Posted on 05-09-2019 11:03 AM
I have a handful of systems were users were inadvertently granted admin access. It's too time-consuming to recreate accounts for the users [devs with serious customization]
I've been attempting a number of dscl lines yet haven't found one to work -- is there a proper way to run it for 10.13 vs earlier?
You'd find anyone in 503 and reset it to 501, correct?
Posted on 05-09-2019 11:28 AM
You don't want to use dscl anymore to remove admin access. The tool to use is dseditgroup
sudo dseditgroup -o edit -d <accountname> admin
The above is the basic idea. Replace <accountname> with the actual account name you want to remove admin access from (no < or >)
And to answer your question about 503 vs 501, this has nothing to do with admin access. That's simply the Unique ID (UID) of the account, which are all unique per account on a given system.