Posted on 09-30-2016 02:29 PM
Hi,
I need some help creating a script that grants an AD group that contains the computer name local admin rights.
All our Windows clients have their own AD group which grants local admin rights on the computer.
I want to do the same thing for the Mac clients.
The groups are called: SEC-computername-WSADMIN
Guess I need to use the dsconfigad -groups "xxxxxxxxx" command?
But what will the syntax be to use the $computername variable in the group name?
Posted on 09-30-2016 03:19 PM
Here's the script I came up with for our environment; the policy is set to run at every login. I use the script parameters in the policy to define the groups I want to set as administrator ($4), lpadmin ($6), and what groups need to have admin rights removed ($5 and $7) if they were given admin rights at one time, but need to be removed later.
#!/bin/bash
# Current console user; empty when nobody is logged in or the login window is showing.
user=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`
if [ -z "$user" ]; then
    echo "No console user. exiting..."
    exit 0
fi
# dseditgroup prints "yes <user> is a member of <group>" or "no <user> is NOT a member of <group>".
admin=$(/usr/sbin/dseditgroup -o checkmember -m "$user" admin)
lpadmin=$(/usr/sbin/dseditgroup -o checkmember -m "$user" _lpadmin)
# Policy parameters: space-separated lists of directory groups (so group names must not contain spaces).
adminGroups=$4
adminExceptionGroups=$5
lpadminGroups=$6
lpadminExceptionGroups=$7
# True when $1 is one of $user's groups. Comparing whole entries (-F -x) instead of
# a bare grep stops "DOMAIN\Group_1" from also matching "DOMAIN\Group_10", and keeps
# the backslash in the domain prefix from being read as a regex escape.
inGroup () {
    id -Gn "$user" | tr ' ' '\n' | grep -qFx -- "$1"
}
setAdmin () {
    for authorizedgroup in $1
    do
        if inGroup "$authorizedgroup"
        then
            echo "$user is a member of authorized group $authorizedgroup"
            echo "Adding $user to the $2 group..."
            /usr/sbin/dseditgroup -o edit -a "$user" -t user "$2"
            echo "exiting..."
            exit
        fi
    done
}
removeAdmin () {
    for exceptions in $1
    do
        if inGroup "$exceptions"; then
            # Match "yes" only at the start of the checkmember output; a "*yes*" pattern
            # would also match the "no ..." line for a user whose name contains "yes".
            if [[ $2 == yes* ]]; then
                echo "$user is in the exceptions list, and has $3 rights. Removing rights..."
                /usr/sbin/dseditgroup -o edit -d "$user" -t user "$3"
                echo "exiting..."
                exit
            fi
        fi
    done
}
# Exits if $user already belongs to the group with GID $1 ($2 is its name for the log).
# -w matches the GID as a whole word, so it is found even when it is the first or
# last entry in the "id -G" output.
groupCheck () {
    if id -G "$user" | grep -qw -- "$1"
    then
        echo "$user is already in the $2 group. exiting..."
        exit
    fi
}
echo "Version 3.3.1"
# Version notes 3.3.1
# Modified variables referencing dseditgroup to use the full path '/usr/sbin/dseditgroup'
# Iterates through the groups listed in the policy's Exception parameter ($5) to see if the user logging in is a member.
# If there is a match the script checks to see if it has Admin rights. If it does, the rights are removed, and the script exits.
# If there isn't a match the script goes to the next section.
removeAdmin "$adminExceptionGroups" "$admin" "admin"
# Checks to see if the user logging in is already in the Admin group (GID 80).
groupCheck "80" "local admin"
# Iterates through the groups listed in the policy's adminAuthorizedGroups parameter ($4) to see if the user logging in is a member.
# If the user is a member the user gets added to the Admin group. If not, the script exits.
setAdmin "$adminGroups" "admin"
# Iterates through the groups listed in the policy's Exception parameter ($7) to see if the user logging in is a member.
# If there is a match the script checks to see if it has _lpadmin rights. If it does, the rights are removed, and the script exits.
# If there isn't a match the script goes to the next section.
removeAdmin "$lpadminExceptionGroups" "$lpadmin" "_lpadmin"
# Checks to see if the user logging in is already in the _lpadmin group (GID 98).
groupCheck "98" "_lpadmin"
# Iterates through the groups listed in the policy's lpadminAuthorizedGroups parameter ($6) to see if the user logging in is a member.
# If the user is a member the user gets added to the _lpadmin group. If not, the script exits.
setAdmin "$lpadminGroups" "_lpadmin"
echo "$user is not a member of any authorized groups. exiting..."
exit 0
Example of what I use in the script parameters to account for the groups:
DOMAIN\Group_1 DOMAIN\Group_2
Posted on 10-01-2016 12:31 AM
Thanks!
1) Is it possible to use the $COMPUTERNAME variable as a script parameter to the script?
DOMAIN\Group_1 DOMAIN\SEC-${COMPUTERNAME}-WSADMIN
2) Also, admin and lpadmin: what's the difference between those two?
Posted on 10-03-2016 06:49 AM
The group called "admin" is used for administrative access (security popups, default sudo access, etc.), while "lpadmin" grants access to manage printers and CUPS devices on the local machine.
Posted on 10-03-2016 11:19 AM
The admin rights are going to be set to the user, not the computer, but you could change the script so that if the computer name matched the criteria you set then the user logging in could be given admin rights. Are you wanting to specify specific computers, a particular OU, or groups the computer is a member of?
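Here is an added example (not code from anyone in this thread) that does what the question asks and the last reply describes: instead of trying to expand a variable inside a policy parameter, the script derives the per-computer group name itself from the Mac's own AD computer account, grants local admin only to members of that group, and revokes it again when the user has dropped out of the group. It assumes a NetBIOS domain named DOMAIN, a Mac bound with dsconfigad (whose "dsconfigad -show" output contains a "Computer Account = name$" line), a policy running as root at login, and a PROTECTED_ADMINS list of local accounts that must never be touched; all of these names are illustrative.

```bash
#!/bin/bash
# Added example (not code from the thread): grant local admin on a Mac only to
# members of that Mac's own AD group, SEC-<computername>-WSADMIN, and take it
# away again when the user is no longer in that group.
# Assumptions (not in the thread): the NetBIOS domain is "DOMAIN", the Mac is
# bound with dsconfigad, the policy runs as root at login, and the accounts in
# PROTECTED_ADMINS are local admin accounts that must be left alone.

DOMAIN_PREFIX="DOMAIN"                    # assumed NetBIOS domain name
PROTECTED_ADMINS="localadmin jamfadmin"   # assumed local accounts to skip

# Derive the group name from an AD computer account such as "mac01$".
# Pure string handling, so it can be exercised without a bound Mac.
# Upper-casing assumes the groups were named after the AD computer account,
# which AD stores upper-case; drop the tr if your naming differs.
group_name_for_computer() {
    local computer="${1%\$}"                  # strip the trailing "$"
    computer="$(printf '%s' "$computer" | tr '[:lower:]' '[:upper:]')"
    printf '%s\\SEC-%s-WSADMIN\n' "$DOMAIN_PREFIX" "$computer"
}

# True if $1 appears as a whole word in the space-separated list $2.
is_protected() {
    case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

# The account this Mac uses in AD. "dsconfigad -show" prints a line of the
# form "Computer Account = mac01$" on a bound Mac (format assumed here).
computer_account() {
    /usr/sbin/dsconfigad -show | awk -F' = ' '/Computer Account/ { print $2 }'
}

# dseditgroup -o checkmember prints "yes ..." for members, "no ..." otherwise.
is_member() {   # is_member <user> <group>
    case "$(/usr/sbin/dseditgroup -o checkmember -m "$1" "$2" 2>/dev/null)" in
        yes*) return 0 ;;
        *)    return 1 ;;
    esac
}

main() {
    local user account group
    user="$(/usr/bin/stat -f %Su /dev/console)"
    case "$user" in
        ""|root|loginwindow) echo "No console user; nothing to do."; return 0 ;;
    esac
    if is_protected "$user" "$PROTECTED_ADMINS"; then
        echo "$user is a protected local admin; leaving it alone."
        return 0
    fi
    account="$(computer_account)"
    if [ -z "$account" ]; then
        echo "This Mac is not bound to AD; cannot resolve its admin group." >&2
        return 1
    fi
    group="$(group_name_for_computer "$account")"
    if is_member "$user" "$group"; then
        echo "$user is in $group; granting local admin."
        /usr/sbin/dseditgroup -o edit -a "$user" -t user admin   # idempotent
    elif is_member "$user" admin; then
        echo "$user is a local admin but not in $group; revoking."
        /usr/sbin/dseditgroup -o edit -d "$user" -t user admin
    else
        echo "$user is not in $group and is not a local admin; no change."
    fi
}

# Only act when really running as root on a Mac (a Jamf policy does);
# elsewhere the functions above can be sourced and checked on their own.
if [ "$(uname -s)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    main
fi
```

Two points worth keeping in mind when adapting this: policy script parameters are passed to the script as literal strings, so a $COMPUTERNAME typed into a parameter field is not expanded, which is why the name is built inside the script; and the revoke branch is what makes the "remove admin later" case work, which is also why the PROTECTED_ADMINS exclusion exists, since without it a management account logging in at the console would lose its admin rights.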