Is there a policy that prevents admins from removing admin accounts from a Mac?

dmitchell
Contributor

Basically we have had a couple of users remove admin rights from our admin account on deployed Macs, obviously causing issues. Is there a way I can prevent a user from going to user accounts on the Mac and removing admin rights from another admin account?


6 REPLIES

davidacland
Honored Contributor II

You can restrict access to the system preference pane using a profile.

Alternatively, hide the admin account so they can't see it at all in system preferences.

If you keep the local admin account separate from the management account used by Casper, you can use Casper to give the local admin the rights back.

dmitchell
Contributor

Thank you for this. We do have a separate local admin account, this was the account I was actually referring to. How can I use Casper to give the local admins account rights back?

davidacland
Honored Contributor II

You can run the command:

/usr/sbin/dseditgroup -o edit -a localadminname -t user admin

If you create a policy, in the Files and Processes payload, add it to the "Execute Command" section at the bottom.

davidacland
Honored Contributor II

You could go a step further, create an extension attribute that picks up if the user is an admin or not:

#!/bin/sh

# dseditgroup prints "yes localadminname is a member of admin" or
# "no localadminname is NOT a member of admin"
adminCheck=$(/usr/sbin/dseditgroup -o checkmember -m localadminname admin)

# Report the result as the extension attribute value for Jamf
echo "<result>$adminCheck</result>"

exit 0

Then create a smart group that checks for "yes localadminname is a member of admin", targeting the policy to the group on an ongoing basis.
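As an added example (not code from the thread or from Jamf), here is a script that folds the membership check and the repair command from the replies above into one file, with the check's text output reduced to a yes/no token that a smart group can match on. `localadminname` is the thread's placeholder account name, and the parsing assumes the "yes ... is a member" / "no ... is NOT a member" wording that dseditgroup -o checkmember prints.

```shell
#!/bin/sh
# Added example: check whether the local admin account still holds admin
# rights and restore them if not. Not the thread's own code.
ADMIN_USER="${ADMIN_USER:-localadminname}"   # placeholder from the thread

# Reduce dseditgroup's sentence to a single token.
# "yes <user> is a member of admin"    -> yes
# "no <user> is NOT a member of admin" -> no
# anything else (empty output, error)  -> unknown
parse_checkmember() {
    case "$1" in
        yes*) echo "yes" ;;
        no*)  echo "no" ;;
        *)    echo "unknown" ;;
    esac
}

# Run the real check only where dseditgroup exists (macOS); elsewhere
# report "unknown" so the script does not pretend to know the answer.
is_admin() {
    if [ -x /usr/sbin/dseditgroup ]; then
        out=$(/usr/sbin/dseditgroup -o checkmember -m "$1" admin 2>/dev/null || true)
        parse_checkmember "$out"
    else
        echo "unknown"
    fi
}

# Re-add the account to the admin group only on a clear "no". An "unknown"
# result (for example the account no longer exists) is left alone so the
# smart group surfaces it instead of the policy hiding it.
remediate() {
    state=$(is_admin "$1")
    if [ "$state" = "no" ]; then
        /usr/sbin/dseditgroup -o edit -a "$1" -t user admin
        echo "restored"
    else
        echo "$state"
    fi
}

# Run with --ea to emit the extension attribute value, --fix to remediate.
case "${1:-}" in
    --ea)  echo "<result>$(is_admin "$ADMIN_USER")</result>" ;;
    --fix) remediate "$ADMIN_USER" ;;
esac
```

The smart group then matches the extension attribute on "no" and the policy runs the script with --fix, rather than matching on the full sentence.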

JustDeWon
Contributor III

How about just hiding the local admin account from Users & Groups... You can also move the hidden admin's home directory to a place not visible from Finder.. I created a policy and am currently running it to hide the admin account, and it's working like a charm..

The only time the user will know an admin account is on there, is at the login window..

You can go here to get the commands to hide the admin account, and create a script from it..

dmitchell
Contributor

Thanks everyone. I should be good with your suggestions!