Promote Standard account to Admin Account

rhooper
Contributor III

Hello all,

We have been having huge issues with the standard account; cannot update software (Chrome), cannot add personal network printers, cannot add WiFi, etc. So it was the consensus to promote the standard account to an Admin account. I am hoping there is a script to perform this very act, because updating 900+ devices is a little daunting.

I see there is a script to demote and we have it in the wings for deployment should this entire Admin rights thing go South. I am no scripter, but know enough to follow through what will happen when things are run. So any and all help is appreciated.

9 REPLIES

duffcalifornia
Contributor

https://jamfnation.jamfsoftware.com/discussion.html?id=6990

Pretty sure everything you're looking for is right there.

edit: I can't get that link to work for the life of me, but if you search "temporary admin" you should get that post by @brockma9 - it was even featured at JNUC.

rhooper
Contributor III

Thanks... I think.

We use no AD and have all Macs. We do not want to grant temp Admin Rights though; we figure that these clients are old enough to take care of this stuff themselves. As far as the argument goes about the management portion, this may change next year after we get the hang of this JSS program; it's huge and I am new to it.

dwandro92
Contributor III

You can make a user an admin using the following command (with elevated permissions, of course):

```bash
dseditgroup -o edit -a "${username}" -t user admin
```

rhooper
Contributor III

dwandro92, by elevated you mean sudo, yes?

The standard accounts are all named differently.
Is this where an 'if' statement would come in? I am no scripter, but I can basically follow through the script to see what it is supposed to do. I would think it would need to find the current user logged in and then change their group from standard to admin.... but how to get from point a to point b is way beyond me.

What are all the switches -o -a -t.... I have searched for them, but have not found much in the way of descriptions.

Thanks all for helping me out of a tight spot.

I used a script written by JAMF:

```bash
#!/bin/bash

# Grab current user (owner of the console device)
curUser=$(ls -l /dev/console | cut -d " " -f 4)

# Make current user an admin
dseditgroup -o edit -a "$curUser" -t user admin
```

but when run on the standard account it fails with the attached error. I do not think it is using the admin account to install the script. I have had the user reboot the device, reload Self Service and still nothing works and still get the error.

dwandro92
Contributor III (accepted solution)

I am not sure what would be causing that error, but the following troubleshooting step should help to rule out the script as the root cause.

Instead of using a script, try pasting the following command into the "Execute command" field of the policy, underneath the "Files and Processes" payload/section:

```bash
dseditgroup -o edit -a "$(who | awk '/console/{ print $1 }')" -t user admin
```

Here is what the options mean:

-o: specify the operation. In this case, it is edit.
-a: add a user or group to the target group. In this case, it will be the currently logged in user.
-t: specify the type of resource that you are adding to the group. In this case, you are telling the command that the currently logged in user is a user, not a group.

fotofojo
New Contributor III

Can this command be altered to demote an admin account to a standard one? Thanks
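
An added example, not part of any post in this thread and not Jamf's code: the `dseditgroup` one-liner from the accepted answer wrapped with target checks and an audit log entry, plus the demotion direction asked about above (`-d` in place of `-a`). The function names, the `promote`/`demote` arguments and the `admin-rights` log tag are assumptions made for illustration; the console lookup matches the second `who` column exactly rather than using the `/console/` pattern.

```bash
#!/bin/bash
# Added example: promote or demote the console user with guard rails.
# Must run as root (a Jamf policy does). Function names are illustrative.

# Read `who` output on stdin; print the user whose line is "console".
console_user() {
    awk '$2 == "console" { print $1; exit }'
}

# Reject empty names, root, service accounts (leading underscore, such as
# _mbsetupuser) and names with unexpected characters.
valid_target() {
    case "$1" in
        ""|root|_*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# dseditgroup flag per action: -a adds to the group, -d deletes from it.
flag_for() {
    case "$1" in
        promote) printf '%s\n' "-a" ;;
        demote)  printf '%s\n' "-d" ;;
        *) return 1 ;;
    esac
}

# change_admin <promote|demote> <user>: edit membership only when needed.
change_admin() {
    flag=$(flag_for "$1") || { echo "unknown action: $1" >&2; return 2; }
    valid_target "$2" || { echo "refusing target: '$2'" >&2; return 3; }
    if dseditgroup -o checkmember -m "$2" admin >/dev/null 2>&1; then
        [ "$1" = promote ] && return 0   # already an admin
    else
        [ "$1" = demote ] && return 0    # already a standard user
    fi
    dseditgroup -o edit "$flag" "$2" -t user admin &&
        logger -t admin-rights "$1 $2"   # audit trail in the system log
}

# Act only on an explicit action. Jamf policy scripts receive custom
# parameters from $4 on, so check that first, then a plain CLI $1.
action="${4:-${1:-}}"
case "$action" in
    promote|demote) change_admin "$action" "$(who | console_user)" ;;
esac
```

With nobody logged in, `console_user` prints nothing and `change_admin` refuses the empty target instead of passing it to `dseditgroup`.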

jhuls
Contributor III

@rhooper Making everyone admin is generally considered the opposite direction organizations should go. There are likely answers to each of the problems you're mentioning. If you're intent on giving admin access though, you might consider watching this video that provides a nice solution for giving admin privileges on an as needed basis.

Getting Users to Do Your Job (Without Them Knowing It)

wawuku
New Contributor

I was able to use this simple script to accomplish this, where John is the Username:

```bash
dscl . -append /groups/admin GroupMembership john
```

Hope this helps.

Jimmy1
New Contributor

Hi, thank you for posting. How did you go about creating a group with admin rights? My understanding is that no administrator group is built into the OS. 

Thanks