Script to remove Admin right on MAC.

New Contributor II

Hello Teams, kindly help me with a script to remove admin rights on some of our Macs managed by Jamf.


Valued Contributor II

Replace USERNAME with the username of the user you'd like to remove from Admin.

dseditgroup -o edit -d USERNAME -t user admin

New Contributor

Hey, I get the error "username and password must be provided".

New Contributor II

Thank you boss for this. However, I need this script to remove admin rights from all our Mac users.

Valued Contributor II

If you only have one user per machine, you can use this:


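# Get the user currently logged in at the console (ignores loginwindow)
LoggedInUser=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }')

# Remove that user from the local admin group
dseditgroup -o edit -d "$LoggedInUser" -t user admin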

New Contributor II

Thank you very much, I really appreciate this.

Valued Contributor

@DBrowning Thank you, Dennis!

What would be a command to change Standard user to Admin, please?

Valued Contributor II

Change the -d to -a

dseditgroup -o edit -a "$LoggedInUser" -t user admin

Valued Contributor

Thank you sir!

Contributor III

You could also use something like this to account for service accounts and also monitor if a user elevates rights on another account while promoted as an admin.

#for SelfService to escalate user to gain admin privileges for 30 minutes.
currentUser=$(who | awk '/console/{print $1}')
#Notify user
osascript -e 'display dialog "You now have administrative rights for 30 minutes." buttons {"Ok"} default button 1'
#if the LaunchDaemon is running, unload it to "reset" the timer
#if it does not exist, create it!
if test -f /Library/LaunchDaemons/removeAdmin.plist; then
    launchctl unload /Library/LaunchDaemons/removeAdmin.plist
else
    sudo defaults write /Library/LaunchDaemons/removeAdmin.plist Label -string "removeAdmin"
    sudo defaults write /Library/LaunchDaemons/removeAdmin.plist ProgramArguments -array -string /bin/sh -string "/Library/Application Support/JAMF/"
    sudo defaults write /Library/LaunchDaemons/removeAdmin.plist StartInterval -integer 1800
    sudo defaults write /Library/LaunchDaemons/removeAdmin.plist RunAtLoad -boolean yes
    sudo chown root:wheel /Library/LaunchDaemons/removeAdmin.plist
    sudo chmod 644 /Library/LaunchDaemons/removeAdmin.plist
fi
#load the daemon again! (or for the first time)
launchctl load /Library/LaunchDaemons/removeAdmin.plist
#just in case your pc is slow
sleep 10
#give user Admin rights
/usr/sbin/dseditgroup -o edit -a "$currentUser" -t user admin
#Create the RemoveAdminScript to be run in 30 minutes (1800 secs)
cat << 'EOF' > /Library/Application\ Support/JAMF/
#initiate list of admins
admins=()
for username in $(dscl . list /Users UniqueID | grep -vw yourserviceadmin | grep -vw jamfmanagementaccount | awk '$2 > 500 { print $1 }'); do
    if [[ $(dsmemberutil checkmembership -U "${username}" -G admin) != *not* ]]; then
        admins+=("${username}")
    fi
done
#remove all admins
for admin in "${admins[@]}"; do
    /usr/sbin/dseditgroup -o edit -d "$admin" -t user admin
done
EOF
exit 0

A few other admins and I combined this together. Note you don't want to accidentally demote your management account, so account for that and TEST, TEST, TEST before pushing out to everyone. We have a group of users called test pilots, and our change process looks like this: Apple Endpoint Team Test Devices -> IT Team -> Security/TechOps -> Test Pilots (Mix of every dept in case the previous teams miss something) -> GA release. Usually, we do them in weekly intervals but sometimes have combined a few when they are less impacting apps/changes.

Contributor II

Question to you guys.
I just tested the script from @DBrowning right now a few times. It is working fine and it removes the admin rights for my testuser on my testmacbook.

I saw in a few other threads here that removing admin rights can bring some trouble. For example, that every user is losing his admin rights.
I checked this behaviour on my testmac and I do not see any impact on my hidden ADE admin account or the mgmt account from UIE.

I logged in to my testmacbook with my hidden ADE account and it's still admin.

I also tested some commands: sudo jamf recon, sudo jamf manage, sudo jamf policy (via terminal when using my downgraded account), and everything is working.

So I am just a bit confused about this, and soon we will start to remove admin rights on MacBooks for our users.

The threads I mean are, for example, these two:

Re: Remove Local Admin Access - Jamf Nation Community - 230715

Re: Removing Local Admin Privilege using a Script - Jamf Nation Community - 284250

Appreciate any helpful tip.

THX in advance

Valued Contributor II

Those other posts have loops that remove admin rights from anyone other than the usernames listed in the loop conditions. If you use the commands I have above, rights will only be removed from the logged in user.
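
Added example, not written by any poster in this thread: a loop-based demotion with the safeguards discussed above, namely an exclusion list for the management and service accounts (the two names are the ones from the script earlier in the thread), the UID > 500 filter, and a dry run by default. The function names, the `DRY_RUN` variable and the `--run` argument are assumptions of this example.

```shell
#!/bin/bash
# Added example. Accounts that must never be demoted; the two names are the
# ones excluded in the thread's script, replace them with your own.
PROTECTED="yourserviceadmin jamfmanagementaccount"
DRY_RUN="${DRY_RUN:-1}"   # assumption: 1 = report only, 0 = change membership

# Reads "name uid" lines (the output format of `dscl . list /Users UniqueID`)
# on stdin and prints the accounts that should lose admin rights.
# $1 is the command used to test admin membership (exit 0 = is admin).
select_demotions() {
    while read -r sd_name sd_uid; do
        [ -n "$sd_name" ] || continue                        # blank line
        case "$sd_uid" in ''|*[!0-9]*) continue ;; esac      # malformed UID
        [ "$sd_uid" -gt 500 ] || continue                    # system accounts
        case " $PROTECTED " in *" $sd_name "*) continue ;; esac
        "$1" "$sd_name" || continue                          # already standard
        printf '%s\n' "$sd_name"
    done
}

# Membership test on macOS, same dsmemberutil check as in the thread.
is_admin_macos() {
    case "$(dsmemberutil checkmembership -U "$1" -G admin)" in
        *not*) return 1 ;;
        *)     return 0 ;;
    esac
}

demote() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "would remove $1 from admin"
    else
        /usr/sbin/dseditgroup -o edit -d "$1" -t user admin
    fi
}

# Acts only on macOS and only when called with --run (hypothetical argument).
if [ "$(uname)" = Darwin ] && [ "${1:-}" = "--run" ]; then
    dscl . list /Users UniqueID | select_demotions is_admin_macos |
        while read -r account; do demote "$account" </dev/null; done
fi
```

Run it with `--run` on a test Mac first and read the "would remove" lines; set `DRY_RUN=0` only once that list contains no management or service account.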