Jamf Nation Community

KyleEricson · ‎04-24-2018

I have a self service item to make domain users a local admin if they are not one. How can I scope this to only domain users that are not local admins on that Mac?

Read My Blog: https://www.ericsontech.com

mm2270 · ‎04-24-2018

You will probably need to create an Extension Attribute that captures the "admin" state of user accounts on the Mac. There are probably a dozen examples on here of how to do that, and specifically ones that only look at either local or domain accounts. I would search around for existing EA scripts to use for that.

bentoms · ‎04-24-2018

Have a nose at: https://macmule.com/2015/11/06/ad-users-losing-admin-rights-when-off-the-domain/

jlopez007 · ‎05-25-2018

@kericson Can you share that self-service item?

KyleEricson · ‎05-25-2018

#!/bin/bash 
#
####################################################################################################
#
# Copyright (c) 2013, JOHN KITZMILLER.  All rights reserved.
#
#       THIS SOFTWARE IS PROVIDED BY JOHN KITZMILLER "AS IS" AND ANY
#       EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
#       WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#       DISCLAIMED. IN NO EVENT SHALL JOHN KITZMILLER BE LIABLE FOR ANY
#       DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
#       (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
#       LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
#       ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
#       (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
#       SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#####################################################################################################
#
# SUPPORT FOR THIS PROGRAM
#
#       This program is distributed "as is" by John Kitzmiller. For more
#       information or support for this script, please visit kitzy.org.
#
#####################################################################################################
#
# ABOUT THIS PROGRAM
#
# NAME
#   makeAdminUser.sh
#
####################################################################################################
#
# HISTORY
#
#   Version: 1.0
#
#   - Created by John Kitzmiller
#
####################################################################################################

# Check to make sure $3 is set properly by the JSS, if not, set the current username manually
# This is a workaround for D-005003 (resolved in 9.01)

if [ -z $3 ]; 
    then 
        currentUser=`stat -f '%Su' /dev/console` 
    else 
        currentUser=$3 
fi 

# Add the current user to the local admin group on the Mac

dseditgroup -o edit -a $currentUser -t user admin

if [ "$?" == "0" ];
    then
        echo "Successfully added $currentUser to admin group"
    else
        echo "ERROR: Unable to add $currentUser to admin group"
        exit 1
fi

exit 0

Read My Blog: https://www.ericsontech.com

jlopez007 · ‎05-25-2018

@kericson Thanks! Saves me the trouble of finding it or, worse, writing it myself :-)

jamflund · ‎11-09-2020

@kericson How to exclude within this script root account? Something like this?

if [ -z $3 ]; then currentUser=stat -f '%Su' /dev/console else currentUser=$3 fi

Add the current user to the local admin group on the Mac

do if [ "currentUser" != "root" ] && [ "$user" != "jadmin" ] then dseditgroup -o edit -a $currentUser -t user admin

if [ "$?" == "0" ]; then echo "Successfully added $currentUser to admin group" else echo "ERROR: Unable to add $currentUser to admin group" exit 1
fi

exit 0

Jamf Nation Community

Scope Make me a local admin

Add the current user to the local admin group on the Mac