From 8396980b971750e95ede52a9dadb59b1038ce397 Mon Sep 17 00:00:00 2001
From: Zack T <MLBZ521@gmail.com>
Date: Mon, 29 Nov 2021 22:24:23 -0700
Subject: [PATCH] v1.0.0 = Initial Version

Initial Version
---
 Jamf Pro/Scripts/Remove-LocalAdminRights.sh | 105 ++++++++++++++++++++
 1 file changed, 105 insertions(+)
 create mode 100644 Jamf Pro/Scripts/Remove-LocalAdminRights.sh

diff --git a/Jamf Pro/Scripts/Remove-LocalAdminRights.sh b/Jamf Pro/Scripts/Remove-LocalAdminRights.sh
new file mode 100644
index 0000000..3c0bec6
--- /dev/null
+++ b/Jamf Pro/Scripts/Remove-LocalAdminRights.sh	
@@ -0,0 +1,105 @@
+#!/bin/bash
+
+###################################################################################################
+# Script Name:  Remove-LocalAdminRights.sh
+# By:  Zack Thompson / Created:  2/14/2020
+# Version:  1.0.0 / Updated:  2/14/2020 / By:  ZT
+#
+# Description:  This script removes local accounts from the local admin group; accounts that are 
+# 		desired to be in the group are be specified from the Jamf Pro script parameter 4
+#
+###################################################################################################
+
+echo "*****  Remove-LocalAdminRights Process:  START  *****"
+
+##################################################
+# Define Variables
+
+prod="https://prod.jps.server.com:8443/"
+prod_jma="jma"
+dev="https://dev.jps.server.com:8443/"
+dev_jma="jmadev"
+
+##################################################
+# Build protected_admins array
+
+protected_admins=()
+protected_admins+=("root")
+
+# If parameters were provided, loop through them.
+if [[ -n $4 ]]; then
+	IFS=", " read accounts <<< $4
+
+	for account in $accounts; do
+		protected_admins+=("${account}")
+	done
+fi
+
+# Check the local environment and remove the proper account
+if [[ -e "/Library/Preferences/com.jamfsoftware.jamf.plist" ]]; then
+    jss_url=$( /usr/bin/defaults read "/Library/Preferences/com.jamfsoftware.jamf" jss_url )
+
+    if [[ "${jss_url}" == "${prod}" ]]; then
+        protected_admins+=("${prod_jma}")
+    elif [[ "${jss_url}" == "${dev}" ]]; then
+        protected_admins+=("${dev_jma}")
+    else
+        echo "ERROR:  Unknown Jamf Pro environment!"
+        exit 2
+    fi
+else
+    echo "ERROR:  Issue with the Jamf Framework!"
+    exit 1
+fi
+
+##################################################
+# Bits staged...
+
+exit_code=0
+
+# Get a list of the current admin group
+admin_users=$( /usr/bin/dscl . -read Groups/admin GroupMembership | /usr/bin/awk -F "GroupMembership: " '{print $2}' )
+
+# For verbosity in the policy log
+echo "The following accounts are in the local admin group:"
+for user in $admin_users; do
+	echo " - ${user}"
+done
+
+# Loop through the admin users
+for user in $admin_users; do
+
+	echo -e "${user} - "
+
+	# Check if the admin user is a protected_admin
+	if [[ "${protected_admins[*]}" == *"${user}"* ]]; then
+
+		# Remove user from the admin group
+		/usr/sbin/dseditgroup -o edit -d "${user}" -t user admin
+		exit_code_check=$?
+
+		# Check if the removal was successful
+		if [ $exit_code_check == "0" ]; then
+			echo "removed from admin group"
+		else
+			echo "FAILED to remove from admin group"
+			exit_code=1
+		fi
+
+	else
+		echo "protected admin"
+	fi
+
+done
+
+# Get an updated list of the local admin group
+updatedLocalAdminGroup=$( /usr/bin/dscl . -read Groups/admin GroupMembership | /usr/bin/awk -F "GroupMembership: " '{print $2}' )
+
+# For verbosity in the policy log
+echo "Updated local admin group:"
+for user in $updatedLocalAdminGroup; do
+	echo " - ${user}"
+done
+
+echo "*****  Remove-LocalAdminRights Process:  COMPLETE  *****"
+exit $exit_code
\ No newline at end of file