Solved

Help with script to give local admin rights to logged-in user.



We have a policy to restrict access to "Users & Groups" under System Preferences, but we do allow the user to be a local admin. I used to be able to use the following script so users can give themselves local admin rights from Self Service, but it stopped working.
We are using macOS 10.12.x (x=3,4,5,6) and 10.11.x (x=5 and 6) and JSS 9.96.

Does anyone have a different way of creating a Self Service policy so the users can make themselves local admins?

Thank you in advance for your help.

```sh
#!/bin/sh
# Jamf passes the username as $3; fall back to the console owner if it is empty
if [ -z "$3" ]; then
    currentUser=$(stat -f '%Su' /dev/console)
else
    currentUser=$3
fi

# Add the current user to the local admin group on the Mac
if dseditgroup -o edit -a "$currentUser" -t user admin; then
    echo "Successfully added $currentUser to admin group"
else
    echo "ERROR: Unable to add $currentUser to admin group"
    exit 1
fi

exit 0
```

15 replies

donmontalvo
  • Legendary Contributor
  • 4293 replies
  • July 21, 2017

From Jamf professional services, worth a look...@Andrina links to it on her Github page:

https://github.com/jamfprofessionalservices/MakeMeAdminPy


  • Author
  • Valued Contributor
  • 81 replies
  • July 21, 2017

Interesting, thank you @donmontalvo,

but I'm trying to find something simple and easy.


mm2270
  • Legendary Contributor
  • 7880 replies
  • July 21, 2017

@osxadmin There isn't really anything wrong with the script from what I can see. As far as I know, dseditgroup should still work on Sierra to add accounts to the admin group.
The script is only running through a Self Service policy, correct? Anything relevant in the policy log to indicate the issue?
The only recommendation I can make is to include the dseditgroup full path, for example /usr/sbin/dseditgroup. Maybe it's not resolving to the binary for some reason.


pete_c
  • Honored Contributor
  • 251 replies
  • Answer
  • July 22, 2017

My version of the above works on 10.11 - 10.12.x, but I remember having some unexpected behavior if the username field in the machine's JSS record was blank or incorrect; was never enough of an issue for me to really dive into it but perhaps worth a look.

One other thing, using this promote-to-admin was challenging for me to instruct my users on what it did and didn't do; adding jamfHelper to further communicate the policy's actions was a big improvement.

```sh
#!/bin/bash

# define jamfHelper location
jhelp="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"

# bail out if no username was passed in $3
if [[ -z "$3" ]]; then
    /bin/echo "No username passed in \$3, exiting"
    exit 1
fi

# check whether the user is already in the admin group (-w matches whole words only)
if [[ $(/usr/bin/dscl . read /Groups/admin GroupMembership | /usr/bin/grep -cw -- "$3") == 1 ]]; then
    /bin/echo "$3 is in the admin group, exiting"
    exit 0
else
    /bin/echo "$3 is not an admin, promoting.."
fi

# dseditgroup to promote the currently logged in user to admin rights
/usr/sbin/dseditgroup -o edit -a "$3" -t user admin || { /bin/echo "ERROR: unable to add $3 to admin group"; exit 1; }

"$jhelp" -windowType utility -title "Admin rights" -description "You've been granted admin rights, please proceed with your installation." -button1 "OK"
```

  • Author
  • Valued Contributor
  • 81 replies
  • November 8, 2017

@pete_c I forgot I posted this question, and when I remembered I used your script and that worked for me... thanks!


  • New Contributor
  • 2 replies
  • January 25, 2022

Hi Pete,

I understand most of this except the $3 == 1 part, I know the $3 is the user account but I don't get how the 1 determines if the user is an admin or not. If it was pulling from the group members wouldn't it also have to be $1?

Any explanation would be greatly appreciated!


pete_c
  • Honored Contributor
  • 251 replies
  • January 26, 2022
Adas_21 wrote:

Hi Pete,

I understand most of this except the $3 == 1 part, I know the $3 is the user account but I don't get how the 1 determines if the user is an admin or not. If it was pulling from the group members wouldn't it also have to be $1?

Any explanation would be greatly appreciated!


So we're taking the entries from the admin group, using `grep` to only look for the username ($3), and using that true/false to determine the echo and exit - the username passed from $3 was already in the admin group, so we bail out, or the username from $3 wasn't, so let's proceed and Do Stuff™.  The 1 here is just a 'true,' not a variable.
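
The `grep -c ... == 1` test discussed above counts lines that contain the username anywhere, so a name that is a substring of another member also produces 1. An added example (not part of the original posts) comparing that test with an exact-name check; `is_member`, `substring_count` and the sample membership line are constructed for illustration:

```sh
#!/bin/sh
# Added example: exact-match admin membership test over dscl-style output.
# SAMPLE_MEMBERSHIP is constructed sample data, not captured from a real Mac.
SAMPLE_MEMBERSHIP='GroupMembership: root localadmin bobby'

# is_member USER MEMBERSHIP_LINE
# Returns 0 if USER is listed as a whole name, 1 if not, 2 if USER is empty.
is_member() {
    user=$1
    line=$2
    # A blank username must never be treated as a match.
    [ -n "$user" ] || return 2
    # Drop the "GroupMembership:" label, then compare each name exactly.
    for name in ${line#GroupMembership:}; do
        [ "$name" = "$user" ] && return 0
    done
    return 1
}

# substring_count USER MEMBERSHIP_LINE
# Mirrors the thread's `grep -c` test: counts lines containing USER anywhere.
substring_count() {
    printf '%s\n' "$2" | grep -c -- "$1"
}

# On a Mac the membership line would come from:
#   /usr/bin/dscl . read /Groups/admin GroupMembership
```

With the sample line, `bob` is reported as present by the substring count because of `bobby`, while `is_member` rejects it.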


  • New Contributor
  • 2 replies
  • January 26, 2022
pete_c wrote:

So we're taking the entries from the admin group, using `grep` to only look for the username ($3), and using that true/false to determine the echo and exit - the username passed from $3 was already in the admin group, so we bail out, or the username from $3 wasn't, so let's proceed and Do Stuff™.  The 1 here is just a 'true,' not a variable.


Thanks for the response and clearing that up 👍


Forum|alt.badge.img+1

This script is not working on macOS 11 and above. What needs to be updated for it to work on macOS 11 and above?


pete_c
  • Honored Contributor
  • 251 replies
  • September 11, 2022
sachinkpshinde wrote:

This script is not working on macOS 11 and above. What needs to be updated for it to work on macOS 11 and above?


What errors are generated? How was the account created?


Forum|alt.badge.img+3
pete_c wrote:

What errors are generated? How was the account created?


Hi, I am new to Jamf Pro and new to scripts. Thanks for your reply. There is no error; accounts are manually created. The script is successfully executed from Self Service, however when I checked in Users & Groups the currently logged in user is still standard; it was not changed, hence it's not working.


sdagley
  • Jamf Heroes
  • 3536 replies
  • September 11, 2022
sachinkpshindep wrote:

Hi, I am new to Jamf Pro and new to scripts. Thanks for your reply. There is no error; accounts are manually created. The script is successfully executed from Self Service, however when I checked in Users & Groups the currently logged in user is still standard; it was not changed, hence it's not working.


@sachinkpshindep If you have the Users & Groups panel open when changing a user's account level externally, e.g. by a script running from Self Service, the change will not be reflected in the Users & Groups UI until you close and re-open that panel.


Forum|alt.badge.img+3
sdagley wrote:

@sachinkpshindep If you have the Users & Groups panel open when changing a user's account level externally, e.g. by a script running from Self Service, the change will not be reflected in the Users & Groups UI until you close and re-open that panel.


Thanks, @sdagley, it's my bad; after closing and reopening System Preferences the changes took effect.


  • Contributor
  • 64 replies
  • December 11, 2022

Sorry for reposting. So the above script is for giving permanent admin access, right? If not, help me to understand how long the admin access will stay with the standard user. Or kindly help to modify the script to allow a standard user to be an admin for 5 minutes or so. Thanks for understanding.


pete_c
  • Honored Contributor
  • 251 replies
  • December 11, 2022

Yes, that script is only to check whether the current user is not an admin and add them to the admin group if so.

To demote the current user:

```sh
#!/bin/sh
# dseditgroup to demote the currently logged in user to standard account
/usr/sbin/dseditgroup -o edit -d "$3" -t user admin
```

While there's probably a much more elegant way to create a LaunchDaemon to handle the promote/demote, I'd just keep it simple and create two Jamf scripts, set the promotion to Before and the demote to After, and add a `sleep` statement to the promotion script with the number of seconds you'd like admin rights to be active.

 

The advantage of having two scripts is that you can use them in other scenarios, such as checking for admin rights as part of a recurring policy and demoting admin users when found - doesn't just have to be ad hoc user support.
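
A single-script variant of the promote, `sleep`, demote sequence described above, as an added example that is not code from the thread. The function name, the `DSEDITGROUP` override and the use of Jamf parameter `$4` for the duration are assumptions; it also skips users who were already admins so they are not demoted afterwards.

```sh
#!/bin/sh
# Added example: promote, wait, then demote in one script.
# DSEDITGROUP can be overridden for dry runs; default is the macOS binary.
DSEDITGROUP=${DSEDITGROUP:-/usr/sbin/dseditgroup}

# elevate_temporarily USER SECONDS
# Returns 0 after a promote/demote cycle, 1 on bad input or promote failure,
# and 3 if the user was already an admin (left untouched, never demoted).
elevate_temporarily() {
    user=$1
    secs=$2
    [ -n "$user" ] || { echo "no username supplied" >&2; return 1; }
    case $secs in
        ''|*[!0-9]*) echo "duration must be whole seconds" >&2; return 1 ;;
    esac
    # Existing admins are not ours to demote afterwards.
    if "$DSEDITGROUP" -o checkmember -m "$user" admin >/dev/null 2>&1; then
        echo "$user is already an admin, nothing to do"
        return 3
    fi
    "$DSEDITGROUP" -o edit -a "$user" -t user admin || return 1
    # Demote on any exit, including an interrupted policy run.
    trap '"$DSEDITGROUP" -o edit -d "$user" -t user admin' EXIT
    trap 'exit 1' INT TERM
    echo "$user promoted for $secs seconds"
    sleep "$secs"
    "$DSEDITGROUP" -o edit -d "$user" -t user admin
    rc=$?
    trap - EXIT INT TERM
    return $rc
}

# Jamf passes the username as $3; $4 is assumed to be a policy parameter
# holding the duration in seconds (defaults to 300).
if [ -n "${3:-}" ]; then
    elevate_temporarily "$3" "${4:-300}"
fi
```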

