YehudaBialik · August 3, 2015 13:57
diff --git a/DemoteUnauthorizedAdmins.sh b/DemoteUnauthorizedAdmins.sh
 #!/bin/bash

 # This script runs at boot to make sure that no new admin accounts have
 # been created in the interim.

 # Get list of admin accounts into array
 # These are the current admin users on the system who will be tested
 # to see if they are on the allowed admins list.

 admins=( $(dscl . -read /groups/admin | grep GroupMembership) )

 # remove "GroupMembership:" from array. The way I get the values into the array also
 # grabs "GroupMembership and adds it to the array.  Probably a better way to do this.

 pos=0
 admins=(${admins[@]:0:$pos} ${admins[@]:$(($pos + 1))})
 echo ${admins[@]}

 # print values in admins array to check command

 for h in "${admins[@]}"
 do
 echo $h
 done

 # allowed array contains a list of allowed admin users

 declare -a allowed=('admin' 'ardadmin' 'yehuda')

 # the value of adminuser indicates if the user being tested
 # is on the allowed list or not
 # a value of 0 indicates that the user being tested is not on the allowed admins list
 # a value of 1 indicates that the user being tested is on the allowed admins list
 # adminuser starts with a value of 0 and when a match is found between the user being
 # tested and a user on the allowed admins list, adminuser is increased by 1

 declare -i adminuser=0

 # loop through all admin users to test each user if it is allowed to remain admin

 for j in "${admins[@]}"
 do
 echo "$j"
 	# start loop through allowed users
 	for i in "${allowed[@]}"
 	do
 		echo "comparing" "$j" "with" "$i" 
 		if [ "$i" = "$j" ]; then
 			echo "true"
 			adminuser=$[adminuser+1]	
 			echo $adminuser	
 # break will hopefully allow early exit from the loop
 #			break	
 		else
 			echo "false"
 			echo $adminuser				
 		fi
 	done
 		

 	if  [ "$adminuser" = 0 ]; then
 		echo "$j" "should be deleted"
 # command to delete user being tested from admins group
 #		dscl . -delete /Groups/admin GroupMembership $j
 		dseditgroup -o edit -d $j -t user admin
 		dseditgroup -o edit -a $j -t user staff
 	else
 		echo "$j" "is on the approved admin list"
 	fi
 adminuser=0
 done
 exit 0
	#!/bin/bash

	# This script runs at boot to make sure that no new admin accounts have
	# been created in the interim.

	# Get list of admin accounts into array
	# These are the current admin users on the system who will be tested
	# to see if they are on the allowed admins list.

	admins=( $(dscl . -read /groups/admin \| grep GroupMembership) )

	# remove "GroupMembership:" from array. The way I get the values into the array also
	# grabs "GroupMembership and adds it to the array. Probably a better way to do this.

	pos=0
	admins=(${admins[@]:0:$pos} ${admins[@]:$(($pos + 1))})
	echo ${admins[@]}

	# print values in admins array to check command

	for h in "${admins[@]}"
	do
	echo $h
	done

	# allowed array contains a list of allowed admin users

	declare -a allowed=('admin' 'ardadmin' 'yehuda')

	# the value of adminuser indicates if the user being tested
	# is on the allowed list or not
	# a value of 0 indicates that the user being tested is not on the allowed admins list
	# a value of 1 indicates that the user being tested is on the allowed admins list
	# adminuser starts with a value of 0 and when a match is found between the user being
	# tested and a user on the allowed admins list, adminuser is increased by 1

	declare -i adminuser=0

	# loop through all admin users to test each user if it is allowed to remain admin

	for j in "${admins[@]}"
	do
	echo "$j"
	# start loop through allowed users
	for i in "${allowed[@]}"
	do
	echo "comparing" "$j" "with" "$i"
	if [ "$i" = "$j" ]; then
	echo "true"
	adminuser=$[adminuser+1]
	echo $adminuser
	# break will hopefully allow early exit from the loop
	# break
	else
	echo "false"
	echo $adminuser
	fi
	done


	if [ "$adminuser" = 0 ]; then
	echo "$j" "should be deleted"
	# command to delete user being tested from admins group
	# dscl . -delete /Groups/admin GroupMembership $j
	dseditgroup -o edit -d $j -t user admin
	dseditgroup -o edit -a $j -t user staff
	else
	echo "$j" "is on the approved admin list"
	fi
	adminuser=0
	done
	exit 0