Posted on 02-12-2013 01:30 PM
Not sure if this is possible. We are rolling out MacBooks to students and are making their account a standard user by default. If a student manages to make their account an administrator, is there a way to check that and change it back? Say they figure out what the JAMF admin account password is. I have one computer I know of where the student has changed their account type, and created a second admin account. Any options here aside from re-imaging?
Posted on 02-12-2013 01:50 PM
Sure.
Use dseditgroup to make any accounts on the Mac outside of the known local admin accounts you're using into standard users.
See this snippet from something I worked on a while ago:
#!/bin/bash
## Demote admin users to standard
## Get list of users for demotion: every local account with UID 501 or above
## that is not one of your own local admin accounts. -E is needed so the "|"
## alternation works (BSD grep treats "|" literally without it); the ^...$ anchors
## match whole account names only.
/bin/echo "Building list of local user accounts for demotion"
userList=$( /usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 >= 501 { print $1; }' | /usr/bin/grep -Ev "^(admin|otheradmin|anotheradmin)$" )
## Remove admin privs from each user and add them into the _lpadmin group
for i in $userList; do
    ## checkmember prints "yes <user> is a member of admin" or "no <user> is NOT a member of admin"
    if [[ $( /usr/sbin/dseditgroup -o checkmember -m "$i" admin | /usr/bin/awk '{ print $1 }' ) = "yes" ]]; then
        /bin/echo "User $i is currently an admin. Converting into Standard User"
        /usr/sbin/dseditgroup -o edit -d "$i" -t user admin
        ## _lpadmin lets a standard user still add and manage printers
        /bin/echo "Adding $i into _lpadmin group"
        /usr/sbin/dseditgroup -o edit -a "$i" -t user _lpadmin
    else
        /bin/echo "User $i is currently a Standard User. Leaving as is."
    fi
done
In the above, you need to replace the names in the reverse grep (grep -Ev) with your local admin accounts between the quote marks. Place a pipe between each name if you have multiple ones. If you only have one, no need for "-E", just use grep -v "youradminname".
Note that this only sees accounts above UID 500, so it safely ignores all the System level accounts.
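The OP's first question was how to check for unauthorized admins before deciding whether to demote them. The following is an added example, not mm2270's script: instead of testing every user with checkmember, it reads the admin group's membership directly, filters out system accounts and an allowlist of expected admins (the names in ALLOWED_ADMINS are hypothetical), and prints the leftovers in the <result> form a Jamf extension attribute expects. With --fix it also removes them from the admin group; with no argument it only defines functions.

```bash
#!/bin/bash
# Added example (not from the thread): audit the local admin group against an
# allowlist and, with --fix, demote anyone who should not be there.
# Assumptions: the allowlist names are hypothetical; run as root on macOS.
# Without arguments it only defines functions, so it can be sourced.
set -u

ALLOWED_ADMINS="admin otheradmin"   # hypothetical: Jamf management account plus local IT admins

# parse_group_membership: turn the "GroupMembership: root admin ..." line that
# `dscl . -read /Groups/admin GroupMembership` prints into one name per line.
parse_group_membership() {
    awk '/^GroupMembership:/ { for (i = 2; i <= NF; i++) print $i }'
}

# admins_with_uid: print "name uid" for every member of the admin group.
# UIDs come from `dscl . -list /Users UniqueID` (one "name uid" pair per line).
admins_with_uid() {
    local members
    members=$(/usr/bin/dscl . -read /Groups/admin GroupMembership | parse_group_membership)
    /usr/bin/dscl . -list /Users UniqueID |
        awk -v m="$members" 'BEGIN { n = split(m, a, "\n"); for (i = 1; i <= n; i++) want[a[i]] = 1 }
                             ($1 in want) { print $1, $2 }'
}

# unauthorized_admins ALLOWLIST: reads "name uid" lines on stdin and prints the
# names that are neither system accounts (UID < 501) nor on the allowlist.
# Exact-name matching, so allowing "admin" does not also protect "admin2".
unauthorized_admins() {
    awk -v allow="$1" 'BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
                       $2 >= 501 && !($1 in ok) { print $1 }'
}

# demote_user NAME: remove NAME from the admin group (requires root).
demote_user() {
    /usr/sbin/dseditgroup -o edit -d "$1" -t user admin
}

# main: --audit prints an extension-attribute style <result>; --fix also demotes.
# Returns non-zero when unauthorized admins were found so the policy log shows it.
main() {
    local mode="$1" bad
    bad=$(admins_with_uid | unauthorized_admins "$ALLOWED_ADMINS")
    if [ -z "$bad" ]; then
        echo "<result>none</result>"
        return 0
    fi
    echo "<result>$(echo "$bad" | tr '\n' ' ')</result>"
    if [ "$mode" = "--fix" ]; then
        for u in $bad; do
            echo "Demoting unauthorized admin: $u"
            demote_user "$u"
        done
    fi
    return 1
}

case "${1:-}" in
    --audit|--fix) main "$1" ;;
esac
```

Run it as `sudo ./admin_audit.sh --audit` from a policy or extension attribute to get an inventory record of which Macs have extra admins, and `--fix` once you have decided that demotion (rather than re-imaging) is the right response. Keeping the Jamf management account on the allowlist is essential, otherwise the script strips the rights the JSS itself needs.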
Posted on 02-12-2013 01:47 PM
I would re-image it because there's no telling what else the kid did with local admin access. Do you use firmware passwords in your environment? If you don't, I would recommend enabling firmware passwords to prevent booting the computer in single-user mode.
Posted on 02-12-2013 02:02 PM
Just to chime in again. bajones does make a good point. While the above will work to bring unauthorized admins back down to standard, it's going to be hard to tell what other changes may have been made while the student had admin access.
Secondly, if you even suspect that someone found out or guessed your Casper service account password, I would flip that to something else immediately with a policy. Might even be a good idea to flip it once a month or so just in case.
If you want to go really nuts, you can tell Casper to flip the password to something randomized on every Mac as frequently as you want. Even you won't know what the password is, but the JSS will keep track of it.
Posted on 02-13-2013 07:13 AM
Yeah, we'll be looking at reimaging, but with the inventory logs we can look a little at what might have been installed. I've modded this script and it is working great. Of course, we'll also be changing the admin password. :)
Posted on 02-13-2013 07:25 AM
I'm assuming there is a way to enable firmware passwords using Casper, but I'm not finding it.
Posted on 02-13-2013 08:21 AM
Firmware passwords are essential if you want to make sure the user stays a non admin. They're not hacking the JSS password, it's just as simple as going into Single User Mode and then deleting /var/db/.AppleSetupDone to force the computer to make a fresh admin account.
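The two controls this post relies on can be inventoried the same way as the admin check above. The following is an added example, not something from the thread: it parses the output of /usr/sbin/firmwarepasswd -check (present on Intel Macs running OS X 10.10 or later, which is an assumption about the fleet) and confirms the /var/db/.AppleSetupDone marker is still in place, printing one <result> line for an extension attribute. With no argument it only defines functions.

```bash
#!/bin/bash
# Added example (not from the thread): extension-attribute style check for the
# two tamper controls discussed above on an Intel Mac. Assumes macOS 10.10 or
# later for /usr/sbin/firmwarepasswd; without --report it only defines functions.
set -u

# firmware_password_enabled: reads `firmwarepasswd -check` output on stdin
# ("Password Enabled: Yes" or "Password Enabled: No"); exit 0 when enabled.
firmware_password_enabled() {
    grep -q '^Password Enabled: *Yes'
}

# setup_done_present DIR: true when DIR/.AppleSetupDone exists. Deleting the
# marker from single-user mode makes Setup Assistant run at next boot and
# create a brand-new admin account, which is the bypass described above.
setup_done_present() {
    [ -f "$1/.AppleSetupDone" ]
}

# report: one line a policy or extension attribute can collect.
report() {
    local fw="unavailable" marker="missing"
    if [ -x /usr/sbin/firmwarepasswd ]; then
        if /usr/sbin/firmwarepasswd -check 2>/dev/null | firmware_password_enabled; then
            fw="enabled"
        else
            fw="disabled"
        fi
    fi
    setup_done_present /var/db && marker="present"
    echo "<result>firmware_password=$fw setup_done_marker=$marker</result>"
}

case "${1:-}" in
    --report) report ;;
esac
```

A Mac reporting firmware_password=disabled is one where single-user mode, and therefore the .AppleSetupDone trick, is still open. Note that Apple silicon Macs have no firmware password at all; the equivalent control there is Recovery Lock set through MDM, and this script will simply report "unavailable" on them.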
Posted on 05-21-2019 01:03 AM
Hi,
Thank you for your script @mm2270! It works very well when launched manually, though I'm having trouble executing it through jamf.
The log says it completed, but shows no user was modified and there's no line returned, like the first echo is not even appearing; it feels like the script simply ignores every command. And I tried triggering it at login/logout/startup/selfservice. Always the same.
Does anyone have a hint ?
Edit : Nevermind, I just didn't put the script in my policy...........
Posted on 11-05-2021 09:33 AM
Bumping this.
I tried using the script @mm2270 provided (thank you), however even putting the admin users I want to preserve as admins in
grep -ve "admin|otheradmin" )
Has anyone else run into this?
Posted on 11-05-2021 09:55 AM
@jlombardo Try changing it to:
/usr/bin/egrep -v "admin|otheradmin"
I don't think grep -ve is well supported anymore. I've seen issues with it myself and have had to change out some of my scripts to use egrep as well. The script I posted above is from 2013.
Posted on 11-05-2021 12:31 PM
That worked like a charm, thanks for your efforts