Unable to make user admin on some devices via script

ML_User
New Contributor

We are using a policy with a script to make the currently signed in user an admin. We have tried both normal commands for making a user an admin but only certain test devices actually make the user an admin. We are in the process of wiping our devices multiple times a day to test the Pre-stage enrollment and this seems to be one of the few hang ups. 
For reference, this is the script we are using that works on some devices but not all:

```bash
#!/bin/bash
currentUser=$(who | awk '/console/{print $1}')
sudo dscl . -append /Groups/admin GroupMembership $currentUser
exit 0
```

Sometimes it will work and make the account admin but then when we restart the device it will go back to being standard. No amount of re-running this script or a similar one will get it to work after the initial try if it's successful either. Is there any chance there is some sort of cache or file somewhere that maybe tells the Mac that a user belongs to the Standard section that needs to be erased or appended to get rid of the current user so that it doesn't keep the user standard? I haven't found a similar issue among the discussions on this site so far.

5 REPLIES

Hilton221
New Contributor II

This security challenge has been exacerbated in recent years with worm-based malware targeting users with admin rights on a local workstation. The attack makes it easy to infect others in the network, especially as a lot of organizations switch off things like Windows Firewall. Now more than ever, there’s a need to find a balance between the security of your Windows workstation estate, and local administrative autonomy. 

Thanks, My Herbalife Nutrition
Hilton221

AtillaTheC
Contributor II

We leverage this script but I haven't tested it in a while.

```bash
#!/bin/bash

# Get username of current logged in user (the owner of /dev/console).
# This method breaks if you allow multiple accounts logged in.
USERNAME=$(ls -l /dev/console | awk '{print $3}')

# Ask Directory Services whether the user is already in the admin group.
membership=$(dsmemberutil checkmembership -U "$USERNAME" -G admin)
if [ "$membership" = "user is not a member of the group" ]; then
	# Add the user to the local admin group only when needed.
	/usr/sbin/dseditgroup -o edit -a "$USERNAME" -t user admin
fi
```

QSLogan
New Contributor II

This is pretty much the same as my solution, however I have the entire thing packed into one line via the Files and Processes > Execute Command, rather than a whole script: 

```bash
dseditgroup -o edit -a "$(who | awk '/console/{ print $1 }')" -t user admin
```

This is actively working for me and I've had no issues. I set it to run on login. 
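
A more defensive version of the approach in the two replies above, added here as an example and not code posted by anyone in the thread: it reads the console user from `scutil`, skips the accounts that own the console when nobody is logged in, and re-checks membership after the change so the policy log records the real outcome. The function names are illustrative, and it assumes the script runs as root from a Jamf policy.

```bash
#!/bin/bash
# Added example (not from the thread): promote the console user, then verify.

# Parse the top-level "Name" key from scutil ConsoleUser output on stdin.
console_user_from_scutil() {
    awk '$1 == "Name" && $2 == ":" { print $3; exit }'
}

# Reject accounts that own the console when no real user is logged in.
# _mbsetupuser is the Setup Assistant account seen during enrollment.
is_promotable() {
    case "$1" in
        ""|root|loginwindow|_mbsetupuser) return 1 ;;
        *) return 0 ;;
    esac
}

# True only for dsmemberutil's positive reply; errors count as "not a member".
is_member_reply() {
    [ "$1" = "user is a member of the group" ]
}

promote_console_user() {
    local user status
    user=$(echo "show State:/Users/ConsoleUser" | scutil | console_user_from_scutil)
    if ! is_promotable "$user"; then
        echo "No promotable console user (got '${user}'); retry after login." >&2
        return 1
    fi
    status=$(dsmemberutil checkmembership -U "$user" -G admin)
    if ! is_member_reply "$status"; then
        /usr/sbin/dseditgroup -o edit -a "$user" -t user admin || return 1
        status=$(dsmemberutil checkmembership -U "$user" -G admin)
    fi
    # Verify instead of assuming success, so the policy log shows the truth.
    if ! is_member_reply "$status"; then
        echo "FAILED: ${user} is still not in admin (${status})" >&2
        return 1
    fi
    echo "OK: ${user} is a member of admin"
}

# Only act on a Mac; a non-zero status marks the policy run as failed.
if command -v dseditgroup >/dev/null 2>&1; then
    promote_console_user
fi
```

A non-zero exit makes the failure visible in the policy log, which the `exit 0` in the original script hides.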

lowergm
New Contributor

There could be several reasons why you are unable to make a user an admin on some devices via a script. Here are a few things you can check:

  1. Permissions: Make sure the user running the script has the necessary permissions to make changes to the devices. They may need to be added to the local administrators group on each device.

  2. Script errors: Check the script for any errors that may be preventing it from running correctly. Make sure the syntax is correct and all variables are properly defined.

  3. Device configuration: Verify that the devices are configured correctly and allow for remote administration. Some devices may require additional configuration to allow remote access.

  4. Firewall settings: Check the firewall settings on the devices to ensure that they are not blocking the script from running.

  5. Antivirus software: Some antivirus software may block scripts from running. Check the antivirus settings to see if they are blocking the script.

If none of these solutions work, you may need to troubleshoot further or seek additional assistance.

jerrymark
New Contributor

Here are some general steps and considerations you can follow to troubleshoot the problem:

1. **Script and Permissions:**
- Ensure that the script you're using has the necessary permissions to make a user an admin. Administrative actions typically require elevated privileges.
- Check if the script is written correctly and doesn't have any syntax errors that might be preventing it from functioning as intended.

2. **Device-Specific Issues:**
- Different operating systems (Windows, macOS, Linux) have different methods for managing user accounts and privileges. Make sure the script is compatible with the operating system on each device.
- Verify that the user account you're trying to make an admin actually exists on the device.
- Check if the user account has the necessary permissions to become an admin. Some systems might have additional requirements or restrictions.

3. **Error Messages:**
- If you're encountering error messages, read them carefully to understand the issue. Error messages often provide valuable information about what went wrong.
- Search online for the specific error message to find solutions that others might have used to resolve the same issue.

4. **Debugging:**
- Add logging statements to your script to track its progress and identify where it might be failing.
- Break down the script into smaller sections and test each section individually. This can help pinpoint the exact step where the issue occurs.

5. **User Interaction:**
- Some systems might require user interaction (such as entering passwords) to make a user an admin. Ensure that the script is designed to handle such interactions, if necessary.

6. **Security Software:**
- Antivirus or security software might interfere with administrative actions. Temporarily disable such software to see if it's causing the issue.

7. **Documentation and Resources:**
- Consult the documentation for the specific devices and operating systems you're working with. There might be specific guidelines or commands you need to follow.
- Search online forums, communities, and support pages for similar issues. Others might have encountered the same problem and found solutions.

8. **Testing:**
- Test the script on a small scale first, on a device where you can afford to make changes without causing significant issues.
- Once you've identified and resolved the issue, gradually scale up to other devices.

If you can provide more specific details about the devices, operating systems, script, and any error messages you're encountering, I can offer more targeted assistance.