Posted on 11-05-2020 10:34 AM
I've been looking through the discussions trying to find a script that will help me remove admin rights from users with mobile accounts on Macs running Catalina.
We do have a few local accounts that I'd need to exclude from having their admin rights removed.
We're in the process of moving to Beyond Trust and need to remove users admin rights before it will actually work correctly.
Thanks!
Posted on 11-05-2020 11:57 AM
I use the script below. The accounts in the If statement are the ones being excluded.
#!/bin/sh
# Members of the local admin group. Strip the "GroupMembership:" label instead of
# relying on a fixed character offset, so the parse does not break if the label changes.
adminUsers=$(dscl . -read /Groups/admin GroupMembership | sed 's/^GroupMembership://')
for user in $adminUsers
do
    # Accounts named here keep their admin rights.
    if [ "$user" != "root" ] && [ "$user" != "Administrator" ] && [ "$user" != "jss_mgmt" ]
    then
        if dseditgroup -o edit -d "$user" -t user admin; then
            echo "Removed user $user from admin group"
        fi
    else
        echo "Admin user $user left alone"
    fi
done
Posted on 11-05-2020 12:15 PM
The script from @geoff.widdowson above could work, and it correctly uses the dseditgroup command, which is the preferred way, but it doesn't specifically target just mobile accounts. It could remove admin rights from other local accounts. That could be a benefit or not, depending on your environment.
If that's something you want to be sure of avoiding, you could target accounts that have UIDs above a certain range. Generally, anything in the 1000+ UID range is a directory account of some kind, like a cached AD mobile account.
However, a better way is to check, with something like dscl, for the existence of the OriginalAuthenticationAuthority key in the user details, which only shows up on accounts that derive from an external directory.
See this thread for an example I posted a while back:
https://www.jamf.com/jamf-nation/discussions/14779/script-to-detect-if-logged-in-user-is-mobile-cach...
Posted on 11-05-2020 02:05 PM
@geoff.widdowson I assume I'd need to reboot to complete this?
@mm2270 Do you have an example script where you would use this in conjunction with @geoff.widdowson's script? There are some local accounts that need to be excluded, which I was able to do in Geoff's script.
Posted on 11-05-2020 02:50 PM
Sure, here's an example I just put together. Can't say I've tested this since I no longer have access to machines with cached AD mobile accounts on them at the moment, but it should work. Just be sure to test this out carefully on a test VM or machine first.
#!/bin/zsh
## This finds all accounts with UIDs above 500, but you can change that to 1000 to ensure it's not even looking at most local accounts.
users_list=$(dscl . list /Users UniqueID | awk '$2 > 500 {print $1}')
while read user; do
    echo "Checking $user"
    ## This checks for the existence of the 'OriginalAuthenticationAuthority' key in the user account, which indicates a mobile AD account.
    ## The test is on dscl's output, not its exit status, since a missing key only produces a "No such key" message.
    if [[ -n "$(dscl . read /Users/"$user" OriginalAuthenticationAuthority 2>/dev/null)" ]]; then
        echo "User $user is a mobile account. Checking admin status..."
        ## Here we check to see if it's an admin before trying to remove admin rights.
        ## checkmember exits 0 when the account is a member, so test the exit status directly
        ## rather than capturing output (stderr text would otherwise end up in the comparison).
        if dseditgroup -o checkmember -m "$user" admin >/dev/null 2>&1; then
            echo "User $user has local admin privileges. Removing privileges now..."
            if dseditgroup -o edit -d "$user" -t user admin; then
                echo "Successfully removed admin rights from $user"
            else
                echo "An error occurred trying to remove admin rights from $user"
            fi
        else
            echo "User $user is not a local admin. Skipping..."
        fi
    else
        echo "User $user is not a mobile account. Skipping..."
    fi
done < <(echo "$users_list")
Alternatively, if @geoff.widdowson's script is working ok for you and you can safely exclude any local accounts you need to, there's no reason to overcomplicate things.
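As an added example (not code from the thread or from either poster), the script below combines the OriginalAuthenticationAuthority check described above with an exclusion list like the one in @geoff.widdowson's script, adds a dry-run mode, and verifies each removal with `dseditgroup -o checkmember` instead of assuming the edit worked. The names in EXCLUDE, the log path, and the use of the /dev/console owner to flag a logged-in user are assumptions for illustration. The planning step (which accounts to touch) is pure shell that takes dscl's GroupMembership output as a string, so it can be exercised with constructed input before it is ever run against a real machine.

```shell
#!/bin/sh
# Added example, not from the thread: strip admin rights from directory-backed
# (mobile) accounts, honour an exclusion list, support a dry run, and verify the
# result with dseditgroup. EXCLUDE names and the log path are assumptions.

EXCLUDE="root Administrator jss_mgmt"   # assumed accounts that keep admin rights
LOG="/var/log/removeadmin.log"          # assumed log path (Jamf runs scripts as root)
MOBILE_ONLY=1                           # 1 = only accounts with OriginalAuthenticationAuthority

log() { printf '[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" | tee -a "$LOG"; }

# Parse member names out of "dscl . -read /Groups/admin GroupMembership" output,
# one per line. Handles the one-line form ("GroupMembership: root jdoe") and the
# multi-line form dscl uses when a value contains spaces.
parse_members() {
    printf '%s\n' "$1" | sed 's/^GroupMembership://' | tr ' ' '\n' | sed '/^$/d'
}

# Exit 0 if $1 is exactly one of the space-separated names in $2. Whole-word
# compare, so excluding "user1" does not also exclude "user10".
in_list() {
    local name="$1" item
    for item in $2; do
        [ "$item" = "$name" ] && return 0
    done
    return 1
}

# Pure planning step (testable without dscl): given raw GroupMembership output
# ($1), the exclusion list ($2), the names known to be mobile accounts ($3) and
# the MOBILE_ONLY flag ($4), print the accounts to remove, one per line.
plan_removals() {
    local raw="$1" exclude="$2" mobile="$3" mobile_only="$4" user
    for user in $(parse_members "$raw"); do
        in_list "$user" "$exclude" && continue
        [ "$mobile_only" = 1 ] && ! in_list "$user" "$mobile" && continue
        printf '%s\n' "$user"
    done
}

# macOS-only helpers. OriginalAuthenticationAuthority exists only on accounts that
# came from a directory, so the presence of output (not dscl's exit code) is the test.
is_mobile() {
    [ -n "$(dscl . -read "/Users/$1" OriginalAuthenticationAuthority 2>/dev/null)" ]
}
mobile_members() {
    local u
    for u in $(parse_members "$1"); do
        is_mobile "$u" && printf '%s ' "$u"
    done
    return 0
}

main() {
    local mode="$1" raw mobile console user
    raw=$(dscl . -read /Groups/admin GroupMembership)
    mobile=$(mobile_members "$raw")
    console=$(stat -f %Su /dev/console)   # "root" when nobody is logged in
    for user in $(plan_removals "$raw" "$EXCLUDE" "$mobile" "$MOBILE_ONLY"); do
        if [ "$mode" = "--dry-run" ]; then
            log "DRY RUN: would remove $user from admin"
            continue
        fi
        dseditgroup -o edit -d "$user" -t user admin
        # checkmember exits 0 while the account is still a member: verify, do not assume.
        if dseditgroup -o checkmember -m "$user" admin >/dev/null 2>&1; then
            log "ERROR: $user is still in the admin group"
        elif [ "$user" = "$console" ]; then
            log "Removed $user from admin; $user is logged in, so a logout or reboot is needed"
        else
            log "Removed $user from admin"
        fi
    done
}

# Only act when a mode is given, so the functions can be sourced or tested on their own.
case "${1:-}" in
    --dry-run|--apply) main "$1" ;;
    *) echo "usage: $0 --dry-run | --apply" >&2 ;;
esac
```

Run it with `--dry-run` first and read the log before switching to `--apply`. Setting MOBILE_ONLY to 0 gives the behaviour of the first script in the thread (every admin not on the exclusion list), while 1 limits it to cached directory accounts as discussed above.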
Posted on 11-06-2020 12:32 AM
@winterboer A reboot if one of the users is currently logged on, but otherwise no.
Posted on 11-06-2020 06:02 AM
This is the script we used to get rid of admin rights from accounts that weren't in our admin list. Once admin rights are removed, it will make sure the user can add wireless and printers. It will also write a log file to /Library/Application Support/JAMF/bin. This one worked in our environment.
#!/bin/bash
# This script will remove admin privileges from any unauthorized admins
useIcon=/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertNoteIcon.icns
JHELPER="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
# The log path contains a space, so it lives in a variable and is quoted everywhere it is used
LOG="/Library/Application Support/JAMF/bin/removeadmin.log"
# Account that owns the console ("root" at the login window); decides whether to prompt or just reboot
currentUser=$(/usr/bin/stat -f %Su /dev/console)
##################Change user1, user2, etc to the users you want excluded. Keep root: it is listed in the admin group too####################
excludedUsers="root user1 user2 user3 user4"

# Exact-name match, so excluding "user1" does not also exclude "user10"
isExcluded() {
    local u
    for u in $excludedUsers; do
        [ "$u" = "$1" ] && return 0
    done
    return 1
}

# Members of the admin group (the "users:" line of dscacheutil) that are not on the exclusion list
adminsList=""
for member in $(/usr/bin/dscacheutil -q group -a name admin | awk '/^users:/ {$1=""; print}'); do
    isExcluded "$member" || adminsList="$adminsList $member"
done
if [ ! -f "$LOG" ]; then
    touch "$LOG"
    echo "[$(date)]: Created Log file" >> "$LOG"
fi
echo "[$(date)]: Checking for local admins" >> "$LOG"
if [[ ! -z "$adminsList" ]]; then
    for uAdmin in $adminsList; do
        /usr/sbin/dseditgroup -o edit -d "$uAdmin" -t user admin
        echo "[$(date)]: Removing $uAdmin" >> "$LOG"
        sleep 2
        # Keep the user able to manage printers: add to _lpadmin if not already a member
        if ! /usr/sbin/dseditgroup -o checkmember -m "$uAdmin" _lpadmin >/dev/null 2>&1; then
            echo "[$(date)]: Make $uAdmin a Printer Admin" >> "$LOG"
            /usr/sbin/dseditgroup -o edit -a "$uAdmin" -t user _lpadmin
        fi
    done
    if [[ "$currentUser" != "root" ]]; then
        MESSAGE="Your account has been updated to meet new standards and your computer needs to reboot. Save any unsaved work and close any open programs and restart your computer as soon as it is convenient."
        THEMESSAGE=$("$JHELPER" -windowType utility -title "Systems Admin" -heading "Account Update" -description "$MESSAGE" -button1 "OK" -defaultButton 1 -icon "$useIcon" -iconSize 64)
        if [ "$THEMESSAGE" == "0" ]; then
            #/sbin/reboot
            exit 0
        fi
    else
        /sbin/reboot
        exit 0
    fi
else
    echo "[$(date)]: None found" >> "$LOG"
fi
exit 0
Posted on 11-06-2020 06:12 AM
@winterboer If you don't mind, can you explain what you mean by "We're in the process of moving to Beyond Trust and need to remove users admin rights before it will actually work correctly."
Why would you need to remove admin rights for this to work correctly?