Network Administrator Account on Macs switched to Standard Account

KMak84
Contributor

We have just discovered that our macs admin account has switched to standard user.
We do have domain admin allowed to administer the macs but still does not work when we try to unlock the padlock using our AD Accounts.

We have done a single user mode but not ideal has we have a-lot more macs to resolve.
The machines are not responding to Casper most likely due network admin account now switched to standard user on the local machines

The machines are bound to AD. Is there another method of switching it back to its original account.

There was a policy run possibly due to the picture attached but not 100% certain

Any help would e0ed5152a3bd451c9fee95065d79eac8
be appreciated

3 REPLIES 3

mm2270
Legendary Contributor III

@k84 You wrote:

The machines are not responding to Casper most likely due network admin account now switched to standard user on the local machines

I'm not sure if the demotion of a local admin account, Jamf management or otherwise would cause the machines to stop responding like you described. Are you seeing any policies being run on these Macs at all? If so, the recurring check-in trigger may still be working, and if so, you have perhaps an option to fix the local account. The recurring check-in trigger gets run by a LaunchDaemon, so it actually does not need a local admin level account to work. It runs as root.
You should be able to create a policy that uses a script to promote the local account back to admin with something like

dseditgroup -o edit -a <account_name> admin

This adds the account specified in <account_name> to the local admin group. This is assuming your local admin group didn't get messed up, which is possible. If the local admin group got deleted for some reason, then it might explain why your previously admin level account is now a standard one.
You can check on one of the affected machines to see if the admin group exists with

ddcl . list /Groups

admin should be listed somewhere in the output.
If you don't see it listed there, then that's the problem, which is a slightly trickier one, but might still be resolvable.

Nix4Life
Valued Contributor

agree with @mm2270. We also did observer in 10.13 and forward, the domain admins have to be specified in the following format:

"yourdomainyourdomainadminoradmingroup", with quotes

KMak84
Contributor

@mm2270

Good news so the local admin account has been elevated back to admin after creating a policy with the above script.

Tested on 5 machines that were affected & all have come back as elevated privileges.

This has saved me a-lot of headache.

Thanks