Jamf Nation Community

Thank you boss for this, however, I need this script to remove admin rights from all our MAC users.

@DBrowning Thank you, Dennis!

What would be a command to change Standard user to Admin, please?

You could also use something like this to account for service accounts and also monitor if a user elevates rights on another account while promoted as an admin.

#!/bin/bash
#for SelfService to escalate user to gain admin privileges for 30 minutes.
currentUser=$(who | awk '/console/{print $1}')
#Notify user
osascript -e 'display dialog "You now have administrative rights for 30 minutes." buttons {"Ok"} default button 1'
#if the LaunchDaemon is running, unload it to "reset" the timer
#if it does not exist, create it!
if test -f /Library/LaunchDaemons/removeAdmin.plist; then
    launchctl unload /Library/LaunchDaemons/removeAdmin.plist
    else
        sudo defaults write /Library/LaunchDaemons/removeAdmin.plist Label -string "removeAdmin"
        sudo defaults write /Library/LaunchDaemons/removeAdmin.plist ProgramArguments -array -string /bin/sh -string "/Library/Application Support/JAMF/removeAdminRights.sh"
        sudo defaults write /Library/LaunchDaemons/removeAdmin.plist StartInterval -integer 1800
        sudo defaults write /Library/LaunchDaemons/removeAdmin.plist RunAtLoad -boolean yes
        sudo chown root:wheel /Library/LaunchDaemons/removeAdmin.plist
        sudo chmod 644 /Library/LaunchDaemons/removeAdmin.plist
fi
#load the daemon again! (or for the first time)
launchctl load /Library/LaunchDaemons/removeAdmin.plist
#just in case you're pc is slow
sleep 10
#give user Admin rights
/usr/sbin/dseditgroup -o edit -a $currentUser -t user admin
#Create the RemoveAdminScript to be ran in 30 mimutes (1800 secs)
cat << 'EOF' > /Library/Application\ Support/JAMF/removeAdminRights.sh
#initiate list of admins
admins=()
for username in $(dscl . list /Users UniqueID | grep -vw yourserviceadmin | grep -vw jamfmanagementaccount | awk '$2 > 500 { print $1 }'); do
    if [[ $(dsmemberutil checkmembership -U "${username}" -G admin) != *not* ]]; then
        admins+=("${username}")
    fi
done
#remove all admins
for admin in ${admins[@]}; do
    /usr/sbin/dseditgroup -o edit -d $admin -t user admin
done
EOF
exit 0

A few other admins and I combined this together.  Note you don't want to accidentally demote your management account so account for that and TEST, TEST, TEST before pushing out to everyone.  We have a group of users called test pilots and our change process looks like this:  Apple Endpoint Team Test Devices -> IT Team -> Security/TechOps -> Test Pilots (Mix of every dept in case the previous teams miss something) -> GA release.  usually, we do them in weekly intervals but sometimes have combined a few when they are less impacting apps/changes.

Question to you guys.
I just tested the script from @DBrowning right now a few times. It is working fine and it removes the admin rights for my testuser on my testmacbook.

I saw in a few other threads here, that removing admin rights can bring some trouble. For example, that every user is loosing his admin rights. 
I checked this behaviour on my testmac and i do not see any impact on my hidden ADE Adminaccount or the mgmgt account from UIE.

I logged in my testmacbook with my hidden ADE account and its still admin

i tested also some commands sudo jamf recon, sudo jamf manage, sudo jamf policy (via terminal when using my downgraded account) and everything is working.

So i am just a bit confused about this and soon we will start to remove admin rights on macbooks for our user.

the threads i mean is for example these two:

Re: Remove Local Admin Access - Jamf Nation Community - 230715

Re: Removing Local Admin Privilege using a Script - Jamf Nation Community - 284250

Apreciate for any helpfull tip.

THX in advance