Jamf Nation Community

I wrote this bash script las Fall to demote users who had not passed
our "MKA Driver's Test". Against my judgment, it was decided to allow
all our students in our 1:1 program to be administrators of their
computers. However, they must regularly prove their competence and
understanding of our AUP, school rules, and adhere to our computer
usage guidelines. This is done by having them take a "Driver's Test"
once or twice a year. If a student fails to take the test, or gets
anything other than 100% on the test, they lose their admin rights. I
wrote this script to demote the offenders without having to have their
computer visit me in our Tech Center.

-------

#!/bin/bash

# Create an array of shortnames in the local DirectoryServices node.
# If the shortname starts with '', it is a system user: ignore it
# (this saves a bit of time when running the script, since we can
# skip these users, without checking their UID, etc.)
users=( `dscl . -list /Users | egrep -v "^()w+"` )

# Create arrays of admin short names and admin GUID's
# Before we can remove a short name or GUID from the admin group,
# We have to make sure it is there first. If it is not there,
# and we try to remove it, we will generate an error. The error
# is harmless, but we don't like to polute our output with ignoreable
# errors. Later, we will search these arrays before deleting anything.
arrayOfAdminUsersShortnames=( `dscl . -read /Groups/admin
GroupMembership | sed 's/GroupMembership: //'` )
arrayOfAdminUsersGUIDs=( `dscl . -read /Groups/admin GroupMembers |
sed 's/GroupMembers: //'` )

# For each shortname in the 'users' array, check to see if we should demote it,
# then demote it
for user in ${users[@]}
do # Grab the UID of the shortname userUID=dscl . -read /Users/${user} UniqueID | awk '{print $NF}'

# Check to see if the UID of this user is 501 or higher. # If it is, collect the RecordName (shortname) and the GUID, # then remove both of them from the admin group if [ "${userUID}" -ge 501 ]; then # Set the short name of the user we want to remove userToRemoveShortname="${user}"

# Grab the GUID of the user we want to remove, using
the short nam userToRemoveGUID=`dscl . -read /Users/${user} GeneratedUID | awk
'{print $NF}'`

# If the user's short name exists in theadmin group, remove the
user's shortname from GroupMemembership for adminUser in ${arrayOfAdminUsersShortnames[@]-} do if [[ $adminUser == ${userToRemoveShortname} ]]; then dscl . -delete /Groups/admin
GroupMembership ${userToRemoveShortname} fi done

# If the user's GUID exists the the admin group, remove
the user's
GUID from GroupMembers for adminUserGIUD in ${arrayOfAdminUsersGUIDs[@]-} do if [[ $adminUserGIUD == ${userToRemoveGUID} ]]; then dscl . -delete /Groups/admin
GroupMembers ${userToRemoveGUID} fi done fi
done

----------------

So far, this script has worked very well. Eventually, I'll modify this
to allow for the reversal...promotion of an account to admin. But for
the immediate future, a promotion requires the offending student visit
the Tech Center for me to manually promote their account back to
Admin. I like this because it enforced facetime with the student and
gives me a chance to lecture them about responsible use, etc. Heh.

I wish I didn't have to play these games with admin access, but
politically I was overruled and have been engineering solutions like
this to help ease the administration of 1000 laptops with students and
faculty as administrators. I have many Extension Attributes in JSS
that watch for other offenses and misuse of the computers.

It's been an interesting first year of our program. I'm currently
writing up documentation to present at next summer's 1:1 Laptop
Institute at the Lusanne School in Memphis. I'm also considering
speaking at next year's PSU MacAdmins Conference at Penn State (highly
recommend you check out this small but amazingly technical conference
devoted to Mac management).

Hope this helps,

Damien Barrett
Systems Technician
The Montclair Kimberley Academy
Montclair, NJ 07042
973-842-2812