Local Admin Access

Sobchak
Contributor

I know you can use Jamf Pro to create a new local user account with or without admin access, but can you use Jamf Pro to modify an already existing local account's permissions?

3 REPLIES

mm2270
Legendary Contributor III

What do you mean by permissions? Do you mean demoting it to a standard user instead of admin? Or are you talking about just limiting its admin privileges?

Sobchak
Contributor

Demoting an admin to standard or promoting a standard to admin. Need to do both on occasion.

mm2270
Legendary Contributor III

OK, then yes, totally possible to do with a script. There are a couple of methods to do it, but I believe the current supported way (still) is to use dseditgroup. Something like this:

/usr/sbin/dseditgroup -o edit -a username admin

In the above, you are telling dseditgroup to do the operation (-o) edit to add (-a) the user username to the group admin.
This makes the user named "username" an admin.
To do the reverse - remove them from the admin group - you use operation delete (-d) like so:

/usr/sbin/dseditgroup -o edit -d username admin

This simply deletes "username" from the admin group.

Hope that helps.
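
As an added example (not part of the replies above and not Jamf's own code), the two dseditgroup commands from the thread can be wrapped in one Jamf Pro policy script that validates its input and skips the change when the account is already in the requested state. It assumes script parameter 4 carries the short username and parameter 5 carries promote or demote; the function names and the DSEDITGROUP override variable are made up for this example.

```shell
#!/bin/bash
# Added example: Jamf Pro policy script. $4 = short username, $5 = promote|demote.
# (Jamf Pro reserves $1-$3 for mount point, computer name and logged-in user.)

# Absolute path by default; the override exists only so the logic can be tested.
DSEDITGROUP="${DSEDITGROUP:-/usr/sbin/dseditgroup}"

# True when the account is currently a member of the local admin group.
is_admin() {
    "$DSEDITGROUP" -o checkmember -m "$1" admin >/dev/null 2>&1
}

# set_admin_state <username> <promote|demote>
# Returns 0 on success or no-op, 1 on bad input, 2 if dseditgroup failed.
set_admin_state() {
    user="$1"; action="$2"
    # Reject empty names and anything that could be read as an option or a path.
    case "$user" in
        ""|-*|*[!A-Za-z0-9._-]*) echo "invalid username: '$user'" >&2; return 1 ;;
    esac
    case "$action" in
        promote)
            if is_admin "$user"; then echo "$user is already an admin"; return 0; fi
            "$DSEDITGROUP" -o edit -a "$user" admin || return 2 ;;
        demote)
            if ! is_admin "$user"; then echo "$user is already standard"; return 0; fi
            "$DSEDITGROUP" -o edit -d "$user" admin || return 2 ;;
        *)
            echo "action must be promote or demote, got '$action'" >&2; return 1 ;;
    esac
    # This line lands in the Jamf policy log as a record of the change.
    echo "$action applied to $user"
}

# Run only when Jamf Pro (or a caller) supplies the parameters.
if [ -n "${4:-}" ]; then
    set_admin_state "$4" "${5:-}"
    exit $?
fi
```

Before demoting, confirm that at least one other local admin account remains on the Mac, since the script does not check for that.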