Hi,
what’s the best practice for disabling root account in macOS?
Script and Policy sound about right but what does everyone else use?
I used an old script that was pushed out:
#!/bin/bash
# Parameters
mgmtAccount="admin" # Required; Example: so_and_so_admin
# Variables
# Read the admin group's membership line ("GroupMembership: root admin ...") and drop the attribute name
userList=$(/usr/bin/dscl . read /Groups/admin GroupMembership | /usr/bin/cut -d " " -f 2-)
# Exit out if we don't have our parameters set
[[ -z "$mgmtAccount" ]] && echo "No management account specified to ignore; exiting." && exit 1
# Loop through each user and demote them, skipping root and the Jamf Pro management account specified
for userName in $userList; do
    if [[ "$userName" != "root" ]] && [[ "$userName" != "$mgmtAccount" ]]; then
        /usr/sbin/dseditgroup -o edit -d "$userName" admin
        echo "Account $userName had admin privileges removed."
    fi
done
exit 0
If you want to disable the 'root' user (uid 0), the following code will do just that. If instead you are trying to disable elevated privileges for admin users, then @BWonderchild's script would do.
#!/bin/bash
DSCL_BIN=$(which dscl)
# Read root user authentication authority from local domain using the DSCL command line.
# grep exits 1 when the attribute is absent; all output is discarded and only the exit status is kept.
rootEnableCheck="$("$DSCL_BIN" . read /Users/root | grep AuthenticationAuthority > /dev/null 2>&1 ; echo $?)"
if [ "${rootEnableCheck}" == 1 ]; then
echo "No root user enabled"
else
echo "Deleting the Authentication Authority for root user"
# Without an AuthenticationAuthority the root record has no way to authenticate, so it cannot log in
"$DSCL_BIN" . delete /Users/root AuthenticationAuthority
fi
exit 0
You the real MVP
This was a good starting point for me, so thank you. I just had to do a couple of tweaks so it would run (adding a # to the shebang, commenting out 'Parameters' and 'Variables', changing the line spacing a little).
I can confirm the below is working to demote all users, except the ones you exclude (mgmtAccount variable), in the latest Monterey (12.5).
#!/bin/bash
#Parameters
#Required; Example: so_and_so_admin
mgmtAccount=Administrator
#Variables
userList=$(/usr/bin/dscl . read /Groups/admin GroupMembership | /usr/bin/cut -d " " -f 2-)
#Exit out if we don't have our parameters set
[[ -z "$mgmtAccount" ]] && echo "No management account specified to ignore; exiting." && exit 1
#Loop through each user and demote them, skipping root and the Jamf Pro management account specified
for userName in $userList; do
    if [[ "$userName" != "root" ]] && [[ "$userName" != "$mgmtAccount" ]]; then
        /usr/sbin/dseditgroup -o edit -d "$userName" admin
        echo "Account $userName had admin privileges removed."
    fi
done
exit 0
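Before pushing either script to a fleet, it helps to see what it would change. The helper below is my own added example, not code from anyone in this thread: it parses the same dscl record output the posted scripts rely on, reports whether root still has an AuthenticationAuthority, lists which admin-group members would be demoted, and only calls dseditgroup when run with --enforce. The MGMT_ACCOUNT environment variable and the --demo sample records are assumptions of this example.

```bash
#!/bin/bash
# Added example, not from the thread: audit what the posted scripts change before running them.
# Pure helpers parse dscl record output; the live audit calls dscl only when asked to.
# Assumes the same rule as the posted demotion script: keep "root" and one management account.

# From the output of `dscl . read /Groups/admin GroupMembership`, print the members that
# would be demoted, one per line (everyone except root and the management account).
admins_to_demote() {
    local membership="$1" mgmt="$2" user
    for user in $(printf '%s\n' "$membership" | sed -n 's/^GroupMembership: *//p'); do
        [ "$user" = "root" ] && continue
        [ "$user" = "$mgmt" ] && continue
        printf '%s\n' "$user"
    done
}

# From the output of `dscl . read /Users/root`, print 1 if root carries an
# AuthenticationAuthority (login possible), 0 if the attribute is absent (disabled).
root_is_enabled() {
    printf '%s\n' "$1" | grep -q '^AuthenticationAuthority:' && echo 1 || echo 0
}

# Report root status and pending demotions; demote only in enforce mode.
run_audit() {
    local mgmt="$1" mode="$2" user
    command -v dscl >/dev/null 2>&1 || { echo "dscl not found; live audit needs macOS" >&2; return 2; }
    echo "root login enabled: $(root_is_enabled "$(dscl . read /Users/root 2>/dev/null)")"
    admins_to_demote "$(dscl . read /Groups/admin GroupMembership)" "$mgmt" | while read -r user; do
        if [ "$mode" = enforce ]; then
            /usr/sbin/dseditgroup -o edit -d "$user" -t user admin && echo "demoted: $user"
        else
            echo "would demote: $user"
        fi
    done
}

case "${1:-}" in
    --report|--enforce) run_audit "${MGMT_ACCOUNT:-admin}" "${1#--}" ;;
    --demo)  # constructed sample records, so the logic can be exercised off a Mac
        echo "root login enabled: $(root_is_enabled "$(printf 'RecordName: root\nAuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>')")"
        admins_to_demote "GroupMembership: root admin jdoe Administrator" "Administrator" | sed 's/^/would demote: /' ;;
esac
```

Run as `sudo MGMT_ACCOUNT=Administrator ./audit.sh --report` on a test Mac first; `--enforce` is the only mode that modifies the admin group.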