Jamf Nation Community

ds_support · ‎10-18-2016

Hello Community,

At the moment we have 50 Macs. On all Macy, the user are local admin. On all Devices we have a local account with admin rights, too.

Now we want to delete the local admin rights for all user. Only our local account geht local admin rights.

My question is: Can every help me to delete the local admin rights with a script? That only our local admin get the admin rights?

Many Thanks for help!
Christian

etippett · ‎10-18-2016

Wow, awesome script @cvgs . @c.knipping here's a simpler one if that's what you're looking for. This will remove all admins other than the account you specify in the if statement on line 5. Simply replace YOURADMINACCOUNT with the name of the user you wish to remain an admin.

Good luck,
Eric

#!/bin/sh

adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)

for user in $adminUsers
do
    if [ "$user" != "root" ]  && [ "$user" != "YOURADMINACCOUNT" ]
    then 
        dseditgroup -o edit -d $user -t user admin
        if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi
    else
        echo "Admin user $user left alone"
    fi
done

View solution in original post

cvgs · ‎10-18-2016

You can use this script in Casper Remote or a Login/Logout Policy. Update "AdminWhitelist" with your local admins you want to keep (you can use regular expressions if needed), and use "remove" for parameter 4 and "yes" for parameter 5.

#!/bin/bash

# Get script parameters
targetDrive="${1}"
computerName="${2}"
userName="${3}"
ds_action="${4}"
userAutoconf="${5}"
#
group_ds_name="admin"

AdminWhitelist=(
"adobeinstall"
"root"
"admin-[^ ]*"
)

# check parameters
if [[ "${targetDrive}" != "/" ]]; then
    echo "Error: Script can only be used on boot volume."
    exit 1
fi

if [[ -z "${ds_action}" ]]; then
    echo "Error: No action specified: [add|remove]."
    exit 1
fi

if [[ "${userAutoconf}" == "yes" ]]; then
    # autodetect user, but ignore whitelisted users
    sGrepCommand="/usr/bin/grep -v"
    for item in "${AdminWhitelist[@]}"; do
        sGrepCommand="${sGrepCommand} -e '^${item} .*$'"
    done
    sFullCommand="/bin/ps -a -x -o user,command | grep 'loginwindow [c]onsole' | ${sGrepCommand} | /usr/bin/head -n 1 | /usr/bin/awk '{print $1}'"
    userNameAuto=$( eval ${sFullCommand} )
    if [[ -n "${userNameAuto}" ]]; then
        if [[ -z "${userName}" ]]; then
            echo "Using Aqua user ${userNameAuto}."
            userName="${userNameAuto}"
        elif [[ "${userName}" != "${userNameAuto}" ]]; then
            echo "Info: Ignoring Aqua user ${userNameAuto}."
        fi
    fi
fi

# filter again against whitelist
for item in "${AdminWhitelist[@]}"; do
    if [[ "${item}" == "${userName}" ]]; then
        echo "User ${item} is whitelisted."
        exit 0
    fi
done

if [[ -z "${userName}" ]]; then
    echo "Error: No user name specified."
    exit 1
fi

sUserUID="$( /usr/bin/id -u "${userName}" 2>/dev/null )"
if [[ -z "${sUserUID}" ]]; then
    echo "Error: user ${userName} does not exist."
    exit 1
fi

case $ds_action in
"add")
    iIsGroupMember=$( /usr/sbin/dseditgroup -o checkmember -u "${userName}" "${group_ds_name}" 2>/dev/null |
        /usr/bin/grep -c '^no .*' )
    if [[ ${iIsGroupMember} -eq 1 ]]; then
        /usr/sbin/dseditgroup -o edit -n /Local/Default -a "${userName}" -t "user" "${group_ds_name}" 
            && echo "Added user ${userName} to group ${group_ds_name}." 
            || echo "Error adding user ${userName} to group ${group_ds_name}."
    else
        echo "User ${userName} is already a member of group ${group_ds_name}."
    fi
    ;;
"remove")
    iIsGroupMember=$( /usr/sbin/dseditgroup -o checkmember -u "${userName}" "${group_ds_name}" 2>/dev/null |
        /usr/bin/grep -c '^yes .*' )
    if [[ ${iIsGroupMember} -eq 1 ]]; then
        /usr/sbin/dseditgroup -o edit -n /Local/Default -d "${userName}" -t "user" "${group_ds_name}" 
            && echo "Removed user ${userName} from group ${group_ds_name}." 
            || echo "Error removing user ${userName} from group ${group_ds_name}."
    else
        echo "User ${userName} is not a member of group ${group_ds_name}."
    fi
    ;;
*)
    echo "Error: wrong action [add|remove]"
    ;;
esac

exit 0

Christoph

ds_support · ‎10-18-2016

Hi Christoph (@cvgs),

Many Thanks for this script. To solve my issue I need only to edit the Whitelist, right? There I can add the local Account which only needs the local admin rights and other accounts get only the user premissions, right?

Many Thanks
Christian

etippett · ‎10-18-2016

Wow, awesome script @cvgs . @c.knipping here's a simpler one if that's what you're looking for. This will remove all admins other than the account you specify in the if statement on line 5. Simply replace YOURADMINACCOUNT with the name of the user you wish to remain an admin.

Good luck,
Eric

#!/bin/sh

adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)

for user in $adminUsers
do
    if [ "$user" != "root" ]  && [ "$user" != "YOURADMINACCOUNT" ]
    then 
        dseditgroup -o edit -d $user -t user admin
        if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi
    else
        echo "Admin user $user left alone"
    fi
done

skrituliukas · ‎03-27-2023

Hello, great script works like a charm. what would be oposite action? if i removed user from admins, how can i retun it?

ds_support · ‎10-18-2016

@etippett Many thanks for this easy script! Works great! :-)

hlisupport · ‎05-12-2017

@etippett would this remove the JSS management account? In test I lost casper remote access after i ran this command.

dimitri_fransqu · ‎08-01-2017

It's simple, in the script you must modify it here [ "$user" != "YOURADMINACCOUNT" ] by your casper admin account

jon_verret · ‎09-21-2018

@dimitri.fransquin , is it possible to list more than one local admin account? Our internal help desk utilizes a local admin account for support that we want to ensure isn't removed.

EDIT - Well, it appears you can just add additional accounts w/ &&.. Is that correct?

[ "$user" != "root" ] && [ "$user" != "YOURADMINACCOUNT" ] && [ "$user" != "SECONDADMINACCOUNT" ]

gweisz · ‎11-04-2019

@etippett I am trying to run your script from a jamf pro policy but it is not running.
is there any additional parameter I need to use or something?

tlarkin · ‎11-04-2019

You're gonna want at least one local admin on the computer, otherwise you run a big risk of bricking it.

mcgace · ‎02-12-2020

@etippett thanks this is great. If I want to use an array to white list all the admin account I don't want to change (because we have a lot) , what would the condition in the if statement be?

I can't figure out how I loop through both arrays , can you put a for loop in a for loop?

#Whitelist accounts you dont want to remove adminWhiteList=( "root" "admin1" "admin2" "admin3" "admin4" ) adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-) for item in "${adminWhiteList[@]}"; do if[[ "${item}" != "$user"]] #hmmmmm.... confused ...lol done

Jamf Nation Community

Remove Local Admin Rights