
makemeanadmin's Introduction

Make Me an Admin!

When run, this script lets a standard user promote themselves to admin for 30 minutes. It then captures a snapshot of the logs for the past 30 minutes so you can track what they did.

The script creates a launch daemon to handle demoting the user, so that no matter how many times they log out or shut down, after 30 minutes of uptime a script runs to remove their admin privileges.

It is recommended to push this script as a policy to Self Service, set to run only once per day.

Edits: If you wish to tailor the script to your own needs, here is where to make the changes.

User Prompt: Line 24 | Plain text
Default Message: You now have administrative rights for 30 minutes. DO NOT ABUSE THIS PRIVILEGE...
Default Button: "Make me an admin, please!"

Time Frame for Admin Rights: Line 39 | Integer in seconds
Default: 1800 (30 minutes)

Time Frame for logs to be pulled: Line 82 | String after the "--last" flag in minutes
Default: 30m

Location to save logs: Line 82 | String after the "--output" flag, must be a valid directory
Default: /private/var/userToRemove/$userToRemove.logarchive
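The design above depends on the demotion actually happening once the 30 minutes are up. The following post-window audit is an added example, not part of the makemeanadmin script: it flags accounts still in the admin group that are not on an allowlist, and reports leftover demotion artifacts. The two file paths are the ones named in the issue reports further down this page; the function names, the allowlist, the root-prefix argument and the sample line are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit after a time-boxed admin grant should have ended.
# Paths are those named on this page, relative to a root prefix so the
# check can also run against a mounted copy of the disk (assumption).
PLIST="Library/LaunchDaemons/removeAdmin.plist"
HELPER="Library/Application Support/JAMF/removeAdminRights.sh"

# Print admin-group members that are not on the allowlist.
# $1: the "GroupMembership: ..." line, on macOS obtained with
#     dscl . -read /Groups/admin GroupMembership
# $2: space-separated accounts that are allowed to remain admin
unexpected_admins() {
    members=${1#GroupMembership:}
    out=""
    for m in $members; do
        case " $2 " in
            *" $m "*) ;;                 # allowlisted, ignore
            *) out="${out:+$out }$m" ;;  # still admin, not expected
        esac
    done
    printf '%s\n' "$out"
}

# Print demotion artifacts still present under root prefix $1 (default /),
# separated by "|" because one of the paths contains a space.
leftover_artifacts() {
    root=${1:-}
    out=""
    for f in "$PLIST" "$HELPER"; do
        [ -e "$root/$f" ] && out="${out:+$out|}/$f"
    done
    printf '%s\n' "$out"
}

# Succeed only when no unexpected admin remains and nothing is left behind.
# $1: GroupMembership line, $2: allowlist, $3: root prefix
audit() {
    [ -z "$(unexpected_admins "$1" "$2")" ] &&
        [ -z "$(leftover_artifacts "$3")" ]
}

# Constructed sample: group membership as it might look after the window.
SAMPLE="GroupMembership: root itadmin jdoe"
```

Run from a management policy some time after the grant window, a non-zero status from `audit` marks the machine for follow-up.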

makemeanadmin's People

Contributors

krypted


makemeanadmin's Issues

Is it possible to customise specific groups?

Hello, I'm just curious if it's possible to add the user to an additional group. I'd like to create a separate policy for a specific user so they can be added to the Wheel group as well. Is it possible to do this in the script as it is?

Many thanks

Ian

Service start error at MSI installation (v2.3)

Hello Pseymour,

I try to install Make Me Admin v2.3 on a Windows 10 computer (version 1809) using the packaged MSI that was downloaded on Github/Releases. The installer copies all the files and fails to start the service. A dialog appears telling that the service could not be started, then, when hitting retry, it fails again. Cancelling the installation removes the binaries. The UI could start during installation, but gets removed after cancellation.

I activated MSI installer logging, this is the associated logfile:

MSI (s) (5C:3C) [10:43:32:556]: Invoking remote custom action. DLL: C:\Windows\Installer\MSI89F0.tmp, Entrypoint: ExecServiceConfig
MSI (s) (5C:C4) [10:43:32:557]: Generating random cookie.
MSI (s) (5C:C4) [10:43:32:560]: Created Custom Action Server with PID 12756 (0x31D4).
MSI (s) (5C:F0) [10:43:32:590]: Running as a service.
MSI (s) (5C:F0) [10:43:32:592]: Hello, I'm your 32bit Elevated Non-remapped custom action server.
MSI (s) (5C:54) [10:43:32:599]: Executing op: ActionStart(Name=StartServices,Description=Starting services,Template=Service: [1])
MSI (s) (5C:54) [10:43:32:599]: Executing op: ProgressTotal(Total=1,Type=1,ByteEquivalent=1300000)
MSI (s) (5C:54) [10:43:32:599]: Executing op: ServiceControl(,Name=MakeMeAdmin,Action=1,Wait=1,)
MSI (s) (5C:54) [10:47:36:573]: Note: 1: 2205 2: 3: Error
MSI (s) (5C:54) [10:47:36:573]: Note: 1: 2228 2: 3: Error 4: SELECT Message FROM Error WHERE Error = 1920
MSI (c) (B0:00) [10:47:36:578]: Font created. Charset: Req=0, Ret=0, Font: Req=MS Shell Dlg, Ret=MS Shell Dlg

Error 1920. Service 'Make Me Admin' (MakeMeAdmin) failed to start. Verify that you have sufficient privileges to start system services.
MSI (s) (5C:54) [10:49:04:468]: Note: 1: 2205 2: 3: Error
MSI (s) (5C:54) [10:49:04:468]: Note: 1: 2228 2: 3: Error 4: SELECT Message FROM Error WHERE Error = 1709
MSI (s) (5C:54) [10:49:04:468]: Product: Make Me Admin -- Error 1920. Service 'Make Me Admin' (MakeMeAdmin) failed to start. Verify that you have sufficient privileges to start system services.

MSI (s) (5C:54) [10:53:08:453]: Note: 1: 2205 2: 3: Error
MSI (s) (5C:54) [10:53:08:453]: Note: 1: 2228 2: 3: Error 4: SELECT Message FROM Error WHERE Error = 1920
MSI (s) (5C:0C) [10:53:08:476]: I/O on thread 4896 could not be cancelled. Error: 1168
MSI (s) (5C:0C) [10:53:08:476]: I/O on thread 17436 could not be cancelled. Error: 1168
MSI (s) (5C:0C) [10:53:08:476]: I/O on thread 13652 could not be cancelled. Error: 1168
MSI (s) (5C:0C) [10:53:08:476]: I/O on thread 5572 could not be cancelled. Error: 1168
MSI (s) (5C:54) [10:53:08:477]: Note: 1: 2205 2: 3: Error
MSI (s) (5C:54) [10:53:08:477]: Note: 1: 2228 2: 3: Error 4: SELECT Message FROM Error WHERE Error = 1709
MSI (s) (5C:54) [10:53:08:477]: Product: Make Me Admin -- Error 1920. Service 'Make Me Admin' (MakeMeAdmin) failed to start. Verify that you have sufficient privileges to start system services.

I also tried to start it manually, it fails. The MSI was started with administrator rights, even though I understood from some issues here that it might not be required. Can you please help? If required, I can DM you the full logfile.

PS: While looking up the error code 1902, I found this thread:
https://stackoverflow.com/questions/20061057/error-1920-service-failed-to-start-verify-that-you-have-sufficient-privileges-t

I will try some suggestions in the meantime.
Thank you in advance for your help.

Kind regards,
Astorias96

Script does not write $userToRemove.logarchive file

When testing this script, it does not write the $userToRemove.logarchive log file which should be logging the activity during elevation.
Because of this, the script does not log activity during the elevated session, and therefore is not tracking what the users did during that time, which is a security concern.

Integrate into Jamf

Is it possible to integrate this script into Jamf? With a nice interface and control to admins?

Having issue while granting the access

Error: mani2 is not in the sudoers file. This incident will be reported.

But have access and enabled the admin while checking the account and it's admin user, able to install the apps; while doing the sudo it says "machi2 is not in the sudoers file. This incident will be reported."

Initialize Script

I am having issues with this script running immediately; it only runs after a restart. Is that normal? Then it does not remove admin rights from said account after the time is up. This can cause issues for our environment. Is there a way to change this?

Logfile Issue

Hi,

I have tried this script on a Mac, and it works perfectly fine.

However, in regards to the log file script, it does create the appropriate folder in /private/var/userToRemove, and also the file.

However, the log file, named user, does not display any logs apart from the name of the user account that executed the script.

I tested the default script shown in this Github, is there anything I'm missing?

Script Doesn't Remove the LaunchDaemon?

I have noticed that this script doesn't

-The script doesn't remove the 'removeAdmin.plist' LaunchDaemon properly. If you look in /Library/LaunchDaemons after it runs, the plist is NOT removed - even though the script is written to remove it. It gets UNLOADED fine - but not removed.

-The script doesn't remove itself (removal script that gets generated in /Library/Application Support/JAMF). So I have a step to delete it if it already exists prior to continuing. This is to prevent an older, outdated version from running (or there are conflicts with an existing file etc).

Issues with script

  1. Whenever the LaunchDaemon ('removeAdmin.plist') loads, it errors with code 127. I have been observing it using the LaunchControl GUI tool. It appears to load/run, but then it definitely throws an error.

  2. After the workflow is done and the user account is demoted to a standard user again, the ‘removeAdminRights.sh’ script doesn’t delete the LaunchDaemon.

  3. The final step in which the script collects logs and saves them to an archive file. This step needs to be moved earlier in the script and the syntax needed to be changed.

Change syntax from: log collect --last 30m --output /private/var/userToRemove/$userToRemove.logarchive

To: log collect --output /private/var/userToRemove/$userToRemove.logarchive --last 30m

(Thanks to Brant Backes on Slack.)
