In most corporate environments, administrator privileges are granted during initial Device setup and never revoked. Over time — new hires, re-enrollments, and software installations — users accumulate privileges they no longer need. Those privileges become an attack surface: unauthorized software installs, bypassed endpoint security controls, accidental changes to system configuration.
This Script enforces a least-privilege baseline across your entire macOS fleet. It automatically demotes all local user accounts to Standard User — except one designated IT management account that retains its administrator privileges. The Script is safe to run silently on all Devices and is designed to be idempotent: running it multiple times always produces the same result.
The Applivery Agent for macOS must be installed and active on the Device. Learn more about the macOS Agent.
Requirements
| Requirement | Detail |
|---|---|
| Platform | macOS |
| Execution privileges | Root (default in Applivery) |
| Protected account | A local admin account must already exist on the Device before running this Script |
Before deploying this Script, make sure the protected management account (EXCLUDE_USER) exists on the Device and already has administrator privileges. If it doesn't exist or isn't an admin, the Script aborts before changing anything, so a Device can never be left without a local administrator. Be clear about what the Script revokes: it only removes accounts from the local admin group. A demoted user keeps any Secure Token they hold (and with it FileVault unlock on an encrypted Mac) and any rights granted outside that group, such as an entry in /etc/sudoers or /etc/sudoers.d or admin membership inherited through a nested group. Review those separately if your baseline requires it.
Setup
Once in the Applivery Dashboard, follow the steps described here to create a Script. Paste the following Script into the editor. Before saving, set the EXCLUDE_USER variable to the short name of your IT management account.
| Variable | Description | Default value |
|---|---|---|
| EXCLUDE_USER | The username that must retain administrator rights | admin |
Select Bash as the language, give it a descriptive name (e.g., Restrict Admin Rights), and click Create.
```bash
#!/bin/bash
# ---
# Title: Demote all local admins to standard (except EXCLUDE_USER)
# Description: Ensures only a specific local account has administrator privileges.
# Author: Applivery
# Version: 1.0.0
# ---
# ======== CONFIGURATION ========
EXCLUDE_USER="admin"   # short name of the IT management account that keeps admin rights
ADMIN_GROUP="admin"    # local group whose members hold administrator privileges
# ======== FUNCTIONS ========
# Returns 0 if the account is a member of the admin group, non-zero otherwise.
is_admin() {
    local user="$1"
    dseditgroup -o checkmember -m "$user" "$ADMIN_GROUP" &>/dev/null
}
# ======== INITIAL CHECKS ========
if [[ $EUID -ne 0 ]]; then
    echo "Error: This script must be run as root (sudo)."
    exit 1
fi
# Safety: never start demoting unless the protected account exists and is
# already an admin, so the Device cannot be left without a local administrator.
if ! id "$EXCLUDE_USER" &>/dev/null; then
    echo "Error: User '$EXCLUDE_USER' does not exist on this system."
    exit 1
fi
if ! is_admin "$EXCLUDE_USER"; then
    echo "WARNING: '$EXCLUDE_USER' is NOT an administrator. Aborting for safety."
    exit 1
fi
# ======== GET HUMAN USERS ========
# Local accounts only: skip service accounts (names starting with "_") and
# anything below UID 501, the first UID macOS assigns to a regular user.
users=$(dscl . list /Users | grep -v '^_' | while read -r user; do
    uid=$(dscl . read "/Users/$user" UniqueID | awk '{print $2}')
    if [[ "$uid" =~ ^[0-9]+$ && "$uid" -ge 501 ]]; then
        echo "$user"
    fi
done)
# ======== PROCESS EACH USER ========
echo "Processing local users..."
echo "──────────────────────────────────────────────"
count_changed=0
count_skipped=0
count_failed=0
while IFS= read -r username; do
    [[ -z "$username" ]] && continue
    if [[ "$username" == "$EXCLUDE_USER" ]]; then
        echo "[SKIP] $username (intentionally excluded)"
        count_skipped=$((count_skipped + 1))
        continue
    fi
    if ! is_admin "$username"; then
        echo "[OK] $username → already standard (non-admin)"
        continue
    fi
    echo -n "[PROC] $username → removing admin rights... "
    if dseditgroup -o edit -d "$username" -t user "$ADMIN_GROUP" 2>/dev/null; then
        echo "SUCCESS"
        count_changed=$((count_changed + 1))
    else
        echo "FAILED"
        echo "   → Could not remove admin rights (directory service issue?)"
        count_failed=$((count_failed + 1))
    fi
done <<< "$users"
echo "──────────────────────────────────────────────"
echo "Summary:"
echo "  Users processed     : $(printf '%s\n' "$users" | grep -c .)"
echo "  Demoted to standard : $count_changed"
echo "  Skipped (excluded)  : $count_skipped"
echo "  Failed              : $count_failed"
echo ""
echo "Protected user (should remain admin): $EXCLUDE_USER"
# Exit non-zero on any failure so a bad run is not reported as a success.
exit_code=0
if is_admin "$EXCLUDE_USER"; then
    echo "✓ User '$EXCLUDE_USER' still has administrator privileges."
else
    echo "⚠ ATTENTION: '$EXCLUDE_USER' is NO LONGER an administrator."
    echo "  Restore admin rights manually:"
    echo "  sudo dseditgroup -o edit -a \"$EXCLUDE_USER\" -t user admin"
    exit_code=1
fi
[[ $count_failed -gt 0 ]] && exit_code=1
exit $exit_code
```
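As an added example (not part of the Applivery Script or its repository), the following dry-run audit reproduces the selection rules above so you can see which accounts would be demoted before assigning the Script, and check after a run (or between Loop runs) that the only human admin left is EXCLUDE_USER. It works on a three-column inventory of `name uid admin|standard`; the `--live` flag, the function names, the inventory format and the sample inventory are all my own, not Applivery's. On a Mac, `--live` builds the inventory from `dscl` and `dseditgroup`; anywhere else it runs against the constructed sample embedded in the file and makes no changes to the system.

```shell
#!/bin/sh
# Added example: dry-run audit mirroring the admin-demotion Script (not Applivery code).
# Inventory format (constructed for this example): "<name> <uid> <admin|standard>".
EXCLUDE_USER="${EXCLUDE_USER:-admin}"

# Decide what the Script would do with one account, using its rules:
# service accounts (leading "_"), non-numeric UIDs and UIDs below 501 are ignored,
# the protected account is skipped, admins are demoted, everyone else is left alone.
classify_account() {
  name=$1; uid=$2; member=$3
  case "$name" in _*) echo IGNORE; return 0 ;; esac
  case "$uid" in ''|*[!0-9]*) echo IGNORE; return 0 ;; esac
  if [ "$uid" -lt 501 ]; then echo IGNORE; return 0; fi
  if [ "$name" = "$EXCLUDE_USER" ]; then echo SKIP; return 0; fi
  if [ "$member" = admin ]; then echo DEMOTE; else echo OK; fi
}

# Turn an inventory on stdin into "<action> <name>" lines, one per account.
plan_from_inventory() {
  while read -r name uid member; do
    [ -n "$name" ] || continue
    printf '%s %s\n' "$(classify_account "$name" "$uid" "$member")" "$name"
  done
}

# Count how many accounts get a given action (inventory on stdin).
count_action() {
  plan_from_inventory | grep -c "^$1 " || true
}

# Mirror the Script's safety abort: EXCLUDE_USER must exist and be an admin.
protected_account_ok() {
  while read -r name uid member; do
    if [ "$name" = "$EXCLUDE_USER" ] && [ "$member" = admin ]; then
      return 0
    fi
  done
  return 1
}

# Post-run check: nothing left to demote and the protected account still an admin.
enforcement_complete() {
  inv=$(cat)
  if ! printf '%s\n' "$inv" | protected_account_ok; then
    return 1
  fi
  [ "$(printf '%s\n' "$inv" | count_action DEMOTE)" -eq 0 ]
}

# macOS only: build the same inventory from the real directory service.
live_inventory() {
  dscl . list /Users UniqueID | while read -r name uid; do
    if dseditgroup -o checkmember -m "$name" admin >/dev/null 2>&1; then
      printf '%s %s admin\n' "$name" "$uid"
    else
      printf '%s %s standard\n' "$name" "$uid"
    fi
  done
}

# Constructed sample: one service account, root, the protected admin,
# one extra admin that should be demoted, one standard user, and nobody.
SAMPLE_INVENTORY='root 0 admin
_mbsetupuser 248 standard
admin 501 admin
jdoe 502 admin
asmith 503 standard
nobody -2 standard'

if [ "${1:-}" = "--live" ] && [ "$(uname)" = Darwin ]; then
  live_inventory | plan_from_inventory
else
  printf '%s\n' "$SAMPLE_INVENTORY" | plan_from_inventory
fi
```

Run it as root on a test Mac with `--live` and confirm that the only `DEMOTE` lines are accounts you expect to lose admin rights; if the protected account does not appear as `SKIP`, fix EXCLUDE_USER before assigning the enforcement Script. Piping the live inventory into `enforcement_complete` after a run gives a one-command compliance check you can reuse in an On demand audit.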
Now, navigate to any of your Devices, select the Scripts tab, click on the + Assign Script button, and select the one you just created.
You can also assign Scripts to Policies. To do this, navigate to the Policies section, select the desired Policy, and click on the Scripts tab. The process will be the same as when assigning it directly to an individual Device.
| Method | Behaviour | Recommended? |
|---|---|---|
| Once | Runs one time per Device. | ✅ Suitable for a one-time remediation across an existing fleet. |
| Loop | Runs repeatedly at the configured interval (15m, 1h, 6h, 1d, 7d). | ✅ Recommended for continuous enforcement — detects new admin accounts as they appear. |
| On demand | Only runs when manually triggered. | ✅ Useful for ad-hoc audits initiated by IT. |
The recommended setup is Loop with a daily or weekly interval to continuously detect and demote any new admin accounts. Use Once for a one-time remediation on an existing fleet.
This Script does not require any arguments. The protected account is configured directly in the EXCLUDE_USER variable inside the Script. Click Add to save the assignment.
Recommended deployment order
When enrolling a new Device, the recommended sequence is:
- The Device enrolls in Applivery.
- The Create Hidden Admin User Script runs to create the IT management account.
- This Script runs to demote all other local users to Standard.
This guarantees that IT always retains management access while end users cannot make unauthorized system changes.
Run this Script in combination with the Create Hidden Admin User Script to ensure the management account always exists before applying the restriction.
Available on GitHub
This Script is part of the Applivery Public Script Repository. Least privilege is the first line of defense — this Script applies that Policy across your entire fleet in seconds.