Does anyone know of a good way to do this in an extension attribute or similar? I need to track down laptops that haven't yet been switched over to using AD accounts.
Answer
Determine if an account is a Mobile or Local Account
+5Best answer by ctangora
I wouldn't say that the local accounts can't go above 1000. I have a few users that tried tricking us into thinking they had AD accounts by changing their UID to be in the 10,000 range. I just changed a test account to 2900 and it seems to work as well.
This method (UID) will get you 99.9% of the people. You will have some of the advanced users that will always cause issues. You can list who is a directory account by looking for the "OriginalNodeName" in the DS.
List all directory accounts, if no accounts it returns nothing.
dscl . list /Users OriginalNodeName 2>/dev/nullList only the names of the directory accounts, if no accounts it returns nothing.
dscl . list /Users OriginalNodeName | awk '{print $1}' 2>/dev/nullIf you are looking up a specific user, you could throw this into an if statement (as it will return nothing on a error)...
dscl . read /Users/username OriginalNodeName 2>/dev/null... if the user is only a local account, this will return with nothing.
+23I'm interested in this too, as we've locked down users and groups in 10.9 and modified the JSS's AD binding automagically create mobile account. It's mostly for a check/balance.
+24Just check the UID for the account. Directory based accounts always start in the 1000 and up range, at least for AD and I think that's also true for OD accounts. Local accounts can never have a UID above 999 and typically start at 501 and up, so using dscl and awk we can grab only account names with UniqueIDs above 500 but below 1000.
#!/bin/bash
dscl . list /Users UniqueID | awk '$2 > 500 && $2 < 999 {print $1}'
+10I wouldn't say that the local accounts can't go above 1000. I have a few users that tried tricking us into thinking they had AD accounts by changing their UID to be in the 10,000 range. I just changed a test account to 2900 and it seems to work as well.
This method (UID) will get you 99.9% of the people. You will have some of the advanced users that will always cause issues. You can list who is a directory account by looking for the "OriginalNodeName" in the DS.
List all directory accounts, if no accounts it returns nothing.
dscl . list /Users OriginalNodeName 2>/dev/nullList only the names of the directory accounts, if no accounts it returns nothing.
dscl . list /Users OriginalNodeName | awk '{print $1}' 2>/dev/nullIf you are looking up a specific user, you could throw this into an if statement (as it will return nothing on a error)...
dscl . read /Users/username OriginalNodeName 2>/dev/null... if the user is only a local account, this will return with nothing.
+9There are various kinds of filters that can be used, depending on exactly whet you want to test.
For instance to distinguish AD-Authorized accounts from others, (with details obscured) I have used:
MyAuth=$(dscl . -read /Users/$UserID OriginalAuthenticationAuthority)
if [[ "${MyAuth}" =~ "@MyDomain.co.uk" ]]; then
Perform_Action
fi
+5Thank you! That seems to work perfectly. I threw it in an extension attribute and we will hopefully have our users not using network accounts tracked down shortly. I'm guessing 75% of our Macs were deployed before we implemented Casper and then enrolled with Casper and joined to Active Directory as we rolled out new polices. We're hoping to proactively track these down and move them over to network accounts.
Here's the Extension Attribute script if anyone else needs it. Pretty simple.
#!/bin/sh
NETACCLIST=`dscl . list /Users OriginalNodeName | awk '{print $1}' 2>/dev/null`
if [ "$NETACCLIST" == "" ]; then
echo "<result>No Network Accounts</result>"
else
echo "<result>$NETACCLIST</result>"
fi
exit 0
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.