Script to demote a specific user (account) from admin to standard user

jttavares
New Contributor III

I know this has been asked many times, but I can't seem to find a specific script I can use in a policy to demote a specific user from admin to standard. All our accounts are local accounts. We have been doing some auditing and see too many admin accounts out there and are targeting specific users on specific remote/off site Macs. I have seen scripts that target all users except "admin123" and demote everyone else but that admin account. I need to specifically target a user by account name. I am not good at scripting, which is why I am asking for help. Appreciate any feedback or suggestions.

Thank You.

1 ACCEPTED SOLUTION

atomczynski
Valued Contributor

You could try the following

Policy
Files and Process
Execute Command

dseditgroup -o edit -d nameoftheusertodemotegoeshere -t user -L admin

 

example

dseditgroup -o edit -d localadministrator -t user -L admin


3 REPLIES


Thank you! @atomczynski I need to learn scripting. I assume I should start with zsh instead of bash? Any thoughts on that?

 

fotofojo
New Contributor III

A while back I found someone posted a way to elevate from standard to admin using this line:

dseditgroup -o edit -a "$(who | awk '/console/{ print $1 }')" -t user admin

What I liked about this is that it will apply to whoever is logged in at the current time. My question is, what would be a similar line that would demote the currently logged in user back to standard? Changing "admin" to "standard" does not work.
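
A script form of the `dseditgroup -o edit -d` command from the accepted solution, as an added example that is not part of any post in this thread: it validates the account name, refuses to touch a protected account, and confirms the removal took effect. It assumes a Jamf policy script running as root, with the account to demote in parameter `$4` and a hypothetical protected management account in `$5`; the `-o checkmember` call is standard `dseditgroup` usage that does not appear in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: demote ONE named local account.
# Assumptions: runs as root from a Jamf policy; $4 = account to demote,
# $5 = management admin account that must never be demoted (hypothetical).

# Accept only simple short names so nothing unexpected reaches dseditgroup.
valid_name() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# True when the account is currently a member of the local admin group.
is_admin() {
    dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1
}

# demote_user <account> <protected-account>
# Returns 0 demoted, 1 refused, 2 already standard, 3 removal failed.
demote_user() {
    valid_name "$1" || { echo "refused: bad account name '$1'" >&2; return 1; }
    if [ "$1" = "root" ] || [ "$1" = "$2" ]; then
        echo "refused: '$1' is protected" >&2
        return 1
    fi
    is_admin "$1" || { echo "'$1' is not in admin, nothing to do"; return 2; }
    dseditgroup -o edit -d "$1" -t user admin || return 3
    # Re-check membership instead of trusting the exit status alone.
    if is_admin "$1"; then
        echo "'$1' is still in admin after removal" >&2
        return 3
    fi
    echo "'$1' demoted to standard"
}

# Only act when a target was passed, so sourcing this file changes nothing.
if [ -n "${4:-}" ]; then
    demote_user "$4" "${5:-}"
    rc=$?
    [ "$rc" -eq 2 ] && rc=0   # already standard is not a policy failure
    exit "$rc"
fi
```

Naming the management account in `$5` keeps a mistyped or mis-scoped policy from removing the last working administrator on a remote Mac.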