Skip to main content
Question

Remove Local Admin Access

  • February 22, 2021
  • 7 replies
  • 85 views
S
Forum|alt.badge.img+3

I've been testing out a script to run the following command in Terminal:

sudo dseditgroup -o edit -d <accountname> admin

The command works fine when you put in the account name, but of course this is not ideal when there are about 100 Macs in scope. Is there any way to invoke the "current user" to be added to the line above? Ideally the script will check who is the current logged in user and remove their administrator rights. FWIW these are mobile AD accounts with local admin rights.

Thanks!

    7 replies

    geoff_widdowson
    Forum|alt.badge.img+8
    • geoff_widdowson
    • Contributor
    • 125 replies
    • February 23, 2021

    You can't remove admin right while a user is logged in using a script. I use a script that will remove admin rights on all users, unless I exclude them, but I can only run the script on logout.

    #!/bin/sh

adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)

for user in $adminUsers
do
    if [ "$user" != "root" ]  && [ "$user" != "Administrator" ] && [ "$user" != "administrator" ] && [ "$user" != "jss_mgmt" ] 
    then 
        dseditgroup -o edit -d $user -t user admin
        if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi
    else
        echo "Admin user $user left alone"
    fi
done
    S
    Forum|alt.badge.img+4
    • Saikat
    • New Contributor
    • 10 replies
    • February 24, 2021

    @scubastove I use below script to demote all users to standard from admin except jamf mgmt account. Our jamf mgmt account is admin. Hence the script will demote all users except "admin"

    !/bin/bash

    Parameters

    mgmtAccount="admin" # Required; Example: so_and_so_admin

    Variables

    userList=$(/usr/bin/dscl . read /Groups/admin GroupMembership | /usr/bin/cut -d " " -f 2-)

    Exit out if we don't have our parameters set

    [[ -z "$mgmtAccount" ]] && echo "No management account specified to ignore; exiting." && exit 1

    Loop through each user and demote them, skipping root and the Jamf Pro management account specified

    for userName in $userList; do if [[ "$userName" != "root" ]] && [[ "$userName" != "$mgmtAccount" ]]; then /usr/sbin/dseditgroup -o edit -d "$userName" admin echo "Account "$userName" had admin privileges removed." fi
    done

    exit 0

    S
    Forum|alt.badge.img+4
    • Saikat
    • New Contributor
    • 10 replies
    • February 24, 2021

    @scubastove I use below script to demote all users to standard from admin except jamf mgmt account. Our jamf mgmt account is admin. Hence the script will demote all users except "admin"

    !/bin/bash
    Parameters
    mgmtAccount="admin" # Required; Example: so_and_so_admin

    Variables
    userList=$(/usr/bin/dscl . read /Groups/admin GroupMembership | /usr/bin/cut -d " " -f 2-)

    Exit out if we don't have our parameters set
    [[ -z "$mgmtAccount" ]] && echo "No management account specified to ignore; exiting." && exit 1

    Loop through each user and demote them, skipping root and the Jamf Pro management account specified
    for userName in $userList; do if [[ "$userName" != "root" ]] && [[ "$userName" != "$mgmtAccount" ]]; then /usr/sbin/dseditgroup -o edit -d "$userName" admin echo "Account "$userName" had admin privileges removed." fi
    done

    exit 0

    T
    Forum|alt.badge.img+1
    • ttan
    • New Contributor
    • 3 replies
    • April 16, 2023

    Works well.

    Thanks @Saikat 

    T
    Forum|alt.badge.img+1
    • ttan
    • New Contributor
    • 3 replies
    • June 14, 2023

    Correct me if I am wrong, if I change -d to -a, it should change user from standard to admin, right?

    But it doesn't work. 

    Any suggestions? 

    Jacek_ADC
    Forum|alt.badge.img+7
    • Jacek_ADC
    • Valued Contributor
    • 93 replies
    • May 24, 2024

    You can't remove admin right while a user is logged in using a script. I use a script that will remove admin rights on all users, unless I exclude them, but I can only run the script on logout.

    #!/bin/sh

adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)

for user in $adminUsers
do
    if [ "$user" != "root" ]  && [ "$user" != "Administrator" ] && [ "$user" != "administrator" ] && [ "$user" != "jss_mgmt" ] 
    then 
        dseditgroup -o edit -d $user -t user admin
        if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi
    else
        echo "Admin user $user left alone"
    fi
done

    I am using this script and it only removes the admin rights for the logged in user while he is logged in. The hidden PreStage user account is untouched from this script and always admin

    #!/bin/sh LoggedInUser=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' ) dseditgroup -o edit -d $LoggedInUser -t user admin

    Source: Solved: Re: Script to remove Admin right on MAC. - Jamf Nation Community - 260457
    and Kudos to DBrowning for this script

    Jacek_ADC
    Forum|alt.badge.img+7
    • Jacek_ADC
    • Valued Contributor
    • 93 replies
    • May 24, 2024

    I am using this script and it only removes the admin rights for the logged in user while he is logged in. The hidden PreStage user account is untouched from this script and always admin

    #!/bin/sh LoggedInUser=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' ) dseditgroup -o edit -d $LoggedInUser -t user admin

    Source: Solved: Re: Script to remove Admin right on MAC. - Jamf Nation Community - 260457
    and Kudos to DBrowning for this script


    until now i do not see also some impact on the mgmt account from UIE


    Terms & ConditionsCookie settingsAccessibility statement