Posted on 03-09-2020 11:03 AM
I'm looking to remove administrator level access from mobile accounts.
I have an extension attribute which lists admin level accounts on a machine and looks like I only have a few computers to clean up.
I'm looking for a script which removes local administrator access from the currently logged-in user. Thus far I've found scripts that remove it from all users except the ones listed.
I wonder if there is something simpler out there.
Posted on 03-09-2020 11:07 AM
Hey,
I’m using something like this:
#!/bin/sh
adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)  # strip the 17-character "GroupMembership: " prefix, leaving the member names
for user in $adminUsers
do
if [ "$user" != "root" ] && [ "$user" != "admin" ] && [ "$user" != "jadmin" ]  # accounts that keep admin rights
then
    dseditgroup -o edit -d "$user" -t user admin  # -d removes the user from the admin group
    if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi
else
    echo "Admin user $user left alone"
fi
done
Posted on 03-09-2020 11:13 AM
Thanks for the speedy reply.
I see that on line 5 you specify which users are not affected.
Do I need to add the Jamf management account to this list or is this one omitted?
Posted on 03-09-2020 11:13 AM
I'm guessing one of the scripts you found could be adapted pretty easily to only work on the currently logged in user.
Getting the logged in user (multiple ways to do this):
loggedInUser=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ {print $3}')
Removing admin rights from that user:
/usr/sbin/dseditgroup -o edit -d "$loggedInUser" -t user admin
Combine the above lines together into a script for a simple version. Should be easy enough.
Posted on 03-09-2020 11:33 AM
Based on the info I've created the following:
#!/bin/bash
loggedInUser=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ {print $3}')
/usr/sbin/dseditgroup -o edit -d "$loggedInUser" -t user admin
then logged out and back in, and now I see that the user is no longer an admin.
This will only run it for the currently logged in account, right?
Anything else? Thank you.
Posted on 03-09-2020 12:22 PM
Did you set it up to run on login? It sounds like it based on what you posted above. If so, then generally speaking that should be all you need to do.
However, if you have a local admin account on all your Macs that you use, such as an IT account, and if it's something techs log in with from time to time, I would consider adding a check to make sure the $loggedInUser is not that account, and if it is, to just exit without doing anything. Otherwise, if the next login happens to be that local IT admin account, the script won't discriminate and will just remove admin rights from that account, which I'm guessing you wouldn't want.
Something like this should work for you in case the above scenario is a concern.
#!/bin/bash
localITAccount="username" ## Change username to your actual local admin account
loggedInUser=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ {print $3}')
if [ "$loggedInUser" != "$localITAccount" ]; then
/usr/sbin/dseditgroup -o edit -d "$loggedInUser" -t user admin
else
echo "Logged in user $loggedInUser is the local IT admin account. Exiting without making changes..."
exit 0
fi
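A fuller version of the check discussed in this thread, added here as an example and not taken from any post: it combines the logged-in-user lookup with a keep list (the names root, admin, itadmin and jamfmgmt are placeholders standing in for the built-in accounts, the local IT account and the Jamf management account), does nothing at the login window, only touches the user when they are actually in the admin group, and verifies with dseditgroup -o checkmember that the removal took.

```sh
#!/bin/sh
# Added example, not code from the thread: demote the console user unless the
# account is on a keep list. The names in KEEP_ADMIN are placeholders.
# Accounts that keep admin rights: built-ins, the local IT account and the
# Jamf management account (placeholder names, edit for your environment).
KEEP_ADMIN="root admin itadmin jamfmgmt"

# Decision only, no side effects: prints demote, keep or skip.
should_demote() {
    user="$1"
    # Empty or loginwindow means nobody is logged in; do nothing.
    if [ -z "$user" ] || [ "$user" = "loginwindow" ]; then
        echo skip; return 0
    fi
    for keep in $KEEP_ADMIN; do
        if [ "$user" = "$keep" ]; then
            echo keep; return 0
        fi
    done
    echo demote
}

# Same console-user lookup as the thread, written without a bash here-string.
console_user() {
    echo "show State:/Users/ConsoleUser" | /usr/sbin/scutil \
        | awk '/Name :/ && ! /loginwindow/ {print $3}'
}

# Act only when the user is really an admin, then verify the removal took.
demote_if_needed() {
    user="$1"
    case "$(should_demote "$user")" in
        keep) echo "$user is on the keep list; leaving admin rights"; return 0 ;;
        skip) echo "No console user; exiting"; return 0 ;;
    esac
    if ! /usr/sbin/dseditgroup -o checkmember -m "$user" admin >/dev/null 2>&1; then
        echo "$user is not an admin; nothing to do"; return 0
    fi
    /usr/sbin/dseditgroup -o edit -d "$user" -t user admin
    if /usr/sbin/dseditgroup -o checkmember -m "$user" admin >/dev/null 2>&1; then
        echo "ERROR: $user is still in the admin group"; return 1
    fi
    echo "Removed admin rights from $user"
}

# Only act on a Mac; elsewhere the functions can be sourced and checked.
if [ -x /usr/sbin/scutil ]; then
    demote_if_needed "$(console_user)"
fi
```

Run it as root (for example from a Jamf policy), since dseditgroup needs privileges to edit the admin group.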
Posted on 03-09-2020 01:01 PM
Sounds good.
Thus far I only have one machine affected and this one is used by a single person. I have a Self Service icon published to my test group only (to run manually as the affected user).
Posted on 03-10-2020 09:02 AM
In terms of something simple, check out the SAP Mac team's Privileges.app.
It works well locally and is also customizable and enterprise-controllable: https://github.com/SAP/macOS-enterprise-privileges
Posted on 03-10-2020 11:04 AM
End users are not local administrators (by default). Thus far I've found a single computer where this was not the case.
All apps are installed automatically or Self Service.
The script is scoped to my internal test group and one affected computer to run once.
The tech assigned to the building will run the policy and once done I'll remove the computer from scope.