Policy to Change Account Type?

musat
Contributor III

Not sure if this is possible. We are rolling out MacBooks to students and are making their account a standard user by default. If a student manages to make their account an administrator, is there a way to check that and change it back? Say they figure out what the JAMF admin account password is. I have one computer I know of where the student has changed their account type, and created a second admin account. Any options here aside from re-imaging?

bajones
Contributor II

I would re-image it because there's no telling what else the kid did with local admin access. Do you use firmware passwords in your environment? If you don't, I would recommend enabling firmware passwords to prevent booting the computer in single-user mode.

mm2270
Legendary Contributor III

Sure.

Use dseditgroup to make any accounts on the Mac outside of known local admin accounts you're using into standard users.
See this snippet from something I worked on a while ago:

#!/bin/sh

## Demote admin users to standard

## Get list of users for demotion: local accounts with UID 501 and up,
## minus the known local admin accounts named in the reverse grep
/bin/echo "Building list of local user accounts for demotion"
userList=$( /usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 >= 501 { print $1; }' | /usr/bin/grep -ve "admin|otheradmin|anotheradmin" )

## Remove admin privs from each user and add them into the _lpadmin group
## (dseditgroup -o checkmember prints "yes ..." or "no ..." as its first word)
for i in $userList; do
    if [[ $(/usr/sbin/dseditgroup -o checkmember -m "$i" admin | /usr/bin/awk '{ print $1 }') = "yes" ]]; then
        /bin/echo "User $i is currently an admin. Converting into Standard User"
        /usr/sbin/dseditgroup -o edit -d "$i" -t user admin
        /bin/echo "Adding $i into _lpadmin group"
        /usr/sbin/dseditgroup -o edit -a "$i" -t user _lpadmin
    else
        /bin/echo "User $i is currently a Standard User. Leaving as is."
    fi
done

In the above, you need to replace the reverse grep (grep -ve) with your local admin accounts between the quote marks. Place a pipe between each name if you have multiple ones. If you only have one, no need for "-ve", just use grep -v "youradminname".

Note that this only sees accounts above UID 500, so it safely ignores all the System level accounts.

mm2270
Legendary Contributor III

Just to chime in again. bajones does make a good point. While the above will work to bring unauthorized admins back down to standard, it's going to be hard to tell what other changes may have been made while the student had admin access.
Secondly, if you even suspect that someone found out or guessed your Casper service account password, I would flip that to something else immediately with a policy. Might even be a good idea to flip it once a month or so just in case.
If you want to go really nuts, you can tell Casper to flip the password to something randomized on every Mac as frequently as you want. Even you won't know what the password is, but the JSS will keep track of it.

musat
Contributor III

Yeah, we'll be looking at reimaging, but with the inventory logs we can look a little at what might have been installed. I've modded this script and it is working great. Of course, we'll also be changing the admin password. :)

musat
Contributor III

I'm assuming there is a way to enable firmware passwords using Casper, but I'm not finding it.

mm2270
Legendary Contributor III
I'm assuming there is a way to enable firmware passwords using Casper, but I'm not finding it.

https://jamfnation.jamfsoftware.com/article.html?id=58

hkim
Contributor II

Firmware passwords are essential if you want to make sure the user stays a non admin. They're not hacking the JSS password, it's just as simple as going into Single User Mode and then deleting /var/db/.AppleSetupDone to force the computer to make a fresh admin account.

fdeltesta
Contributor

Hi,

Thank you for your script @mm2270! Works very well when launched manually, though I'm having trouble executing it through jamf.

The log says it completed, but shows no users were modified and there's no line returned, like the first echo is not even appearing; it feels like the script simply ignores every command. And I tried triggering it at login/logout/startup/selfservice. Always the same.

Does anyone have a hint?

Edit : Nevermind, I just didn't put the script in my policy...........

jlombardo
Contributor

Bumping this.

I tried using the script @mm2270 provided (thank you), however even putting the admin users I want to preserve as admins in

grep -ve "admin|otheradmin" )

Has anyone else run into this?

mm2270
Legendary Contributor III

@jlombardo Try changing it to:

/usr/bin/egrep -v "admin|otheradmin"

I don't think grep -ve is well supported anymore. I've seen issues with it myself and have had to change out some of my scripts to use egrep as well. The script I posted above is from 2013.
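An added example (not mm2270's script, nor anything from Jamf) that combines the demotion routine above with this reply's egrep fix: the allowlist is matched with grep -E and whole-name (-x) matching, variables are quoted, and the candidate-selection step is its own function so the filter can be checked against a constructed dscl listing on any machine. The KEEP_ADMINS names are placeholders.

```shell
#!/bin/bash
# Added example, not mm2270's original script: demote every local account in
# the "admin" group unless it is allowlisted. Alternation needs grep -E (egrep);
# in a basic regex "|" is literal, so `grep -ve "admin|otheradmin"` excluded
# nothing and demoted the real admins too. -x matches whole names only.

# Known local admin accounts to keep (constructed placeholder names).
KEEP_ADMINS="admin|otheradmin"

# Read `dscl . -list /Users UniqueID` output ("name uid" per line) on stdin and
# print the accounts with UID >= 501 that are not allowlisted, one per line.
select_candidates() {
    awk '$2 >= 501 { print $1 }' | grep -Evx "$1" || true
}

# The thread's original filter, kept for comparison: BRE treats "|" literally.
select_candidates_bre() {
    awk '$2 >= 501 { print $1 }' | grep -ve "$1" || true
}

# Constructed dscl-style listing used when trying the filters offline.
sample_listing() {
    printf '%s\n' "_mbsetupuser 248" "daemon 1" "admin 501" \
                  "otheradmin 502" "student1 503" "admin2 504"
}

# "yes"/"no" membership check, the first word dseditgroup -o checkmember prints.
is_admin() {
    /usr/sbin/dseditgroup -o checkmember -m "$1" admin | awk '{ print $1 }'
}

# Drop one account from admin and give it _lpadmin so it can still manage printers.
demote() {
    if [ "$(is_admin "$1")" = "yes" ]; then
        echo "ALERT: $1 is an unexpected admin; converting to standard user"
        /usr/sbin/dseditgroup -o edit -d "$1" -t user admin
        /usr/sbin/dseditgroup -o edit -a "$1" -t user _lpadmin
    else
        echo "$1 is a standard user; leaving as is"
    fi
}

main() {
    /usr/bin/dscl . -list /Users UniqueID | select_candidates "$KEEP_ADMINS" |
        while read -r user; do demote "$user"; done
}
# Only act on a Mac that has dseditgroup; elsewhere just define the functions.
if [ -x /usr/sbin/dseditgroup ]; then
    main
fi
```

When run from a policy, the ALERT lines end up in the policy log, which gives the "is there a way to check that" part of the original question as well as the fix.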

Yea I know, a man can dream that it was still going to work right?

That worked like a charm, thanks for your efforts