Question

DSCL limitations on user accounts

  • July 21, 2020
  • 3 replies
  • 34 views


As a software developer, I am working on a macOS app in which one of the features is to check if a user has a password enabled or not. Recently I stumbled across the command dscl . -authonly $(id -un) "". This command seems to give the desired result: it returns nothing when no password is set, and returns an error when a password is set.

The main issue I have, well... question, is how will this command work in a "deployed environment" (a macOS machine in an enterprise environment)? This app I'm building would be deployed using some kind of RMM tool.

Based on common practice, do regular users (non-admin users) have access to this DSCL command? And can they perform this dscl . -authonly $(id -un) "" command? Perhaps a macOS sysadmin could aid in answering these questions.

3 replies

talkingmoose
  • Community Manager
  • 1913 replies
  • July 21, 2020

The dscl command doesn't require admin privileges because it's not trying to change any local system settings. Any Active Directory domain member who is logged in to an AD-bound Mac with his or her account can use it to look up information in AD by default.


  • Honored Contributor
  • 2721 replies
  • July 21, 2020

If a user has a password present, there will be a key in dscl that will have data; if not, the key will not be found. This should be AuthenticationAuthority, IIRC.


boberito
  • Jamf Heroes
  • 451 replies
  • July 22, 2020

You may be able to get this info in a more programmatic way using Apple's OpenDirectory framework: https://developer.apple.com/documentation/opendirectory
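
An added example, not code from any poster in this thread: a POSIX shell wrapper around the dscl . -authonly check from the question that separates "empty password accepted" from "password rejected" and from other failures such as an unknown user, so a deployment script does not report "password set" for every error. The function names and return codes are hypothetical, and matching the eDSAuthFailed error name in dscl's output is an assumption about how dscl reports a rejected password.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and return codes
# are hypothetical; nothing here needs admin rights or changes settings.

# check_empty_password USER
#   0 = the empty password was accepted (no password set)
#   1 = the empty password was rejected (a password is set)
#   2 = any other failure (unknown user, directory node unavailable, ...)
check_empty_password() {
    user=$1
    # -authonly only verifies the supplied credentials against the local node.
    if out=$(dscl . -authonly "$user" "" 2>&1); then
        return 0
    fi
    case $out in
        # Assumption: dscl names this error when the password is rejected.
        *eDSAuthFailed*) return 1 ;;
        *)               return 2 ;;
    esac
}

# report_password_state [USER]
#   Prints a one-line result for USER (default: the current user) and
#   returns the code from check_empty_password so an RMM job can act on it.
report_password_state() {
    user=${1:-$(id -un)}
    rc=0
    check_empty_password "$user" || rc=$?
    case $rc in
        0) echo "$user: empty password" ;;
        1) echo "$user: password set" ;;
        *) echo "$user: check failed" ;;
    esac
    return "$rc"
}
```

On a Mac, running report_password_state with no argument checks the logged-in user, which matches the $(id -un) form used in the question.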