Help

Promote Standard account to Admin Account

Go to solution
rhooper
Contributor III

Posted on ‎10-04-2016 12:18 PM

Hello all,

We have been having huge issues with the standard account; cannot update software(Chrome), cannot add personal network printers, cannot add WiFi, etc. So it was the consensus to promote the standard account to an Admin account. I am hoping there is an script to perform this very act, because updating 900+ devices is a little daunting.

I see there is a script to demote and we have it in the wings for deployment should this entire Admin rights thing go South. I am no scripter, but know enough to follow through what will happen when things are run. So any and all help is appreciated.

Labels:
Reply
1 ACCEPTED SOLUTION

Go to solution
dwandro92
Contributor III

Posted on ‎10-05-2016 02:46 PM

I am not sure what would be causing that error, but the following troubleshooting step should help to rule out the script as the root cause.

Instead of using a script, try pasting the following command into the "Execute command" field of the policy, underneath the "Files and Processes" payload/section:

dseditgroup -o edit -a "$(who | awk '/console/{ print $1 }')" -t user admin

Here are what the options mean:

-o: specify the operation. In this case, it is edit.
-a: add a user or group to the target group. In this case, it will be the currently logged in user.
-t: specify the type of resource that you are adding to the group. In this case, you are telling the command that the currently logged in user is a user, not a group.

View solution in original post

Reply
9 REPLIES 9

Go to solution
duffcalifornia
Contributor

Posted on ‎10-04-2016 12:23 PM

[https://jamfnation.jamfsoftware.com/discussion.html?id=6990](link URL)

Pretty sure everything you're looking for is right there.

edit: I can't get that link to work for the life of me, but if you search "temporary admin" you should get that post by @brockma9 - it was even featured at JNUC.

0 Kudos
Reply

Go to solution
rhooper
Contributor III

Posted on ‎10-04-2016 12:35 PM

Thanks... I think.

We use no AD and have all Macs. We do not want to grant temp Admin Rights though, we figure it that these clients are old enough to take care of this stuff themselves. AS far as the argument goes about the management portion, this may change next year after we get a hang of this JSS program, its huge and I am new to it.

0 Kudos
Reply

Go to solution
dwandro92
Contributor III

Posted on ‎10-04-2016 02:20 PM

You can make a user an admin using the following command (with elevated permissions, of course):

dseditgroup -o edit -a "${username}" -t user admin

0 Kudos
Reply

Go to solution
rhooper
Contributor III

Posted on ‎10-05-2016 11:10 AM

dwandro92, by elevated you mean sudo, yes?

The standard accounts are all named differently.
is this where an 'if' statement would come in? I am no scripter, but I can basically follow through the script to see what it is supposed to do. I would think it would need to find the current user logged in and then change their group from standard to admin.... but how to get from point a to point b is way beyond me.

What are all the switches -o -a - t.... I have searched for them, but have not found much in the way of descriptions.

Thanks all for helping me out a of a tight spot.

I used a script written by JAMF:

!/bin/bash

grab current user

curUser=ls -l /dev/console | cut -d " " -f 4

Make current user an admin

dseditgroup -o edit -a $curUser -t user admin

but when run on the standard account it fails with the attached error. I do not think it is using the admin account to install the script. I have had the user reboot the device, relload Self Service and still nothing works and still get the error.

a0e992b0153a45928749791d5963d450

0 Kudos
Reply

Go to solution
dwandro92
Contributor III

Posted on ‎10-05-2016 02:46 PM

I am not sure what would be causing that error, but the following troubleshooting step should help to rule out the script as the root cause.

Instead of using a script, try pasting the following command into the "Execute command" field of the policy, underneath the "Files and Processes" payload/section:

dseditgroup -o edit -a "$(who | awk '/console/{ print $1 }')" -t user admin

Here are what the options mean:

-o: specify the operation. In this case, it is edit.
-a: add a user or group to the target group. In this case, it will be the currently logged in user.
-t: specify the type of resource that you are adding to the group. In this case, you are telling the command that the currently logged in user is a user, not a group.

Reply

Go to solution
fotofojo
New Contributor III
In response to dwandro92

Posted on ‎02-17-2023 11:34 AM

Can this command be altered to demote an admin account to a standard one? Thanks

Reply

Go to solution
jhuls
Contributor III

Posted on ‎10-05-2016 03:03 PM

@rhooper Making everyone admin is generally considered the opposite direction organizations should go. There are likely answers to each of the problems you're mentioning. If you're intent on giving admin access though, you might consider watching this video that provides a nice solution for giving admin privileges on an as needed basis.

Getting Users to Do Your Job (Without Them Knowing It)

Reply

Go to solution
wawuku
New Contributor

Posted on ‎08-15-2019 06:22 AM

I was able to use this simple script to accomplish this, where John is the Username;

dscl . -append /groups/admin GroupMembership john

Hope this helps.

0 Kudos
Reply

Go to solution
Jimmy1
New Contributor
In response to wawuku

Posted on ‎03-03-2022 09:08 AM

Hi, thank you for posting. How did you go about creating a group with admin rights? My understanding is that no administrator group is built into the OS. 

Thanks

0 Kudos
Reply