Help

Policy to Change Account Type?

Go to solution
musat
Contributor III

Posted on ‎02-12-2013 01:30 PM

Not sure if this is possible. We are rolling out MacBooks to students and are making their account a standard user by default. If a student manages to make their account an administrator, is there a way to check that and change it back? Say they figure out what the JAMF admin account password is. I have one computer I know of where the student has changed their account type, and created a second admin account. Any options here aside from re-imaging?

0 Kudos
2 ACCEPTED SOLUTIONS

Go to solution
mm2270
Legendary Contributor III

Posted on ‎02-12-2013 01:50 PM

Sure.

Use dseditgroup to make any accounts on the Mac outside of known local admin accounts your using into standard users.
See this snippet from something I worked on a while ago-

#!/bin/sh

## Demote admin users to standard

## Get list of users for demotion
/bin/echo "Building list of local user accounts for demotion"
userList=$( /usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 >= 501 { print $1; }' | /usr/bin/grep -ve "admin|otheradmin|anotheradmin" )

## Remove admin privs from each user and add them into the _lpadmin group
for i in $userList; do
    if [[ `/usr/sbin/dseditgroup -o checkmember -m $i admin | /usr/bin/awk '{ print $1 }'` = "yes" ]]; then
    /bin/echo "User $i is currently an admin. Converting into Standard User"
    /usr/sbin/dseditgroup -o edit -d $i -t user admin
    /bin/echo "Adding $i into _lpadmin group"
    /usr/sbin/dseditgroup -o edit -a $i -t user _lpadmin
        else
            echo "User $i is currently a Standard User. Leaving as is."
    fi
done

In the above, you need to replace the reverse grep (grep -ve) with your local admin accounts between the quote marks. Place a pipe betwen each name if you have multiple ones. if you only have one, no need for "-ve", just use grep -v "youradminname"

Note that this only sees accounts above UID 500, so it safely ignores all the System level accounts.

View solution in original post

Go to solution
mm2270
Legendary Contributor III

Posted on ‎02-13-2013 07:30 AM

I'm assuming there is a way to enable firmware passwords using Casper, but I'm not finding it.

https://jamfnation.jamfsoftware.com/article.html?id=58

View solution in original post

0 Kudos
12 REPLIES 12

Go to solution
bajones
Contributor II

Posted on ‎02-12-2013 01:47 PM

I would re-image it because there's no telling what else the kid did with local admin access. Do you use firmware passwords in your environment? If you don't, I would recommend enabling firmware passwords to prevent booting the computer in single-user mode.

0 Kudos

Go to solution
mm2270
Legendary Contributor III

Posted on ‎02-12-2013 01:50 PM

Sure.

Use dseditgroup to make any accounts on the Mac outside of known local admin accounts your using into standard users.
See this snippet from something I worked on a while ago-

#!/bin/sh

## Demote admin users to standard

## Get list of users for demotion
/bin/echo "Building list of local user accounts for demotion"
userList=$( /usr/bin/dscl . -list /Users UniqueID | /usr/bin/awk '$2 >= 501 { print $1; }' | /usr/bin/grep -ve "admin|otheradmin|anotheradmin" )

## Remove admin privs from each user and add them into the _lpadmin group
for i in $userList; do
    if [[ `/usr/sbin/dseditgroup -o checkmember -m $i admin | /usr/bin/awk '{ print $1 }'` = "yes" ]]; then
    /bin/echo "User $i is currently an admin. Converting into Standard User"
    /usr/sbin/dseditgroup -o edit -d $i -t user admin
    /bin/echo "Adding $i into _lpadmin group"
    /usr/sbin/dseditgroup -o edit -a $i -t user _lpadmin
        else
            echo "User $i is currently a Standard User. Leaving as is."
    fi
done

In the above, you need to replace the reverse grep (grep -ve) with your local admin accounts between the quote marks. Place a pipe betwen each name if you have multiple ones. if you only have one, no need for "-ve", just use grep -v "youradminname"

Note that this only sees accounts above UID 500, so it safely ignores all the System level accounts.

Go to solution
mm2270
Legendary Contributor III

Posted on ‎02-12-2013 02:02 PM

Just to chime in again. bajones does make a good point. While the above will work to bring unauthorized admins back down to standard, its going to be hard to tell what other changes may have been made while the student had admin access
Secondly, if you even suspect that someone found out or guessed your Casper service account password, I would flip that to something else immediately with a policy. Might even be a good idea to flip it once a month or so just in case.
If you want to go really nuts, you can tell Casper to flip the password to something randomized on every Mac as frequently as you want. Even you won't know what the password is, but the JSS will keep track of it.

0 Kudos

Go to solution
musat
Contributor III

Posted on ‎02-13-2013 07:13 AM

Yeah, we'll be looking at reimaging, but with the inventory logs we can look a little at what might have been installed. I've modded this script and it is working great. Of course, we'll also be changing the admin password. :)

0 Kudos

Go to solution
musat
Contributor III

Posted on ‎02-13-2013 07:25 AM

I'm assuming there is a way to enable firmware passwords using Casper, but I'm not finding it.

0 Kudos

Go to solution
mm2270
Legendary Contributor III

Posted on ‎02-13-2013 07:30 AM

I'm assuming there is a way to enable firmware passwords using Casper, but I'm not finding it.

https://jamfnation.jamfsoftware.com/article.html?id=58

0 Kudos

Go to solution
hkim
Contributor II

Posted on ‎02-13-2013 08:21 AM

Firmware passwords are essential if you want to make sure the user stays a non admin. They're not hacking the JSS password, it's just as simple as going into Single User Mode and then deleting /var/db/.AppleSetupDone to force the computer to make a fresh admin account.

0 Kudos

Go to solution
fdeltesta
Contributor

Posted on ‎05-21-2019 01:03 AM

Hi,

Thank you for your script @mm2270 ! Works very when lauched manually, though, I'm having trouble executing it through jamf.

The log says it completed, but show, no user where modified and there's no line returned, like the fisrt echo is not even appearing, it feels like the script simply ignores every commands. And I tried triggering it at login/logout/startup/selfservice. Always the same.

Does anyone have a hint ?

Edit : Nevermind, I just didn't put the script in my policy...........

0 Kudos

Go to solution
jlombardo
Contributor

Posted on ‎11-05-2021 09:33 AM

Bumping this.

I tried using the script by @mm2270 provided (thank you), however even putting the admin users I want to preserve as admins in 

grep -ve "admin|otheradmin" )

 Has anyone else run into this?

0 Kudos

Go to solution
mm2270
Legendary Contributor III
In response to jlombardo

Posted on ‎11-05-2021 09:55 AM

@jlombardo Try changing it to:

/usr/bin/egrep -v "admin|otheradmin"

I don't think grep -ve is well supported anymore. I've seen issues with it myself and have had to change out some of my scripts to use egrep as well. The script I posted above is from 2013.

Go to solution
jlombardo
Contributor
In response to mm2270

Posted on ‎11-05-2021 10:00 AM

Yea I know, a man can dream that it was still going to work right?
0 Kudos

Go to solution
jlombardo
Contributor
In response to mm2270

Posted on ‎11-05-2021 12:31 PM

That worked like a charm, thanks for your efforts

0 Kudos