Question

Casper 9, generating report on which accounts have admin rights?

  • September 22, 2013

Hi folks, we have another security audit in which I need to show which users have admin rights on their Macs.

Under Local accounts, I can see the accounts on my Mac, but it doesn't show if the users have admin rights. Is there an attribute that can be set to show this? This is an immediate need and any help is appreciated.

Thanks!

Corbin

11 replies

mm2270
  • Legendary Contributor
  • September 22, 2013

Apparently the reporting on admin status for local accounts was removed as of version 9, as far as any of us can tell anyway. Haven't seen a way to bring that back. It simply doesn't show this information anymore in a computer's details.

I'm not clear if this was simply an oversight or if JAMF had information during development that led them to believe this was a little-used feature.
Either way, it would be good to see this come back in a future update.

I'm sorry to say that unless someone from JAMF chimes in with some secret way to see this data, it looks like your only real option for now may be to create an Extension Attribute that looks at all local accounts and determines admin status and returns a list of any that are admins.


  • Contributor
  • September 23, 2013

I wrote this Extension Attribute to list me the local user accounts and differentiate between admin accounts I expect and ones that are "non-standard", using Smart Groups to search for the non-standard string so I can catch up admin membership approvals with our Service Desk.

#!/bin/sh

# Local accounts minus system/service accounts. '^_' is anchored so that a user name
# containing an underscore (e.g. user_a) is not dropped along with the _service accounts.
localusers=`dscl . list /users | grep -v '^_' | grep -v daemon | grep -v nobody | grep -v root | grep -v casperscreensharing`
rm -f /tmp/localusers

for i in $localusers
do
# checkmember exits 0 only if $i really is in the admin group (exact name, not a substring of the group listing)
if dseditgroup -n /Local/Default -o checkmember -m "$i" admin >/dev/null 2>&1; then
if [[ "$i" != "jssadmin" && "$i" != "admin" ]]; then # WHERE I LIST MY SERVICE ADMIN ACCOUNTS
echo "$i is a non-standard admin"
echo "$i *admin - non-standard" >> /tmp/localusers
else
echo "$i is an admin"
echo "$i *admin" >> /tmp/localusers
fi
else
echo "$i is a standard user"
echo "$i" >> /tmp/localusers
fi
done

echo "<result>`cat /tmp/localusers`</result>"

Andrew

Example:

Local Users: user_a *admin - non-standard
jssadmin *admin
admin *admin
user_b
user_c


ImAMacGuy
  • Esteemed Contributor
  • September 25, 2013

how would I go about ignoring the local admin accounts? Basically, for these accounts, I don't want them to report...

if [[ "$i" != "jssadmin" && "$i" != "admin" ]];

But the other users I do want it reported on.


  • Valued Contributor
  • September 25, 2013

More "grep -v name" pipes... but be careful. You'll never get a name that contains "admin" if you grep -v admin. So, if your users have created a local admin with admin in the name (seen it, trust me it happens) those would be excluded.


mm2270
  • Legendary Contributor
  • September 25, 2013

Easily avoided by using ^ & $ surrounding the name, like this - grep -v ^admin$
Most people don't realize it, but grep supports beginning and end of line notations, so using it like above will avoid accidentally excluding accounts with names like "localadmin", "myadmin", "administrator" and such and only match something with the exact name "admin".

Personally, I would not use so many grep -v pipes, though. It gets unwieldy and is really unnecessary if you tailor the command properly. For example, maybe only look for accounts within a certain UID range to start off with so you don't need to exclude all those system level accounts.


  • Contributor
  • September 25, 2013

If you want to completely ignore the accounts from the report to begin with, as @JPDyson says, just like this, by grep -v and a pipe:

localusers=`dscl . list /users | grep -v _ | grep -v daemon | grep -v nobody | grep -v root | grep -v casperscreensharing | grep -v admin1 | grep -v admin2 | grep -v admin3`

etc

If you want to list more local admin accounts that are "standard admin accounts", then do it like this (adding to the if test):

if [[ "$i" != "admin1" && "$i" != "admin2" && "$i" != "admin3" && "$i" != "admin4" && "$i" != "admin5" ]]; then

Obviously both go back into the relevant line in the script.

Andrew


ImAMacGuy
  • Esteemed Contributor
  • September 25, 2013

haha oh :) Yeah, good call. Thank you!


  • Contributor
  • September 25, 2013

I personally don't mind sifting through "large" information as long as your output is accurate and doesn't affect the time the script takes to run. But @mm2270 is right about multiple greps being sloppy ;), you could use a simple regular expression to achieve the same effect:

localusers=`dscl . list /users | grep -vE '^_|^(daemon|nobody|root|casperscreensharing)$'` # anchored: drops the _service accounts and those exact names, nothing else

Andrew
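Putting mm2270's UID-range suggestion and the anchored-name point together, here is an added example (not Andrew's EA or any code posted in the thread) that tags accounts the same way but filters by UID instead of a chain of grep -v pipes, and compares names exactly. The expected-admin list, the UID floor of 500 and the sample accounts are constructed assumptions.

```shell
#!/bin/bash
# Added example, not the thread's EA: classify local accounts by admin status using a
# UID floor instead of a chain of grep -v pipes, and exact (anchored) name matching.
# EXPECTED_ADMINS and the sample accounts below are constructed assumptions.
EXPECTED_ADMINS="jssadmin admin"   # service admins whose rights are already approved
MIN_UID=500                        # first real local user on OS X is 501

# is_expected NAME: exit 0 only if NAME is exactly one of EXPECTED_ADMINS
# (grep -x is the same idea as ^admin$, so "localadmin" never matches "admin").
is_expected() {
  printf '%s\n' $EXPECTED_ADMINS | grep -qx -- "$1"
}

# classify USERS ADMINS
#   USERS  : lines of "name uid", as printed by `dscl . list /Users UniqueID`
#   ADMINS : space-separated direct members of the admin group
# Prints one line per account with uid >= MIN_UID, tagged like the EA above.
classify() {
  users="$1"; admins="$2"
  printf '%s\n' "$users" | while read -r name uid; do
    [ -n "$name" ] || continue
    case "$uid" in ''|*[!0-9]*) continue ;; esac   # skip blank, negative (nobody = -2) or odd UIDs
    [ "$uid" -ge "$MIN_UID" ] || continue
    if printf '%s\n' $admins | grep -qx -- "$name"; then
      if is_expected "$name"; then
        printf '%s *admin\n' "$name"
      else
        printf '%s *admin - non-standard\n' "$name"
      fi
    else
      printf '%s\n' "$name"
    fi
  done
}

# On a Mac read the real directory; elsewhere use constructed sample data so the logic still runs.
if command -v dscl >/dev/null 2>&1; then
  users=$(dscl . list /Users UniqueID)
  admins=$(dscl . read /Groups/admin GroupMembership | sed 's/^GroupMembership: //')
else
  users=$(printf 'root 0\n_spotlight 89\nnobody -2\nadmin 501\nuser_a 502\nlocaladmin 503\nuser_b 504\n')
  admins="root admin user_a localadmin"
fi
echo "<result>$(classify "$users" "$admins")</result>"
```

On a Mac this prints the same <result> format the EA uses, one account per line. It only reads direct members of the admin group; nested membership is not resolved, which is what dseditgroup -o checkmember would add.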


ImAMacGuy
  • Esteemed Contributor
  • September 26, 2013

Thank you all for your input, it seems to be working well now! I do have another dumb question: how can I make it so that each user is a separate line? Right now I get

user1 is an admin user2 is an admin user3 is an admin user4 is an

  • Contributor
  • September 26, 2013

Is the spacing on the JSS page tight on the width? The EA is appending lines to a file, so it should not be word wrapping. Could you run the script and copy and paste the contents of the file (/tmp/localusers) here?

Andrew

EDIT: Every way I look at it I can't recreate the problem you're having. Could you copy and paste your version of the Extension Attribute here?


ImAMacGuy
  • Esteemed Contributor
  • September 26, 2013

I think it is the width of the EA http://sdrv.ms/1fIltFq, which complicates things I guess.