Unable to make user admin on some devices via script

ML_BM
New Contributor

We are using a policy with a script to make the currently signed in user an admin. We have tried both normal commands for making a user an admin but only certain test devices actually make the user an admin. We are in the process of wiping our devices multiple times a day to test the Pre-stage enrollment and this seems to be one of the few hang ups. 
For reference, this is the script we are using that works on some devices but not all:

```bash
#!/bin/bash
# Username of whoever holds the console (empty if nobody is logged in)
currentUser=$(who | awk '/console/{print $1}')
# Append that user to the local admin group (quoted so an empty value fails loudly)
sudo dscl . -append /Groups/admin GroupMembership "$currentUser"
exit 0
```

Sometimes it will work and make the account admin but then when we restart the device it will go back to being standard. No amount of re-running this script or a similar one will get it to work after the initial try if it's successful either. Is there any chance there is some sort of cache or file somewhere that maybe tells the Mac that a user belongs to the Standard section that needs to be erased or appended to get rid of the current user so that it doesn't keep the user standard? I haven't found a similar issue among the discussions on this site so far.


Hilton221
New Contributor II

This security challenge has been exacerbated in recent years with worm-based malware targeting users with admin rights on a local workstation. The attack makes it easy to infect others in the network, especially as a lot of organizations switch off things like Windows Firewall. Now more than ever, there’s a need to find a balance between the security of your Windows workstation estate, and local administrative autonomy. 


Thanks,
Hilton221

AtillaTheC
Contributor II

We leverage this script but I haven't tested it in a while.

```bash
#!/bin/bash

# Get username of current logged in user
# This method breaks if you allow multiple accounts logged in.
USERNAME=$(ls -l /dev/console | awk '{print $3}')

# dsmemberutil prints "user is a member of the group" or "user is not a member of the group"
membership=$(dsmemberutil checkmembership -U "$USERNAME" -G admin)
if [ "$membership" = "user is not a member of the group" ]; then
	/usr/sbin/dseditgroup -o edit -a "$USERNAME" -t user admin
fi
```

QSLogan
New Contributor II

This is pretty much the same as my solution, however I have the entire thing packed into one line via the Files and Processes > Execute Command, rather than a whole script: 

```bash
dseditgroup -o edit -a "$(who | awk '/console/{ print $1 }')" -t user admin
```

This is actively working for me and I've had no issues. I set it to run on login.
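As an added example (not from any poster in this thread), a version of the same idea that resolves the console user via `scutil`, does nothing when only the login window or the Setup Assistant account (`_mbsetupuser`) holds the console, and re-checks group membership after the change instead of trusting the exit status. The two parsing helpers take the tool output as an argument, so they can be exercised with constructed strings on any platform; the live path assumes macOS with `scutil`, `dsmemberutil` and `dseditgroup`.

```shell
#!/bin/bash
# Added example, not from the thread. Assumes macOS tools scutil,
# dsmemberutil and dseditgroup; the two parsing helpers take the tool
# output as an argument so they can be tested with constructed strings.

# Map `scutil` ConsoleUser output to a username, or print nothing when
# the console is held by the login window or the Setup Assistant account
# (_mbsetupuser), which is the state right after a wipe / pre-stage.
console_user_from_scutil() {
    name=$(printf '%s\n' "$1" | awk '/^ *Name : /{print $3; exit}')
    case "$name" in
        ""|loginwindow|_mbsetupuser) return 0 ;;
        *) printf '%s\n' "$name" ;;
    esac
}

# Interpret `dsmemberutil checkmembership` output: 0 = member,
# 1 = not a member, 2 = unexpected text (also treated as "not confirmed").
is_member() {
    case "$1" in
        "user is a member of the group")     return 0 ;;
        "user is not a member of the group") return 1 ;;
        *)                                   return 2 ;;
    esac
}

# Idempotently add $1 to admin and confirm the membership afterwards.
ensure_admin() {
    user="$1"
    if is_member "$(dsmemberutil checkmembership -U "$user" -G admin)"; then
        echo "$user is already an admin"; return 0
    fi
    /usr/sbin/dseditgroup -o edit -a "$user" -t user admin || return 1
    # Re-check instead of trusting the exit status of dseditgroup.
    is_member "$(dsmemberutil checkmembership -U "$user" -G admin)"
}

main() {
    user=$(console_user_from_scutil "$(echo 'show State:/Users/ConsoleUser' | scutil)")
    if [ -z "$user" ]; then
        echo "no interactive console user; nothing to do" >&2
        return 0
    fi
    ensure_admin "$user"
}

# Only the live path depends on macOS; the helpers work anywhere.
if [ "$(uname)" = "Darwin" ]; then main; fi
```

Running it at login (as QSLogan does) rather than during enrollment means the console-user guard normally never fires; when it does, the log line tells you the policy ran before anyone was logged in.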