Removing Local admin privileges on existing machines

rbingham917
New Contributor III

Hi Nation members-

I'm having a bit of a problem trying to conceptualize this, and maybe one of you can help me. It was decreed from on high that we will not be granting local admin privileges unless you are a member of a specific AD group. I am using a small dseditgroup script to apply admin privileges on the machines, that part works.

The issue I am facing is I have some people who had the local administrator rights from the get-go, in violation of that policy, so I will need to make a script to check if they are a member of said group, then remove their admin privileges until they fill out the proper forms and get added to the group.

I have a good idea of what I want to do, but I can't figure it out :(

Thanks


mm2270
Legendary Contributor III

Can you post the existing dseditgroup script you have now? We can probably use it as a basis and help you tweak it to determine if the logged in user is part of that group and take the appropriate action(s).

rbingham917
New Contributor III

It's a simple one-liner:

dseditgroup -o edit -a macadmins -t group admin
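As an added example (not the poster's script and not Jamf's), here is one way to combine that dseditgroup call with the group check the question asks for: look up the console user's membership in the authorizing AD group with dsmemberutil and demote only when the lookup positively says "not a member", so an unreachable domain controller never strips admin rights by accident. It assumes an AD-bound Mac; the AD group name and the keep list are placeholders to replace.

```shell
#!/bin/bash
# Added example, not the poster's script. Demotes the console user from the local
# admin group unless Directory Services says they belong to the authorizing AD group.
# Assumes an AD-bound Mac; the group name and the keep list are placeholders.
AUTHORIZED_GROUP="${AUTHORIZED_GROUP:-Mac-Admins}"   # placeholder AD group name
KEEP_ADMINS="root ITadmin"                           # local accounts never demoted

# Classify one line of `dsmemberutil checkmembership` output as
# member / nonmember / unknown, so a failed lookup is never read as "not a member".
classify_membership() {
    case "$1" in
        *"is not a member"*) echo nonmember ;;
        *"is a member"*)     echo member ;;
        *)                   echo unknown ;;
    esac
}

# Decide the action for a user. $1: user, $2: classification against the AD group,
# $3: classification against the local admin group. Prints demote or keep.
decide_action() {
    local user="$1" ad="$2" localadmin="$3"
    case " $KEEP_ADMINS " in *" $user "*) echo keep; return ;; esac
    if [ "$localadmin" = member ] && [ "$ad" = nonmember ]; then
        echo demote
    else
        echo keep    # authorized, not an admin anyway, or lookup failed (fail safe)
    fi
}

# macOS-only part: query Directory Services for the console user and act.
enforce_for_console_user() {
    local user ad localadmin
    user=$(stat -f '%Su' /dev/console)
    ad=$(classify_membership "$(dsmemberutil checkmembership -U "$user" -G "$AUTHORIZED_GROUP" 2>/dev/null)")
    localadmin=$(classify_membership "$(dsmemberutil checkmembership -U "$user" -G admin 2>/dev/null)")
    case $(decide_action "$user" "$ad" "$localadmin") in
        demote) dseditgroup -o edit -d "$user" -t user admin && echo "$user demoted" ;;
        keep)   echo "$user left as is (AD group: $ad, local admin: $localadmin)" ;;
    esac
}

# Only touch the directory when actually running on a Mac (e.g. from a Jamf policy).
if [ "$(uname)" = Darwin ]; then
    enforce_for_console_user
fi
```

Run it as root from the management framework; the decision functions can be exercised on any shell without touching Directory Services.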

sgoetz
Contributor

Hey @rbingham917

We had to remove admin rights as well. This is the script I used:

# Accounts to keep as admins; replace ITadmin with the accounts you want to keep
keepAdmins="root ITadmin"

# Current members of the local admin group, with the "GroupMembership:" label stripped
adminUsers=$(dscl . read /Groups/admin GroupMembership | sed 's|GroupMembership:||')

for i in $adminUsers
    do
        # Skip keep-list accounts by whole name, so "root" never matches e.g. "groot"
        case " $keepAdmins " in *" $i "*) continue ;; esac
        dseditgroup -o edit -d "$i" -t user admin
        echo "$i demoted"
    done

The ITadmin names you will want to replace with the admin accounts you want to keep.

Hope that helps out

Shawn