Question

script to detect if logged in user is mobile cached account



Hi guys

I was wondering if someone can help me.

I'm trying to run a script if the currently logged in user is a cached mobile account.

Has anyone got any ideas?

Thanks

4 replies

mm2270
  • Legendary Contributor
  • 7882 replies
  • June 9, 2015

Two ways. Check the UID, which should be above 1000 (typically much higher than that), although it's been mentioned on other threads that the UID can be spoofed pretty easily, so it's not an absolute way. The better way, as was mentioned, is to check for the OriginalAuthenticationAuthority key as part of the account's info from dscl. That key does not exist in local accounts, but will with cached AD mobile ones.

So...

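#!/bin/bash

# Owner of /dev/console is the user logged in at the GUI
loggedInUser=$(ls -l /dev/console | awk '{print $3}')

# OriginalAuthenticationAuthority is present only on cached AD mobile accounts
if [[ $(dscl . read "/Users/${loggedInUser}" OriginalAuthenticationAuthority 2>/dev/null) ]]; then
    echo "$loggedInUser is an AD mobile account"
else
    echo "$loggedInUser is a local account"
fi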

Should get you what you're looking for.


  • Author
  • Honored Contributor
  • 970 replies
  • June 9, 2015

Thanks very much for your help.


  • New Contributor
  • 3 replies
  • July 6, 2015

This works a treat, thanks


  • Honored Contributor
  • 2721 replies
  • July 7, 2015

@mm2270

Just wanted to add one thing. Anyone with sudo rights and dscl can modify any attribute. So, you can spoof almost anything in there. You might want to look at actually checking if the computer is bound to AD (or LDAP), then take that user's UID and see if it is in AD and not look at the local dscl entry.

I remember an old thread where the IT admin was claiming users were changing their UIDs to over 1000 on local accounts. I did some testing and I was able to use the -append switch in dscl and was able to basically spoof any attribute I wanted to in the local user record.
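
An added example, not code from any post in this thread: one way to script the check suggested in the last reply, confirming a claimed mobile account against the bound directory instead of trusting the local record alone. The function names and result labels are made up for illustration, and the "/Active Directory/<domain>/All Domains" node path is an assumption about how the bound domain appears in dscl.

```shell
#!/bin/bash
# Added example (not from the thread). Assumption: the bound domain is listed
# under the "/Active Directory" node and its users under ".../All Domains".

# Name of the bound AD domain node; empty when the Mac is not bound.
ad_node() {
    dscl localhost -list "/Active Directory" 2>/dev/null | head -n 1
}

# Print one single-valued attribute of a user from a given node; empty if absent.
ds_attr() {   # usage: ds_attr <node> <user> <attribute>
    dscl "$1" -read "/Users/$2" "$3" 2>/dev/null | awk -v k="$3:" '$1 == k {print $2}'
}

# Prints one of: local | mobile-verified | mismatch | unverified
classify_account() {
    local user="$1" node local_uid ad_uid
    # The key from the thread: absent on local accounts, present on cached AD ones.
    if [ -z "$(dscl . -read "/Users/$user" OriginalAuthenticationAuthority 2>/dev/null)" ]; then
        echo "local"; return 0
    fi
    # The local record claims to be a mobile account; ask the directory.
    node="$(ad_node)"
    if [ -z "$node" ]; then echo "unverified"; return 0; fi   # not bound
    local_uid="$(ds_attr . "$user" UniqueID)"
    ad_uid="$(ds_attr "/Active Directory/$node/All Domains" "$user" UniqueID)"
    if [ -z "$ad_uid" ]; then
        echo "unverified"        # directory unreachable or user not found in AD
    elif [ "$ad_uid" = "$local_uid" ]; then
        echo "mobile-verified"   # AD holds the same user with the same UID
    else
        echo "mismatch"          # local record disagrees with AD
    fi
}

# Classify the console user; dscl only exists on macOS.
if [ "$(uname)" = "Darwin" ]; then
    classify_account "$(ls -l /dev/console | awk '{print $3}')"
fi
```

A calling script can gate its mobile-only action on `mobile-verified` and log the other three results, since `unverified` also covers a Mac that is simply off the network.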

