Enable admin priviges in self service

New Contributor

I am in need of a script to run to enable Admin Privileges when using self service. I had a script runny but it no longer seems to be working.

Thank you



I am not quite sure what you are asking for here. Self Service runs everything as an admin, so I think you might be asking for a script that gives the account running the script admin rights.

But you might check out Andrina's Git for a script to give users temporary admin rights. The slide deck and scripts are there.


Contributor II

Edited from Andrina's script - this is what we use as everyone has local admin


# Get username of current logged in user
USERNAME=who |grep console| awk '{print $1}'

# give current logged user admin rights
/usr/sbin/dseditgroup -o edit -a $USERNAME -t user admin
exit 0

New Contributor

Sorry about the confusion. I want the user to be able to go to self service and run a policy that gives them Admin privileges

Honored Contributor II
Honored Contributor II

That's the script @jonnydford posted. It will add the currently logged in user to the admin group. You just need to put the script into Casper and make a self service policy for it.

New Contributor III

Either you want them to be admin or you don't. If you are putting the user in to a group that can be admin I would then just make the policy run and not require user intervention. If you want all users to be admin just push it to all. If this is in a since a way to provide "temporary" administrative rights to the user for a period of time you can create a cocoa script that would add the user to the admin group then remove them after x minutes or policy execution that can be cached and run the next day or specific trigger.

Just a plug but Andrina's script mentioned above at github is awesome.

New Contributor III

- com.apple.atrun.plist is no longer loaded automatically.
- I say 5 minutes, but allow 10.
- Tested as of OS X Sierra


# Get username of current logged in user
# This method breaks if you allow multiple accounts logged in.
USERNAME=$(who|grep console|awk '{print $1}')

membership=$(dsmemberutil checkmembership -U $USERNAME -G admin)
if [ "$membership" == "user is not a member of the group" ];
        if ! launchctl list|grep -q com.apple.atrun; then launchctl load -w /System/Library/LaunchDaemons/com.apple.atrun.plist; fi
        /usr/sbin/dseditgroup -o edit -a $USERNAME -t user admin
        echo dseditgroup -o edit -d $USERNAME -t user admin|at now +10 minutes &>/dev/null
        /Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType hud -description "$USERNAME has been granted Administrative rights for 5 minutes." -title "Administrative rights" -button1 "OK" -icon /Library/User Pictures/Animals/Eagle.tif -timeout 5 &>/dev/null

New Contributor III

I'm getting ready to replace some laptops and found this post in my search for an easy way to give users admin rights. I'm testing the script jonnydford posted and it's running successfully, but I'm getting an error that it can't find the admin group.

I ran the dscacheutil -q group command and went through the list and found the admin group, so I'm not really sure why the script in Self Service is saying it can't find the admin group.

New Contributor III

@NightFlight when you say the "method breaks if you allow multiple accounts logged in." do you mean if multiple users are on the same machine and each user logs in while the other users have not logged out? or if there are multiple users that sign in and out, but different time?
the reason i ask is because i am getting this error (Script result: Usage: dsmemberutil checkmembership missing appropriate options
checkmembership [-uUx] value [-GX] value
). any help would be great.

New Contributor III

It doesn't support multiple console users logged in simultaneously. The command:

USERNAME=$(who|grep console|awk '{print $1}')

Is not multi-user aware. The script could be changed to iterate though the results, but we don't allow multiple logins in our environment.
Use the command 'set -x' after that line and the script will dump what it receives in the variable. It should expect one username only.