Remove local administrator level access for the currently logged in user.

atomczynski
Valued Contributor

I'm looking to remove administrator level access from mobile accounts.

I have an extension attribute which lists admin level accounts on a machine and looks like I only have a few computers to clean up.

I'm looking for a script which removes local administrator access from the currently logged in user. Thus far I found scripts that remove it from all users except the ones listed.

I wonder if there is something simpler out there.


Cyberghost
New Contributor III

Hey,

I’m using something like this:

#!/bin/sh

# Members of the local admin group; the "GroupMembership: " prefix is 17 characters, so keep from column 18 on
adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)

for user in $adminUsers
do
    # Accounts that keep their admin rights
    if [ "$user" != "root" ]  && [ "$user" != "admin" ] && [ "$user" != "jadmin" ]
    then 
        dseditgroup -o edit -d "$user" -t user admin
        if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi
    else
        echo "Admin user $user left alone"
    fi
done

atomczynski
Valued Contributor

Thanks for the speedy reply.
I see that on line 5 you specify if user is not.

Do I need to add the Jamf management account to this list or is this one omitted?

mm2270
Legendary Contributor III

I'm guessing one of the scripts you found could be adapted pretty easily to only work on the currently logged in user.

Getting the logged in user (multiple ways to do this):

loggedInUser=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ {print $3}')

Removing admin rights from that user:

/usr/sbin/dseditgroup -o edit -d "$loggedInUser" -t user admin

Combine the above lines together into a script for a simple version. Should be easy enough.

atomczynski
Valued Contributor

Based on the info I've created the following:

#!/bin/bash

# Console user; empty when the login window is showing
loggedInUser=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ {print $3}')

# Nothing to do if nobody is logged in
if [ -z "$loggedInUser" ]; then
    exit 0
fi

/usr/sbin/dseditgroup -o edit -d "$loggedInUser" -t user admin

and logged out, logged in and now I see the user is no longer an admin.

This will only run it for the currently logged in account, right?
Anything else? Thank you.

mm2270
Legendary Contributor III

Did you set it up to run on login? It sounds like it based on what you posted above. If so, then generally speaking that should be all you need to do.
However, if you have a local admin account on all your Macs that you use, such as an IT account, and if it's something techs log in with from time to time, I would consider adding a check to make sure the $loggedInUser is not that account, and if it is, to just exit without doing anything. Otherwise if the next login happens to be that local IT admin account, the script won't discriminate and will just remove admin rights from that account, which I'm guessing you wouldn't want.

Something like this should work for you in case the above scenario is a concern.

#!/bin/bash

localITAccount="username" ## Change username to your actual local admin account

# Console user; empty when the login window is showing
loggedInUser=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ {print $3}')

# Nothing to do if nobody is logged in
if [ -z "$loggedInUser" ]; then
    exit 0
fi

if [ "$loggedInUser" != "$localITAccount" ]; then
    /usr/sbin/dseditgroup -o edit -d "$loggedInUser" -t user admin
else
    echo "Logged in user $loggedInUser is the local IT admin account. Exiting without making changes..."
    exit 0
fi
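
The two pieces above (console user lookup, then dseditgroup) combined with an exemption list and a membership check, as an added example that is not code from any poster in this thread. The EXEMPT_ADMINS list (root, admin, jamfadmin) is an assumption; swap in your own local IT and Jamf management account names. The lookup and decision steps are separate functions so they can be checked with constructed scutil output.

```shell
#!/bin/bash
# Added example: demote the console user unless that account is exempt.

# Accounts that keep admin rights. ASSUMPTION: placeholder names; replace
# with your local IT account and the Jamf management account.
EXEMPT_ADMINS="root admin jamfadmin"

# Pull the console user out of scutil output read from stdin. Prints nothing
# when the login window is up, so callers can bail out on an empty result.
console_user_from_scutil() {
    awk '/Name :/ && ! /loginwindow/ {print $3}'
}

# Exit 0 when $1 should lose admin rights, 1 when it is empty or exempt.
should_demote() {
    user="$1"
    [ -n "$user" ] || return 1
    for exempt in $EXEMPT_ADMINS; do
        [ "$user" = "$exempt" ] && return 1
    done
    return 0
}

# dseditgroup -o checkmember exits 0 only if the account is in the group.
is_admin() {
    /usr/sbin/dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1
}

main() {
    user=$(echo "show State:/Users/ConsoleUser" | /usr/sbin/scutil | console_user_from_scutil)
    if ! should_demote "$user"; then
        echo "No change for '${user:-<nobody logged in>}'"
        exit 0
    fi
    if is_admin "$user"; then
        /usr/sbin/dseditgroup -o edit -d "$user" -t user admin \
            && echo "Removed $user from the admin group"
    else
        echo "$user is not an admin; nothing to do"
    fi
}

# Only act where dseditgroup exists (macOS); elsewhere the functions can be sourced.
[ -x /usr/sbin/dseditgroup ] && main
```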

atomczynski
Valued Contributor

Sounds good.

Thus far I only have one machine affected and this one is used by a single person. I have a Self Service icon published to my test group only (to run manually as the affected user).

blackholemac
Valued Contributor III

In terms of simple, check out the SAP Mac team’s Privileges.app.

It works well both locally as well as being customizable and enterprise-controllable: https://github.com/SAP/macOS-enterprise-privileges

atomczynski
Valued Contributor

End users are not local administrators (as a default). Thus far I have found a single computer where this was not the case.
All apps are installed automatically or Self Service.

The script is scoped to my internal test group and one affected computer to run once.
The tech assigned to the building will run the policy and once done I'll remove the computer from scope.