Posted on 05-11-2016 10:30 AM
Basically we have had a couple of users remove admin rights from our admin account on deployed Macs, obviously causing issues. Is there a way I can prevent a user from going to user accounts on the Mac and removing admin rights from another admin account?
Posted on 05-11-2016 10:56 AM
You can restrict access to the system preference pane using a profile.
Alternatively, hide the admin account so they can't see it at all in system preferences.
If you keep the local admin account separate from the management account used by Casper, you can use Casper to give the local admin the rights back.
Posted on 05-11-2016 11:27 AM
Thank you for this. We do have a separate local admin account; this was the account I was actually referring to. How can I use Casper to give the local admin account's rights back?
Posted on 05-11-2016 11:31 AM
You can run the command:
/usr/sbin/dseditgroup -o edit -a localadminname -t user admin
If you create a policy, in the Files and Processes payload, add it to the "Execute Command" section at the bottom.
Posted on 05-11-2016 11:34 AM
You could go a step further, create an extension attribute that picks up if the user is an admin or not:
#!/bin/sh
# Report whether localadminname is a member of the admin group.
adminCheck=$(/usr/sbin/dseditgroup -o checkmember -m localadminname admin)
echo "<result>$adminCheck</result>"
exit 0
Then create a smart group that checks for "yes localadminname is a member of admin", targeting the policy to the group on an ongoing basis.
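An added example, not part of any post in this thread: the membership check and the re-add command from the replies above combined into one script that reports a fixed value and only edits the group when membership is actually missing. The function names, the `DSEDITGROUP` override variable and the `Admin`/`NotAdmin`/`Unknown` labels are assumptions made for this example; `localadminname` is the placeholder used in the thread, and the parsing assumes the checkmember output begins with "yes" or "no" as quoted above.

```shell
#!/bin/sh
# Added example: extension attribute plus guarded remediation.
# ADMIN_USER is a placeholder; DSEDITGROUP is overridable so the logic can be tested.
ADMIN_USER="${ADMIN_USER:-localadminname}"
DSEDITGROUP="${DSEDITGROUP:-/usr/sbin/dseditgroup}"

# Map the checkmember text to a fixed label that smart-group criteria can match exactly.
classify_membership() {
    case "$1" in
        yes\ *) echo "Admin" ;;
        no\ *)  echo "NotAdmin" ;;
        *)      echo "Unknown" ;;   # empty or unexpected output (tool missing, user missing)
    esac
}

# Ask dseditgroup whether user $1 is in the admin group.
# The text answer is parsed; the exit status is deliberately ignored.
check_admin() {
    output=$("$DSEDITGROUP" -o checkmember -m "$1" admin 2>/dev/null) || true
    classify_membership "$output"
}

# Re-add user $1 to admin only when the check says membership is missing.
# An Unknown state is reported, not acted on.
restore_admin() {
    state=$(check_admin "$1")
    if [ "$state" != "NotAdmin" ]; then
        echo "unchanged:$state"
    elif "$DSEDITGROUP" -o edit -a "$1" -t user admin; then
        echo "restored"
    else
        echo "failed"
    fi
}

# Extension attribute output. A policy script would call
# restore_admin "$ADMIN_USER" here instead.
echo "<result>$(check_admin "$ADMIN_USER")</result>"
```

With this output, a smart group can match on the exact value `NotAdmin` to scope the restore policy, and machines reporting `Unknown` can be reviewed separately.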
Posted on 05-11-2016 12:05 PM
How about just hiding the local admin account from Users & Groups? You can also move the hidden admin's home directory to a place not visible from Finder. I created a policy and am currently running it to hide the admin account, and it's working like a charm.
The only time the user will know an admin account is on there is at the login window.
You can go here to get the commands to hide the admin account, and create a script from it.
Posted on 05-11-2016 12:33 PM
Thanks everyone. I should be good with your suggestions!