Jamf Nation Community

Hi All,

I’ve been recently tasked with this… & need a little help with my script.

Scripts below with output below that, basically the script errors if the account is not in the admin group. That’s fine, but I’d like to know if there is a way to turn that error result into say ‘echo “ User Not An Admin” so the script doesn’t fail.

Something like: if returned of the result =

SCRIPT:
for u in `ls /Users | grep -v "Shared"` ; do UserID=dscl . read /Users/$u | grep UniqueID | cut -c 11- if [[ "$UserID" -gt "1000" ]]; then dscl . delete /Groups/admin GroupMembership "$u" echo "Removing User $u from admin group..." else echo "User $u is local..." fi
done
exit 0

OUTPUT: Running Script 010 Remove Users From Admin Group.sh...
Script Exit Code:0
Script Result: DS Error: -14136 (eDSRecordNotFound)
User .localized is local...
User Admin is local...
Removing User btoms from admin group...
attribute status: eDSAttributeNotFound
DS Error: -14134 (eDSAttributeNotFound)
Removing User dfrancol from admin group...
attribute status: eDSAttributeNotFound
DS Error: -14134 (eDSAttributeNotFound)
Removing User nleonard from admin group...
User testfr is local...

Ben Toms
IT Support Analyst GREY Group
The Johnson Building, 77 Hatton Garden, London, EC1N 8JS
T: +44 (0) 20-3037-3819 |
Main: +44 (0) 20 3037 3000 | IT Helpdesk: +44 (0) 20 3037 3883

My cohort modified my original "grant admin rights" script to remove them (basically flipped the logic I had used in the original script I made). It picks up at $4 so you can use this with Casper Remote or a policy and you can just plunk in your values into the fields that Remote or the policy provides. If you need to run it at the command line, just throw in junk for $1, $2 and $3 before plunking down your actual user names.

j

#!/bin/sh

############################################################
# This script removes a user from the local admin group.
# It does account for duplicate entries that have to be
# removed separately.
#
# Modified: 28 June 2010
# By: Charlie Smith
############################################################

# Check if run as root
ROOT_UID="0"
if [ $UID -ne "$ROOT_UID" ] ; then
echo "Please run this script as root or with sudo rights!"
exit 1
fi

# Put into an array all users from input and normalize to all lower case.
Users[0]="$(echo ${4} | tr 'A-Z' 'a-z')"
Users[1]="$(echo ${5} | tr 'A-Z' 'a-z')"
Users[2]="$(echo ${6} | tr 'A-Z' 'a-z')"
Users[3]="$(echo ${7} | tr 'A-Z' 'a-z')"
Users[4]="$(echo ${8} | tr 'A-Z' 'a-z')"
Users[5]="$(echo ${9} | tr 'A-Z' 'a-z')"
Users[6]="$(echo ${10} | tr 'A-Z' 'a-z')"
Users[7]="$(echo ${11} | tr 'A-Z' 'a-z')"

# Assign to an arry the current members of the admin group.
# We'll need this to compare to, in case of duplicates.
Admins=(dscl . -read /Groups/admin GroupMembership | cut -d ":" -f 2)

# Set our arrays as variables.
AdminsTmp=(${Admins[@]})
AdminsToRemove=(${Users[@]})

# Comparison loop to remove user names that match.
for (( j=0 ; j <${#AdminsToRemove[@]} ; j++ ))
do
for (( i=0 ; i <${#AdminsTmp[@]} ; i++ ))
do
if [[ "${AdminsToRemove[$j]}" == "${AdminsTmp[$i]}" ]]
then
dscl . -delete /Groups/admin GroupMembership ${AdminsToRemove[$j]}
let "i++"
fi
done
done

echo "Removal complete."
echo "*** The remaining admins are: `dscl . -read /Groups/admin GroupMembership | cut -d ":" -f 2`"
exit 0

--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

Simplified version

#!/bin/bash

for u in `ls /Users | grep -v "Shared"` ; do

if [[ `dscl . read /Users/$u | awk '/UniqueID/ { print $2 }'` -gt "1000" ]]

then dscl . delete /Groups/admin GroupMembership $u

else echo "$u is not an AD user"

fi

done

exit 0

Thanks Jared & tom for the replies.

Jared, your script is great.. but we cannot pass variables to for the account names as we do not know what local network accounts are in the admin group.

Tom, your script gives DS Error's similar to mine. (your scripts below my comments here).

It looks like the error happens when the script tries to remove an account from the admin group that's not in the admin group.

So is there a way to;

1. Compare the admin GroupMembership against all users with a UserID > 1000 & only remove those that are in both?

2. if the value returned from the script equals a string to just continue?

Ben Toms
IT Support Analyst GREY Group
The Johnson Building, 77 Hatton Garden, London, EC1N 8JS
T: +44 (0) 20-3037-3819 |
Main: +44 (0) 20 3037 3000 | IT Helpdesk: +44 (0) 20 3037 3883

This is what I discovered yesterday when comparing directory services
local to directory services LDAPv3. So my script was written while I
was testing with local accounts and it works great. However, it does
not work with LDAP because the data output is way different. I barely
had time to play with it yesterday, but it would require me to rewrite
the code to reflect the changes when doing dscl look ups on the LDAPv3
database over the local database.

This seems to work well for us.. thanks for all the help with this..

#!/bin/sh

# Reads all user accounts located /Users/
for u in `ls /Users | grep -v "Shared"` ; do

# Reads Group Membership of local Admin Group for a in `dscl . read /Groups/admin GroupMembership` ; do

#Compares u to a for matches if [[ "$u" == "$a" ]]; then

# Gets UniqueID for each matched account. UserID=dscl . read /Users/$u | grep UniqueID | cut -c 11-

# If the UniqueID is above 1000 it's a network account, so remove from admin group. if [[ "$UserID" -gt "1000" ]]; then

dscl . delete /Groups/admin GroupMembership "$u"

echo "Removing Network User $u From Admin Group..."

# If UniqueID is below 1000, acount is a local account. else

echo "User $u Is A Local Admin Account..."

fi fi

done

done

exit 0

Ben Toms
IT Support Analyst GREY Group
The Johnson Building, 77 Hatton Garden, London, EC1N 8JS
T: +44 (0) 20-3037-3819 |
Main: +44 (0) 20 3037 3000 | IT Helpdesk: +44 (0) 20 3037 3883

Ok so it does remove the accounts from the admin group, yet they’ve still got admin rights… (& it’s not from nested groups).. there must be another group somewhere they’re a member off on the mac..

Ben Toms
IT Support Analyst GREY Group
The Johnson Building, 77 Hatton Garden, London, EC1N 8JS
T: +44 (0) 20-3037-3819 |
Main: +44 (0) 20 3037 3000 | IT Helpdesk: +44 (0) 20 3037 3883

So dseditgroup –o <localuser> -n . <group>

Reveals that these accounts are not under dsAttrTypeStandard:GroupMembership –

But they are appearing at dsAttrTypeStandard:GroupMembers - as their GeneratedUID..

Fun..

Ben Toms
IT Support Analyst GREY Group
The Johnson Building, 77 Hatton Garden, London, EC1N 8JS
T: +44 (0) 20-3037-3819 |
Main: +44 (0) 20 3037 3000 | IT Helpdesk: +44 (0) 20 3037 3883

The below works, but still gives the error
“Script Exit Code:0
Script Result: DS Error: -14136 (eDSRecordNotFound)
DS Error: -14136 (eDSRecordNotFound)
DS Error: -14136 (eDSRecordNotFound)
User Admin Is A Local Admin Account... “ at the beginning.

# Reads all user accounts located /Users/, returning the shortname.
for u in `ls /Users | grep -v "Shared"` ; do

# Reads Group Membership of local Admin Group for a in `dscl . read /Groups/admin GroupMembership` ; do

#Compares u to a for matches (based on shortname) if [[ "$u" == "$a" ]]; then

# Gets UniqueID for each matched account. UserID=dscl . read /Users/$u | grep UniqueID | cut -c 11-

# If the UniqueID is above 1000 it's a network account, so remove from admin group. if [[ "$UserID" -gt "1000" ]]; then

echo "Removing Network User $u From Admin Group..."

dscl . delete /Groups/admin GroupMembership "$u"

# If UniqueID is below 1000, acount is a local account. else

echo "User $u Is A Local Admin Account..."

fi fi

done

# Reads Group Membership of local Admin Group for d in `dscl . read /Groups/admin GroupMembers` ; do

#Get GeneratedUID for each matched account. GeneratedUID=dscl . read /Users/$u | grep GeneratedUID | cut -c 15-

#Compares GenatedUID to that contained within GroupMembers if [[ "$GeneratedUID" == "$d" ]]; then

# If the UniqueID is above 1000 it's a network account, so remove from admin group. if [[ "$UserID" -gt "1000" ]]; then

echo "Removing Network User with GeneratedUID $GeneratedUID from Admin Group..."

dscl . delete /Groups/admin GroupMembers "$GeneratedUID"

# If UniqueID is below 1000, acount is a local account. else

echo "User $GeneratedUID Is A Local Admin Account..." fi fi

done

done