Question

EA for Disabled Accounts

  • June 11, 2015
  • 6 replies
  • 19 views


There is a pwpolicy set to disable an account if a password has been entered x number of times incorrectly, and is supposed to reset after a certain amount of time. For some reason I've seen accounts not reset, but stay disabled. I'm able to enable them back again by running "sudo /usr/bin/pwpolicy enable user -u <USERNAME>" or by clearing the policy altogether with "clearaccountpolicies". But I'm curious if there is a way to report back to JAMF if a system has any disabled accounts on it. I think it would be helpful to have this so I can see if any local accounts are being locked out and how often it's occurring.

Does anyone know of a way to report on this? All I see in pwpolicy is enableuser and disableuser, but not a "checkuser". Perhaps there is another way?

6 replies

mm2270
  • Legendary Contributor
  • June 11, 2015

Seems like a disabled user has it mentioned in their dscl record.

dscl . read /Users/$username AuthenticationAuthority | grep "DisabledUser"

You should be able to build a script EA that would look at all local accounts and place the ones that are disabled into an array and make that the EA result.


  • Author
  • Valued Contributor
  • June 11, 2015

Thanks @mm2270. Using the information you provided I found a similar article on here (https://jamfnation.jamfsoftware.com/discussion.html?id=2595)

I'm not sure yet, but it seems like any user who doesn't have AuthenticationAuthority is disabled. going to test more tomorrow but have this at the moment (still need to clean up the code a bit):

#!/bin/bash
# Label every local account Enabled or Disabled (work in progress)
array=()

for username in $(dscl . list /Users); do
    # grep exit status: 0 if the record has an AuthenticationAuthority key, 1 if it does not
    output=$(dscl . read "/Users/$username" | grep AuthenticationAuthority > /dev/null 2>&1 ; echo $?)
    if [ "${output}" == 1 ]; then
        array+=("'$username' Disabled")
    else
        array+=("'$username' Enabled")
    fi
done

echo "<result>${array[@]}</result>"

mm2270
  • Legendary Contributor
  • June 11, 2015

Hmm, that's not actually my experience in doing a few quick tests. If I enable a previously disabled local account on my Mac I still see the AuthenticationAuthority key in its record, but it doesn't include the words "DisabledUser" in it anywhere. But the key is there, so just grepping for AuthenticationAuthority alone may not be enough to know if it's enabled/disabled. The ";DisabledUser;" gets added in front of ShadowHash and Kerberosv5.

That being said, I wonder if an account that has never previously been disabled has no AuthenticationAuthority key in it. Maybe that's what you're seeing?


  • Honored Contributor
  • June 12, 2015

Chiming in late here, but I was actually testing this out for a customer and happened to check JAMF Nation on this subject. To test this I used pwpolicy to completely disable my user account named 'testuser'.

sudo pwpolicy -u testuser disableuser

This in return disables that user account, as if they would fail the pwpolicy as well. So, I then checked the pwpolicy options from the man page, and found this:

sudo pwpolicy -u testuser authentication-allowed
User <testuser> is not allowed to authenticate: Account is disabled via com.apple.access_disabled, must be enabled first

So my next thought is, let's check out dseditgroup to see if we can parse that:

dseditgroup -o checkmember -u testuser com.apple.access_disabled
yes testuser is a member of com.apple.access_disabled

A simple one liner to return yes or no that we could put in an EA could be:

dseditgroup -o checkmember -u testuser com.apple.access_disabled | awk '/yes|no/ { print $1 }'
yes

The above returns yes, the user is disabled, but if I run it against my user account:

dseditgroup -o checkmember -u tlarkin com.apple.access_disabled | awk '/yes|no/ { print $1 }'
no

It returns no that my user account is not disabled. From this point a simple if/then test could be coded to do whatever you wanted based on the output of yes or no.

Hope this helps

Tom


  • Author
  • Valued Contributor
  • June 15, 2015

@mm2270 I believe you're correct. When I check for AuthenticationAuthority alone I see a large number of system accounts like _appleevents, _appowner, _devicemgr, etc. So perhaps the script I posted is one best to identify a list of accounts that have never logged on directly.

@tlarkin That looks very interesting. I looked at the membership of that group and saw it didn't have any until I ran the disableuser command (likely none were disabled previously). It then did list the UID of the account I disabled. The full membership of that group can be listed below:

#!/bin/bash

# List every local user that dsmemberutil reports as a member of the given group
members () { dscl . -list /Users | while read user; do printf "$user "; dsmemberutil checkmembership -U "$user" -G "$*"; done | grep "is a member" | cut -d " " -f 1; };

results=$(members com.apple.access_disabled)
echo "<result>$results</result>"

I'm going to try that as an EA and see if any of my systems show anything disabled.


  • Honored Contributor
  • June 15, 2015

@Jason

I hope that works out for you. One thing you could look at doing is trim down the number of users it will loop through by using a UID range. Otherwise you will always check for UID 0 through the highest UID, unless you want to audit for the root user and every daemon that runs as a user in OS X.

A simple trick I have been using for years is just create a list of users by UID like so:

dscl . list /Users UniqueID | awk '$2 > 500 { print $1 }'
testuser
tlarkin

That returns the only two actual human users on my system.

Let us know how it pans out

Thanks,
Tom
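The pieces discussed in this thread fit together into one extension attribute: filter local accounts to human UIDs (the UniqueID trick above), then flag any account whose AuthenticationAuthority carries ";DisabledUser;" or that dseditgroup reports as a member of com.apple.access_disabled. The script below is an added example written for this page, not code posted by anyone in the thread. The UID cut-off of 500 and the function names are assumptions; the directory lookups are isolated in two small wrappers so the parsing logic can be exercised with constructed sample output on any system, while the live dscl/dseditgroup calls only run on macOS.

```bash
#!/bin/bash
# Added example (not from the thread): Jamf EA reporting disabled local accounts.
# Combines the UID filter, the ";DisabledUser;" AuthenticationAuthority tag and
# com.apple.access_disabled membership into one <result>.

MIN_UID=500   # assumption: human accounts have a UID above 500

# Reduce "dscl . list /Users UniqueID" output ("name uid" per line) to names with UID > MIN_UID.
human_users() {
    awk -v min="$MIN_UID" '$2 + 0 > min + 0 { print $1 }'
}

# Succeed (exit 0) when an AuthenticationAuthority value carries the ";DisabledUser;" tag.
authority_disabled() {
    case "$1" in
        *';DisabledUser;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reduce "dseditgroup -o checkmember" output to its leading yes/no word.
membership_answer() {
    awk '/^yes|^no/ { print $1 }'
}

# Live directory lookups (macOS only); kept separate so they can be swapped for fakes.
read_authority() {
    dscl . -read "/Users/$1" AuthenticationAuthority 2>/dev/null
}
check_access_disabled() {
    dseditgroup -o checkmember -u "$1" com.apple.access_disabled 2>/dev/null
}

# Read user names from stdin, one per line, and print the ones that are disabled
# by either indicator, space-separated. Arguments name the two lookup functions.
report_disabled() {
    local authority_fn="$1" member_fn="$2" user found=""
    while read -r user; do
        [ -z "$user" ] && continue
        if authority_disabled "$("$authority_fn" "$user")" || \
           [ "$("$member_fn" "$user" | membership_answer)" = "yes" ]; then
            found="${found:+$found }$user"
        fi
    done
    echo "$found"
}

# Only run the live query on a Mac; elsewhere the functions are merely defined.
if [ "$(uname)" = "Darwin" ]; then
    result=$(dscl . -list /Users UniqueID | human_users | report_disabled read_authority check_access_disabled)
    echo "<result>${result:-None}</result>"
fi
```

Reporting both indicators matters because, as noted above, the AuthenticationAuthority key is present on enabled accounts too, so only the ";DisabledUser;" tag itself is evidence of a lockout, while the group membership catches accounts disabled by policy even if the tag were missing.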