Solved

Promote Standard account to Admin Account

Forum|Forum|9 years ago
October 4, 2016
9 replies
254 views

+10

rhooper
Valued Contributor

Hello all,

We have been having huge issues with the standard account; cannot update software(Chrome), cannot add personal network printers, cannot add WiFi, etc. So it was the consensus to promote the standard account to an Admin account. I am hoping there is an script to perform this very act, because updating 900+ devices is a little daunting.

I see there is a script to demote and we have it in the wings for deployment should this entire Admin rights thing go South. I am no scripter, but know enough to follow through what will happen when things are run. So any and all help is appreciated.

Best answer by dwandro92

I am not sure what would be causing that error, but the following troubleshooting step should help to rule out the script as the root cause.

Instead of using a script, try pasting the following command into the "Execute command" field of the policy, underneath the "Files and Processes" payload/section:

dseditgroup -o edit -a "$(who | awk '/console/{ print $1 }')" -t user admin

Here are what the options mean:

-o: specify the operation. In this case, it is edit.
-a: add a user or group to the target group. In this case, it will be the currently logged in user.
-t: specify the type of resource that you are adding to the group. In this case, you are telling the command that the currently logged in user is a user, not a group.

duffcalifornia
Contributor
Forum|Forum|9 years ago
October 4, 2016

[https://jamfnation.jamfsoftware.com/discussion.html?id=6990](link URL)

Pretty sure everything you're looking for is right there.

edit: I can't get that link to work for the life of me, but if you search "temporary admin" you should get that post by @brockma9 - it was even featured at JNUC.

+10

rhooper
Author
Valued Contributor
Forum|Forum|9 years ago
October 4, 2016

Thanks... I think.

We use no AD and have all Macs. We do not want to grant temp Admin Rights though, we figure it that these clients are old enough to take care of this stuff themselves. AS far as the argument goes about the management portion, this may change next year after we get a hang of this JSS program, its huge and I am new to it.

dwandro92
Contributor
Forum|Forum|9 years ago
October 4, 2016

You can make a user an admin using the following command (with elevated permissions, of course):

dseditgroup -o edit -a "${username}" -t user admin

+10

rhooper
Author
Valued Contributor
Forum|Forum|9 years ago
October 5, 2016

dwandro92, by elevated you mean sudo, yes?

The standard accounts are all named differently.
is this where an 'if' statement would come in? I am no scripter, but I can basically follow through the script to see what it is supposed to do. I would think it would need to find the current user logged in and then change their group from standard to admin.... but how to get from point a to point b is way beyond me.

What are all the switches -o -a - t.... I have searched for them, but have not found much in the way of descriptions.

Thanks all for helping me out a of a tight spot.

I used a script written by JAMF:

!/bin/bash

grab current user

curUser=ls -l /dev/console | cut -d " " -f 4

Make current user an admin

dseditgroup -o edit -a $curUser -t user admin

but when run on the standard account it fails with the attached error. I do not think it is using the admin account to install the script. I have had the user reboot the device, relload Self Service and still nothing works and still get the error.

dwandro92
Contributor
Answer
Forum|Forum|9 years ago
October 5, 2016

I am not sure what would be causing that error, but the following troubleshooting step should help to rule out the script as the root cause.

Instead of using a script, try pasting the following command into the "Execute command" field of the policy, underneath the "Files and Processes" payload/section:

dseditgroup -o edit -a "$(who | awk '/console/{ print $1 }')" -t user admin

Here are what the options mean:

+14

jhuls
Valued Contributor
Forum|Forum|9 years ago
October 5, 2016

@rhooper Making everyone admin is generally considered the opposite direction organizations should go. There are likely answers to each of the problems you're mentioning. If you're intent on giving admin access though, you might consider watching this video that provides a nice solution for giving admin privileges on an as needed basis.

Getting Users to Do Your Job (Without Them Knowing It)

wawuku
New Contributor
Forum|Forum|6 years ago
August 15, 2019

I was able to use this simple script to accomplish this, where John is the Username;

dscl . -append /groups/admin GroupMembership john

Hope this helps.

Jimmy1
New Contributor
Forum|Forum|3 years ago
March 3, 2022

I was able to use this simple script to accomplish this, where John is the Username;

dscl . -append /groups/admin GroupMembership john

Hope this helps.

Hi, thank you for posting. How did you go about creating a group with admin rights? My understanding is that no administrator group is built into the OS.

Thanks

fotofojo
Contributor
Forum|Forum|2 years ago
February 17, 2023

I am not sure what would be causing that error, but the following troubleshooting step should help to rule out the script as the root cause.

Instead of using a script, try pasting the following command into the "Execute command" field of the policy, underneath the "Files and Processes" payload/section:

dseditgroup -o edit -a "$(who | awk '/console/{ print $1 }')" -t user admin

Here are what the options mean:

Can this command be altered to demote an admin account to a standard one? Thanks

!/bin/bash

grab current user

Make current user an admin

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded