Posted on 03-06-2022 02:47 PM
Hello team, kindly help me with a script to remove admin rights on some of our Macs managed by Jamf.
Posted on 03-07-2022 04:41 AM
Replace USERNAME with the username of the user you'd like to remove from Admin.
dseditgroup -o edit -d USERNAME -t user admin
Posted on 07-17-2023 08:05 PM
Hey, I get the error "username and password must be provided".
Posted on 03-07-2022 11:42 PM
Thank you, boss, for this. However, I need this script to remove admin rights from all our Mac users.
Posted on 03-08-2022 04:14 AM
If you only have one user per machine, you can use this:
#!/bin/bash
# Current console user; empty at the login window or when nobody is logged in
LoggedInUser=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }')
[ -n "$LoggedInUser" ] || exit 1
# Remove that user from the local admin group (runs as root under Jamf)
dseditgroup -o edit -d "$LoggedInUser" -t user admin
Posted on 03-08-2022 04:34 AM
Thank you very much, I really appreciate this.
Posted on 03-09-2022 07:40 AM
@DBrowning Thank you, Dennis!
What would be a command to change Standard user to Admin, please?
Posted on 03-09-2022 08:06 AM
Change the -d to -a
dseditgroup -o edit -a "$LoggedInUser" -t user admin
Posted on 03-09-2022 10:53 AM
Thank you sir!
Posted on 03-16-2022 10:12 PM
You could also use something like this to account for service accounts and also monitor if a user elevates rights on another account while promoted as an admin.
#!/bin/bash
# For Self Service: escalate the current user to admin for 30 minutes.
# Runs as root under Jamf, so no sudo prefixes are needed.
currentUser=$(who | awk '/console/{print $1}')
# Stop if nobody is at the console
[ -n "$currentUser" ] || exit 1
# Notify user
osascript -e 'display dialog "You now have administrative rights for 30 minutes." buttons {"Ok"} default button 1'
# Create the removal script that the LaunchDaemon runs every 30 minutes (1800 secs).
# It is written before the daemon is loaded so that RunAtLoad can find it.
# Replace yourserviceadmin / jamfmanagementaccount with your own protected accounts.
cat << 'EOF' > "/Library/Application Support/JAMF/removeAdminRights.sh"
#!/bin/bash
# Build the list of admins, skipping the protected accounts and UIDs <= 500
admins=()
for username in $(dscl . list /Users UniqueID | grep -vw yourserviceadmin | grep -vw jamfmanagementaccount | awk '$2 > 500 { print $1 }'); do
    if [[ $(dsmemberutil checkmembership -U "${username}" -G admin) != *not* ]]; then
        admins+=("${username}")
    fi
done
# Remove all remaining admins
for admin in "${admins[@]}"; do
    /usr/sbin/dseditgroup -o edit -d "$admin" -t user admin
done
EOF
chown root:wheel "/Library/Application Support/JAMF/removeAdminRights.sh"
chmod 755 "/Library/Application Support/JAMF/removeAdminRights.sh"
# If the LaunchDaemon is already loaded, unload it to "reset" the timer;
# if the plist does not exist yet, create it.
if test -f /Library/LaunchDaemons/removeAdmin.plist; then
    launchctl unload /Library/LaunchDaemons/removeAdmin.plist
else
    defaults write /Library/LaunchDaemons/removeAdmin.plist Label -string "removeAdmin"
    defaults write /Library/LaunchDaemons/removeAdmin.plist ProgramArguments -array -string /bin/bash -string "/Library/Application Support/JAMF/removeAdminRights.sh"
    defaults write /Library/LaunchDaemons/removeAdmin.plist StartInterval -integer 1800
    defaults write /Library/LaunchDaemons/removeAdmin.plist RunAtLoad -boolean yes
    chown root:wheel /Library/LaunchDaemons/removeAdmin.plist
    chmod 644 /Library/LaunchDaemons/removeAdmin.plist
fi
# Load the daemon again (or for the first time)
launchctl load /Library/LaunchDaemons/removeAdmin.plist
# Give the RunAtLoad removal pass time to finish before promoting the user
sleep 10
# Give the user admin rights
/usr/sbin/dseditgroup -o edit -a "$currentUser" -t user admin
exit 0
A few other admins and I put this together. Note that you don't want to accidentally demote your management account, so account for that and TEST, TEST, TEST before pushing out to everyone. We have a group of users called test pilots, and our change process looks like this: Apple Endpoint Team Test Devices -> IT Team -> Security/TechOps -> Test Pilots (a mix of every dept in case the previous teams miss something) -> GA release. Usually we do them in weekly intervals, but sometimes we have combined a few when they are less impactful apps/changes.
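The removal sweep above depends on the grep exclusions being right for your fleet. The following is an added example, not code from the thread: it keeps the same idea (sweep every local account back to standard) but puts the protected accounts in one list, ignores system UIDs below 501, and supports a dry run so the exclusions can be checked before anything is demoted. The account names in PROTECTED (jamfmanagement, yourserviceadmin) are placeholders, not names from any real environment.

```shell
#!/bin/sh
# Added example, not from the thread: sweep local admins back to standard,
# but never touch protected accounts. The names in PROTECTED are assumptions;
# replace them with your own management/service account names.
PROTECTED="${PROTECTED:-root jamfmanagement yourserviceadmin}"
MIN_UID=501   # local accounts created by Setup Assistant or Jamf start at 501

# Read "name uid" lines (the shape of `dscl . list /Users UniqueID`) on stdin
# and print only names with uid >= MIN_UID that are not in PROTECTED.
filter_candidates() {
  while read -r name uid; do
    [ -n "$name" ] || continue
    case "$uid" in ''|*[!0-9]*) continue ;; esac
    [ "$uid" -ge "$MIN_UID" ] || continue
    skip=0
    for p in $PROTECTED; do
      [ "$name" = "$p" ] && skip=1
    done
    if [ "$skip" -eq 0 ]; then echo "$name"; fi
  done
}

# Map dsmemberutil's sentence to an exit status: 0 member, 1 not a member.
is_admin() {
  case "$1" in *"is a member"*) return 0 ;; *) return 1 ;; esac
}

# Demote every candidate that is currently an admin. DRY_RUN=1 only reports.
sweep_admins() {
  dscl . list /Users UniqueID | filter_candidates | while read -r name; do
    if is_admin "$(dsmemberutil checkmembership -U "$name" -G admin)"; then
      if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "would demote: $name"
      else
        /usr/sbin/dseditgroup -o edit -d "$name" -t user admin && echo "demoted: $name"
      fi
    fi
  done
}

# Only act on macOS as root; elsewhere the functions are just defined.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
  sweep_admins
fi
```

Run it once with DRY_RUN=1 from a Jamf policy and read the "would demote" lines in the policy log; if the management account shows up there, fix PROTECTED before running it for real.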
Posted on 05-24-2024 06:57 AM
Question to you guys.
I just tested the script from @DBrowning a few times. It is working fine and removes the admin rights for my test user on my test MacBook.
I saw in a few other threads here that removing admin rights can bring some trouble, for example that every user loses his admin rights.
I checked this behaviour on my test Mac and I do not see any impact on my hidden ADE admin account or the mgmt account from UIE.
I logged in to my test MacBook with my hidden ADE account and it is still admin.
I also tested some commands (sudo jamf recon, sudo jamf manage, sudo jamf policy via Terminal when using my downgraded account) and everything is working.
So I am just a bit confused about this, and soon we will start to remove admin rights on MacBooks for our users.
The threads I mean are, for example, these two:
Re: Remove Local Admin Access - Jamf Nation Community - 230715
Re: Removing Local Admin Privilege using a Script - Jamf Nation Community - 284250
I appreciate any helpful tip.
Thanks in advance
Posted on 05-28-2024 04:36 AM
Those other posts have loops that remove admin rights from anyone other than the usernames listed in the loop conditions. If you use the commands I have above, rights will only be removed from the logged-in user.
Posted on 08-06-2024 09:45 PM
Thanks @DBrowning. When I try it on Jamf it throws the error "Group not found", exit code 64.
In Terminal it says "username and password must be provided".
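The console-user script earlier in the thread and the two error reports both come down to preconditions: dseditgroup -o edit needs either root or admin credentials via -u/-P (a non-root Terminal run stops with "username and password must be provided"), and an empty username must never reach the command. The following is an added example, not code from the thread or from Jamf: it wraps the same dseditgroup call with a root check, an empty-name guard, a protected-account guard and a membership check before and after the change. MGMT_ACCOUNT is an assumed placeholder name.

```shell
#!/bin/sh
# Added example, not from the thread: remove admin rights from the console
# user only, with the checks a Jamf policy script should make first.
# MGMT_ACCOUNT is an assumed name; set it to your own management account.
MGMT_ACCOUNT="${MGMT_ACCOUNT:-jamfmanagement}"

# Extract the short name from `scutil` "show State:/Users/ConsoleUser" output.
# Prints nothing at the login window or when no GUI session exists.
console_user_from_scutil() {
  awk '/Name :/ && ! /loginwindow/ { print $3 }'
}

# Map dsmemberutil's sentence to an exit status: 0 member, 1 not a member.
is_admin() {
  case "$1" in *"is a member"*) return 0 ;; *) return 1 ;; esac
}

# Only demote a real, non-protected user; an empty name must never reach dseditgroup.
demote_allowed() {
  [ -n "$1" ] && [ "$1" != "root" ] && [ "$1" != "$MGMT_ACCOUNT" ]
}

demote_console_user() {
  # dseditgroup -o edit needs root or -u/-P admin credentials; from a normal
  # Terminal session it stops with "username and password must be provided".
  if [ "$(id -u)" -ne 0 ]; then
    echo "run as root (Jamf policies already do)" >&2
    return 2
  fi
  user=$(echo "show State:/Users/ConsoleUser" | scutil | console_user_from_scutil)
  if ! demote_allowed "$user"; then
    echo "no eligible console user ('$user'); nothing to do" >&2
    return 0
  fi
  if ! is_admin "$(dsmemberutil checkmembership -U "$user" -G admin)"; then
    echo "$user is already a standard user"
    return 0
  fi
  /usr/sbin/dseditgroup -o edit -d "$user" -t user admin || return 1
  # Confirm the change rather than trusting the exit status alone
  if is_admin "$(dsmemberutil checkmembership -U "$user" -G admin)"; then
    echo "$user is still in the admin group" >&2
    return 1
  fi
  echo "$user demoted to standard user"
}

# Act only on macOS; elsewhere the functions are just defined (for testing).
if [ "$(uname)" = "Darwin" ]; then
  demote_console_user
fi
```

Deploy it as a Jamf policy script (which runs as root) rather than from Terminal; when testing by hand, prefix it with sudo so the root check passes and the credential prompt never appears.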