Skip to main content
Question

Report If Last User is Admin rights

  • March 20, 2024
  • 3 replies
  • 28 views
F
Forum|alt.badge.img+4

Hello,

 

I need a daily report. Our security team want a daily report like this. Does Last users has admin rights? How can i do that? I need your help.

 

Thank you. 

    3 replies

    dsavageED
    Forum|alt.badge.img+8
    • dsavageED
    • New Contributor
    • March 20, 2024

    You could run a script once a day to try and work out if the logged in user or last user has admin rights... Something like the following will give you a skeleton, though it's far from perfect.

    #!/bin/bash # Logged in user User_Name=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }' ) if [ -z $User_Name ]; then # Mostly will return the last logged in user User_Name=$( last -1 | awk '{print $1}' ) fi # Members of the local admin group Who_is_Admin=`dscl . -read /Groups/admin | grep GroupMembership` # Check if the name is in the group Admin_Exists=`echo $Who_is_Admin | tr " " "\\n" | grep $User_Name` if ! [ -z $Admin_Exists ]; then echo $User_Name was an admin fi

     

    aparten11
    F
    Forum|alt.badge.img+4
    • foreverkan
    • Author
    • Contributor
    • March 20, 2024

    You could run a script once a day to try and work out if the logged in user or last user has admin rights... Something like the following will give you a skeleton, though it's far from perfect.

    #!/bin/bash # Logged in user User_Name=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }' ) if [ -z $User_Name ]; then # Mostly will return the last logged in user User_Name=$( last -1 | awk '{print $1}' ) fi # Members of the local admin group Who_is_Admin=`dscl . -read /Groups/admin | grep GroupMembership` # Check if the name is in the group Admin_Exists=`echo $Who_is_Admin | tr " " "\\n" | grep $User_Name` if ! [ -z $Admin_Exists ]; then echo $User_Name was an admin fi

     


    Commands are working but how can i report the answer?

    dsavageED
    Forum|alt.badge.img+8
    • dsavageED
    • New Contributor
    • March 20, 2024

    So the best answer would probably be to send the info to a log server or a network share, in either case you would need to get the computer name within code. Jamf has extension attributes that could hold this info, but they are not updated once a day... If this information is being gathered for non-Macs you may want to put the info in the same place...

    aparten11
    Terms & ConditionsCookie settingsAccessibility statement