Script removal of admin rights from mobile (AD) accounts

winterboer
New Contributor III

I've been looking thru the discussions trying to find a script that will help me remove admin rights from users with mobile accounts on Macs running Catalina.

We do have a few local accounts that I'd need to exclude from having their admin rights removed.

We're in the process of moving to Beyond Trust and need to remove users admin rights before it will actually work correctly.

Thanks!


geoff_widdowson
Contributor II

I use the script below. The accounts in the If statement are the ones being excluded.

#!/bin/sh

# Current members of the local admin group ("GroupMembership: " prefix is 17 characters, so cut drops it)
adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)

for user in $adminUsers
do
    # Accounts named here keep their admin rights
    if [ "$user" != "root" ] && [ "$user" != "Administrator" ] && [ "$user" != "jss_mgmt" ]
    then
        dseditgroup -o edit -d "$user" -t user admin
        if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi
    else
        echo "Admin user $user left alone"
    fi
done

mm2270
Legendary Contributor III

The script from @geoff.widdowson above could work and it correctly uses the dseditgroup command which is the preferred way, but it doesn't specifically target just mobile accounts. It could remove admin rights from other local accounts. That could be a benefit or not, depending on your environment.
If that's something you want to be sure of avoiding, you could target accounts that have UIDs above a certain range. Generally, anything in the 1000+ UID range is a directory account of some kind, like cached AD mobile accounts.

However, a better way is to check for the existence of the OriginalAuthenticationAuthority key in the user details with something like dscl which only shows up on accounts that derive from an external directory.
See this thread for an example I posted a while back:
https://www.jamf.com/jamf-nation/discussions/14779/script-to-detect-if-logged-in-user-is-mobile-cach...

winterboer
New Contributor III

@geoff.widdowson I assume I'd need to reboot to complete this?

@mm2270 Do you have an example script where you would use this in conjunction with @geoff.widdowson's script? There are some local accounts that need to be excluded, which I was able to do in Geoff's script.

mm2270
Legendary Contributor III

Sure, here's an example I just put together. Can't say I've tested this since I no longer have access to machines with cached AD mobile accounts on them at the moment, but it should work. Just be sure to test this out carefully on a test VM or machine first.

#!/bin/zsh

## This finds all accounts with UIDs above 500, but you can change that to 1000 to ensure it's not even looking at most local accounts.
users_list=$(dscl . list /Users UniqueID | awk '$2 > 500 {print $1}')

while read user; do
    echo "Checking $user"
    ## This checks for the existence of the 'OriginalAuthenticationAuthority' key in the user account, which indicates a mobile AD account
    if [[ $(dscl . read /Users/"$user" OriginalAuthenticationAuthority 2>/dev/null) ]]; then
        echo "User $user is a mobile account. Checking admin status..."
        ## Here we check to see if it's an admin before trying to remove admin rights
        ## (checkmember exits 0 for a member; its output is discarded so only the exit status matters)
        if dseditgroup -o checkmember -m "$user" admin > /dev/null 2>&1; then
            echo "User $user has local admin privileges. Removing privileges now..."
            dseditgroup -o edit -d "$user" -t user admin
            if [ "$?" = "0" ]; then
                echo "Successfully removed admin rights from $user"
            else
                echo "An error occurred trying to remove admin rights from $user"
            fi
        else
            echo "User $user is not a local admin. Skipping..."
        fi
    else
        echo "User $user is not a mobile account. Skipping..."
    fi
done < <(echo "$users_list")

Alternatively, if @geoff.widdowson's script is working ok for you and you can safely exclude any local accounts you need to, there's no reason to overcomplicate things.
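An added example, not code posted by anyone in this thread: it combines the exclusion list from geoff.widdowson's script with the OriginalAuthenticationAuthority check described above, so a listed local account is never demoted and an unlisted plain local account is left alone too. The excluded names are assumptions; the decision logic is kept in a function that takes the dscl output as an argument so it can be exercised without touching Directory Services.

```sh
#!/bin/sh
# Added example, not code from anyone in this thread: combines an exclusion
# list (as in geoff.widdowson's script) with the OriginalAuthenticationAuthority
# check mm2270 describes, so only mobile (directory-backed) admins are demoted.

# Local accounts that keep admin rights; these names are assumptions, edit for your site.
EXCLUDE="root Administrator jss_mgmt"

# should_demote USER OAA_OUTPUT
#   USER       = account short name
#   OAA_OUTPUT = stdout of `dscl . -read /Users/USER OriginalAuthenticationAuthority`
#                (empty when the key is absent, i.e. a plain local account)
# Returns 0 when USER is not excluded and is a mobile account, 1 otherwise.
should_demote() {
    user=$1
    oaa=$2
    for keep in $EXCLUDE; do
        [ "$user" = "$keep" ] && return 1
    done
    case $oaa in
        OriginalAuthenticationAuthority:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Walk the local admin group and demote every member that should_demote approves.
demote_mobile_admins() {
    for user in $(dscl . -read /Groups/admin GroupMembership | cut -d: -f2); do
        oaa=$(dscl . -read "/Users/$user" OriginalAuthenticationAuthority 2>/dev/null)
        if should_demote "$user" "$oaa"; then
            if dseditgroup -o edit -d "$user" -t user admin; then
                echo "Removed admin rights from mobile account $user"
            else
                echo "Failed to remove admin rights from $user" >&2
            fi
        else
            echo "Leaving $user alone"
        fi
    done
}

# Only touch Directory Services when the tools exist (i.e. on a Mac).
if command -v dseditgroup >/dev/null 2>&1; then
    demote_mobile_admins
fi
```

Run it as root (for example from a Jamf policy); a user who is currently logged in keeps admin group membership in existing sessions until they log out.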

geoff_widdowson
Contributor II

@winterboer A reboot if one of the users is currently logged on, but otherwise no.

a_hebert
Contributor

This is the script we used to get rid of admin rights from accounts that weren't in our admin list. Once admin rights are removed it will make sure the user can add wireless and printers. It will also write a log file to /Library/Application Support/JAMF/bin. This one worked in our environment.

#!/bin/bash

# This script will remove admin privileges from any unauthorized admins

useIcon=/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertNoteIcon.icns
JHELPER="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
LOG="/Library/Application Support/JAMF/bin/removeadmin.log"
# Owner of the console device: "root" when nobody is logged in (defined here because it is used below)
currentUser=$(stat -f%Su /dev/console)

##################Change user1, user2, etc to the users you want excluded####################
adminsList=$(dscacheutil -q group -a name admin | grep -v ^name | grep -v ^pass | grep -v ^gid | awk '{gsub("users:|user1|user2|user3|user4", "");print}')

# The log path contains a space, so it has to be quoted
if [ ! -f "$LOG" ]; then
    touch "$LOG"
    echo "[$(date)]: Created Log file" >> "$LOG"
fi

echo "[$(date)]: Checking for local admins" >> "$LOG"
if [[ ! -z "$adminsList" ]]; then

  for uAdmin in $adminsList; do
      /usr/sbin/dseditgroup -o edit -d "$uAdmin" -t user admin
      echo "[$(date)]: Removing $uAdmin" >> "$LOG"

      sleep 2

      # Keep the demoted user able to manage printers via the _lpadmin group
      lpadminChk=$(dscacheutil -q group -a name _lpadmin | grep "$uAdmin")

      while [ -z "$lpadminChk" ]; do
        echo "[$(date)]: Make $uAdmin a Printer Admin" >> "$LOG"
        /usr/bin/dscl . append /Groups/_lpadmin GroupMembership "$uAdmin"
        lpadminChk=$(dscacheutil -q group -a name _lpadmin | grep "$uAdmin")
      done
  done

  if [[ "$currentUser" != "root" ]]; then
      # Someone is logged in: ask them to restart instead of rebooting underneath them
      MESSAGE="Your account has been updated to meet new standards and your computer needs to reboot. Save any unsaved work and close any open programs and restart your computer as soon as it is convenient."

      THEMESSAGE=$("$JHELPER" -windowType utility -title "Systems Admin" -heading "Account Update" -description "$MESSAGE" -button1 "OK" -defaultButton 1 -icon "$useIcon" -iconSize 64)

      if [ "$THEMESSAGE" == "0" ]; then
          #/sbin/reboot
          exit 0
      fi
  else
      # Nobody at the console: reboot now
      /sbin/reboot
      exit 0
  fi

else
    echo "[$(date)]: None found" >> "$LOG"
fi

exit 0

jhuls
Contributor III

@winterboer If you don't mind, can you explain what you mean by "We're in the process of moving to Beyond Trust and need to remove users admin rights before it will actually work correctly."

Why would you need to remove admin rights for this to work correctly?