Posted on 12-11-2014 11:43 AM
I am in need of a script to run to enable Admin Privileges when using self service. I had a script running but it no longer seems to be working.
Thank you
Posted on 12-11-2014 12:03 PM
I am not quite sure what you are asking for here. Self Service runs everything as an admin, so I think you might be asking for a script that gives the account running the script admin rights.
But you might check out Andrina's Git for a script to give users temporary admin rights. The slide deck and scripts are there.
https://github.com/andrina/JNUC2013/tree/master/Users%20Do%20Your%20Job
Posted on 12-11-2014 01:55 PM
Edited from Andrina's script - this is what we use as everyone has local admin
#!/bin/sh
# Get username of current logged in user
USERNAME=$(who | grep console | awk '{print $1}')
# give current logged user admin rights
/usr/sbin/dseditgroup -o edit -a "$USERNAME" -t user admin
exit 0
Posted on 12-11-2014 03:26 PM
Sorry about the confusion. I want the user to be able to go to self service and run a policy that gives them Admin privileges.
Posted on 12-11-2014 05:00 PM
That's the script @jonnydford posted. It will add the currently logged in user to the admin group. You just need to put the script into Casper and make a self service policy for it.
Posted on 12-12-2014 06:38 AM
Either you want them to be admin or you don't. If you are putting the user into a group that can be admin I would then just make the policy run and not require user intervention. If you want all users to be admin just push it to all. If this is in a sense a way to provide "temporary" administrative rights to the user for a period of time you can create a cocoa script that would add the user to the admin group then remove them after x minutes or policy execution that can be cached and run the next day or specific trigger.
Just a plug but Andrina's script mentioned above at github is awesome.
Posted on 11-29-2016 07:42 PM
Notes:
- com.apple.atrun.plist is no longer loaded automatically.
- I say 5 minutes, but allow 10.
- Tested as of OS X Sierra
#!/bin/bash
# Get username of current logged in user
# This method breaks if you allow multiple accounts logged in.
USERNAME=$(who|grep console|awk '{print $1}')
membership=$(dsmemberutil checkmembership -U "$USERNAME" -G admin)
if [ "$membership" == "user is not a member of the group" ];
then
    # atrun is no longer loaded automatically, so load it before scheduling the removal
    if ! launchctl list|grep -q com.apple.atrun; then launchctl load -w /System/Library/LaunchDaemons/com.apple.atrun.plist; fi
    /usr/sbin/dseditgroup -o edit -a "$USERNAME" -t user admin
    # Schedule removal from the admin group 10 minutes from now
    echo "/usr/sbin/dseditgroup -o edit -d $USERNAME -t user admin"|at now +10 minutes &>/dev/null
    # Paths containing spaces must be quoted
    "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType hud -description "$USERNAME has been granted Administrative rights for 5 minutes." -title "Administrative rights" -button1 "OK" -icon "/Library/User Pictures/Animals/Eagle.tif" -timeout 5 &>/dev/null
fi
Posted on 01-17-2017 05:33 AM
I'm getting ready to replace some laptops and found this post in my search for an easy way to give users admin rights. I'm testing the script jonnydford posted and it's running successfully, but I'm getting an error that it can't find the admin group.
I ran the dscacheutil -q group command and went through the list and found the admin group, so I'm not really sure why the script in Self Service is saying it can't find the admin group.
Posted on 05-24-2017 07:56 AM
@NightFlight when you say the "method breaks if you allow multiple accounts logged in." do you mean if multiple users are on the same machine and each user logs in while the other users have not logged out? Or if there are multiple users that sign in and out, but at different times?
The reason I ask is because I am getting this error (Script result: Usage: dsmemberutil checkmembership missing appropriate options
checkmembership [-uUx] value [-GX] value). Any help would be great.
Posted on 05-24-2017 08:06 AM
It doesn't support multiple console users logged in simultaneously. The command:
USERNAME=$(who|grep console|awk '{print $1}')
Is not multi-user aware. The script could be changed to iterate through the results, but we don't allow multiple logins in our environment.
Use the command 'set -x' after that line and the script will dump what it receives in the variable. It should expect one username only.
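The multi-login failure discussed in the last few posts, as an added example that is not part of any post in this thread: a console-user lookup that refuses to continue unless exactly one user holds the console, so an empty or multi-name value never reaches dsmemberutil or dseditgroup. The function names and the sample `who` output are constructed for illustration.

```shell
#!/bin/bash
# Added example: validate the console-user lookup before any admin-group change.

# Print the unique user names whose terminal column is "console", one per line.
# Reads `who`-style text on stdin so it can be exercised with sample input.
console_users() {
    awk '$2 == "console" { print $1 }' | sort -u
}

# Print the user name and return 0 only when exactly one console user exists.
# Returns 1 when nobody is on the console, 2 when several sessions are active.
single_console_user() {
    local users count
    users=$(console_users)
    count=$(printf '%s\n' "$users" | awk 'NF { n++ } END { print n + 0 }')
    case "$count" in
        0) echo "no console user found" >&2; return 1 ;;
        1) printf '%s\n' "$users" ;;
        *) echo "multiple console users:" $users >&2; return 2 ;;
    esac
}

# Constructed sample `who` output (not captured from a real machine).
SAMPLE_ONE='alice    console  Nov 29 19:40
alice    ttys000  Nov 29 19:41'
SAMPLE_TWO='alice    console  Nov 29 19:40
bob      console  Nov 29 19:55'

# In the policy script the lookup line would become:
#   USERNAME=$(who | single_console_user) || exit 1

# Demonstration over the samples: one user, two users, nobody logged in.
for sample in "$SAMPLE_ONE" "$SAMPLE_TWO" ""; do
    if user=$(printf '%s\n' "$sample" | single_console_user); then
        echo "would proceed for: $user"
    else
        echo "refusing to change group membership (status $?)"
    fi
done
```

Matching on the terminal column instead of `grep console` also avoids picking up an account whose name merely contains the word "console".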