.sh"
echo ""


#get list of admins (direct members only; groups granted admin via NestedGroups are not listed here)
admins=$(dscl . -read /Groups/admin GroupMembership | sed 's/GroupMembership: //')

#for each username in admins, check its UniqueID; if it is greater than 500, remove it.
for user in $admins; do

    userID=$(dscl . -read "/Users/$user" UniqueID 2> /dev/null | sed 's/UniqueID: //')
    echo "ADMIN: $user UserID: $userID"
    if [[ -n "$userID" ]]; then

        if [[ "$userID" -gt 500 ]]; then
            #remove the user from the admin group via dscl (the account itself is left in place)
            if [[ "$user" != "$KEEP_ADMIN" ]]; then

                echo "Found Extra account: $user"
                echo "Demoting: $user"
                dscl . -delete /Groups/admin GroupMembership "$user"
            fi

        fi
    else
        #no local UniqueID found (account is not in the local node): remove it as well
        echo "Found Out account: $user"
        echo "Demoting: $user"
        dscl . -delete /Groups/admin GroupMembership "$user"

    fi


done

echo ""
echo "Ending DemoteAdmin.sh"
echo ""

Olivier
New Contributor II

I strongly discourage use of "dscl . -delete" to add/remove a user from a group, as this may create inconsistencies in the Directory Service database, and other side effects with AD accounts (and no, it does not work better if you also add the user's GeneratedUID to the GroupMembers key in the admin group).

Prefer to use the official, supported Apple way: "dseditgroup -o edit -d yourUserID -t user admin" to delete a user from the admin group.

If I am not wrong, jamf utility makes the same mistake when creating the Adobe firstrun user and adding it to local admin group, but as the user is deleted afterwards, it does not create any problems.
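The dseditgroup approach described above, written out as a complete script. This is an added example, not code from either poster: it reads the admin group's direct members with dscl (the same read roiegat's script uses), skips an allow-list of accounts that must stay admin, confirms each remaining user is really a member with "dseditgroup -o checkmember", and then removes them with "dseditgroup -o edit -d". The names in KEEP_ADMINS are placeholders to replace with your own hidden admin account; the script assumes it runs as root from a Jamf policy.

```shell
#!/bin/bash
# Added example (not from the thread): demote every direct member of the local
# admin group except an allow-list, using dseditgroup as Olivier suggests.
# Assumption (hypothetical names): "hiddenadmin" is the account that must keep
# admin rights. root is always kept.

KEEP_ADMINS="root hiddenadmin"

# Pure text step: given the raw "GroupMembership: a b c" line returned by
#   dscl . -read /Groups/admin GroupMembership
# and the allow-list, print the users that should lose admin, one per line.
# Kept separate from the commands that change anything so it can be dry-run.
select_demotions() {
    membership_line="$1"
    keep="$2"
    for user in ${membership_line#GroupMembership:}; do
        skip=0
        for k in $keep; do
            [ "$user" = "$k" ] && skip=1
        done
        [ "$skip" -eq 0 ] && printf '%s\n' "$user"
    done
}

# The exact command that will be run for one user, printed for logging/review.
demote_command() {
    printf 'dseditgroup -o edit -d %s -t user admin\n' "$1"
}

# Remove one user from the admin group, but only if dseditgroup itself agrees
# the user is currently a member (guards against stale or mistyped names).
demote_user() {
    user="$1"
    if dseditgroup -o checkmember -m "$user" admin >/dev/null 2>&1; then
        echo "Demoting: $user"
        dseditgroup -o edit -d "$user" -t user admin
    else
        echo "Skipping $user: not reported as an admin group member"
    fi
}

main() {
    line=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null) || {
        echo "Could not read the local admin group" >&2
        return 1
    }
    select_demotions "$line" "$KEEP_ADMINS" | while read -r user; do
        demote_command "$user"
        demote_user "$user"
    done
}

# Only make changes when actually running as root on macOS; elsewhere the
# functions are just defined so the selection logic can be exercised.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    main
fi
```

Running select_demotions by hand against the GroupMembership line from a test machine (with an allow-list of the accounts you expect) shows exactly which users a policy run would demote before anything is changed. Because dseditgroup -o checkmember also reports membership inherited through nested groups, a user who is an admin only via an AD group in NestedGroups will be reported as a member but will not be removed by "-d", which is the right outcome: that case is fixed in the AD bind settings, as PhillyPhoto notes, not per user.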

roiegat
Contributor III

@Olivier I did use that method initially, but it didn't seem to take effect immediately. It seemed like the computer had to be rebooted for it to kick in. Since most users don't reboot that often, we either would have to force the reboot, or find a solution that worked while they were logged in. Hence the method in the code.

This was used on 10.10 so things could have changed in 10.11.

franton
Valued Contributor III

Not just that, but there's no upper limit on the UIDs you are checking. This may affect AD bound machines where they get admin rights automatically from group membership.

roiegat
Contributor III

@franton Very true. We only ran this once on machines. This was before we had admin rights set in AD membership. We actually have a bit more complex admin permissions that I can't really discuss. But the point is when the script was used, we wanted to remove admin from anyone who had it.