Solved

Script to remove Admin Access



I am looking for a script to remove admin access on 100 machines that are using AD accounts. We have a local admin that I want to remain, and be the only admin.

Any ideas?

Best answer by mm2270

15 replies

mm2270
  • Legendary Contributor
  • 7880 replies
  • August 11, 2014

So, you want to remove all accounts (AD based) from the local admin group? Do your AD settings also need to be adjusted? Meaning, do you have to remove any AD groups from the AD settings under the Administrative tab?

If this is only a matter of getting the accounts out of the local admin group, there are probably 4-5 other threads that cover this. To point you in the right direction, do a search for dseditgroup. That's the tool you'll want to use in whatever script you go with.


  • Author
  • Contributor
  • 286 replies
  • August 12, 2014

I have not been able to find one script to use on all the computers. I can only seem to find scripts to remove individual users, and I want all AD users removed from all computers. Anyone who knows how to do this, please advise.


bentoms
  • Legendary Contributor
  • 4331 replies
  • August 12, 2014

Took me 2 minutes of searching, I think this is what you're after: https://jamfnation.jamfsoftware.com/discussion.html?id=8150#responseChild43381


  • Author
  • Contributor
  • 286 replies
  • August 12, 2014

Thanks @mm2270 and @bentoms - unfortunately I had seen those posts but not been able to get it to work. I am having the same problem as another poster in that discussion, jhbush1973.

https://jamfnation.jamfsoftware.com/discussion.html?id=8150#responseChild43381

UserList=$( dscl . list /Users UniqueID | awk '$2 >= 501 {print $1}' | grep -v administrator )

# Note: because "$UserList" is quoted, the loop body runs only once with the whole
# multi-line list as a single word, so dseditgroup gets every name on one command line.
for USER in "$UserList"; do /usr/sbin/dseditgroup -o edit -d $USER -t user admin
done

If I run the command locally on the machine - /usr/sbin/dseditgroup -o edit -d $USER -t user admin, where for $USER I put in the name of a user I want to remove - the command runs with no error, but running the script above from Casper results in the following in the log: Script result: Group not found.

The machine was on and logged in, not at the startup screen. I am trying to find a script that works, or a fix to make this one work.

Thanks!


mm2270
  • Legendary Contributor
  • 7880 replies
  • August 12, 2014

Try it as a bash script with process substitution. It may work better:

#!/bin/bash

# Read one account name per line from the process substitution below.
# -r stops read from eating backslashes; quoting "$useraccount" keeps
# each name as a single argument to dseditgroup.
while read -r useraccount; do
    /usr/sbin/dseditgroup -o edit -d "$useraccount" -t user admin
done < <(dscl . list /Users UniqueID | awk '$2 >= 501 {print $1}' | grep -v administrator)

  • Author
  • Contributor
  • 286 replies
  • August 18, 2014

@mm2270 - I ran your script as a policy and it removed admin access from all the users including the two local admins. My local admins are 501 & 502.


mm2270
  • Legendary Contributor
  • 7880 replies
  • Answer
  • August 18, 2014

What are they named? My script looks at all accounts in the 501 and up range and only excludes anything called "administrator" explicitly, so if they are called something else, that would be why it affected them. You need to change the grep -v to use whatever names you want to exclude, or, you could simply look at accounts with UIDs from 503 and up instead:

#!/bin/bash

# Same loop as before, but the awk filter now only emits accounts with
# UID 503 and up, so the two local admins at 501 and 502 are never touched.
while read -r useraccount; do
    /usr/sbin/dseditgroup -o edit -d "$useraccount" -t user admin
done < <(dscl . list /Users UniqueID | awk '$2 >= 503 {print $1}')

  • Author
  • Contributor
  • 286 replies
  • August 18, 2014

I got it. I will test it now. Sorry for the confusion.


  • Author
  • Contributor
  • 286 replies
  • August 25, 2014

Thanks @mm2270! Worked.


  • New Contributor
  • 14 replies
  • June 15, 2015

For those having issues with this on OS 10.10.3: this script is working for me. Thanks @mm2270



Excellent!! I goofed on the install of student accounts and the account 501 got demoted, which was the local admin, instead of 502, which was the student. Tested on a student computer, worked like a charm. Thanks @mm2270


  • Honored Contributor
  • 970 replies
  • February 22, 2016

Unfortunately this doesn't seem to be working on El Capitan.


  • Honored Contributor
  • 970 replies
  • February 22, 2016

This fixed it for me for my AD plugin:

dsconfigad -nogroups

but the script on El Capitan comes back with:

line 5: syntax error near unexpected token `<'
line 5: `done < <(dscl . list /Users UniqueID | awk '$2 >= 501 {print $1}')'

mm2270
  • Legendary Contributor
  • 7880 replies
  • February 22, 2016

@tkimpton That syntax error you posted usually means the script was run in the Bourne shell, not Bash. If you run the script like this:

sh /path/to/script.sh

it will explicitly try running it in the Bourne shell, not Bash, meaning it overrides the shebang. If the script is executable and you just use:

/path/to/script.sh

it will use the shebang for the interpreter, and run it as a bash script.

The process substitution command in the script doesn't exist in /bin/sh, but does in /bin/bash.

Hopefully that helps.
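
Added example, not code from the thread or from Jamf: the accepted answer above trusts that UIDs 501 and 502 are the local admins, and the El Capitan error shows what happens when a policy runs the bash script under /bin/sh. The script below covers both points. It keeps an explicit allow-list of local admin names (KEEP_ADMINS, an assumption for illustration), skips accounts that are not actually admin members by asking dseditgroup -o checkmember, defaults to a dry run, and is plain POSIX sh with a pipe feeding the while loop instead of process substitution, so it behaves the same whether it is run as "sh script.sh" or through its shebang. The dscl sample lines inside the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread). Demote every local admin
# group member except the names in KEEP_ADMINS.
#
# Assumptions (illustrative, not from the original post):
#   KEEP_ADMINS  space-separated allow-list of local admin short names
#   DRY_RUN      1 = only print what would change (default), 0 = apply
KEEP_ADMINS="${KEEP_ADMINS:-localadmin itadmin}"
DRY_RUN="${DRY_RUN:-1}"

# Return 0 if $1 is one of the names in the allow-list.
is_kept() {
    for k in $KEEP_ADMINS; do
        [ "$1" = "$k" ] && return 0
    done
    return 1
}

# Read "name uid" lines on stdin, the shape of `dscl . list /Users UniqueID`
# (constructed sample: "localadmin 501", "jdoe 1045876"), and print the
# names with UID 501 or higher that are NOT in the allow-list.
# Selecting from stdin keeps this testable on a box without dscl.
candidates() {
    while read -r name uid; do
        case "$uid" in ''|*[!0-9]*) continue ;; esac   # skip malformed lines
        [ "$uid" -ge 501 ] || continue                  # skip system accounts (_mbsetupuser, root, ...)
        is_kept "$name" && continue                     # never touch the allow-list
        printf '%s\n' "$name"
    done
}

# Remove each candidate from admin, but only if it is currently a member.
# A pipe into the loop works in /bin/sh as well as /bin/bash; "< <(...)"
# would not.
demote_all() {
    dscl . list /Users UniqueID | candidates | while read -r user; do
        if /usr/sbin/dseditgroup -o checkmember -m "$user" admin >/dev/null 2>&1; then
            if [ "$DRY_RUN" = 1 ]; then
                echo "would remove $user from admin"
            else
                /usr/sbin/dseditgroup -o edit -d "$user" -t user admin \
                    && echo "removed $user from admin"
            fi
        fi
    done
}

# Only talk to Directory Services when dscl is actually present (macOS).
if command -v dscl >/dev/null 2>&1; then
    demote_all
fi
```

Run it once with the default DRY_RUN=1 on a test Mac and read the "would remove" lines before setting DRY_RUN=0 in the policy. Note that this only changes local admin group membership; groups granted admin through the AD plugin's "Allow administration by" setting are separate, and dsconfigad -show lists them under "Allowed admin groups".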


  • Honored Contributor
  • 970 replies
  • February 22, 2016

@mm2270 thanks for that, makes sense. Appreciated :)

