You’re not wrong to be cautious. I tried to “clean up” admin users once and nearly locked myself out of half the fleet.
Hexnode does let you create admin users, downgrade admins, and delete users. That part works. The problem starts when you try to scale it.
Even if you go down the scripting route, you still need to know the exact admin usernames on each Mac. There’s no generic “remove all admins” option. On top of that, macOS enforces the rule that at least one admin account must always exist, so you can’t revoke or delete all admin users in one shot anyway.
What actually worked for us was boring but safe:
First, we used Hexnode Automations to push a single, standard admin account to every Mac. Same name, same role, everywhere. Once that was in place, we went into each device’s Local Accounts section in Hexnode and manually dealt with the old admins one by one. Change role, disable, or delete depending on the device.
Is it fully automated? Nope.
Is it annoying? Absolutely.
But it’s the only way we found that doesn’t end with people being locked out of their own machines.
If your end goal is “one admin to rule them all,” plan for some manual cleanup. macOS just doesn’t let you bulldoze your way through this one.
33 Views
