Script Help after 10.27.0 to ignore User-Initiated Enrollment Admin Account and custom Admin Account

bern
New Contributor II

After we upgraded from Jamf 10.26.0 to Jamf 10.28.0, we noticed that our User-Initiated Enrollment Admin Account (Hidden box selected) and our Custom Admin Account (created with a Policy / Script at enrollment) were turned into Standard Accounts by the Script we use to make any Account with a UniqueID > 500 a Standard Account. Having them Hidden used to keep them from being turned into Standard Accounts. It seems that changes since Jamf 10.27.0 and changes by Apple have changed how this works.

https://support.apple.com/HT203998
https://docs.jamf.com/10.27.0/jamf-pro/release-notes/What's_New.html

Script we use to make any Account a Standard Account if the UniqueID is greater than 500:

#!/bin/bash
# Script to detect local admin accounts with a UID above 500 and demote them to
# standard users. Only the UID is considered, so hidden accounts are caught too.
# Generate the list of users with a UID greater than 500 (dscl prints "name uid").

for username in $(dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }'); do

    # Check which usernames are reported as admins. dsmemberutil prints
    # "user is a member of the group" or "user is not a member of the group",
    # so any output that does NOT contain "not" belongs to an admin account
    # (i.e. not a standard user).

    if [[ $(dsmemberutil checkmembership -U "${username}" -G admin) != *not* ]]; then
        /usr/sbin/dseditgroup -o edit -d "${username}" -t user admin
    fi
done

Script we use to make our Custom Hidden Admin Account for management:

#!/bin/bash
# $4 is the account password passed in as a Jamf policy parameter; policy scripts already run as root, so sudo is not needed
jamf createAccount -username CUSTOMADMIN -password "$4" -realname CUSTOMADMIN -home /private/var/CUSTOMADMIN -admin -hiddenUser -suppressSetupAssistant
pwpolicy -u CUSTOMADMIN -setpolicy "minChars=8"
dseditgroup -o edit -a CUSTOMADMIN -t user admin   # must name the same account created above

We also have the User-Initiated Enrollment Admin Account, which is Hidden, but our Script now catches that Account and turns it into a Standard Account too, which means we can't use Jamf Remote to remote into those systems since that Account is no longer an Admin Account.

I was hoping to get assistance with a new Script which still turns new Accounts into Standard Accounts but keeps the User-Initiated Enrollment Admin Account and our custom Admin Account as Admin Accounts.

Really appreciate your time and help! Thank you!


bern
New Contributor II

Found a script posted by @palmeida that worked perfectly! Thank you!

#!/bin/sh

# Read the direct members of the local admin group. dscl prints
# "GroupMembership: root user1 user2 ..."; strip the attribute name.
# Note: this lists direct members only; an account that is an admin
# through a nested group would not appear here.
adminUsers=$(dscl . -read Groups/admin GroupMembership | sed 's/^GroupMembership: //')

for user in $adminUsers
do
    # Keep root and the two management accounts, demote everyone else.
    # Replace CUSTOMADMINHERE / JAMFADMINHERE with the real account names.
    if [ "$user" != "root" ]  && [ "$user" != "CUSTOMADMINHERE" ]  && [ "$user" != "JAMFADMINHERE" ]
    then
        dseditgroup -o edit -d "$user" -t user admin
        if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi
    else
        echo "Admin user $user left alone"
    fi
done
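As an added example that is not part of this thread (neither bern's nor @palmeida's code): a version that combines the two approaches above. It selects accounts by UID > 500 like the original script, skips an allow-list like the reply, checks membership with dsmemberutil (which resolves admin rights the way macOS does, nested groups included, instead of parsing the GroupMembership attribute), has a dry-run mode, and re-adds an allow-listed management account that has been demoted. The account names CUSTOMADMIN and JAMFADMIN and the use of Jamf policy parameter $4 as the run mode are assumptions; the sample `dscl` output in the usage note is constructed.

```shell
#!/bin/sh
# Added example, not code from this thread. Demotes every local admin account
# with a UID above 500 unless it is allow-listed, and re-adds allow-listed
# management accounts that have lost admin rights. Account names and the use
# of Jamf policy parameter $4 as the run mode are assumptions.

KEEP_ADMINS="root CUSTOMADMIN JAMFADMIN"   # assumed allow-list: replace with your account names

# is_allowlisted NAME: succeed if NAME is one of KEEP_ADMINS
is_allowlisted() {
    for keep in $KEEP_ADMINS; do
        [ "$1" = "$keep" ] && return 0
    done
    return 1
}

# uid_in_scope UID: succeed if UID is numeric and above 500 (regular user range)
uid_in_scope() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 500 ]
}

# select_candidates: read "name uid" lines (the output format of
# `dscl . list /Users UniqueID`) on stdin and print the names that are in
# scope and not allow-listed. Hidden accounts get no special treatment:
# only the UID and the allow-list decide.
select_candidates() {
    while read -r name uid; do
        [ -n "$name" ] || continue
        uid_in_scope "$uid" || continue
        is_allowlisted "$name" && continue
        printf '%s\n' "$name"
    done
}

# is_admin NAME: ask dsmemberutil, which resolves membership the way the OS
# does (nested groups included), unlike reading the GroupMembership attribute.
is_admin() {
    case "$(dsmemberutil checkmembership -U "$1" -G admin 2>/dev/null)" in
        *"is a member"*) return 0 ;;
        *) return 1 ;;
    esac
}

# demote NAME / promote NAME: with DRY_RUN=1 only report what would change
demote() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "would demote $1"; return 0; fi
    dseditgroup -o edit -d "$1" -t user admin && echo "Removed $1 from admin group"
}
promote() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "would re-add $1"; return 0; fi
    dseditgroup -o edit -a "$1" -t user admin && echo "Re-added $1 to admin group"
}

main() {
    dscl . list /Users UniqueID | select_candidates | while read -r name; do
        is_admin "$name" && demote "$name"
    done
    # Make sure the allow-listed management accounts still have admin rights.
    for keep in $KEEP_ADMINS; do
        [ "$keep" = root ] && continue
        id "$keep" >/dev/null 2>&1 || continue   # skip names that do not exist on this Mac
        is_admin "$keep" || promote "$keep"
    done
}

# Jamf passes policy script parameters starting at $4 ($1-$3 are reserved).
# Set parameter 4 to "dry-run" for a first pass, then "apply". With no mode
# given the script only defines the functions above.
case "${4:-}" in
    dry-run) DRY_RUN=1; main ;;
    apply)   main ;;
esac
```

Run it by hand as `sh demote.sh "" "" "" dry-run` to see what would be demoted before wiring it into a policy with parameter 4 set to `apply`. On a constructed user list such as `root 0`, `_mbsetupuser 248`, `alice 501`, `CUSTOMADMIN 502`, `bob 503`, `JAMFADMIN 504`, `select_candidates` yields only `alice` and `bob`; whether each of those is actually demoted then depends on the dsmemberutil check.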