Policy and/or Script to Allow user to administer computer

tytran
New Contributor

Looking to see if anyone has a policy or script that checks off the box to Allow user to administer this computer


Tribruin
Valued Contributor II

What are you trying to accomplish? Are you trying to promote your users to Admin permanently? Or just be able to give them elevated access for a short period of time? 


There are a number of scripts available that can promote and demote users.  If you want to time control the process, you can look at a script like: jamf/MakeMeAnAdmin: Provides temporary admin access for a standard user via Jamf Self Service (githu...

 

Alternatively, you could look at SAP/macOS-enterprise-privileges: For Mac users in an Enterprise environment, this app gives the User...

 

Looking to give the user permanent admin privileges.  I know I can just go in and check off the box to "Allow user to administer this computer" but would rather not have to do that manually.

mm2270
Legendary Contributor III

The script/command you'd use for this doesn't go in and "check" the box per se, but does grant admin rights. It would be something along these lines.


/usr/sbin/dseditgroup -o edit -a username -t user admin


Where "username" is the short name of the user account. This adds that account of type user into the local admin group, which in turn grants them local admin rights. Keep in mind the command must be run with sudo or as root (default with a script run from Jamf Pro)

SuSpense
New Contributor II

I created a policy, made a script, and I can't get it to execute properly...keep getting the following error (which I know relates to the Username but I am 100% positive the script matches the targeted Standard User): 

Script exit code: 200
Script result: Record was not found.

Are you familiar with the exit code at all? 

My issue is that we have a remote employee that needs admin rights and we won't have local access to it....I'm fully aware of the other methods everyone mentioned with 1-time elevated privileges but I don't have clearance to push another app yet. 

SuSpense
New Contributor II

In case anyone wants to do this via policy and script, be sure to set the target directory as /usr/local (which is why it was failing initially) in the policy for execution. I added some output to the script in case it fails: 

#!/bin/bash

# Diagnostic output so a failed run in the Jamf policy log shows the context.
echo "Working Directory: $(pwd)"
echo "Executing User: $(whoami)"
echo "Path: $PATH"

# Short name of the account to promote.
USERNAME="username"
echo "Adding $USERNAME to admin group..."
# Jamf already runs policy scripts as root, so sudo is a no-op there;
# the variable is quoted so an odd name cannot be split into extra arguments.
sudo /usr/sbin/dseditgroup -o edit -a "$USERNAME" -t user admin

if [ $? -ne 0 ]; then
    echo "Failed to add $USERNAME to admin group"
    exit 1
else
    echo "$USERNAME added to admin group successfully"
    exit 0
fi

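As an added example (not code from this thread, from Jamf, or from any of the posters), here is a fuller version of the approach mm2270 and SuSpense describe. It validates the short name, confirms the user record exists before calling dseditgroup (so a typo is reported plainly rather than as a bare "Record was not found"), uses dseditgroup's checkmember operation to make the change idempotent and to verify it took effect, and can demote as well as promote. It assumes a Jamf policy that passes the action in script parameter $4 and the short name in $5; those parameter positions are this example's choice, not a Jamf requirement. The membership checks only run on macOS.

```shell
#!/bin/bash
# Constructed example for a Jamf Pro policy script. Jamf runs policy scripts as
# root and passes script parameters as $4..$11; this example expects
#   $4 = "promote" or "demote"
#   $5 = short name of the target account
# (assumption: those two positions were chosen for this illustration).

GROUP="admin"

# Accept only plausible macOS short names: non-empty, no whitespace or shell
# metacharacters, and not starting with "-" (dseditgroup would read it as an option).
valid_shortname() {
  case "$1" in
    "" | -* | *[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Does a user record with this name resolve on this Mac?
user_exists() { id -u "$1" >/dev/null 2>&1; }

# dseditgroup's checkmember operation exits 0 when the user is already in the group.
is_admin() { dseditgroup -o checkmember -m "$1" "$GROUP" >/dev/null 2>&1; }

promote_user() {
  local user="$1"
  if is_admin "$user"; then
    echo "$user is already a member of $GROUP; nothing to do"
    return 0
  fi
  dseditgroup -o edit -a "$user" -t user "$GROUP" || return 1
  # Verify the change actually took before reporting success.
  is_admin "$user"
}

demote_user() {
  local user="$1"
  if ! is_admin "$user"; then
    echo "$user is not a member of $GROUP; nothing to do"
    return 0
  fi
  dseditgroup -o edit -d "$user" -t user "$GROUP" || return 1
  ! is_admin "$user"
}

main() {
  local action="$1" user="$2"
  if [ "$(id -u)" -ne 0 ]; then
    echo "must run as root (Jamf policies do; otherwise run with sudo)" >&2
    return 1
  fi
  if ! valid_shortname "$user"; then
    echo "refusing to act on invalid short name '$user'" >&2
    return 1
  fi
  # Check the record first so a typo is reported here, not as a bare
  # "Record was not found" from dseditgroup.
  if ! user_exists "$user"; then
    echo "no user record named '$user' on this Mac" >&2
    return 1
  fi
  case "$action" in
    promote) promote_user "$user" ;;
    demote)  demote_user "$user" ;;
    *) echo "unknown action '$action' (use promote or demote)" >&2; return 1 ;;
  esac
}

# Only act when invoked with the Jamf parameters, so the functions can be
# sourced or tested without touching the admin group.
if [ $# -ge 5 ]; then
  main "$4" "$5"
fi
```

In the Jamf policy, put "promote" in parameter 4 and the short name in parameter 5; the script exits non-zero (and the policy log shows the reason) if the name is malformed, the account does not exist, or the group change did not stick.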

adefallo
New Contributor II

One thing I’m in the process of implementing is Delinea (formerly Thycotic) Privilege Manager, which essentially allows users to elevate and install, update, uninstall applications, drivers, etc. without being an admin. This is something that has been recommended instead of making users full admin.


I know you wanted a script for adding these users as admins (which I would’ve done until I got this product), but I wanted to share that with you as well. 

If you utilize JAMF Connect, you should be able to set users as an “administrator” at their initial login.

Anonymous
Not applicable

There is a small tool called "Privileges". It is free and you could serve it via selfservice.app to either special computers or special users. Maybe it will help to solve your question. You will find the tool at GitHub here: https://github.com/SAP/macOS-enterprise-privileges