Skip to main content

Hello All,

Our machines are all mobile accounts vs local accounts.
we have 1 local account that we want to retain admin access for, but all other mobile accounts and local accounts need to be standard accounts.

ive read some of the other threads and tried their options but i believe them to be for local - tested here and a user could install an app without IT intervention.

We arent tied in to AD, so we cant use their info.
the only tie-in to AD is a script that gets run to get their info from AD , but its not constant no live.

bonus points for a script that allows temporary access for execs/named individuals

below is the tested script, that doesnt work.

!/bin/sh

IFS=$' ' declare -a localusers=($(dscl . list /Users UniqueID | grep -v namedadminaccount | awk '$2 >= 500 && $2 < 1000 {print $1}')) unset IFS

for i in "${localusers[@]}" do /usr/sbin/dseditgroup -o edit -n /Local/Default -d $i -t "user" "admin" done

EDIT: is this broken becase dscl needs LDAP binding?!?!

Your issue is with the awk. Remove the check that limits the UIDs to less than 1000, since you are probably using accounts with much higher UIDs mapped to Active Directory. Keep the > 500 so you aren't affecting service accounts required by the OS.

Beyond that, mobile accounts are local accounts for all intents and purposes.

Try this:

#!/bin/sh

IFS=$'
'
declare -a localusers=($(dscl . list /Users UniqueID | grep -v namedadminaccount | awk '$2 >= 500 {print $1}'))
unset IFS

for i in "${localusers[@]}"; do
    echo "Demoting $i to standard user"
    /usr/sbin/dseditgroup -o edit -n /Local/Default -d $i -t "user" "admin"
done

is there a better option? i havent come across a few options but looking for something easier to maintain.

that being said, how would you script this to allow for, say, 1hr of admin access then automatically reverting? i dont want the user to have to go back to self service to undo the admin and hope for them to keep it honest, however, i would like them to go to SS to get admin access (but keep it automated)

i figure the process would go: open ticket > approval > assign to SS > confirm in logs its been run > remove user from policy

lastly, for the line: /usr/sbin/dseditgroup -o edit -n /Local/Default -d $i -t "user" "admin"

can you break down the user / admin part for me please?

thanks!

I use a bash script to make users admin (as needed). This will make the user Admin right away, without logging out / in.

The command line looks like this;

!/bin/bash

userName=ls -l /dev/console | cut -d " " -f 4

add user to Admin group

dscl . -append /Groups/admin GroupMembership $userName

To remove them you can use:
dscl . -delete /Groups/admin GroupMembership $userName

I actually have the script setup to run for 5 minutes and then remove the User. So basically, if approved, they get the "Temp Admin Rights" policy in Self Service. When they run it, it will give them Admin rights for 5 minutes and then remove them.

dscl requires LDAP access ya?

our JSS doesnt have LDAP attached, but we do have a script that searches out LDAP info.

@alexjdale

heres an image of the effect - i replaced named admin with our admin name but it still revokes its access.
i can tell script works since im running this through SSH on another machine and that _admin account got its admin rights removed too.

i verified on my machine which has never had this script run on and my account says admin: yes.

is there another variable im missing that i need to change?

thanks!

Terms & ConditionsCookie settingsAccessibility statement