mirror of
https://github.com/MLBZ521/MacAdmin.git
synced 2026-02-03 14:03:26 +00:00
v1.1.0 = Bug Fix and other improvements
+ Fixed an issue when parsing through accounts passed via argument 4 + Improved the comparison for local admins and protected admins (made this more reliable/safe) + Should prevent accounts with substrings of one another from matching
This commit is contained in:
Zack T
@@ -3,7 +3,7 @@
|
||||
###################################################################################################
|
||||
# Script Name: Remove-LocalAdminRights.sh
|
||||
# By: Zack Thompson / Created: 2/14/2020
|
||||
# Version: 1.0.0 / Updated: 2/14/2020 / By: ZT
|
||||
# Version: 1.1.0 / Updated: 7/20/2020 / By: ZT
|
||||
#
|
||||
# Description: This script removes local accounts from the local admin group; accounts that are
|
||||
# desired to be in the group are be specified from the Jamf Pro script parameter 4
|
||||
@@ -28,28 +28,28 @@ protected_admins+=("root")
|
||||
|
||||
# If parameters were provided, loop through them.
|
||||
if [[ -n $4 ]]; then
|
||||
IFS=", " read accounts <<< $4
|
||||
IFS="," read -a accounts <<< "${4}"
|
||||
|
||||
for account in $accounts; do
|
||||
protected_admins+=("${account}")
|
||||
for account in "${accounts[@]}"; do
|
||||
protected_admins+=("${account## }")
|
||||
done
|
||||
fi
|
||||
|
||||
# Check the local environment and remove the proper account
|
||||
if [[ -e "/Library/Preferences/com.jamfsoftware.jamf.plist" ]]; then
|
||||
jss_url=$( /usr/bin/defaults read "/Library/Preferences/com.jamfsoftware.jamf" jss_url )
|
||||
jss_url=$( /usr/bin/defaults read "/Library/Preferences/com.jamfsoftware.jamf" jss_url )
|
||||
|
||||
if [[ "${jss_url}" == "${prod}" ]]; then
|
||||
protected_admins+=("${prod_jma}")
|
||||
elif [[ "${jss_url}" == "${dev}" ]]; then
|
||||
protected_admins+=("${dev_jma}")
|
||||
else
|
||||
echo "ERROR: Unknown Jamf Pro environment!"
|
||||
exit 2
|
||||
fi
|
||||
if [[ "${jss_url}" == "${prod}" ]]; then
|
||||
protected_admins+=("${prod_jma}")
|
||||
elif [[ "${jss_url}" == "${dev}" ]]; then
|
||||
protected_admins+=("${dev_jma}")
|
||||
else
|
||||
echo "ERROR: Unknown Jamf Pro environment!"
|
||||
exit 2
|
||||
fi
|
||||
else
|
||||
echo "ERROR: Issue with the Jamf Framework!"
|
||||
exit 1
|
||||
echo "ERROR: Issue with the Jamf Framework!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
##################################################
|
||||
@@ -58,7 +58,8 @@ fi
|
||||
exit_code=0
|
||||
|
||||
# Get a list of the current admin group
|
||||
admin_users=$( /usr/bin/dscl . -read Groups/admin GroupMembership | /usr/bin/awk -F "GroupMembership: " '{print $2}' )
|
||||
admin_users=$( /usr/bin/dscl . -read Groups/admin GroupMembership | \
|
||||
/usr/bin/awk -F "GroupMembership: " '{print $2}' )
|
||||
|
||||
# For verbosity in the policy log
|
||||
echo "The following accounts are in the local admin group:"
|
||||
@@ -67,37 +68,42 @@ for user in $admin_users; do
|
||||
done
|
||||
|
||||
# Loop through the admin users
|
||||
for user in $admin_users; do
|
||||
for local_user in $admin_users; do
|
||||
|
||||
echo -e "${user} - "
|
||||
echo -e "${local_user} - "
|
||||
|
||||
# Check if the admin user is a protected_admin
|
||||
if [[ "${protected_admins[*]}" == *"${user}"* ]]; then
|
||||
for protected_admin in "${protected_admins[@]}"; do
|
||||
|
||||
# Remove user from the admin group
|
||||
/usr/sbin/dseditgroup -o edit -d "${user}" -t user admin
|
||||
exit_code_check=$?
|
||||
if [ "${protected_admin}" == "${local_user}" ] ; then
|
||||
|
||||
# Remove user from the admin group
|
||||
/usr/sbin/dseditgroup -o edit -d "${local_user}" -t user admin
|
||||
exit_code_check=$?
|
||||
|
||||
# Check if the removal was successful
|
||||
if [ $exit_code_check == "0" ]; then
|
||||
echo "removed from admin group"
|
||||
else
|
||||
echo "FAILED to remove from admin group"
|
||||
exit_code=1
|
||||
fi
|
||||
|
||||
# Check if the removal was successful
|
||||
if [ $exit_code_check == "0" ]; then
|
||||
echo "removed from admin group"
|
||||
else
|
||||
echo "FAILED to remove from admin group"
|
||||
exit_code=1
|
||||
echo "protected admin"
|
||||
fi
|
||||
|
||||
else
|
||||
echo "protected admin"
|
||||
fi
|
||||
done
|
||||
|
||||
done
|
||||
|
||||
# Get an updated list of the local admin group
|
||||
updatedLocalAdminGroup=$( /usr/bin/dscl . -read Groups/admin GroupMembership | /usr/bin/awk -F "GroupMembership: " '{print $2}' )
|
||||
updated_local_admin_group=$( /usr/bin/dscl . -read Groups/admin GroupMembership | \
|
||||
/usr/bin/awk -F "GroupMembership: " '{print $2}' )
|
||||
|
||||
# For verbosity in the policy log
|
||||
echo "Updated local admin group:"
|
||||
for user in $updatedLocalAdminGroup; do
|
||||
for user in $updated_local_admin_group; do
|
||||
echo " - ${user}"
|
||||
done
|
||||
|
||||
|
||||
Reference in New Issue
Block a user