We created user accounts and deployed the devices for new employees, but upon review, we realized the accounts were mistakenly given administrator privileges. The issue with these privileges is that we’re concerned users might change device settings or remove device management, which is very concerning for us. Additionally, some employees are working remotely, and we don’t have the feasibility to bring their devices to the office. Can anyone assist us with this as it’s an urgent priority?
Need to change the user account from Admin to Standard roleSolved
Replies (5)
Hello @pauel,
Thanks for reaching out. No worries, we have a solution that works for both macOS and Windows devices. Follow the below steps to change the role of a user account:
- Navigate to the Manage tab.
- Click on the device for which you want to change the user’s role.
- Go to the Local Accounts tab and click on the user whose role you want to change. You can also change the user role by clicking on the three horizontal dots next to the respective user.
- Click Actions and select the Change User Role option.
- Click Change, then enter your Hexnode UEM portal password to confirm the role change.
You can follow the same steps for both macOS and Windows devices.
For more information, refer to the help documentation for managing user accounts on Mac and managing local user accounts on Windows.
If you still have any queries, you know where to find us😌.
Cheers,
John Cooper
Hexnode UEM
Thanks for the swift response. I know it’s a big ask, but is there any way I can change the user roles by selecting all devices, like a bulk action?
Currently, it’s not possible to perform this action as a bulk user action. We encourage you to keep sharing your ideas and suggestions with us on Hexnode Connect—your feedback is highly valued and appreciated.
Regards,
John Cooper
Hexnode UEM
Hey! I have some admin accounts on my Mac that need to be changed to standard accounts. Is there a Terminal command to do this on my enrolled devices besides the method mentioned above?
Hello @roosevelt! Yeah, you can definitely change the account role via the Terminal or use a custom script if you want to do it for multiple devices at once.
To downgrade an Admin account to a Standard account, you can execute the following command via the Live Terminal on enrolled devices:
1 |
sudo dscl . -delete /Groups/admin GroupMembership username |
Just replace “username” with the actual username of the account you want to downgrade.
Now, if you’re looking to do this in bulk, as @pauel previously asked, select your specific devices and run the following custom script via Execute Custom Script remote action. The accounts need to be logged in while running this script. Here’s the custom script to downgrade an account from Admin to Standard:
1 2 3 4 5 6 7 8 9 10 |
loggedInUser=$(/usr/bin/stat -f%Su "/dev/console") # Check if $loggedInUser has admin privileges. if /usr/bin/dscl . -read "/groups/admin" GroupMembership | /usr/bin/grep -q "$loggedInUser"; then # Remove admin privileges from $loggedInUser. /usr/sbin/dseditgroup -o edit -d "$loggedInUser" -t user admin /bin/echo "Admin privileges removed from $loggedInUser." else /bin/echo "$loggedInUser is not an admin, no action required." fi exit 0 |
If you want to revert the Standard role to an Admin, here’s the command and the custom script to use.
Terminal command:
1 |
sudo dscl . -append /Groups/admin GroupMembership username |
Custom Script:
1 2 3 4 5 6 7 8 9 10 |
loggedInUser=$(/usr/bin/stat -f%Su "/dev/console") # Grant admin privileges to $loggedInUser. if /usr/bin/dscl . -read "/groups/admin" GroupMembership | /usr/bin/grep -q "$loggedInUser"; then /bin/echo "$loggedInUser already has admin privileges, no action required." else # /usr/bin/dscl . -append "/groups/admin" GroupMembership "$loggedInUser" /usr/sbin/dseditgroup -o edit -a "$loggedInUser" -t user admin /bin/echo "Granted admin privileges to $loggedInUser." fi exit 0 |
Hope this helps! Let me know if you run into any issues during the process.
Regards,
Ben Clarke
Hexnode UEM