+2We have student Mac's that are using AD account's. These accounts are being created as admin's & they need to be demoted to standard accounts. We also have a hidden admin account that needs to keep admin rights. I am not "fluent" in scripting. Would appreciate any help with putting together a script that can be pushed out via JSS. Mac's are running El Capitan 10.11.5
Thank you
You may need to check the groups they're being added to in AD. If they're in one with admin rights in the AD bind section in your JSS config, it will give them admin rights by default. If you create a "Student" group for them and verify that it's not in the admins, you should be all set. I don't think there's a need to script something for AD groups.
+16Here's code I used, you can substitute the XXXXX with the admin account you want to use. It basically looks at all accounts above 500 and removes them if they had admin access.
#!/bin/bash
####################################################################################################
#
# ABOUT THIS SCRIPT
#
# NAME
# DemoteAdmin.sh -- Runs check on admin accounts and demote users with admin
#
# SYNOPSIS
# sudo DemoteAdmin.sh
#
# DESCRIPTION
# Runs check on admin accounts between and demotes users with admin
#
# AUTHOR
# Roie Gat
####################################################################################################
echo ""
echo "Starting DemoteAdmin.sh"
echo ""
#get list of admins
accounts=""
admins=$(dscl . -read /Groups/admin GroupMembership | sed 's/GroupMembership: //')
#for each username in admins, check it's UniqueID, if it's known to be greater than 500, remove it.
for user in $admins; do
userID=$(dscl . -read /Users/$user UniqueID 2> /dev/null | sed 's/UniqueID: //')
echo "ADMIN: $user UserID: $userID"
if [[ ! -z "$userID" ]]; then
if [[ $userID -gt 500 ]];then
#delete the user account via dscl
if [[ ! $user == "XXXXXX" ]]; then
echo "Found Extra account: $user"
echo "Demoting: $user"
sudo dscl . -delete /Groups/admin GroupMembership $user
fi
fi
else
echo "Found Out account: $user"
echo "Demoting: $user"
sudo dscl . -delete /Groups/admin GroupMembership $user
fi
done
echo ""
echo "Ending DemoteAdmin.sh"
echo ""
+6I strongly discourage use of "dscl . -delete " to add/remove user from a group, as this may create inconsistencies in the Directory Service database, and other side effects with AD accounts (and no, it does not work better if you also add the user's GeneratedUID to GroupMembers key in admin group)
Prefer to use the official supported Apple-way : "dseditgroup -o edit -d yourUserID -t user admin" to delete a user from admin group.
If I am not wrong, jamf utility makes the same mistake when creating the Adobe firstrun user and adding it to local admin group, but as the user is deleted afterwards, it does not create any problems.
+16@Olivier I did use that method initially, but it didn't seem to take effect immediately. It seemed like the computer had to be rebooted for it to kick in. Since most users don't reboot that often, we either would have to force the reboot, or find a solution that worked while they were logged in. Hence the method in the code.
This was used on 10.10 so things could have changed in 10.11.
Not just that but there's no upper limit on the UID's you are checking. This may affect AD bound machines where they get admin rights automatically from group membership.
+16@franton Very true. We only ran this once on machines. This was before we had admin right set in AD membership. We actually have a bit more complex admin permissions that I can't really discuss. But the point is when the script was used, we wanted to remove admin from anyone who had it.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
