Solved

Extension Attribute for Checking AD vs. Local User



I need an extension attribute to check if the logged-in user (or any user) on a given machine is an AD user. We are trying to weed out users who are not authenticating against AD. We are using mobile accounts. Here is what I have at this point:

#!/bin/sh

# Group owner of the home folders under /Users; homes created for AD mobile accounts
# are owned by the domain group. "MYDOMAINDomain" is the placeholder compared against.
# head -n 1 keeps the comparison to a single line when several AD homes exist.
result=$(ls -al /Users/ | grep Domain | awk '{print $4}' | head -n 1)

# POSIX sh test uses a single "=" for string comparison.
if [ "$result" = "MYDOMAINDomain" ]; then
    result="AD User"
else
    result="Local User"
fi

echo "<result>$result</result>"

exit 0

However, I see there are some users who slipped through who have authenticated, probably because they are logged in as local users but have authenticated to AD in the past (?).

I could also test against users whose UID is over 600 by running:

dscl . -list /Users UniqueID

and filtering out users under 600, but am unclear on how to do that filtering.

In any scenario, there is probably a more graceful way of doing this, and am wondering if anyone has any suggestions?

Thanks.
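One way to do the UID filtering asked about above, as an added example rather than code from the original post: a small POSIX shell function that runs awk over a `dscl . -list /Users UniqueID` listing and keeps only accounts at or above a threshold UID. The listing it is exercised against here is constructed sample data (the usernames and UIDs are made up), and the 600 cutoff is the one the question proposes.

```shell
#!/bin/sh
# Added example (not from the original post): filter a `dscl . -list /Users UniqueID`
# listing down to accounts with UID >= a threshold. Local admin accounts on macOS
# start at UID 501 and system/service accounts sit below 500, while AD mobile
# accounts get large UIDs derived from the account's SID, so a high cutoff is a
# cheap (if spoofable) first pass.

# Constructed sample of what `dscl . -list /Users UniqueID` prints on a Mac
# (username, whitespace, UID), used so the function can run without macOS.
SAMPLE_LISTING='_spotlight           89
root                 0
localadmin           501
nobody               -2
jdoe                 1234567890
msmith               1234567891'

# Print "user uid" for every line whose UID is >= the threshold (default 600).
# Reads the listing from stdin so it can be fed the sample or live dscl output.
filter_uids() {
    threshold="${1:-600}"
    awk -v min="$threshold" \
        'NF >= 2 && $NF ~ /^-?[0-9]+$/ && ($NF + 0) >= min { print $1, $NF }'
}

# Convenience wrapper over the sample data: returns the matching usernames,
# space separated, on one line.
sample_high_uid_users() {
    printf '%s\n' "$SAMPLE_LISTING" | filter_uids 600 \
        | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $1 }'
}

# Live use on a Mac (not run here):
#   dscl . -list /Users UniqueID | filter_uids 600
```

The numeric comparison happens in awk (`$NF + 0`) so that the negative UID of `nobody` and the multi-digit AD UIDs are handled without any shell arithmetic; as later replies in the thread point out, a UID alone can be changed by a determined user, so this is a filter rather than proof of AD membership.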


6 replies

mm2270
  • Legendary Contributor
  • 7884 replies
  • June 9, 2014

There are a few threads here already with some sample scripts for EAs you can look at. Getting the Unique ID is one method, but as has been pointed out by some folks, it's possible for a user to spoof that if they know how to and are so inclined.
Someone posted a good command to use to verify if the account is actually from a directory service and not local, despite any report of the UID. I'll have to find that thread and post back here with the link, because I don't remember now what was mentioned in the thread.


ctangora
  • Contributor
  • 194 replies
  • Answer
  • June 9, 2014

The trick is to look in dscl and look at the "OriginalAuthenticationAuthority", as that is the hardest one to spoof.

dscl . -read /Users/yourusername | grep "OriginalAuthenticationAuthority"
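An extension-attribute style check built on the accepted answer, added here as an example rather than ctangora's or Jamf's own code: it parses the `OriginalAuthenticationAuthority` line out of a `dscl . -read /Users/<name>` record and classifies the account. The two records it is tested against are constructed samples with a placeholder domain (MYDOMAIN) and placeholder SID; the attribute value formats (`;Kerberosv5;` and `;NetLogon;` entries for a cached AD account, no such attribute for a purely local one) are the assumption the check rests on.

```shell
#!/bin/sh
# Added example (not the accepted answer's code): classify a user record by its
# OriginalAuthenticationAuthority attribute, as suggested in the accepted answer.
# Mobile accounts cached from AD carry ";Kerberosv5;" / ";NetLogon;" entries there;
# accounts created locally have no such attribute at all (only
# AuthenticationAuthority with ";ShadowHash;").

# Classify one record (the text of `dscl . -read /Users/<name>`).
# Handles both the one-line "Key: value" form and the form where dscl wraps
# the value onto the following indented line.
classify_record() {
    record="$1"
    if [ -z "$record" ]; then
        echo "Unknown: no record"
        return
    fi
    authority=$(printf '%s\n' "$record" | awk '
        /^OriginalAuthenticationAuthority:/ {
            sub(/^OriginalAuthenticationAuthority:[ ]*/, "")
            if ($0 == "") getline
            print
            exit
        }')
    case "$authority" in
        *";Kerberosv5;"*|*";NetLogon;"*) echo "AD User" ;;
        "")                               echo "Local User" ;;
        *)                                echo "Unknown: $authority" ;;
    esac
}

# Constructed sample records (placeholder domain MYDOMAIN, placeholder SID),
# used to exercise the function without a directory-bound Mac.
AD_RECORD='AuthenticationAuthority: ;Kerberosv5;;jdoe@MYDOMAIN.LOCAL;MYDOMAIN.LOCAL; ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;LocalCachedUser;/Active Directory/MYDOMAIN/mydomain.local:jdoe:S-1-5-21-PLACEHOLDER-1107
OriginalAuthenticationAuthority: ;Kerberosv5;;jdoe@MYDOMAIN.LOCAL;MYDOMAIN.LOCAL; ;NetLogon;jdoe;MYDOMAIN
OriginalNodeName: /Active Directory/MYDOMAIN/mydomain.local
RecordName: jdoe
UniqueID: 1234567890'

LOCAL_RECORD='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2> ;SecureToken;
RecordName: localadmin
UniqueID: 501'

# Live use on a Mac, in Jamf extension-attribute form (not run here):
#   user=$(stat -f '%Su' /dev/console)
#   record=$(dscl . -read "/Users/$user" 2>/dev/null)
#   echo "<result>$(classify_record "$record")</result>"
```

The "Unknown" branch is deliberate: an attribute that exists but matches neither pattern, or a user with no record at all, is worth surfacing in inventory rather than silently counting as local. Editing the record still requires admin rights, which is why the answer calls this attribute the hardest to spoof, not impossible; the UID-to-AD cross-check suggested later in the thread is a useful second signal.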

mm2270
  • Legendary Contributor
  • 7884 replies
  • June 9, 2014

Yeah, I was just about to post a link to this thread, which you provided an answer for, @ctangora:
https://jamfnation.jamfsoftware.com/discussion.html?id=10179


  • Author
  • Contributor
  • 25 replies
  • June 9, 2014

Didn't catch that post, I will check it out, thanks much.


ctangora
  • Contributor
  • 194 replies
  • June 9, 2014

It's tough to beat you to a post @mm2270.


bentoms
  • Hall of Fame
  • 4331 replies
  • June 9, 2014

I'd suggest grabbing the UniqueID & then looking it up against AD.

Part of the below script grabs the UniqueID of a user's account on AD.

All you'd need to do is get the logged-in user's UniqueID & then look for the user on AD.

Should be pretty difficult for the users to get around.

http://macmule.com/2013/02/18/correct-ad-users-home-mobile-home-folder-permissions/

