Script to remove Admin Access

pblake
Contributor III

I am looking for a script to remove admin access on 100 machines that are using AD accounts. We have a local admin that I want to remain, and be the only admin.

Any ideas?


15 REPLIES

mm2270
Legendary Contributor III

So, you want to remove all accounts (AD based) from the local admin group? Do your AD settings also need to be adjusted? Meaning, do you have to remove any AD groups from the AD settings under the Administrative tab?

If this is only a matter of getting the accounts out of the local admin group, there are probably 4-5 other threads that cover this. To point you in the right direction, do a search for dseditgroup. That's the tool you'll want to use in whatever script you go with.

pblake
Contributor III

I have not been able to find one script to use on all the computers. I can only seem to find scripts to remove individual users, and I want all AD users removed from all computers. Anyone who knows how to do this, please advise.

bentoms
Release Candidate Programs Tester

Took me 2 minutes of searching, I think this is what you're after: https://jamfnation.jamfsoftware.com/discussion.html?id=8150#responseChild43381

pblake
Contributor III

Thanks @mm2270 and @bentoms - unfortunately I had seen those posts but not been able to get it to work. I am having the same problem as another poster in that discussion, jhbush1973.

https://jamfnation.jamfsoftware.com/discussion.html?id=8150#responseChild43381

# Every account with UID 501 and up, except one literally named "administrator"
UserList=$( dscl . list /Users UniqueID | awk '$2 >= 501 {print $1}' | grep -v administrator )

# $UserList is left unquoted so the loop sees one user per iteration, not the whole list as one word
for USER in $UserList; do
    /usr/sbin/dseditgroup -o edit -d "$USER" -t user admin
done

If I run the command locally on the machine - /usr/sbin/dseditgroup -o edit -d $USER -t user admin, where for $USER I put in the name of a user I want to remove - the command runs with no error, but running the script above from Casper results in the following in the log: Script result: Group not found.

The machine was on and logged in, not at the startup screen. I am trying to find a script that works, or a fix to make this one work.

Thanks!

mm2270
Legendary Contributor III

Try it as a bash script with process substitution. May work better

#!/bin/bash

# Process substitution (< <(...)) is a bash feature; it keeps the loop in the
# current shell instead of a pipeline subshell. Quoting the variable keeps an
# odd account name from being split into several arguments.
while read -r useraccount; do
    /usr/sbin/dseditgroup -o edit -d "$useraccount" -t user admin
done < <(dscl . list /Users UniqueID | awk '$2 >= 501 {print $1}' | grep -v administrator)

pblake
Contributor III

@mm2270 - I ran your script as a policy and it removed admin access from all the users including the two local admins. My local admins are 501 & 502.

mm2270
Legendary Contributor III

What are they named? My script looks at all accounts in the 501 and up range and only excludes anything called "administrator" explicitly, so if they are called something else, that would be why it affected them. You need to change the grep -v to use whatever names you want to exclude, or, you could simply look at accounts with UIDs from 503 and up instead:

#!/bin/bash

# Demote every account with UID 503 and up; 501 and 502 (the local admins) are
# left alone by the UID threshold, so no name-based exclusion is needed.
while read -r useraccount; do
    /usr/sbin/dseditgroup -o edit -d "$useraccount" -t user admin
done < <(dscl . list /Users UniqueID | awk '$2 >= 503 {print $1}')

pblake
Contributor III

I got it. I will test it now. Sorry for the confusion.

pblake
Contributor III

Thanks @mm2270! Worked.

Buscher
New Contributor II

For those having issues with this on OS 10.10.3: this script is working for me. Thanks @mm2270

ben_hertenstein
Release Candidate Programs Tester

Excellent!! I goofed on the install of student accounts and the account 501 got demoted, which was the local admin instead of 502 which was the student. Tested on a student computer, worked like a charm. Thanks @mm2270

tkimpton
Valued Contributor II

unfortunately this doesn't seem to be working on El Capitan

tkimpton
Valued Contributor II

this fixed it for me for my ad plugin

dsconfigad -nogroups

but the script on El Capitan comes back with

line 5: syntax error near unexpected token `<'
line 5: `done < <(dscl . list /Users UniqueID | awk '$2 >= 501 {print $1}')'

mm2270
Legendary Contributor III

@tkimpton That syntax error you posted usually means the script was run in the Bourne shell, not Bash. If you run the script like this:

sh /path/to/script.sh

it will explicitly try running it in the Bourne shell, not Bash, meaning it overrides the shebang. If the script is executable and you just use:

/path/to/script.sh

it will use the shebang for the interpreter, and run it as a bash script.

The process substitution command in the script doesn't exist in /bin/sh, but does in /bin/bash.

Hopefully that helps.
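Pulling together the accepted approach (demote everything above a UID threshold with dseditgroup) and the sh-versus-bash point just above, here is an added example that is not mm2270's script, nor anything from Jamf. It is written in POSIX sh with no process substitution, so it behaves the same whether Jamf launches it as "sh script.sh" or through its shebang. It goes a bit beyond the thread's scripts: it excludes local admins by name as well as by UID, and it checks membership with dseditgroup -o checkmember before removing, so the policy log shows real changes instead of an error for every non-admin. The names in KEEP_ADMINS, the --apply flag and the constructed test input are this example's own assumptions; adjust them for your fleet.

```shell
#!/bin/sh
# Added example, not the thread's script. POSIX sh: no process substitution,
# so "sh script.sh" and "./script.sh" give the same result.
# KEEP_ADMINS and --apply are assumptions of this example, not from the thread.

KEEP_ADMINS="administrator localadmin"   # assumed names of the local admins to keep
MIN_UID=501                               # lower UIDs are system/service accounts

# Read "name UID" lines (the format printed by `dscl . list /Users UniqueID`) on
# stdin and print the names to demote: UID >= MIN_UID and not listed in
# KEEP_ADMINS. Keeping the filter in a function lets it be tested with
# constructed input on any machine.
select_demotable() {
    while read -r name uid; do
        if [ -z "$name" ]; then
            continue
        fi
        # Skip blank or non-numeric UID fields, then anything below the threshold
        case "$uid" in
            ''|*[!0-9]*) continue ;;
        esac
        if [ "$uid" -lt "$MIN_UID" ]; then
            continue
        fi
        keep=0
        for k in $KEEP_ADMINS; do
            if [ "$name" = "$k" ]; then
                keep=1
            fi
        done
        if [ "$keep" -eq 0 ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Remove one account from the local admin group, but only if it is a member now.
demote_user() {
    if /usr/sbin/dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1; then
        /usr/sbin/dseditgroup -o edit -d "$1" -t user admin \
            && echo "removed $1 from admin"
    else
        echo "$1 is not in admin, skipping"
    fi
}

# Only touch the live directory when run as "script.sh --apply" on a Mac.
# The pipeline runs the loop in a subshell, which is fine: nothing set inside
# it is needed afterwards.
if [ "${1:-}" = "--apply" ] && [ -x /usr/sbin/dseditgroup ]; then
    # Caveat raised in the thread: if the AD plugin still lists AD groups under
    # "Allowed admin groups" (see dsconfigad -show), members get admin back at
    # login; tkimpton cleared that with dsconfigad -nogroups.
    dscl . list /Users UniqueID | select_demotable | while read -r user; do
        demote_user "$user"
    done
fi
```

Run it without arguments first and pipe `dscl . list /Users UniqueID | select_demotable` to see which accounts would be demoted; only then run it with --apply from the policy. Mobile AD accounts carry large UIDs (well above 1000), so the UID threshold alone already separates them from 501/502, and the name list is a second guard against the mistake reported earlier in the thread where a local admin sat at 501.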

tkimpton
Valued Contributor II

@mm2270 thanks for that, makes sense. Appreciated :)