Remove Local Admin Rights

ds_support
New Contributor III

Hello Community,

At the moment we have 50 Macs. On all Macs, the users are local admins. On all devices we have a local account with admin rights, too.

Now we want to delete the local admin rights for all users. Only our local account gets local admin rights.

My question is: can anyone help me to delete the local admin rights with a script, so that only our local admin gets the admin rights?

Many thanks for the help!
Christian

1 ACCEPTED SOLUTION

etippett
Contributor II

Wow, awesome script @cvgs. @c.knipping, here's a simpler one if that's what you're looking for. This will remove all admins other than the account you specify in the if statement on line 5. Simply replace YOURADMINACCOUNT with the name of the user you wish to remain an admin.

Good luck,
Eric

#!/bin/sh

# Must run as root. dscl prints "GroupMembership: root user1 user2 ...";
# cut -c 18- drops the 17-character "GroupMembership: " key and leaves the names.
adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)

for user in $adminUsers
do
    # Keep root and the one account named here; everyone else is removed from the group
    if [ "$user" != "root" ]  && [ "$user" != "YOURADMINACCOUNT" ]
    then
        dseditgroup -o edit -d "$user" -t user admin
        if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi
    else
        echo "Admin user $user left alone"
    fi
done



cvgs
Contributor II

You can use this script in Casper Remote or a Login/Logout Policy. Update "AdminWhitelist" with the local admins you want to keep (you can use regular expressions if needed), and use "remove" for parameter 4 and "yes" for parameter 5.

#!/bin/bash

# Get script parameters
targetDrive="${1}"
computerName="${2}"
userName="${3}"
ds_action="${4}"
userAutoconf="${5}"
#
group_ds_name="admin"

AdminWhitelist=(
"adobeinstall"
"root"
"admin-[^ ]*"
)

# check parameters
if [[ "${targetDrive}" != "/" ]]; then
    echo "Error: Script can only be used on boot volume."
    exit 1
fi

if [[ -z "${ds_action}" ]]; then
    echo "Error: No action specified: [add|remove]."
    exit 1
fi

if [[ "${userAutoconf}" == "yes" ]]; then
    # autodetect user, but ignore whitelisted users
    sGrepCommand="/usr/bin/grep -v"
    for item in "${AdminWhitelist[@]}"; do
        sGrepCommand="${sGrepCommand} -e '^${item} .*$'"
    done
    # The single quotes are literal inside this double-quoted string, so $1 must be escaped;
    # otherwise it expands to the script's first parameter before awk ever sees it.
    sFullCommand="/bin/ps -a -x -o user,command | grep 'loginwindow [c]onsole' | ${sGrepCommand} | /usr/bin/head -n 1 | /usr/bin/awk '{print \$1}'"
    userNameAuto=$( eval ${sFullCommand} )
    if [[ -n "${userNameAuto}" ]]; then
        if [[ -z "${userName}" ]]; then
            echo "Using Aqua user ${userNameAuto}."
            userName="${userNameAuto}"
        elif [[ "${userName}" != "${userNameAuto}" ]]; then
            echo "Info: Ignoring Aqua user ${userNameAuto}."
        fi
    fi
fi

# filter again against whitelist
for item in "${AdminWhitelist[@]}"; do
    if [[ "${item}" == "${userName}" ]]; then
        echo "User ${item} is whitelisted."
        exit 0
    fi
done

if [[ -z "${userName}" ]]; then
    echo "Error: No user name specified."
    exit 1
fi

sUserUID="$( /usr/bin/id -u "${userName}" 2>/dev/null )"
if [[ -z "${sUserUID}" ]]; then
    echo "Error: user ${userName} does not exist."
    exit 1
fi

case $ds_action in
"add")
    iIsGroupMember=$( /usr/sbin/dseditgroup -o checkmember -u "${userName}" "${group_ds_name}" 2>/dev/null |
        /usr/bin/grep -c '^no .*' )
    if [[ ${iIsGroupMember} -eq 1 ]]; then
        /usr/sbin/dseditgroup -o edit -n /Local/Default -a "${userName}" -t "user" "${group_ds_name}" \
            && echo "Added user ${userName} to group ${group_ds_name}." \
            || echo "Error adding user ${userName} to group ${group_ds_name}."
    else
        echo "User ${userName} is already a member of group ${group_ds_name}."
    fi
    ;;
"remove")
    iIsGroupMember=$( /usr/sbin/dseditgroup -o checkmember -u "${userName}" "${group_ds_name}" 2>/dev/null |
        /usr/bin/grep -c '^yes .*' )
    if [[ ${iIsGroupMember} -eq 1 ]]; then
        /usr/sbin/dseditgroup -o edit -n /Local/Default -d "${userName}" -t "user" "${group_ds_name}" \
            && echo "Removed user ${userName} from group ${group_ds_name}." \
            || echo "Error removing user ${userName} from group ${group_ds_name}."
    else
        echo "User ${userName} is not a member of group ${group_ds_name}."
    fi
    ;;
*)
    echo "Error: wrong action [add|remove]"
    ;;
esac

exit 0

Christoph

ds_support
New Contributor III

Hi Christoph (@cvgs),

Many thanks for this script. To solve my issue I only need to edit the whitelist, right? There I can add the local account which alone needs the local admin rights, and the other accounts get only user permissions, right?

Many thanks
Christian


ds_support
New Contributor III

@etippett Many thanks for this easy script! Works great! 🙂

hlisupport
New Contributor

@etippett would this remove the JSS management account? In testing I lost Casper Remote access after I ran this command.

dimitri_fransqu
New Contributor

It's simple: in the script you must modify it here, [ "$user" != "YOURADMINACCOUNT" ], with your Casper admin account.

jon_verret
New Contributor II

@dimitri.fransquin, is it possible to list more than one local admin account? Our internal help desk utilizes a local admin account for support that we want to ensure isn't removed.

EDIT - Well, it appears you can just add additional accounts with &&. Is that correct?

[ "$user" != "root" ] && [ "$user" != "YOURADMINACCOUNT" ] && [ "$user" != "SECONDADMINACCOUNT" ]

gweisz
New Contributor

@etippett I am trying to run your script from a Jamf Pro policy but it is not running.
Is there any additional parameter I need to use, or something?

tlarkin
Honored Contributor

You're gonna want at least one local admin on the computer, otherwise you run a big risk of bricking it.

mcgace
New Contributor III

@etippett thanks, this is great. If I want to use an array to whitelist all the admin accounts I don't want to change (because we have a lot), what would the condition in the if statement be?

I can't figure out how I loop through both arrays; can you put a for loop in a for loop?

#Whitelist accounts you don't want to remove
adminWhiteList=( "root" "admin1" "admin2" "admin3" "admin4" )
adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)
for user in $adminUsers; do
    for item in "${adminWhiteList[@]}"; do
        if [[ "${item}" != "$user" ]]; then
            : #hmmmmm.... confused ...lol
        fi
    done
done
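As an added example (not code from any poster in this thread), here is a whitelist version of Eric's approach that answers the nested-loop question and also applies tlarkin's point by refusing to run unless a whitelisted account other than root is actually still in the admin group. It is written for /bin/sh, so the whitelist is a space-separated list rather than a bash array; the account names and the RUN_ADMIN_CLEANUP and DRY_RUN variables are assumptions, and the dscl/dseditgroup calls assume macOS and root.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread: demote every member of the local
# "admin" group except the whitelisted accounts. Assumes macOS (dscl/dseditgroup) and root.

# Space-separated whitelist (not a bash array) so it runs under /bin/sh; the names are placeholders.
ADMIN_WHITELIST="root YOURADMINACCOUNT SECONDADMINACCOUNT"

# is_whitelisted NAME: succeeds if NAME is one of the whitelisted accounts
is_whitelisted() {
    for wl_item in $ADMIN_WHITELIST; do
        [ "$1" = "$wl_item" ] && return 0
    done
    return 1
}

# admins_to_remove LINE: prints the non-whitelisted members, one per line. LINE is the raw
# "GroupMembership: root admin alice" output of: dscl . -read /Groups/admin GroupMembership
admins_to_remove() {
    for member in ${1#GroupMembership: }; do   # strip the key by pattern, not cut -c 18-
        is_whitelisted "$member" || printf '%s\n' "$member"
    done
}

# whitelisted_admin_present LINE: succeeds if a whitelisted account other than root is still
# in the group, so the script never leaves a Mac with no usable local admin (tlarkin's point).
whitelisted_admin_present() {
    for member in ${1#GroupMembership: }; do
        [ "$member" != "root" ] && is_whitelisted "$member" && return 0
    done
    return 1
}

# remove_non_whitelisted_admins: read the real group and demote accounts (DRY_RUN=1 only reports)
remove_non_whitelisted_admins() {
    membership=$(dscl . -read /Groups/admin GroupMembership) || return 1
    if ! whitelisted_admin_present "$membership"; then
        echo "Refusing to run: no whitelisted admin account is in the admin group" >&2
        return 1
    fi
    admins_to_remove "$membership" | while read -r user; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "Would remove $user from admin group"
        elif dseditgroup -o edit -n /Local/Default -d "$user" -t user admin; then
            echo "Removed user $user from admin group"
        fi
    done
}

# Only touch the system when explicitly asked, so the functions above can be sourced and tested.
if [ "${RUN_ADMIN_CLEANUP:-0}" = "1" ]; then remove_non_whitelisted_admins; fi
```

Run it once with DRY_RUN=1 RUN_ADMIN_CLEANUP=1 to see which accounts would be demoted before letting a policy run it for real.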