Solved

Script to remove admin rights on Macs

  • March 6, 2022
  • 12 replies
  • 305 views


Hello team, kindly help me with a script to remove admin rights on some of our Macs managed by Jamf.

Best answer by DBrowning


12 replies

DBrowning
  • Esteemed Contributor
  • 668 replies
  • Answer
  • March 7, 2022

Replace USERNAME with the username of the user you'd like to remove from Admin.

dseditgroup -o edit -d USERNAME -t user admin

  • Author
  • New Contributor
  • 2 replies
  • March 8, 2022

Thank you, boss, for this; however, I need this script to remove admin rights from all our Mac users.


DBrowning
  • Esteemed Contributor
  • 668 replies
  • March 8, 2022

If you only have one user per machine, you can use this:

#!/bin/bash
# Short name of the user currently at the console; empty at the login window
LoggedInUser=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }')
# Stop rather than call dseditgroup with an empty username
[ -n "$LoggedInUser" ] || exit 1
dseditgroup -o edit -d "$LoggedInUser" -t user admin
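As an added example (not DBrowning's code and not part of Jamf), the same console-user lookup wrapped in the checks a production policy script needs: it refuses to act at the login window or for a protected account, only changes anything when run as root with an explicit --apply argument, and verifies the demotion with dseditgroup -o checkmember. The account names in PROTECTED are placeholders for your management and ADE admin accounts.

```shell
#!/bin/bash
# Added example, not from the thread. Demote the console user safely.
# PROTECTED lists accounts that must never be demoted; the names are
# placeholders (assumption) for your Jamf management and ADE admin accounts.
set -eu

PROTECTED="root _mbsetupuser jamfmgmt adeadmin"

# console_user_from_scutil parses the output of
#   echo "show State:/Users/ConsoleUser" | scutil
# on stdin and prints the short name, or nothing when the login window
# (Name : loginwindow) holds the console.
console_user_from_scutil() {
    awk '/Name :/ && !/loginwindow/ { print $3; exit }'
}

# safe_to_demote USER PROTECTED succeeds when USER is non-empty and not in the
# space-separated PROTECTED list.
safe_to_demote() {
    local user="$1" p
    [ -n "$user" ] || return 1
    for p in $2; do
        [ "$user" != "$p" ] || return 1
    done
    return 0
}

# demote USER removes USER from the admin group and verifies the change.
# dseditgroup needs root; run as a normal user it asks for -u/-P credentials,
# which is the "username and password must be provided" error.
demote() {
    local user="$1"
    if ! dseditgroup -o checkmember -m "$user" admin >/dev/null; then
        echo "$user is not an admin; nothing to do"
        return 0
    fi
    dseditgroup -o edit -d "$user" -t user admin
    if dseditgroup -o checkmember -m "$user" admin >/dev/null; then
        echo "ERROR: $user is still an admin" >&2
        return 1
    fi
    echo "demoted $user"
}

main() {
    local user
    user=$(echo "show State:/Users/ConsoleUser" | scutil | console_user_from_scutil)
    if ! safe_to_demote "$user" "$PROTECTED"; then
        echo "no eligible console user (got '${user:-none}'); not demoting" >&2
        return 1
    fi
    if [ "${1:-}" != "--apply" ]; then
        echo "would demote $user (pass --apply to do it)"
        return 0
    fi
    [ "$(id -u)" -eq 0 ] || { echo "run as root (Jamf policy or sudo)" >&2; return 1; }
    demote "$user"
}

# Act only on macOS and only when called with an argument, so the file can be
# sourced for its functions (or run elsewhere) without side effects.
if [ "$(uname)" = "Darwin" ] && [ $# -gt 0 ]; then
    main "$1"
fi
```

Run it once without arguments from a Jamf policy to see which account it would touch, then with --apply.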

  • Author
  • New Contributor
  • 2 replies
  • March 8, 2022

Thank you very much, I really appreciate this.


mhasman
  • Valued Contributor
  • 426 replies
  • March 9, 2022

@DBrowning Thank you, Dennis!

What would be a command to change Standard user to Admin, please?


DBrowning
  • Esteemed Contributor
  • 668 replies
  • March 9, 2022

Change the -d to -a

dseditgroup -o edit -a $LoggedInUser -t user admin

mhasman
  • Valued Contributor
  • 426 replies
  • March 9, 2022

Thank you sir!


daniel_ross
  • Jamf Heroes
  • 203 replies
  • March 17, 2022

You could also use something like this to account for service accounts and also monitor if a user elevates rights on another account while promoted as an admin.

#!/bin/bash
# For Self Service: escalate the console user to admin for 30 minutes.
currentUser=$(who | awk '/console/{print $1}')

# Notify user
osascript -e 'display dialog "You now have administrative rights for 30 minutes." buttons {"Ok"} default button 1'

# If the LaunchDaemon is running, unload it to "reset" the timer;
# if it does not exist, create it. (A Jamf policy already runs as root, so no sudo.)
if test -f /Library/LaunchDaemons/removeAdmin.plist; then
    launchctl unload /Library/LaunchDaemons/removeAdmin.plist
else
    defaults write /Library/LaunchDaemons/removeAdmin.plist Label -string "removeAdmin"
    defaults write /Library/LaunchDaemons/removeAdmin.plist ProgramArguments -array -string /bin/bash -string "/Library/Application Support/JAMF/removeAdminRights.sh"
    defaults write /Library/LaunchDaemons/removeAdmin.plist StartInterval -integer 1800
    defaults write /Library/LaunchDaemons/removeAdmin.plist RunAtLoad -boolean yes
    chown root:wheel /Library/LaunchDaemons/removeAdmin.plist
    chmod 644 /Library/LaunchDaemons/removeAdmin.plist
fi

# Load the daemon again (or for the first time)
launchctl load /Library/LaunchDaemons/removeAdmin.plist

# Just in case the Mac is slow
sleep 10

# Give the user admin rights
/usr/sbin/dseditgroup -o edit -a "$currentUser" -t user admin

# Create the removal script to be run in 30 minutes (1800 secs).
# It uses bash arrays, so the daemon runs it with /bin/bash.
cat << 'EOF' > "/Library/Application Support/JAMF/removeAdminRights.sh"
#!/bin/bash
# Build the list of admins, skipping the service and management accounts
admins=()
for username in $(dscl . list /Users UniqueID | grep -vw yourserviceadmin | grep -vw jamfmanagementaccount | awk '$2 > 500 { print $1 }'); do
    if [[ $(dsmemberutil checkmembership -U "${username}" -G admin) != *not* ]]; then
        admins+=("${username}")
    fi
done

# Remove all admins
for admin in "${admins[@]}"; do
    /usr/sbin/dseditgroup -o edit -d "$admin" -t user admin
done
EOF

exit 0

A few other admins and I put this together. Note that you don't want to accidentally demote your management account, so account for that and TEST, TEST, TEST before pushing it out to everyone. We have a group of users called test pilots, and our change process looks like this: Apple Endpoint Team Test Devices -> IT Team -> Security/TechOps -> Test Pilots (a mix of every dept in case the previous teams miss something) -> GA release. Usually we do them at weekly intervals, but sometimes we have combined a few when they are less impactful apps/changes.
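As an added example (not daniel_ross's script and not Jamf code), one way to get the monitoring the post mentions: snapshot admin-group membership when the window opens and, when the timer fires, demote only the elevated account while logging and demoting anyone else who became an admin in between. It assumes a state file under /var/db/admin_elevation.before (a made-up path) and that the LaunchDaemon calls it with the close argument.

```shell
#!/bin/bash
# Added example, not from the thread. Snapshot admin membership before a timed
# elevation and compare it when the window closes.
set -eu

STATE=/var/db/admin_elevation.before   # assumption: where the snapshot lives

# admins_from_dscl parses `dscl . -read /Groups/admin GroupMembership` output
# ("GroupMembership: root alice") on stdin and prints one name per line, sorted.
admins_from_dscl() {
    awk '/^GroupMembership:/ { for (i = 2; i <= NF; i++) print $i }' | sort -u
}

# only_in_second BEFORE AFTER prints names present in AFTER but not in BEFORE
# (newline-separated lists). Names in both lists appear three times in the
# combined stream, names only in BEFORE twice, names only in AFTER once;
# uniq -u keeps the ones that appear exactly once.
only_in_second() {
    printf '%s\n%s\n%s\n' "$1" "$1" "$2" | grep -v '^$' | sort | uniq -u
}

# unexpected_admins BEFORE AFTER ELEVATED prints accounts that gained admin
# during the window other than ELEVATED: evidence the elevated user promoted
# someone else.
unexpected_admins() {
    only_in_second "$1" "$2" | grep -vxF "$3" || true
}

current_admins() {
    dscl . -read /Groups/admin GroupMembership | admins_from_dscl
}

# start_window USER: record membership, then elevate USER.
start_window() {
    current_admins > "$STATE"
    echo "$1" > "$STATE.user"
    dseditgroup -o edit -a "$1" -t user admin
}

# close_window: run by the LaunchDaemon when the 1800 s timer fires.
close_window() {
    local elevated before after extra u
    elevated=$(cat "$STATE.user")
    before=$(cat "$STATE")
    after=$(current_admins)
    extra=$(unexpected_admins "$before" "$after" "$elevated")
    for u in $extra; do
        logger -t admin-elevation "$u became admin during $elevated's window; demoting"
        dseditgroup -o edit -d "$u" -t user admin
    done
    dseditgroup -o edit -d "$elevated" -t user admin
    rm -f "$STATE" "$STATE.user"
}

# Only act on macOS, as root, with an explicit verb: "start USER" or "close".
if [ "$(uname)" = "Darwin" ] && [ $# -ge 1 ] && [ "$(id -u)" -eq 0 ]; then
    case "$1" in
        start) start_window "${2:?username required}" ;;
        close) close_window ;;
    esac
fi
```

The diff is what turns a blind "remove everyone" sweep into an audit trail: anything the logger line reports is an account the elevated user created or promoted, which is worth a ticket rather than a silent demotion.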


  • New Contributor
  • 1 reply
  • July 18, 2023

Quoting DBrowning's answer: dseditgroup -o edit -d USERNAME -t user admin

Hey, I get the error "username and password must be provided".


Jacek_ADC
  • Valued Contributor
  • 93 replies
  • May 24, 2024

Question to you guys.
I just tested the script from @DBrowning a few times right now. It is working fine and it removes the admin rights for my test user on my test MacBook.

I saw in a few other threads here that removing admin rights can bring some trouble; for example, that every user loses their admin rights.
I checked this behaviour on my test Mac and I do not see any impact on my hidden ADE admin account or the mgmt account from UIE.

I logged in to my test MacBook with my hidden ADE account and it's still admin.

I also tested some commands (sudo jamf recon, sudo jamf manage, sudo jamf policy, via Terminal when using my downgraded account) and everything is working.

So I am just a bit confused about this, and soon we will start to remove admin rights on MacBooks for our users.

The threads I mean are, for example, these two:

Re: Remove Local Admin Access - Jamf Nation Community - 230715

Re: Removing Local Admin Privilege using a Script - Jamf Nation Community - 284250

I'd appreciate any helpful tip.

Thanks in advance


DBrowning
  • Esteemed Contributor
  • 668 replies
  • May 28, 2024

Those other posts have loops that remove admin rights from anyone other than the usernames listed in the loop conditions. If you use the commands I have above, rights will only be removed from the logged-in user.
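As an added example (not DBrowning's code, not the linked threads' scripts, and not part of Jamf), the looping approach done the way it has to be done if you use it at all: the accounts that must keep admin live in one explicit allowlist so the management and ADE accounts can never be swept up, UIDs at or below 500 are skipped, and nothing changes unless --apply is passed. The names in KEEP_ADMINS are placeholders.

```shell
#!/bin/bash
# Added example, not from the thread. Demote every local admin except an
# allowlist; prints what it would do unless --apply is given.
set -eu

# Placeholder names (assumption): replace with your management and ADE accounts.
KEEP_ADMINS="root jamfmgmt adeadmin"

# select_candidates KEEP reads "username uid" lines, the format of
#   dscl . list /Users UniqueID
# on stdin and prints the local users with UID > 500 that are not in the
# space-separated KEEP list (system accounts such as _mbsetupuser sit below 500).
select_candidates() {
    awk -v keep="$1" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) protected[k[i]] = 1 }
        NF >= 2 && $2 + 0 > 500 && !($1 in protected) { print $1 }
    '
}

# is_member_line LINE succeeds when LINE, the output of
#   dsmemberutil checkmembership -U user -G admin
# says the user is a member ("user is a member of the group"); the negative
# form is "user is not a member of the group".
is_member_line() {
    case "$1" in
        *"is a member"*) return 0 ;;
        *)               return 1 ;;
    esac
}

main() {
    local mode="${1:-dry-run}" user
    [ "$(id -u)" -eq 0 ] || { echo "run as root (Jamf policy or sudo)" >&2; return 1; }
    dscl . list /Users UniqueID | select_candidates "$KEEP_ADMINS" | while read -r user; do
        is_member_line "$(dsmemberutil checkmembership -U "$user" -G admin)" || continue
        if [ "$mode" = "--apply" ]; then
            if dseditgroup -o edit -d "$user" -t user admin; then
                echo "demoted $user"
            else
                echo "failed to demote $user" >&2
            fi
        else
            echo "would demote $user"
        fi
    done
}

# Act only on macOS and only when called with an argument, so the file can be
# sourced for its functions (or run elsewhere) without side effects.
if [ "$(uname)" = "Darwin" ] && [ $# -gt 0 ]; then
    main "$1"
fi
```

Run the dry run on a test Mac first and confirm the management account never appears in the "would demote" output before adding --apply to the policy.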


  • New Contributor
  • 1 reply
  • August 7, 2024

Thanks @DBrowning. When I try it in Jamf it throws an error "Group not found", exit code 64.
In Terminal it says "username password must be provided".