Issue demoting users

valentin_peralt
New Contributor III

I used to have a pretty basic script that would revoke admin privileges from the logged-in user, but I noticed that it is no longer working. Here is what I've been using:

if [[ `/usr/bin/dscl . read /Groups/admin GroupMembership | /usr/bin/grep -c $3` == 0 ]]
    then /bin/echo "$3 is NOT the admin group, exiting"
        exit 0
    else /bin/echo "$3 is an admin, demoting.." 
fi    
/usr/sbin/dseditgroup -o edit -d $3 -t user admin

Here is what I am seeing in the logs since last week:

Executing Policy RevokeAdminRights
Running script RevokeAdminPriviledges...
Script exit code: 64
Script result: usage: grep [-abcDEFGHhIiJLlmnOoqRSsUVvwxZ] [-A num] [-B num] [-C[num]]
    [-e pattern] [-f file] [--binary-files=value] [--color=when]
    [--context[=num]] [--directories=action] [--label] [--line-buffered]
    [--null] [pattern] [file ...]
 is an admin, demoting..
Group not found.
Error running script: return code was 64.

Can anybody help me with this?


gabester
Contributor III

Looking at the output, it's pretty clear that somehow $3 (the logged-in user) isn't getting passed. Is this script somehow running when a user is NOT logged on? The key is the grep output, same as you'd get for running grep -c, and the line " is an admin, demoting..".

I like to ensure my parameters are not empty with a lead-in test like this:

if [ -z "${3}" ]; then
  echo "user parameter was empty."
  userName=$(/bin/ls -la /dev/console | cut -d " " -f 4)
  if [ -z "$userName" ]; then
    echo "No user logged on."
  fi
else
  userName="${3}" # Why the brackets you ask? To properly use parameters 10 and 11 
fi

Can't give you a good answer for why $3 would be null when a user is logged on... but maybe try a different way to capture the user. A vague rattling in my memory suggests $3 is not always reliable, like if one user is logged on but a different user is logged into Self Service?

mm2270
Legendary Contributor III

I hardly ever use the built-in $3 to capture the logged-in user, because I've found it to be unreliable myself. I agree with @gabester that you should try capturing the logged-in user in the script and passing that instead.

The one I use for that is:

LOGGED_IN_USER=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/{print $3}')
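
Putting the two replies together, as an added example that is not code from any poster in this thread: the demotion script with the console user resolved via scutil, $3 kept only as a fallback, an empty or root target rejected before it reaches grep or dseditgroup, and an exact-match membership check so "bob" does not match "bobby". The function names and the overridable SCUTIL, DSCL and DSEDITGROUP variables are assumptions made for this sketch, as is the final guard that expects Jamf to pass three positional parameters.

```bash
#!/bin/bash
# Added example, not code from the thread. Tool paths can be overridden
# (SCUTIL, DSCL, DSEDITGROUP) so the logic can be exercised off a Mac.
SCUTIL="${SCUTIL:-/usr/sbin/scutil}"
DSCL="${DSCL:-/usr/bin/dscl}"
DSEDITGROUP="${DSEDITGROUP:-/usr/sbin/dseditgroup}"

# Console user via scutil (the one-liner from the last reply);
# prints nothing while the login window is showing.
console_user() {
  printf 'show State:/Users/ConsoleUser\n' | "$SCUTIL" |
    awk '/Name :/ && ! /loginwindow/{print $3}'
}

# Choose the account to act on: console user first, Jamf's $3 as fallback.
# Fails on an empty name, loginwindow or root, so an empty value never
# reaches grep or dseditgroup (the cause of the exit code 64 above).
resolve_target() {
  candidate="${1:-$2}"
  case "$candidate" in
    ""|root|loginwindow) return 1 ;;
  esac
  printf '%s\n' "$candidate"
}

# Exact-match membership test: one member per line, whole-line fixed match.
is_admin() {
  "$DSCL" . read /Groups/admin GroupMembership |
    tr ' ' '\n' | grep -Fxq -- "$1"
}

demote() {
  target=$(resolve_target "$(console_user)" "$1") || {
    echo "No logged-in user to demote, exiting"; return 0; }
  if ! is_admin "$target"; then
    echo "$target is NOT in the admin group, exiting"; return 0
  fi
  echo "$target is an admin, demoting.."
  "$DSEDITGROUP" -o edit -d "$target" -t user admin
}

# Assumption: Jamf passes mount point, computer name and username as $1-$3.
if [ "$#" -ge 3 ]; then demote "$3"; fi
```
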