Script to remove Admin right on MAC.

Swapdevs
New Contributor II

Hello Teams, Kindly help me with a script to remove admin right on some of our MAC managed by JAMF.

1 ACCEPTED SOLUTION

DBrowning
Valued Contributor II

Replace USERNAME with the username of the user you'd like to remove from Admin.

dseditgroup -o edit -d USERNAME -t user admin

View solution in original post

12 REPLIES 12

DBrowning
Valued Contributor II

Replace USERNAME with the username of the user you'd like to remove from Admin.

dseditgroup -o edit -d USERNAME -t user admin

deep
New Contributor

hey, i get the error "username and password must be provided".

Swapdevs
New Contributor II

Thank you boss for this, however, I need this script to remove admin rights from all our MAC users.

DBrowning
Valued Contributor II

If you only have one user per machine, you can use this:

#!/bin/sh

LoggedInUser=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

dseditgroup -o edit -d $LoggedInUser -t user admin

Swapdevs
New Contributor II

Thank you very much, I really appreciate this.

mhasman
Valued Contributor

@DBrowning Thank you, Dennis!

What would be a command to change Standard user to Admin, please?

DBrowning
Valued Contributor II

Change the -d to -a

dseditgroup -o edit -a $LoggedInUser -t user admin

mhasman
Valued Contributor

Thank you sir!

daniel_ross
Contributor III

You could also use something like this to account for service accounts and also monitor if a user elevates rights on another account while promoted as an admin.

#!/bin/bash
#for SelfService to escalate user to gain admin privileges for 30 minutes.
currentUser=$(who | awk '/console/{print $1}')
#Notify user
osascript -e 'display dialog "You now have administrative rights for 30 minutes." buttons {"Ok"} default button 1'
#if the LaunchDaemon is running, unload it to "reset" the timer
#if it does not exist, create it!
if test -f /Library/LaunchDaemons/removeAdmin.plist; then
    launchctl unload /Library/LaunchDaemons/removeAdmin.plist
    else
        sudo defaults write /Library/LaunchDaemons/removeAdmin.plist Label -string "removeAdmin"
        sudo defaults write /Library/LaunchDaemons/removeAdmin.plist ProgramArguments -array -string /bin/sh -string "/Library/Application Support/JAMF/removeAdminRights.sh"
        sudo defaults write /Library/LaunchDaemons/removeAdmin.plist StartInterval -integer 1800
        sudo defaults write /Library/LaunchDaemons/removeAdmin.plist RunAtLoad -boolean yes
        sudo chown root:wheel /Library/LaunchDaemons/removeAdmin.plist
        sudo chmod 644 /Library/LaunchDaemons/removeAdmin.plist
fi
#load the daemon again! (or for the first time)
launchctl load /Library/LaunchDaemons/removeAdmin.plist
#just in case you're pc is slow
sleep 10
#give user Admin rights
/usr/sbin/dseditgroup -o edit -a $currentUser -t user admin
#Create the RemoveAdminScript to be ran in 30 mimutes (1800 secs)
cat << 'EOF' > /Library/Application\ Support/JAMF/removeAdminRights.sh
#initiate list of admins
admins=()
for username in $(dscl . list /Users UniqueID | grep -vw yourserviceadmin | grep -vw jamfmanagementaccount | awk '$2 > 500 { print $1 }'); do
    if [[ $(dsmemberutil checkmembership -U "${username}" -G admin) != *not* ]]; then
        admins+=("${username}")
    fi
done
#remove all admins
for admin in ${admins[@]}; do
    /usr/sbin/dseditgroup -o edit -d $admin -t user admin
done
EOF
exit 0

A few other admins and I combined this together.  Note you don't want to accidentally demote your management account so account for that and TEST, TEST, TEST before pushing out to everyone.  We have a group of users called test pilots and our change process looks like this:  Apple Endpoint Team Test Devices -> IT Team -> Security/TechOps -> Test Pilots (Mix of every dept in case the previous teams miss something) -> GA release.  usually, we do them in weekly intervals but sometimes have combined a few when they are less impacting apps/changes.

Jacek_ADC
Contributor II

Question to you guys.
I just tested the script from @DBrowning right now a few times. It is working fine and it removes the admin rights for my testuser on my testmacbook.

I saw in a few other threads here, that removing admin rights can bring some trouble. For example, that every user is loosing his admin rights. 
I checked this behaviour on my testmac and i do not see any impact on my hidden ADE Adminaccount or the mgmgt account from UIE.

I logged in my testmacbook with my hidden ADE account and its still admin

i tested also some commands sudo jamf recon, sudo jamf manage, sudo jamf policy (via terminal when using my downgraded account) and everything is working.

So i am just a bit confused about this and soon we will start to remove admin rights on macbooks for our user.

the threads i mean is for example these two:

Re: Remove Local Admin Access - Jamf Nation Community - 230715

Re: Removing Local Admin Privilege using a Script - Jamf Nation Community - 284250

Apreciate for any helpfull tip.

THX in advance

DBrowning
Valued Contributor II

Those other post have loops that remove admin rights from anyone other then the usernames listed in the loop conditions.  If you use the commands I have above, rights will only be removed from the logged in user.  

cpatel86400
New Contributor

Thanks @DBrowning When I try on JAMF it throws an error Group not found exit code 64
On terminal it says username password must be provided