Help with script to give local admin rights to the logged-in user.

osxadmin
Contributor II

We have a policy to restrict access to "Users & Groups" under System Preferences, but we do allow the user to be a local admin, and I used to be able to use the following script so users can give themselves local admin rights from Self Service, but it stopped working.
We are using macOS 10.12.x (x = 3, 4, 5, 6) and 10.11.x (x = 5 and 6) and JSS 9.96.

Does anyone have a different way of creating a Self Service policy so the users can make themselves local admins?

Thank you in advance for your help.

#!/bin/sh
# Jamf passes the logged-in user's short name as $3; fall back to the
# owner of the console when the policy did not supply one.
if [ -z "$3" ]; then
    currentUser=$(/usr/bin/stat -f '%Su' /dev/console)
else
    currentUser="$3"
fi

# Add the current user to the local admin group on the Mac

dseditgroup -o edit -a "$currentUser" -t user admin

if [ $? -eq 0 ]; then
    echo "Successfully added $currentUser to admin group"
else
    echo "ERROR: Unable to add $currentUser to admin group"
    exit 1
fi

exit 0
1 ACCEPTED SOLUTION

pete_c
Contributor III

My version of the above works on 10.11 - 10.12.x, but I remember having some unexpected behavior if the username field in the machine's JSS record was blank or incorrect; was never enough of an issue for me to really dive into it but perhaps worth a look.

One other thing, using this promote-to-admin was challenging for me to instruct my users on what it did and didn't do; adding jamfHelper to further communicate the policy's actions was a big improvement.

#!/bin/sh

# define jamfhelper location

jhelp="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"

# $3 is the logged-in user's short name passed by Jamf; bail out if it is blank,
# otherwise an empty grep pattern matches everything and the script does nothing.
[ -n "$3" ] || { /bin/echo "No username passed in \$3, exiting"; exit 1; }

# dseditgroup to promote the currently logged in user to admin rights.
# grep -w -F matches the whole short name only (so "bob" is not counted as a
# member just because "bobby" is); -c then prints 1 if a member, 0 if not.

if [[ $(/usr/bin/dscl . read /Groups/admin GroupMembership | /usr/bin/grep -c -w -F -- "$3") == 1 ]]
    then /bin/echo "$3 is in the admin group, exiting"
        exit 0
    else /bin/echo "$3 is not an admin, promoting.."
fi

/usr/sbin/dseditgroup -o edit -a "$3" -t user admin

"$jhelp" -windowType utility -title "Admin rights" -description "You've been granted admin rights, please proceed with your installation." -button1 "OK"


donmontalvo
Esteemed Contributor III

From Jamf Professional Services, worth a look... @Andrina links to it on her GitHub page:

https://github.com/jamfprofessionalservices/MakeMeAdminPy

--
https://donmontalvo.com

osxadmin
Contributor II

Interesting, thank you @donmontalvo.

But I'm trying to find something simple and easy.

mm2270
Legendary Contributor III

@osxadmin There isn't really anything wrong with the script from what I can see. As far as I know, dseditgroup should still work on Sierra to add accounts to the admin group.
The script is only running through a Self Service policy, correct? Anything relevant in the policy log to indicate the issue?
The only recommendation I can make is to include the full path to dseditgroup, for example /usr/sbin/dseditgroup. Maybe it's not resolving to the binary for some reason.

Adas_21
New Contributor

Hi Pete,

I understand most of this except the $3 == 1 part, I know the $3 is the user account but I don't get how the 1 determines if the user is an admin or not. If it was pulling from the group members wouldn't it also have to be $1?

Any explanation would be greatly appreciated!

pete_c
Contributor III

So we're taking the entries from the admin group, using `grep` to only look for the username ($3), and using that true/false to determine the echo and exit - the username passed from $3 was already in the admin group, so we bail out, or the username from $3 wasn't, so let's proceed and Do Stuff™.  The 1 here is just a 'true,' not a variable.

Adas_21
New Contributor

Thanks for the response and clearing that up 👍

This script is not working on macOS 11 and above. What needs to be updated to make it work on macOS 11 and above?

What errors are generated? How was the account created?

Hi, I am new to Jamf Pro and new to scripts. Thanks for your reply. There is no error, and the accounts are manually created. The script is successfully executed from Self Service; however, when I checked in Users & Groups, the currently logged-in user is still standard only, it was not changed, hence it's not working.

sdagley
Esteemed Contributor II

@sachinkpshindep If you have the Users & Groups panel open when changing a user's account level externally, e.g. by a script running from Self Service, the change will not be reflected in the Users & Groups UI until you close and re-open that panel.

Thanks, @sdagley, it's my bad; closing & re-opening System Preferences made the changes take effect.

osxadmin
Contributor II

@pete_c I forgot I posted this question, and when I remembered, I used your script and that worked for me... thanks!

sk25
Contributor

Sorry for reposting... So the above script is for giving permanent admin access, right? If not, help me to understand how long the admin access will last for the standard user. Or kindly help to modify the script to allow a standard user to be an admin for about 5 mins or so? Thanks for understanding.

pete_c
Contributor III

Yes, that script only checks whether the current user is not already an admin and adds them to the admin group if so.

To demote the current user:

#!/bin/sh

# dseditgroup to demote the currently logged in user ($3, passed by Jamf) to a standard account

[ -n "$3" ] || { /bin/echo "No username passed in \$3, exiting"; exit 1; }

/usr/sbin/dseditgroup -o edit -d "$3" -t user admin

While there's probably a much more elegant way to create a LaunchDaemon to handle the promote/demote, I'd just keep it simple and create two Jamf scripts, set the promotion script to Before and the demotion script to After, and add a `sleep` statement to the promotion script with the number of seconds you'd like admin rights to be active.

The advantage of having two scripts is that you can use them in other scenarios, such as checking for admin rights as part of a recurring policy and demoting admin users when found - doesn't just have to be ad hoc user support.
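An added example, not code from this thread, that folds the promote / `sleep` / demote idea above and the blank-`$3` fallback into one Self Service script. It assumes a Jamf script parameter 4 carrying the admin window in seconds (a constructed convention, not a Jamf default), checks group membership by exact word instead of `grep -c`, and traps the demotion so it also runs if the policy is cancelled:

```shell
#!/bin/sh
# Time-limited admin promotion for a Jamf Self Service policy (added example).
# Jamf passes $1 mount point, $2 computer name, $3 logged-in user; parameter 4
# is ASSUMED here to carry the number of seconds to stay admin (default 300).

# Resolve the target account: Jamf's $3 first, else the console owner (covers
# the blank/incorrect username-field case). Reject anything that is not a plain
# short name, and never touch root or _service accounts.
resolve_user() {
    user="$1"
    [ -n "$user" ] || user=$(/usr/bin/stat -f '%Su' /dev/console 2>/dev/null)
    case "$user" in
        ''|root|_*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s\n' "$user"
}

# Exact-word membership test over a "GroupMembership: root admin alice" line,
# so "bob" is not counted as a member because "bobby" is (grep -c would).
is_admin_in() {
    for m in $2; do            # word-split; macOS short names contain no spaces
        [ "$m" = "$1" ] && return 0
    done
    return 1
}

demote() {
    /usr/sbin/dseditgroup -o edit -d "$user" -t user admin
    /usr/bin/logger -t makemeadmin "demoted $user"      # audit trail in syslog
}

main() {
    user=$(resolve_user "$3") || { echo "ERROR: no valid target user"; exit 1; }
    secs="${4:-300}"
    case "$secs" in ''|*[!0-9]*) secs=300 ;; esac     # non-numeric -> default
    members=$(/usr/bin/dscl . -read /Groups/admin GroupMembership 2>/dev/null)
    if is_admin_in "$user" "$members"; then
        echo "$user is already an admin, nothing to do"; exit 0
    fi
    /usr/sbin/dseditgroup -o edit -a "$user" -t user admin || { echo "ERROR: promote failed"; exit 1; }
    /usr/bin/logger -t makemeadmin "promoted $user for ${secs}s"
    # Fail closed: demote on normal exit AND when the policy is cancelled/killed.
    trap 'exit 1' HUP INT TERM
    trap demote EXIT
    echo "$user has admin rights for $secs seconds"
    sleep "$secs"
}

# Only run the live sequence where dseditgroup exists, i.e. on a Mac.
if [ -x /usr/sbin/dseditgroup ]; then main "$@"; fi
```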