Posted on 10-18-2016 12:09 AM
Hello Community,
At the moment we have 50 Macs. On all Macs, the users are local admins. On all devices we have a local account with admin rights, too.
Now we want to remove the local admin rights for all users. Only our local account gets local admin rights.
My question is: Can anyone help me to remove the local admin rights with a script, so that only our local admin gets the admin rights?
Many thanks for your help!
Christian
Posted on 10-18-2016 09:05 AM
Wow, awesome script @cvgs. @c.knipping here's a simpler one if that's what you're looking for. This will remove all admins other than the account you specify in the if statement on line 5. Simply replace YOURADMINACCOUNT with the name of the user you wish to remain an admin.
Good luck,
Eric
#!/bin/sh
adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)   # drop the "GroupMembership: " prefix, leaving the member names
for user in $adminUsers
do
    if [ "$user" != "root" ] && [ "$user" != "YOURADMINACCOUNT" ]   # every admin except these two is demoted
    then
        dseditgroup -o edit -d "$user" -t user admin   # remove the account from the local admin group
        if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi
    else
        echo "Admin user $user left alone"
    fi
done
Posted on 10-18-2016 03:01 AM
You can use this script in Casper Remote or a Login/Logout Policy. Update "AdminWhitelist" with your local admins you want to keep (you can use regular expressions if needed), and use "remove" for parameter 4 and "yes" for parameter 5.
#!/bin/bash
# Get script parameters (Jamf passes mount point, computer name and user name as $1-$3)
targetDrive="${1}"
computerName="${2}"
userName="${3}"
ds_action="${4}"
userAutoconf="${5}"
#
group_ds_name="admin"
# accounts that are never touched; entries are anchored regular expressions
AdminWhitelist=(
    "adobeinstall"
    "root"
    "admin-[^ ]*"
)
# check parameters
if [[ "${targetDrive}" != "/" ]]; then
    echo "Error: Script can only be used on boot volume."
    exit 1
fi
if [[ -z "${ds_action}" ]]; then
    echo "Error: No action specified: [add|remove]."
    exit 1
fi
if [[ "${userAutoconf}" == "yes" ]]; then
    # autodetect user, but ignore whitelisted users
    sGrepCommand="/usr/bin/grep -v"
    for item in "${AdminWhitelist[@]}"; do
        sGrepCommand="${sGrepCommand} -e '^${item} .*$'"
    done
    # the logged-in Aqua user owns the "loginwindow console" process;
    # \$1 keeps awk's field reference from being replaced by this script's own $1
    sFullCommand="/bin/ps -a -x -o user,command | grep 'loginwindow [c]onsole' | ${sGrepCommand} | /usr/bin/head -n 1 | /usr/bin/awk '{print \$1}'"
    userNameAuto=$( eval ${sFullCommand} )
    if [[ -n "${userNameAuto}" ]]; then
        if [[ -z "${userName}" ]]; then
            echo "Using Aqua user ${userNameAuto}."
            userName="${userNameAuto}"
        elif [[ "${userName}" != "${userNameAuto}" ]]; then
            echo "Info: Ignoring Aqua user ${userNameAuto}."
        fi
    fi
fi
# filter again against whitelist (anchored regex match, same semantics as the grep above)
for item in "${AdminWhitelist[@]}"; do
    if [[ "${userName}" =~ ^${item}$ ]]; then
        echo "User ${userName} is whitelisted."
        exit 0
    fi
done
if [[ -z "${userName}" ]]; then
    echo "Error: No user name specified."
    exit 1
fi
sUserUID="$( /usr/bin/id -u "${userName}" 2>/dev/null )"
if [[ -z "${sUserUID}" ]]; then
    echo "Error: user ${userName} does not exist."
    exit 1
fi
case "${ds_action}" in
    "add")
        # checkmember prints "yes ..." or "no ..."; count the "no" line
        iIsGroupMember=$( /usr/sbin/dseditgroup -o checkmember -u "${userName}" "${group_ds_name}" 2>/dev/null |
            /usr/bin/grep -c '^no .*' )
        if [[ ${iIsGroupMember} -eq 1 ]]; then
            /usr/sbin/dseditgroup -o edit -n /Local/Default -a "${userName}" -t "user" "${group_ds_name}" \
                && echo "Added user ${userName} to group ${group_ds_name}." \
                || echo "Error adding user ${userName} to group ${group_ds_name}."
        else
            echo "User ${userName} is already a member of group ${group_ds_name}."
        fi
        ;;
    "remove")
        iIsGroupMember=$( /usr/sbin/dseditgroup -o checkmember -u "${userName}" "${group_ds_name}" 2>/dev/null |
            /usr/bin/grep -c '^yes .*' )
        if [[ ${iIsGroupMember} -eq 1 ]]; then
            /usr/sbin/dseditgroup -o edit -n /Local/Default -d "${userName}" -t "user" "${group_ds_name}" \
                && echo "Removed user ${userName} from group ${group_ds_name}." \
                || echo "Error removing user ${userName} from group ${group_ds_name}."
        else
            echo "User ${userName} is not a member of group ${group_ds_name}."
        fi
        ;;
    *)
        echo "Error: wrong action [add|remove]"
        ;;
esac
exit 0
Christoph
Posted on 10-18-2016 04:07 AM
Hi Christoph (@cvgs),
Many thanks for this script. To solve my issue I only need to edit the whitelist, right? There I can add the local account that alone needs the local admin rights, and the other accounts get only user permissions, right?
Many Thanks
Christian
Posted on 03-27-2023 03:35 AM
Hello, great script, works like a charm. What would be the opposite action? If I removed a user from admins, how can I return it?
Posted on 10-18-2016 11:13 PM
@etippett Many thanks for this easy script! Works great! :-)
Posted on 05-12-2017 02:25 PM
@etippett would this remove the JSS management account? In testing I lost Casper Remote access after I ran this command.
Posted on 08-01-2017 05:51 AM
It's simple: in the script you must modify this part, [ "$user" != "YOURADMINACCOUNT" ], with your Casper admin account.
Posted on 09-21-2018 09:29 AM
@dimitri.fransquin , is it possible to list more than one local admin account? Our internal help desk utilizes a local admin account for support that we want to ensure isn't removed.
EDIT - Well, it appears you can just add additional accounts with &&. Is that correct?
[ "$user" != "root" ] && [ "$user" != "YOURADMINACCOUNT" ] && [ "$user" != "SECONDADMINACCOUNT" ]
Posted on 11-04-2019 10:30 AM
@etippett I am trying to run your script from a Jamf Pro policy but it is not running.
Is there any additional parameter I need to use or something?
Posted on 11-04-2019 11:12 AM
You're gonna want at least one local admin on the computer, otherwise you run a big risk of bricking it.
Posted on 02-12-2020 08:20 AM
@etippett thanks, this is great. If I want to use an array to whitelist all the admin accounts I don't want to change (because we have a lot), what would the condition in the if statement be?
I can't figure out how I loop through both arrays; can you put a for loop in a for loop?
#Whitelist accounts you dont want to remove
adminWhiteList=( "root" "admin1" "admin2" "admin3" "admin4" )
adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)
for item in "${adminWhiteList[@]}"; do
if [[ "${item}" != "$user" ]] #hmmmmm.... confused ...lol
done
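The nested-loop whitelist version asked about here, as an added example that is not code posted by anyone in this thread; it assumes macOS (dscl, dseditgroup), runs as root, and uses placeholder account names. It also refuses to run if no usable whitelisted admin would remain, the lock-out situation described earlier in the thread, and only prints unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example for this thread, not code posted by anyone in it: demote every
# local admin except a whitelist (the nested loop asked about above) and refuse
# to run if no usable whitelisted admin would remain. Assumes macOS (dscl,
# dseditgroup) and root; set APPLY=1 to change membership, otherwise dry run.

# Placeholder names: replace with the accounts that keep admin rights.
ADMIN_WHITELIST="root YOURADMINACCOUNT SECONDADMINACCOUNT"
# is_whitelisted USER: succeed if USER is listed in ADMIN_WHITELIST.
is_whitelisted() {
    for keep in $ADMIN_WHITELIST; do
        [ "$1" = "$keep" ] && return 0
    done
    return 1
}
# admins_to_remove "MEMBERS": print each member not on the whitelist.
admins_to_remove() {
    for user in $1; do
        is_whitelisted "$user" || echo "$user"
    done
}
# kept_admin_count "MEMBERS": whitelisted admins other than root (root is
# disabled by default on macOS, so it is no fallback if you lock yourself out).
kept_admin_count() {
    n=0
    for user in $1; do
        [ "$user" != "root" ] && is_whitelisted "$user" && n=$((n + 1))
    done
    echo "$n"
}
# "GroupMembership: root alice bob" -> "root alice bob"
read_admin_members() {
    dscl . -read /Groups/admin GroupMembership | sed 's/^GroupMembership: //'
}
run_cleanup() {
    members=$(read_admin_members)
    if [ "$(kept_admin_count "$members")" -eq 0 ]; then
        echo "Refusing: no whitelisted account is in the admin group" >&2
        return 1
    fi
    for user in $(admins_to_remove "$members"); do
        if [ "${APPLY:-0}" = "1" ]; then
            dseditgroup -o edit -d "$user" -t user admin && echo "Removed $user"
        else
            echo "Would remove $user from admin"
        fi
    done
}
# Usage (as root): sh thisscript.sh run        (APPLY=1 to apply the changes)
if [ "${1:-}" = "run" ]; then run_cleanup; fi
```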