DemoteUnauthorizedAdmins.sh

#!/bin/bash

# This script runs at boot to make sure that no new admin accounts have
# been created in the interim.

# Get list of admin accounts into array
# These are the current admin users on the system who will be tested
# to see if they are on the allowed admins list.

admins=( $(dscl . -read /groups/admin | grep GroupMembership) )

# remove "GroupMembership:" from array. The way I get the values into the array also
# grabs "GroupMembership and adds it to the array.  Probably a better way to do this.

pos=0
admins=(${admins[@]:0:$pos} ${admins[@]:$(($pos + 1))})
echo ${admins[@]}

# print values in admins array to check command

for h in "${admins[@]}"
do
echo $h
done

# allowed array contains a list of allowed admin users

declare -a allowed=('admin' 'ardadmin' 'yehuda')

# the value of adminuser indicates if the user being tested
# is on the allowed list or not
# a value of 0 indicates that the user being tested is not on the allowed admins list
# a value of 1 indicates that the user being tested is on the allowed admins list
# adminuser starts with a value of 0 and when a match is found between the user being
# tested and a user on the allowed admins list, adminuser is increased by 1

declare -i adminuser=0

# loop through all admin users to test each user if it is allowed to remain admin

for j in "${admins[@]}"
do
echo "$j"
	# start loop through allowed users
	for i in "${allowed[@]}"
	do
		echo "comparing" "$j" "with" "$i" 
		if [ "$i" = "$j" ]; then
			echo "true"
			adminuser=$[adminuser+1]	
			echo $adminuser	
# break will hopefully allow early exit from the loop
#			break	
		else
			echo "false"
			echo $adminuser				
		fi
	done
		

	if  [ "$adminuser" = 0 ]; then
		echo "$j" "should be deleted"
# command to delete user being tested from admins group
#		dscl . -delete /Groups/admin GroupMembership $j
		dseditgroup -o edit -d $j -t user admin
		dseditgroup -o edit -a $j -t user staff
	else
		echo "$j" "is on the approved admin list"
	fi
adminuser=0
done
exit 0